Design security for data at rest, data in motion, and data in use
Many organizations use Azure SQL Database for large customer databases that store phone numbers, addresses, orders, and credit card information. They need a security solution to prevent unauthorized data access to their cloud hosted databases. Classifying stored data by sensitivity and business scenario helps organizations determine the risks associated with their data.
There are three basic tenets of good information security: data discovery, classification, and protection. In this unit, we review different data states and encryption methods to apply these tenets in a strong security solution.
Data encryption for structured data
Data exists in three basic states: data at rest, data in motion, and data in process.
Data at rest is data on a storage device that isn't being moved or used. Data at rest includes archived email messages stored in your Outlook inbox, or files on your laptop that you aren't using. Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.
Data in motion (also called data in transit) is data that's being moved from one device to another within a private network or public network like the internet. Data in motion can also be data that's being read (used) but not changed. Data in motion includes email messages in transit, browsing internet websites, or using company applications like an organization chart.
Data in process is data that's open and being changed. Data in process includes writing an email message, saving your work files, or ordering from a website.
There are different encryption methods for each of data state. The following table summarizes the methods.
| Data state | Encryption method | Encryption level |
|---|---|---|
| Data at rest | Transparent data encryption (TDE) | Always encrypted. |
| Data in motion | Secure Socket Layers and Transport Layer Security (SSL/TLS) | Always encrypted. |
| Data in process | Dynamic data masking | Specific data is unencrypted. Remaining data is encrypted. |
Things to know about data encryption
Transparent data encryption (TDE) protects Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. TDE performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. TDE is enabled by default to all newly deployed Azure SQL Databases.
Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics enforce Secure Socket Layers and Transport Layer Security (SSL/TLS) encryption always for all connections. This level of encryption ensures all data is encrypted "in transit" between the client and server. Transport Layer Security (TLS) is used by all drivers that Microsoft supplies or supports for connecting to databases in Azure SQL Database or Azure SQL Managed Instance.
Data-in-use employs a policy-based security feature called dynamic data masking. This feature hides the sensitive data in the result set of a query over designated database fields, while the data in the database remains unchanged. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal consequence on the application layer.
Tip
Expand your learning with the Plan and implement security for Azure SQL Database and Azure SQL Managed Instance learning module.