This post was authored by Rohan Kumar, General Manager, Database Systems.
Securing customer data while maintaining the highest levels of privacy have always been top priorities for Microsoft and the SQL organization. As a result, SQL Server, which also powers Azure SQL Database and Azure SQL Data Warehouse, continues to be one of the most secure Relational Database Management Systems (RDBMS) on the market.
At the RSA Conference last year, we talked about our commitment to security and privacy. I want to share a few examples of industry-leading security features we shipped since then and update you on our plans to deliver the highest levels of security across the SQL Database product lineup.
Announcing the April general availability of Azure SQL Database Threat Detection for proactive monitoring and alerting of suspicious database activities and potential vulnerabilities.
Using machine learning, SQL Database Threat Detection continuously monitors and profiles application behavior, and detects suspicious database activities to identify unusual and potentially harmful attempts to access, breach or exploit sensitive data in databases. When suspicious activity is detected, security officers and designated administrators get immediate notification or can view the alerts in the Azure Security Center along with recommendations for how to mitigate the threats. SQL Database Threat Detection can detect potential vulnerabilities and SQL injection attacks, as well as anomalous activities such as data access from unusual locations or by unfamiliar principals.
Frans Lytzen, CTO of New Orbit, UK, is early adopter of SQL Database Threat Detection, said “I’ve seen it detect potential SQL injection attacks […]. This is a useful feature to potentially detect both external and internal attacks […]. You have nothing to lose by switching it on.” SQL Database Threat Detection is simple to configure via the Azure portal and requires no modifications to your existing T-SQL code or client applications. Fernando Sola, Cloud Technology Consultant at HSI adds, “Thanks to Azure SQL Database Threat Detection, we were able to detect and fix vulnerabilities to SQL injection attacks and prevent potential threats to our database. I was very impressed with how simple it was to enable Threat Detection using the Azure portal.”
State-of-the-art protection of sensitive data in flight, at rest and during query processing with Always Encrypted in SQL Server 2016 and Azure SQL Database has been generally available since July 2016.
Always Encrypted is an industry-first feature that offers unparalleled data security against breaches involving the theft of critical data. For example, with Always Encrypted, customers’ credit card numbers are stored encrypted in the database at all times, even during query processing, allowing decryption at the point of use by authorized staff or applications that need to process that data. Encryption keys are managed outside of the database for maximum safety and separation of duties. Only authorized users with access to the encryption keys can see unencrypted data while using applications.
Financial Fabric, a global provider of big data analytics to hedge funds and institutional investors, uses Always Encrypted to ensure that sensitive data is encrypted from the moment it is ingested in Azure SQL Database until it is accessed by authorized end users. Paul Stirpe, CTO of Financial Fabric states, “With Always Encrypted in Azure SQL Database, analysts can aggregate information, work on client data and positions, and provide numbers without revealing highly sensitive, identifiable information.” You can read more about how Financial Fabric is transforming hedge fund management with Azure and SQL Database here.
Always Encrypted is simple to use, transparent, and ready to protect your data. Client drivers have been enhanced to work in conjunction with SQL Server and Azure SQL Database to decrypt and encrypt data at the point of use, requiring only minimal modifications to your applications.
SQL Dynamic Data Masking is another security capability that’s built right into the relational engine. Itlimits sensitive data exposure by masking the data when accessed by non-privileged users or applications. Any data in the result set of a query over masked database fields is obfuscated on the fly while the data in the database remains unchanged. SQL’s Dynamic Data Masking requires no changes to the application and is simple to configure. What’s more, for users of Azure SQL Database, Dynamic Data Masking can automatically discover potentially sensitive data and suggest the appropriate masks to be applied.
We have also delivered single sign-on for Azure SQL Database and SQL DW with Azure Active Directory Authentication which was made generally available in August 2016, and customers can now preview secure, compliant management of the TDE encryption keys using Azure Key Vault.
Securing customer data doesn’t end with the features we ship. Security and privacy are built right into our products, beginning with the Security Development Lifecycle (SDL) that focuses on security at every step – from the initial planning, to launch, to making sure the service and our infrastructure are continuously monitored and updated to stay ahead of new threats.
For example, our scanning and threat protection tools run continuously against our service to look for viruses, ensure software is properly patched, and identify potential vulnerabilities and misconfigurations. “Just-in-time” access management enables us to operate our service with no standing access to production servers and their databases. Instead, employees are required to request access which is reviewed and granted for the narrowest possible scope and limited time only. In addition, much of what we do internally has found its way back into customer facing products, Azure SQL Database Threat Detection is one example. I also encourage you to read our whitepaper on protecting data and privacy in the Azure cloud to learn about how we work hard every day to earn your trust.
Going forward we want to dramatically simplify security to ensure all of our customers can implement and operate an effective, defense-in-depth strategy for their sensitive data independent of their level of expertise. For example, we believe that securing a SQL database should be as simple as identifying the desired protection level (e.g., High Business Impact) and applying the appropriate policy to secure the database. Microsoft’s SQL Server platform will do the rest, including identifying which data is sensitive and which features are needed to secure the data. While the database is in use, it will continuously monitor for changes in the configuration and any unusual activities that may be signs of malicious attacks.
Although this remains a vision for now, we continue to invest in features that combine machine learning and adaptive behavior with state-of-the-art security and privacy protection to get us closer to our goals.
Our customers are taking notice, as voiced by Paul Stirpe from Financial Fabric who said “[… the] new technology that has been rolled out by Microsoft is a game-changer. Cloud security has fundamentally shifted as of now.”
We believe our vision of the intelligent, always secure database will democratize security in the same way relational query processing democratized data management in the 1970’s by enabling anyone who could write SQL queries to manage and access large databases.
 Based on vulnerabilities reported in the NIST National Vulnerability Database (nvd.nist.gov) for the last 6 years.