Module 3
Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-
protected and HSM-protected (Hardware Security Module) keys. Note: Managed HSMs only support HSM-protected keys.
Vaults - Vaults provide a low-cost, easy to deploy, multi-tenant, zone-resilient (where available), highly
available key management solution suitable for most common cloud application scenarios.
Managed HSMs - Managed HSM provides single-tenant, zone-resilient (where available), highly available HSMs
to store and manage your cryptographic keys. Most suitable for applications and usage scenarios that handle
high-value keys. Also helps to meet most stringent security, compliance, and regulatory requirements.
Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. The JavaScript Object
Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are:
The base JWK/JWA specifications are also extended to enable key types unique to the Azure Key Vault and
Managed HSM implementations.
HSM-protected keys (also referred to as HSM-keys) are processed in an HSM (Hardware Security Module) and
always remain within the HSM protection boundary; the key material is never handed to the caller in plaintext.
Vaults use FIPS 140-2 Level 2 validated HSMs to protect HSM-keys in shared HSM backend infrastructure.
Managed HSM uses FIPS 140-2 Level 3 validated HSM modules to protect your keys. Each HSM pool is an
isolated single-tenant instance with its own security domain providing complete cryptographic isolation from
all other HSMs sharing the same hardware infrastructure.
These keys are protected in single-tenant HSM pools. You can import an RSA, EC, or symmetric key, either in soft
form or by exporting it from a supported HSM device, and you can also generate keys directly in the HSM pool. Importing
HSM keys using the method described in the BYOK (bring your own key) specification provides secure transport of the
key material into the Managed HSM pool: the key is wrapped before it leaves the source HSM, so it is never exposed in
plaintext in transit.
Key types and protection methods
Key Vault supports RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.
Key Vault provides secure storage of generic secrets, such as passwords and database connection strings.
Key Vault APIs accept and return secret values as strings, while internally storing and managing secrets as sequences of
octets with a maximum size of 25k bytes.
Key Vault encrypts all secrets at rest using a hierarchy of encryption keys, protected by FIPS 140-2 compliant modules.
The encryption leaf key is unique to each key vault, while the encryption root key varies in protection level based on the
region.
Clients can consider additional layers of protection, such as encrypting data with separate protection keys
before storing it in Key Vault.
Key Vault supports a contentType field for secrets, allowing clients to specify the content type of a secret to
assist in interpreting the data when retrieved.
Encryption in Key Vault is transparent: secrets are encrypted automatically when added and decrypted
when accessed.
Secure storage: Key Vault provides secure storage and management of X.509 certificates. Store and manage TLS/SSL
certificates, code signing certificates, and more.
Centralized Management: Consolidate certificates in a scalable, cloud-based vault.
Robust Security: Key Vault ensures the secure storage and protection of certificates.
Certificate Lifecycle Management: Key Vault supports certificate creation, renewal, and revocation.
Integration with Azure Services: Seamlessly integrate certificates with Azure services like Azure App Service, Azure
Functions, and Azure Virtual Machines.
Developer-Friendly APIs: Use Azure Key Vault SDKs and APIs to programmatically manage certificates.
Compliance and Auditing: Key Vault provides auditing capabilities and helps meet compliance requirements.
Automated Renewal and Deployment: Enable automatic certificate renewal and deployment in Azure
environments.
Azure Key Vault Certificates - Exportable or Non-exportable key
When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or
PEM format. The policy used to create the certificate must indicate that the key is exportable. If the policy indicates non-
exportable, then the private key isn't a part of the value when retrieved as a secret.
The addressable key becomes more relevant with non-exportable Key Vault certificates. The operations allowed on the
addressable key are mapped from the key usage field of the certificate policy used to create the certificate.
Supported key types are RSA, RSA-HSM, EC, EC-HSM and oct. Exportable is only allowed with RSA and EC; HSM-backed
keys (RSA-HSM, EC-HSM) are always non-exportable.
Azure Key Vault Security - https://docs.microsoft.com/en-us/azure/key-vault/general/overview-security
Access to a key vault is controlled through two interfaces: the management plane, and the data plane. The management
plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key
Vault properties, and updating access policies. The data plane is where you work with the data stored in a key
vault. You can add, delete, and modify keys, secrets, and certificates from here.
To access a key vault in either plane, all callers (users or applications) must have proper authentication and
authorization. Authentication establishes the identity of the caller; authorization determines which
operations the caller can execute. Both planes use Azure AD for authentication. For authorization, the
management plane uses Azure RBAC, and the data plane uses either a Key Vault access policy or Azure RBAC (the
Azure RBAC permission model for the data plane is now generally available and is the recommended option, since it
is managed centrally with the same roles and scopes as the rest of Azure).
NEW -- Azure role-based access control (RBAC) for Azure Key Vault data plane authorization is now generally
available | Azure updates | Microsoft Azure
Configure customer-managed keys with Azure Key Vault by using the Azure portal - https://docs.microsoft.com/en-us/azure/storage/common/storage-encryption-keys-portal
Customer-managed keys for Azure Storage use Azure Key Vault, which provides highly available and scalable secure storage
for RSA cryptographic keys backed by FIPS 140-2 Level 2 validated HSMs (Hardware Security Modules). Key Vault streamlines
the key management process and lets customers keep full control of the keys used to encrypt their data, and manage and
audit key usage, in order to protect sensitive data as part of their regulatory or compliance needs (for example HIPAA
and BAA compliance).
Customers can generate/import their RSA key to Azure Key Vault and enable Storage Service Encryption.
Azure Storage handles the encryption and decryption in a fully transparent fashion using envelope encryption
in which data is encrypted using an AES-based key, which is in turn protected using the Customer Managed
Key stored in Azure Key Vault.
Customers can rotate their key in Azure Key Vault as per their compliance policies. When they rotate their
key, Azure Storage detects the new key version and re-wraps the Account Encryption Key for that storage
account with it. This does not re-encrypt the data itself, and no other action is required from the user.
Customers can also revoke access to the storage account by revoking access on their key in Azure Key Vault
(for example by disabling the key, deleting it, or removing the storage account's permission to use it). There are
several ways to revoke access to your keys; refer to the Azure Key Vault PowerShell and Azure CLI documentation for
details. Revoking access effectively blocks access to all blobs in the storage account, because Azure Storage can no
longer unwrap the Account Encryption Key.
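The rotation and revocation behaviour described above, as an added worked example that is not part of the course material or of Azure's own code. It models the Key Vault key (with versions and an enabled flag), the storage account's wrapped Account Encryption Key, and the blobs encrypted under it: rotating the key re-wraps only the data key and leaves every blob byte-for-byte unchanged, and revoking the key makes every blob unreadable. It runs on the Python standard library only, so the symmetric cipher is a stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) for the AES-256 and Key Vault wrap/unwrap operations the real service uses; the class and method names are this example's own.

```python
import hashlib
import hmac
import os

# Stand-in AEAD so this runs on the standard library alone: HMAC-SHA256 keystream (CTR style)
# plus an encrypt-then-MAC tag. The real service uses AES-256 for data and Key Vault wrap/unwrap
# for the data key; the structure below is the same, only the primitive differs.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_keystream(enc_key, nonce, data):
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

def seal(key, plaintext):
    """Returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_keystream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_keystream(enc, nonce, ct)

class KeyVaultKey:
    """The customer-managed key: versioned, and 'enabled' models whether Storage may still use it."""
    def __init__(self):
        self.versions, self.current, self.enabled = {}, None, True

    def rotate(self):
        # New version becomes current; older versions stay available so existing wrapped keys still unwrap.
        self.current = f"v{len(self.versions) + 1}"
        self.versions[self.current] = os.urandom(32)
        return self.current

    def wrap(self, dek):
        self._check_access()
        return self.current, seal(self.versions[self.current], dek)

    def unwrap(self, version, wrapped_dek):
        self._check_access()
        return unseal(self.versions[version], wrapped_dek)

    def _check_access(self):
        if not self.enabled:   # key disabled/deleted, or the account's permission on it removed
            raise PermissionError("access to the Key Vault key has been revoked")

class StorageAccount:
    """Holds the Account Encryption Key only in wrapped form; blobs are encrypted under that key."""
    def __init__(self, cmk):
        self.cmk, self.blobs = cmk, {}
        self.kek_version, self.wrapped_dek = cmk.wrap(os.urandom(32))

    def _dek(self):
        return self.cmk.unwrap(self.kek_version, self.wrapped_dek)

    def put_blob(self, name, data):
        self.blobs[name] = seal(self._dek(), data)

    def get_blob(self, name):
        return unseal(self._dek(), self.blobs[name])

    def on_key_rotated(self):
        # What Storage does when it sees a new key version: unwrap with the old one, re-wrap with
        # the current one. No blob is touched.
        self.kek_version, self.wrapped_dek = self.cmk.wrap(self._dek())

def demo():
    """Rotate, then revoke; returns the two facts a practitioner would want to confirm."""
    cmk = KeyVaultKey()
    cmk.rotate()                                    # v1
    account = StorageAccount(cmk)
    account.put_blob("report.txt", b"hello")
    ciphertext_before = account.blobs["report.txt"]
    cmk.rotate()                                    # v2
    account.on_key_rotated()
    rotated_ok = (account.blobs["report.txt"] == ciphertext_before
                  and account.kek_version == "v2"
                  and account.get_blob("report.txt") == b"hello")
    cmk.enabled = False                             # revoke
    try:
        account.get_blob("report.txt")
        blocked = False
    except PermissionError:
        blocked = True
    return {"rotated_without_rewriting_data": rotated_ok, "blocked_after_revoke": blocked}

if __name__ == "__main__":
    print(demo())
```

The design point to take from the model: the storage account never persists the data key in clear, so whoever controls the Key Vault key (its enabled state and its access policy or RBAC assignment) controls readability of every blob, and rotation is cheap precisely because only the small wrapped key is rewritten.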
Customers can enable this feature on all available redundancy types of Azure Blob storage including premium
storage and can toggle from using Microsoft managed to using customer managed keys. There is no
additional charge for enabling this feature.
You can enable this feature on any Azure Resource Manager storage account using the Azure Portal, Azure
PowerShell, Azure CLI, or the Microsoft Azure Storage Resource Provider API.
Key Rotation:
Regularly rotate cryptographic keys for enhanced security.
Use Key Vault APIs to automate key rotation processes.
Secret Rotation:
Periodically rotate secrets (e.g., passwords, API keys) to mitigate risks.
Utilize Key Vault APIs and automation for seamless secret rotation.
Benefits:
Mitigate risks from compromised keys or secrets.
Maintain security and compliance.
Prevent unauthorized access to sensitive data.
Ensure application availability.
Considerations:
Establish rotation frequency based on security requirements.
Implement secure distribution and storage processes.
Update applications to use the latest key and secret versions.
Monitor and audit rotation activities for compliance.
Provide a layered approach with multiple levels of protection:
Microsoft Defender for Cloud for SQL, Microsoft Defender for Cloud for Storage, and Azure Information Protection.
Container security.
Host security.
Network Security Groups, Application Security Groups, network micro-segmentation.
DDoS Protection, Azure Firewall.
Privileged Identity Management, Conditional Access.
Cloud-based identity solution for applications and services.
Enables single sign-on (SSO) for seamless authentication.
Supports multi-factor authentication (MFA) for enhanced security.
Utilizes OAuth 2.0 and OpenID Connect for secure authorization.
Integrates with Azure Active Directory (Azure AD) for centralized identity management.
Developer-friendly with SDKs, libraries, and tools.
Simplifies authentication across platforms and devices.
Enhances security with features like MFA and conditional access.
Scalable and flexible for applications of all sizes.
Enables enterprise integration with Microsoft services and systems.
Benefits and Use Cases
Simplified Authentication
Enhanced Security
Scalability and Flexibility
Enterprise Integration
Single-page apps: Client-side web applications that provide a fluid user experience with dynamic content
updates and interactive capabilities.
Web apps : Server-side web applications accessed through web browsers, providing rich user interfaces and
functionality.
Web APIs: Backend services that expose APIs to enable secure interaction with client applications and other
services.
Mobile apps: Applications specifically designed for mobile devices, such as smartphones and tablets, offering
native experiences and offline capabilities.
Native apps: Platform-specific applications installed on devices, providing optimized user experiences and
leveraging device capabilities.
Daemon apps: Background services or processes that run without user interaction, typically performing tasks
on behalf of an application or system.
Server-side apps: Applications running on servers that handle requests and perform operations without direct
user involvement.
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
Granular Access Control:
Microsoft Graph uses permissions to control access to resources and operations.
Permissions are granted to applications, either on behalf of a signed-in user or to the application itself.
Permission Types:
Delegated Permissions: acquired by apps and used on behalf of a signed-in user; the effective access is the
intersection of what the app was granted and what the user is allowed to do.
Application Permissions: acquired by apps and used independently of any user, with no user context; these are
higher-risk and always require administrator consent.
Permission Consent:
Users or administrators must grant consent to an application's requested permissions.
Consent can be granted by an individual user for themselves, or by an administrator for the whole organization
(admin consent).
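An added example (not part of the course material) showing how an API protected by Azure AD tells the two permission types apart at runtime: a delegated token carries the granted scopes in the `scp` claim, while an app-only token carries application permissions in the `roles` claim and has no `scp`. The tokens below are constructed, unsigned test tokens so the code runs offline; a real API validates the token signature against the tenant's signing keys before trusting any claim, and that step is deliberately not reimplemented here. Function names are this example's own; the `aud` value is the well-known Microsoft Graph application ID.

```python
import base64
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims):
    """Constructed test token (alg=none) so the example runs offline; real tokens are signed by Azure AD."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def claims_of(token):
    """Decode the payload only. Signature validation must already have happened in a real API."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def permission_model(claims):
    """'delegated' when the token carries scopes (scp) for a signed-in user, 'application' when it
    carries app roles without scp. A delegated token can also carry roles (app roles assigned to the
    user), which is why scp is checked first."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def effective_permissions(claims):
    if "scp" in claims:
        return set(claims["scp"].split())          # scp is a space-separated string
    return set(claims.get("roles", []))            # roles is a JSON array


def authorize(claims, delegated_required, app_required):
    """The pattern a Graph-style API follows: check the scope set for delegated calls and the role
    set for app-only calls; never accept a role where a scope was required, or vice versa."""
    model = permission_model(claims)
    granted = effective_permissions(claims)
    if model == "delegated":
        return delegated_required in granted
    if model == "application":
        return app_required in granted
    return False


GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph application ID

# Constructed sample tokens (not real Azure AD tokens).
DELEGATED = make_unsigned_token({"aud": GRAPH_APP_ID, "scp": "User.Read Mail.Read", "oid": "user-object-id"})
APP_ONLY = make_unsigned_token({"aud": GRAPH_APP_ID, "roles": ["Mail.Read"], "idtyp": "app"})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        c = claims_of(tok)
        print(name, permission_model(c), sorted(effective_permissions(c)),
              "Mail.Read ok:", authorize(c, "Mail.Read", "Mail.Read"))
```

Keeping the two checks separate matters because application permissions are not scoped to a user: an API that treats a `roles` entry as if it were a delegated scope would let a daemon read every mailbox in the tenant where a user would only have reached their own.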
The source must be an Azure resource that has a managed identity assigned; the target can be anything that supports
Azure AD authentication and Azure RBAC.
No need to perform credential rotation or certificate management.
No need to store keys in your code.
Shared Compute (Free and Shared): apps run on shared Azure VM infrastructure, alongside apps from other customers.
Dedicated Compute (Basic, Standard, and Premium): dedicated VMs are provisioned, and your apps run on them.
Isolated: dedicated VMs are provisioned inside a dedicated virtual network.
Compute: an App Service Plan defines the set of compute resources required to run an App Service.
Performance tier: like VMs, App Service Plans come in different tiers; the tier determines the performance, features,
size and the price you pay.
Host multiple apps: you can run multiple apps on a single App Service Plan. Choose a different App Service Plan if an
app needs to be deployed in a different region, requires a different OS, or needs higher performance.
Considerations: regardless of the number of apps you run, you pay for the App Service Plan itself, so choose plans
wisely to optimize cost.
Options for Adding Certificates in App Service:
Create a Free App Service Managed Certificate:
A private certificate that's free of charge, ideal for securing custom domains in App Service.
Simple to use, providing basic certificate management functionalities.
Purchase an App Service Certificate:
A private certificate managed by Azure, combining automated certificate management and renewal options.
Offers flexibility and export options for advanced scenarios.
Import a Certificate from Key Vault:
Useful if you manage PKCS12 certificates in Azure Key Vault.
Enables integration between App Service and Key Vault for secure certificate management.
Upload a Private Certificate:
If you have a private certificate from a third-party provider, you can upload it to App Service.
Allows you to use your own custom certificate for securing your app.
Upload a Public Certificate:
Public certificates are not used for custom domain security but can be utilized in your application code
to access remote resources.
Questions on data residency and compliance in Microsoft Azure? - https://azure.microsoft.com/en-us/blog/questions-on-data-residency-and-compliance-in-azure-we-got-answers/
Start by explaining the concept of data sovereignty. You can use for this purpose its Microsoft definition:
“Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to
the laws of the country in which it is located. Many of the current concerns that surround data sovereignty relate to
enforcing privacy regulations and preventing data that is stored in a foreign country from being subpoenaed
by the host country’s government. “
Next, explain the principle of Azure region pairing. Azure operates in multiple geographies around the world.
An Azure geography is a defined area of the world that contains at least one Azure Region. An Azure region is
an area within a geography, containing one or more datacenters. Each Azure region is paired with another
region within the same geography, forming a regional pair. The exception is Brazil South, which is paired with
a region outside its geography. Across the region pairs Azure serializes platform updates (or planned
maintenance), so that only one paired region is updated at a time. In the event of an outage affecting multiple
regions, one region in each pair will be prioritized for recovery.
The first benefit is physical isolation. When possible, Azure prefers at least 300 miles of separation
between datacenters in a regional pair (although this isn't practical or possible in all geographies). Physical
datacenter separation reduces the likelihood of both regions being affected simultaneously as a result of
natural disasters, civil unrest, power outages, or physical network outages. Isolation is subject to the
constraints within the geography, such as geography size, power and network infrastructure availability, and
regulations.
The second benefit is platform-provided replication. Some services such as geo-redundant storage provide
automatic replication to the paired region.
The third benefit ties to region recovery order. In the event of a broad outage, recovery of one region is
prioritized out of every pair. Applications that are deployed across paired regions are guaranteed to have one
of the regions recovered with priority. If an application is deployed across regions that are not paired,
recovery might be delayed. In the worst case the chosen regions might be the last two to be recovered.
The fourth benefit is associated with sequential updates. Planned Azure system updates are rolled out to
paired regions sequentially, not at the same time. This helps minimize downtime, the effect of bugs, and
logical failures in the rare event of a bad update.
The fifth benefit is data residency. To meet data residency requirements for tax and law enforcement
jurisdiction purposes, a region resides within the same geography as its pair, with the exception of Brazil
South.
Authorize requests to Azure Storage - https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage
More details on the next slides, just introduce the choices. Every request made against a secured resource in the Blob, File,
Queue, or Table service must be authorized. Authorization ensures that resources in your storage account are accessible
only when you want them to be, and only to those users or applications to whom you grant access. You can authorize
requests for Azure Storage by using Azure AD, Access Keys, and Shared Access Signatures. You also have the
option of enabling anonymous access.
Instructor Note – Azure Files Azure AD Authentication is no longer in preview -- General availability of Azure
Files on-premises Active Directory Domain Services authentication | Azure Blog and Updates | Microsoft Azure
https://kodekloud.blob.core.windows.net?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D
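An added example (not part of the course material) that works with account SAS tokens like the one above: it builds the string-to-sign that Azure Storage uses for an account SAS with sv 2015-04-05 through 2020-10-02, mints and verifies a SAS with HMAC-SHA256 over the base64-decoded account key, shows that changing any signed field invalidates the signature, and audits a SAS for the grants a reviewer should question (delete, account-wide scope, all services, long lifetime, no IP or protocol restriction). The account key is constructed for the example, so the slide's sample token cannot verify against it; the audit of the slide's token (hostname taken literally, IP range read as 168.11.12.13-168.11.12.19) still runs. Function names and the finding tags are this example's own.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Fields covered by an account SAS signature, in string-to-sign order
# (sv 2015-04-05 through 2020-10-02; 2020-12-06 and later append the encryption scope).
SIGNED_FIELDS = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")

# Constructed demo key; a real account key is read from the storage account, never embedded.
DEMO_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")

# The sample SAS from the slide.
PAGE_SAS_URL = ("https://kodekloud.blob.core.windows.net?sv=2020-08-04&ss=bfqt&srt=sc&sp=rwdlacup"
                "&se=2022-05-19T14:31:40Z&st=2022-05-19T06:31:40Z&sip=168.11.12.13-168.11.12.19"
                "&spr=https&sig=66iXqzZSakarJO5J210%2ByoPRVXTeT%2FTJcHHSEkUjHr0%3D")


def string_to_sign(account, params):
    """Account name, then each signed field (empty if absent), each terminated by a newline."""
    return account + "\n" + "\n".join(params.get(f, "") for f in SIGNED_FIELDS) + "\n"


def compute_signature(account, account_key_b64, params):
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign(account, params).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_account_sas_url(account, account_key_b64, params):
    """Mint an account SAS URL for the blob endpoint from the given signed fields."""
    query = dict(params)
    query["sig"] = compute_signature(account, account_key_b64, params)
    return urlunsplit(("https", f"{account}.blob.core.windows.net", "", urlencode(query), ""))


def parse_sas(url):
    """Return (account, {param: value}); values are percent-decoded, as Storage decodes them."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.hostname.split(".")[0], params


def verify_account_sas(url, account_key_b64):
    """Recompute the signature from the URL's own parameters; constant-time compare."""
    account, params = parse_sas(url)
    presented = params.pop("sig", "")
    return hmac.compare_digest(compute_signature(account, account_key_b64, params), presented)


def with_param(url, **overrides):
    """Rebuild the URL with some fields changed (to show tampering breaks the signature)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update(overrides)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(url, now_iso=None, max_lifetime=timedelta(hours=1)):
    """Return a list of finding tags for over-broad grants; an empty list means nothing flagged."""
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    _, p = parse_sas(url)
    findings = []
    sp, ss, srt = p.get("sp", ""), p.get("ss", ""), p.get("srt", "")
    if "d" in sp:
        findings.append("delete")            # can destroy data, not just read it
    if "w" in sp or "c" in sp or "a" in sp:
        findings.append("write")
    if set("bfqt") <= set(ss):
        findings.append("all-services")      # blob, file, queue and table in one token
    if "s" in srt:
        findings.append("service-level")     # account-wide operations such as listing containers
    if "sip" not in p:
        findings.append("no-ip-restriction")
    if p.get("spr") != "https":
        findings.append("http-allowed")
    if "se" not in p:
        findings.append("no-expiry")
    else:
        expiry = _utc(p["se"])
        start = _utc(p["st"]) if "st" in p else now
        if expiry <= now:
            findings.append("expired")
        if expiry - start > max_lifetime:
            findings.append("long-lived")
    return findings


# A narrowly scoped SAS minted with the demo key: read-only, blob service, object level, one IP, 28 minutes.
SIGNED_URL = build_account_sas_url("kodekloud", DEMO_KEY_B64, {
    "sv": "2020-08-04", "ss": "b", "srt": "o", "sp": "r",
    "st": "2022-05-19T06:31:40Z", "se": "2022-05-19T07:00:00Z",
    "sip": "168.11.12.13", "spr": "https",
})

if __name__ == "__main__":
    print("slide SAS findings:", audit_sas(PAGE_SAS_URL, now_iso="2022-05-19T10:00:00Z"))
    print("own SAS verifies:", verify_account_sas(SIGNED_URL, DEMO_KEY_B64))
    print("own SAS with sp widened to rw:", verify_account_sas(with_param(SIGNED_URL, sp="rw"), DEMO_KEY_B64))
```

Two things worth noticing in practice: a SAS is only as revocable as the account key it was signed with (rotating that key invalidates every token signed under it), and because the signature covers the permission, service, resource type, time window, IP and protocol fields, any of them can be tightened at issue time without the holder being able to loosen it afterwards.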
Secure way of authenticating: Microsoft recommends using Azure AD authentication for accessing Blobs, Queues and
Tables. Azure AD adds controls such as MFA and Conditional Access to the request for storage access.
Requires dedicated RBAC roles: even if you are Owner or Contributor of the subscription, you still need a
storage-specific data RBAC role to authorize storage data access requests. These roles can be assigned at any scope and
are inherited. Examples: Storage Blob Data Owner, Storage Queue Data Contributor.
On-premises Active Directory Domain Services (AD DS)
For on-premises AD DS authentication, you must set up your AD domain controllers and domain join your machines or VMs.
You can host your domain controllers on Azure VMs or on-premises. Either way, your domain joined clients must have line of
sight to the domain service, so they must be within the corporate network or virtual network (VNET) of your domain service.
The following diagram depicts on-premises AD DS authentication to Azure file shares over SMB. The on-prem
AD DS must be synced to Azure AD using Azure AD Connect sync. Only hybrid users that exist in both on-
premises AD DS and Azure AD can be authenticated and authorized for Azure file share access. This is because
the share level permission is configured against the identity represented in Azure AD where the directory/file
level permission is enforced with that in AD DS. Make sure that you configure the permissions correctly
against the same hybrid user.
1. Enable Azure Files on-prem AD DS authentication including creating an AD identity to represent the
storage account
2. Assign the Azure AD identity that was synced from AD on share level permission to Azure Files (for
example: [email protected])
3. Mount Azure Files with storage account key and configure directory/file level permissions (Windows
DACLs) to the AD identity (for example: [email protected])
4. Access Azure Files using AD credentials by first authenticating against AD DS and sending the Kerberos
token to Azure Files for authorization
Azure Active Directory Domain Services (Azure AD DS)
Azure AD DS provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM (Windows New
Technology LAN Manager) authentication. These services are fully compatible with Active Directory Domain
Services. For more information, see Azure Active Directory Domain Services.
For Azure AD DS authentication, you should enable Azure AD Domain Services and domain join the VMs you
plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your
Azure AD DS.
The following diagram represents the workflow for Azure AD DS authentication to Azure file shares over
SMB. It follows a similar pattern to on-prem AD DS authentication to Azure file shares.
All users that exist in Azure AD can be authenticated and authorized, whether cloud-only or hybrid. The sync from
Azure AD to Azure AD DS is managed by the platform without any user configuration. However, the client must be
domain joined to Azure AD DS; it cannot be merely Azure AD joined or registered.
Flowchart:
1. Enable Azure Files Azure AD DS authentication
2. Assign the Azure AD identity share-level permission to Azure Files (for example: [email protected])
3. Mount Azure Files with the storage account key and configure directory/file-level permissions (Windows DACLs)
to the Azure AD identity
4. Access Azure Files using Azure AD credentials by first authenticating against Azure AD DS and sending the
Kerberos token to Azure Files for authorization
What is 'Secure Transfer Required'?
A data protection feature provided by Microsoft Azure.
Ensures that all data is securely transferred to and from the Azure Storage Account.
How does it work?
When enabled, all requests to the storage account must be made over HTTPS, a secure transport protocol.
If a request is made over HTTP, it will fail.
Why use 'Secure Transfer Required'?
Enhances security: Data is encrypted during transmission.
Complies with industry standards: Meets data privacy and compliance requirements.
Secure method: A secure method for connecting to an Azure SQL Database.
Centralized Identity Management: Utilizes identities managed by Azure AD for consistency.
Setup Process: Involves setting up an Azure AD account, registering the application, and assigning permissions.
Single Sign-On (SSO): Provides seamless SSO experiences for users and applications.
Robust Security Protocols: Offers enhanced security measures such as multi-factor authentication.
Improved Access Control: Allows better control over who can access the database.
Simplified Management: Azure AD makes user management more streamlined.
Enhanced Security: Azure AD Authentication elevates the overall security level of cloud-based SQL
management.
All access is denied by default
Database-Level Firewall Rules (T-SQL): Apply to individual databases within the Azure SQL Database server. Ideal for
providing granular access control. These rules don't provide access to other databases in the server or the master database.
Managed within each database, suitable for multi-tenant applications where different users need access to specific
databases.
Server-Level Firewall Rules (Portal, T-SQL, or PowerShell): Apply to the entire SQL server, including all
databases within the server. Allows a client to access all databases within a server, including the master
database. Administered at the server level, ideal for scenarios where a client requires access to multiple
databases on the server.
A feature that tracks database events and writes them to an audit log in your Azure storage account.
Comprehensive Tracking: Records and monitors database activities like login failures, transaction history, database
modifications, and more.
Compliance & Security: Helps meet organizational and regulatory compliance requirements by providing detailed audit
trails.
Threat Detection: Enables the identification of unusual patterns that could indicate potential threats or breaches.
Audit Log Analysis: Analysis of audit logs can be performed using tools like Azure Monitor logs, Power BI, etc.,
for deeper insights.
Retention Policy: You can define retention policies for your audit logs as per your organizational needs.
Overall Benefit: Azure SQL Auditing enhances security, aids in maintaining compliance, and improves
database management by providing visibility into your database activities.
An Azure feature that identifies, classifies, labels, and protects sensitive data in your databases.
Data Discovery: Automatically scans your SQL database to identify columns containing potentially sensitive data.
Data Classification: Enables categorizing data based on sensitivity, using labels like "Highly Confidential", "Confidential",
"General".
Data Protection: Once classified, data protection policies can be implemented to secure sensitive data.
Compliance Aid: Helps meet data privacy standards and regulatory compliance requirements like GDPR.
Reporting & Monitoring: Provides a detailed overview and reports of classified data, enabling better
monitoring and risk assessment.
Overall Benefit: Azure SQL Data Discovery & Classification enhances data security, aids compliance
requirements, and supports risk management by bringing transparency to your sensitive data landscape.
Threat Detection: Uses machine learning to identify unusual and potentially harmful activities indicating potential threats
and security breaches.
Vulnerability Assessment: Performs routine assessments to identify potential vulnerabilities in your databases and provides
remediation recommendations.
Security Alerts: Provides real-time security alerts about suspicious activities and potential vulnerabilities.
Secure Score: Offers a quantifiable measure of your security posture, helping you track your security improvements over
time.
Compliance Dashboard: Provides insights on compliance posture with respect to various industry standards
and regulations.
Azure SQL Advanced Threat Protection (ATP) is designed to detect and alert on security threats that could
compromise your database; it raises alerts rather than blocking the activity itself. Here are some of the threats it
can help detect:
SQL Injection Attacks: ATP can detect patterns typical of SQL Injection, one of the most common threats where an attacker
attempts to manipulate your database by inserting malicious SQL statements into a query.
Brute Force Attacks: ATP identifies repeated login attempts from unfamiliar locations or unusual data access patterns,
often signs of brute force attacks.
Anomalous Database Access and Query Patterns: By profiling your database's behavior, ATP can spot
abnormal database access or query patterns which could indicate unauthorized or harmful activity.
Potential Data Exfiltration: Unusual data transfer or export patterns, often a sign of data exfiltration
attempts, can be detected and alerted by ATP.
Unsafe Action Alerts: It also alerts administrators to potentially unsafe actions, like adding suspicious links to
the database.
Privileged Access Abuse: ATP can help detect instances where database access privileges are being misused,
including by rogue insiders.
Threats from Malware or Viruses: While not a replacement for dedicated antivirus software, ATP can still alert
on patterns of activity
An automated security tool that scans, identifies, and reports potential vulnerabilities in your database environment.
Routine Scanning: Conducts regular assessments to maintain the security of your system, keeping track of new potential
threats.
Detailed Reports: Provides comprehensive reports on found vulnerabilities with severity levels and suggests remediation
steps to mitigate them.
Security Alerts: Sends real-time alerts for high-risk vulnerabilities that need immediate attention.
Compliance Aid: VA reports can assist in demonstrating compliance with various data protection standards
and regulations.
Baseline Management: Enables setting up an acceptable baseline of your database configuration, and alerts
when deviations occur.
Overall Benefit: Vulnerability Assessment enhances system security, reduces the risk of breaches, aids in
compliance, and provides insight into the system's security posture.
Dynamic Data Masking: A security feature in Azure SQL that hides sensitive data in the result set of a query, reducing the exposure of sensitive data.
Real-Time Masking: Provides real-time obfuscation of data so that no physical changes are made to data stored in the
database.
Customizable Masks: Allows defining of masking rules for specific data fields, according to data sensitivity and user
privileges.
Predefined Masking Patterns: Azure provides predefined masks like email, credit card, etc., to make the process simpler and
efficient.
Role-Based Access: Only users with the appropriate permissions can see unmasked data, ensuring secure
access.
Compliance Support: Aids in meeting data protection regulations and compliance requirements.
Overall Benefit: Dynamic Data Masking is a crucial security feature that helps protect sensitive data from
unauthorized access, enhancing data security in Azure SQL databases.
Transparent Data Encryption (TDE): A security feature in Azure SQL that encrypts your databases, both at rest and during physical storage operations, such as
backup.
Real-Time Encryption & Decryption: TDE performs real-time I/O encryption and decryption, ensuring seamless operation
without affecting performance.
Protection of Data at Rest: Encrypts database files, safeguarding the data when it's stored on disk, preventing unauthorized
access.
Automatic Encryption Management: Azure manages TDE encryption keys, performing regular key rotations
without user intervention for enhanced security.
Always On: Enabled by default for all new Azure SQL databases, ensuring continuous data protection.
Regulatory Compliance: Assists in meeting regulatory compliance requirements related to data encryption.
Overall Benefit: Transparent Data Encryption offers an extra layer of protection for your Azure SQL
databases, securing data at rest and ensuring compliance with data protection regulations.
Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data
at rest on the server, during movement between client and server, and while the data is in use. Always Encrypted ensures
that sensitive data never appears as plaintext inside the database system. After you configure data encryption, only client
applications or app servers that have access to the keys can access plaintext data. Always Encrypted uses
the AEAD_AES_256_CBC_HMAC_SHA_256 algorithm to encrypt data in the database.
Always Encrypted: A feature in Azure SQL that ensures sensitive data remains encrypted not only at rest but also during
transmission and in-memory processing.
Encryption & Decryption: Data encryption and decryption occur transparently in the application layer, limiting
the risk of exposure within the database system.
Key Management: Encryption keys are managed client-side, ensuring they are never exposed to the database
engine, providing an additional layer of data protection.
Secure Enclaves: Supports secure enclaves, which allow confidential computations on encrypted data.
Two Encryption Types: Supports randomized encryption, which produces unpredictable ciphertexts, and deterministic
encryption, which permits indexing and equality searches.
Regulatory Compliance: Helps in meeting compliance requirements concerning data encryption and data
privacy.
Overall Benefit: The Always Encrypted feature enhances data security by maintaining encryption not just at rest,
but also during data transmission and in-memory processing, ensuring continuous protection of sensitive
data.
Always Encrypted: Protect sensitive data and store encryption keys in the Windows certificate store -
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted?view=sql-server-ver15
Identify the database table and the sensitive data columns that need to be encrypted. In this case, SSN. In SQL Server
Management Studio, view the table and select Encrypt Columns. This will launch the Always Encrypted wizard.
Select the columns you need encrypted.
Select the Encryption Type. There are two types: Deterministic and Randomized. Deterministic encryption
always generates the same encrypted value for any given plaintext value. Randomized encryption uses a
method that encrypts data in a less predictable manner.
The Encryption Key can be autogenerated by the wizard. The key can be the same or different for each
encrypted column.
The Master Key that protects the column encryption keys can also be autogenerated. It can be stored in the
Windows certificate store or in Azure Key Vault.
SSMS is not the only tool; you can also use T-SQL and PowerShell.