Microsoft SQL Azure

MICROSOFT WINDOWS AZURE SQL DATABASE SECURITY

FEBRUARY 2013
DAVID HABUSHA, VP PRODUCTS
Agenda

• Windows Azure SQL Database security capabilities and resources
• Best practices for securing Windows Azure SQL Database
• What actually happens within my database?
• Advanced Windows Azure SQL Database security with GreenSQL
Before We Start…

• Windows Azure = Microsoft’s cloud platform
• Windows Azure SQL Database (formerly known as “SQL Azure”, renamed by Microsoft in June 2012) is part of the Windows Azure data management features
• You can also run SQL Server on a virtual machine on Windows Azure (this is not the same as SQL Database)
What is Windows Azure SQL Database?

• A SQL Server engine, based on SQL Server 2012, with restrictions
    – New server-level roles, hashing algorithms and permissions
    – Contained databases
    – Security management enhancements

• Main restrictions
    – Server auditing is not supported in SQL Database
    – SQL Server authentication only
    – The USE command is not supported
    – See more at http://msdn.microsoft.com/en-us/library/ff394115.aspx and http://msdn.microsoft.com/en-us/library/ff394102.aspx
Security Best Practices

• SQL Database clients
    – TCP port 1433 must be open for outbound connections (the TDS protocol)
    – Block inbound connections on TCP port 1433

• SQL Database is always up to date; make sure you use the most current client versions (specifically SSMS 2012)

• Configure the Windows Azure SQL Database Firewall

• General best practices
    – Prevent SQL injection vulnerabilities during coding
    – Perform regular penetration testing
Security Best Practices – Encryption and Certificates

• ALL communication between Windows Azure SQL Database and your applications requires encryption (SSL) at all times, to avoid "man in the middle" attacks
• Apps need to explicitly request an encrypted connection
• Don’t trust server certificates blindly: the client must validate them
    – If your application code does not request an encrypted connection, it will still receive one. However, it may not validate the server certificate and will then be subject to "man in the middle" attacks
Security Best Practices - Authentication

• Only SQL Server authentication is supported
• Windows Authentication is NOT supported
• Users must provide credentials (login and password) every time they connect to Windows Azure SQL Database
• The USE command is not allowed (connect to the specific database instead)
• Password reset
    – Existing connections are not immediately re-authenticated after a password reset (unlike on-premises SQL Server)
    – Re-authentication happens more than 60 minutes after the last re-authentication
    – If the password has been changed by then, the request will fail and the session will disconnect (end)
Security Best Practices – Logins & Users

• Many restrictions apply. The main ones:
    – The database user in the master database corresponding to the server-level principal login cannot be altered or dropped
    – To access the master database, every login must be mapped to a user account in the master database
    – If you do not specify a database in the connection string, you are connected to the master database by default
    – You must be connected to the master database when executing the CREATE/ALTER/DROP LOGIN and CREATE/ALTER/DROP DATABASE statements
    – A CREATE USER statement with the FOR/FROM LOGIN option, or an ALTER USER statement with the WITH LOGIN option, must be the only statement in its batch
    – Azure User Management Console (AUMC) – open source project on CodePlex, http://aumc.codeplex.com/
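The following T-SQL is an added example, not part of the original deck, showing how the login and batch restrictions above (and the password-reset behaviour from the authentication slide) shape a least-privilege provisioning script. The login name, database name and password are placeholders.

```sql
-- Added example (not from the original deck). Part 1 must be run while
-- connected to the master database; part 2 while connected to the user
-- database named in the connection string, because USE is not allowed.

-- ===== Part 1: connected to master =====
-- CREATE LOGIN is only permitted in master. Placeholder name and password.
CREATE LOGIN app_reporting WITH PASSWORD = 'ReplaceWithAStrongPassword!1';
GO

-- Optional: map the login to a user in master so it can read server-level
-- metadata such as sys.firewall_rules. CREATE USER ... FOR LOGIN must be the
-- only statement in its batch, hence the surrounding GO separators.
CREATE USER app_reporting FOR LOGIN app_reporting;
GO

-- Verify the login exists and is a SQL login (the only kind supported).
SELECT name, type_desc, create_date
FROM sys.sql_logins
WHERE name = 'app_reporting';
GO

-- ===== Part 2: connected to the user database (placeholder: AppDb) =====
-- Map the login to a database user; again the only statement in the batch.
CREATE USER app_reporting FOR LOGIN app_reporting;
GO

-- Grant only what the application needs (read-only here) rather than making
-- it db_owner or reusing the server-level principal login.
ALTER ROLE db_datareader ADD MEMBER app_reporting;
GO

-- Verify the resulting membership for an access review.
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
WHERE dp.name = 'app_reporting';
GO

-- ===== Password rotation (back in master) =====
-- Note from the authentication slide: sessions already open keep working
-- until their next re-authentication (more than 60 minutes later), at which
-- point they fail and disconnect. Plan rotations accordingly.
ALTER LOGIN app_reporting WITH PASSWORD = 'ReplaceWithAnotherStrongPassword!2';
GO
```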
Security Best Practices - Contained Databases

• Windows Azure SQL Database is a fully contained database because it runs in a multi-tenant environment
• Each SQL Database must be scoped so that users can only consume database-level assets
• This is why many SQL Server capabilities are not yet available in Windows Azure SQL Database
• Presumably Microsoft will add these capabilities to Windows Azure SQL Database with a contained implementation
Security Best Practices – Hybrid Applications

• To access on-premises SQL Server, use Windows Azure Connect (still CTP)
• You can join Windows Azure role instances to your domain, so that you can use your existing methods for domain authentication
• Windows Azure Connect uses the industry-standard end-to-end IPsec protocol to establish secure connections between on-premises machines and roles in the cloud. This allows you to connect to your cloud app as if it were inside the firewall.
Windows Azure SQL Database Firewall

• Access is granted based on the originating IP address only
• Default: the SQL Database firewall prevents all access to your SQL Databases

• Server-level firewall rules
     – Restrict access to the whole SQL Database server (all databases). Rules are stored in the master database.
     – Configured via the Windows Azure Platform management portal, the SQL Database Management REST API or system stored procedures and views (sys.firewall_rules, sp_set_firewall_rule and sp_delete_firewall_rule)

Windows Azure SQL Database Firewall

• Database-level firewall rules
     – Restrict access to individual databases within a SQL Database server. Rules are stored in each database (including master) and extend the server-level rules.
     – Configured via system stored procedures and views: sys.database_firewall_rules, sp_set_database_firewall_rule and sp_delete_database_firewall_rule
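The following T-SQL is an added example, not from the original deck, that uses the stored procedures and views named on the two firewall slides to add, review and remove server-level and database-level rules. The rule names and IP addresses are constructed placeholders.

```sql
-- Added example (not from the original deck). Server-level rules are managed
-- while connected to master; database-level rules while connected to the
-- database they protect (USE is not allowed, so reconnect between parts).

-- ===== Part 1: connected to master (server-level rules) =====
-- Allow a single office egress address (placeholder) to reach every database
-- on the server. Using the same start and end address keeps the rule narrow.
EXEC sp_set_firewall_rule
    @name             = N'office-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';
GO

-- Review what is currently open. Because access is granted by source IP only,
-- a rule spanning 0.0.0.0 to 255.255.255.255 would admit any address on the
-- Internet; flag such rules during an access review.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules
ORDER BY modify_date DESC;
GO

-- Remove a server-level rule that is no longer needed (e.g. a former office).
EXEC sp_delete_firewall_rule @name = N'office-egress';
GO

-- ===== Part 2: connected to the user database (database-level rules) =====
-- Database-level rules extend the server-level ones: this address can reach
-- this database only, not every database on the server.
EXEC sp_set_database_firewall_rule
    @name             = N'web-role-instance',
    @start_ip_address = '198.51.100.7',
    @end_ip_address   = '198.51.100.7';
GO

-- Review the database-level rules stored in this database.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules
ORDER BY modify_date DESC;
GO

-- Remove the database-level rule when the role instance is retired.
EXEC sp_delete_database_firewall_rule @name = N'web-role-instance';
GO
```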
Windows Azure SQL Database Firewall

[Figure: SQL Database Firewall architecture]

Windows Azure SQL Database Firewall

[Figure]
Microsoft Resources

• Start with the Windows Azure Trust Center
  https://www.windowsazure.com/en-us/support/trust-center/

• You can carry out authorized penetration testing on Windows Azure
  http://download.microsoft.com/download/C/A/1/CA1E438E-CE2F-4659-B1C9-CB14917136B3/Penetration%20Test%20Questionnaire.docx

• Microsoft is constantly adding compliance with more regulations on Windows Azure
   – SQL Database compliance is still behind, but in the works according to Microsoft
   https://www.windowsazure.com/en-us/support/trust-center/compliance/
GreenSQL for Windows Azure SQL Database

• Complete database security and regulatory compliance for Windows Azure SQL Database
• Complements Windows Azure security capabilities

• Software-based reverse database proxy, easy to install, maintain and use
• Easy on your budget
• Available for a FREE trial

• Also supports SQL Server 2000 to 2012 (“Denali”), MySQL and PostgreSQL using the same installation

GreenSQL for Windows Azure SQL Database

• Supports hybrid and fully hosted architectures

[Figure]

GreenSQL for Windows Azure SQL Database

[Figure]
GreenSQL Offering

Security
• Prevents SQL injection attacks
• Separation of duties
• Database firewall

Activity Monitoring
• DAM (Database Activity Monitoring)
• PCI-DSS, SOX, HIPAA reports
• Email alerts
• Before & after images

Performance
• Offloading database workload with caching
• Significant performance improvement

Data Masking
• Hide sensitive data
• Dynamic, real-time, instant
SQL Database Security - Comparison

Security Concern                                  | Windows Azure SQL Database                                             | GreenSQL
--------------------------------------------------|------------------------------------------------------------------------|------------------------------------------------------------------------
Compliance & Regulations (Auditing)               | Limited, no server audit, required by 3rd party according to regulations | Full administrative & SQL granular auditing, before & after image
SQL Injection Protection                          | None                                                                   | Full
Separation of Duties                              | Limited with database firewall and database roles                      | Full, based on variety of criteria
Complete Database Firewall                        | Limited with database firewall                                         | Full, based on variety of criteria, customized actions
Database patching                                 | Frequent by Microsoft                                                  | Virtual patching
Data masking                                      | None                                                                   | Dynamic, no code or schema changes required
Unified security for hybrid and fully hosted apps | Limited with database firewall                                         | One management system with flexible policies
Direct database access                            | SQL database is segregated                                             | Proxy, examines SQLs before they hit the database, performance acceleration
GreenSQL for Windows Azure SQL Database

• Recommended compute instance size is medium (2 CPU cores, 3.5 GB RAM)
• It can be installed on a Windows or Linux server
• Recommended: Windows Server 2008 R2 64-bit
• Web-based management, all major browsers supported

• Flexible installation architecture
     – Windows Azure / on-premises
Best of Breed Database Protection

Complete database security and regulatory compliance for the Windows Azure cloud
Thank you

Q&A

David Habusha, VP Product
david.habusha@greensql.com