1. Microsoft SQL Azure
MICROSOFT WINDOWS AZURE
SQL DATABASE SECURITY
FEBRUARY 2013
DAVID HABUSHA, VP PRODUCTS
2. Agenda
• Windows Azure SQL Database security capabilities
and resources
• Best practices securing Windows Azure SQL Database
• What actually happens within my database?
• Advanced Windows Azure SQL Database security
with GreenSQL
3. Before We Start…
• Windows Azure = Microsoft’s Cloud Platform
• Windows Azure SQL Database (formerly known as “SQL
Azure”, renamed by Microsoft in June 2012) is part
of Windows Azure data management features
• You can also run SQL Server on a virtual machine on
Windows Azure (!= SQL Database)
4. What is Windows Azure SQL Database?
• SQL Server engine, based on SQL Server 2012 with
restrictions
– New server-level roles, hashing algorithms, permissions
– Contained databases
– Security management enhancements
• Main restrictions
– Server auditing is not supported in SQL Database
– SQL Server authentication only
– USE command
– See more at http://msdn.microsoft.com/en-us/library/ff394115.aspx and
http://msdn.microsoft.com/en-us/library/ff394102.aspx
5. Security Best Practices
• SQL Database clients
– TCP port 1433 open for outbound connections (for TDS
protocol)
– Block inbound connections on TCP port 1433
• SQL Database is always up-to-date; make sure you
use the most current version of clients (specifically
SSMS 2012)
• Configure Windows Azure SQL Database Firewall
• General Best Practices
– Prevent SQL Injection vulnerabilities during coding
– Perform regular penetration testing
6. Security Best Practices – Encryption and Certificates
• ALL communications between Windows Azure SQL
Database and your applications require encryption
(SSL) at all times (to avoid "man in the middle"
attacks)
• Apps need to explicitly request an encrypted
connection
• Don’t trust server certificates blindly; validate them
– If your application code does not request an encrypted
connection, it will still receive one. However, it may not
validate the server certificates and will be subject to "man
in the middle" attacks
7. Security Best Practices - Authentication
• Only SQL Server authentication is supported
• Windows Authentication is NOT supported
• Users must provide credentials (login and password)
every time they connect to Windows Azure SQL
Database
• USE command is not allowed (connect to specific DB)
• Password reset
– Existing connections are never re-authenticated immediately
after a password reset (unlike on-premise SQL Server)
– Re-authentication happens after more than 60 minutes
from last re-authentication
– If the password has been changed, the request will fail and
the session will disconnect (end)
8. Security Best Practices – Logins & Users
• Many restrictions apply. Main restrictions:
– The database user in the master database corresponding to the
server-level principal login cannot be altered or dropped
– To access the master database, every login must be mapped to a user
account in the master database
– If you do not specify a database in the connection string, you will be
connected to the master database by default
– You must be connected to the master database when executing the
CREATE/ALTER/DROP LOGIN and CREATE/ALTER/DROP DATABASE
statements
– A CREATE USER statement with the FOR/FROM LOGIN option, or an
ALTER USER statement with the WITH LOGIN option, must be the
only statement in a batch
– Azure User Management Console – AUMC - open source project on
CodePlex http://aumc.codeplex.com/
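The login and user restrictions above, worked through as an added T-SQL example (not from the original slides). The login name report_reader and the password placeholder are constructed; GO is the batch separator used by SSMS and sqlcmd.

```sql
-- Added example: names and the password placeholder are constructed.
-- USE is not available, so each section runs on its own connection.

-- Connection 1: opened against the master database.
-- CREATE/ALTER/DROP LOGIN only run here.
CREATE LOGIN report_reader WITH PASSWORD = '<strong-password-placeholder>';
GO

-- No user is created for this login in master. The login therefore cannot
-- access master, and the application's connection string must name the
-- target database explicitly (the default would be master).

-- Connection 2: opened against the target user database.
-- CREATE USER ... FOR LOGIN must be the only statement in its batch,
-- so it is followed immediately by a batch separator.
CREATE USER report_reader FOR LOGIN report_reader;
GO

-- Grant the narrowest built-in role that fits (read-only here).
EXEC sp_addrolemember N'db_datareader', N'report_reader';
GO

-- Verify: list the user and every database role it belongs to.
SELECT u.name AS user_name,
       r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name = N'report_reader';
GO
```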
9. Security Best Practices - Contained Databases
• Windows Azure SQL Database is a fully contained
database as it employs a multi-tenant environment
• SQL Databases have to be scoped to only allow users
the ability to consume database level assets
• This is the reason many SQL Server capabilities are
not yet available in Windows Azure SQL
Database
• The assumption is that Microsoft will add these capabilities
to Windows Azure SQL Database with a contained
implementation
10. Security Best Practices – Hybrid Applications
• To access on-premise SQL Server,
use Windows Azure Connect (still
CTP)
• You can join Windows Azure
role instances to your domain, so
that you can use your existing
methods for
domain authentication
• Windows Azure Connect uses
industry-standard end-to-end
IPSEC protocol to establish secure
connections between on-premise
machines and roles in the cloud.
This allows you to connect to your
cloud app as if it were inside the
firewall.
11. Windows Azure SQL Database Firewall
• Access grant based on originating IP address only
• By default, the SQL Database firewall prevents all access to
your SQL Databases
• Server-level firewall rules
– Restrict access to the whole SQL Database server (all
databases). Rules stored in master database.
– Configured via the Windows Azure Platform management
portal, the SQL Database Management REST API, or system
stored procedures and views (sys.firewall_rules,
sp_set_firewall_rule and sp_delete_firewall_rule)
12. Windows Azure SQL Database Firewall
• Database-level firewall rules
– Restrict access to individual databases within a SQL
Database server. Rules are stored in each database (including
master). These rules extend the server-level rules.
– Configured via system stored procedures and views:
sys.database_firewall_rules,
sp_set_database_firewall_rule and
sp_delete_database_firewall_rule
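The server-level and database-level firewall procedures and views from the two slides above, as an added T-SQL example (not from the original slides). Rule names and IP ranges are constructed, and the audit query's address_count column is an illustrative addition.

```sql
-- Added example: rule names and IP ranges are constructed (documentation ranges).
-- USE is unavailable, so each step runs on a connection opened to the named database.

-- 1) Connected to master: server-level rule (applies to every database on the server).
EXEC sp_set_firewall_rule
     @name             = N'office-egress',
     @start_ip_address = '203.0.113.10',
     @end_ip_address   = '203.0.113.20';

-- 2) Connected to the user database: database-level rule that admits one extra
--    host to this database only, without widening the server-level rules.
EXEC sp_set_database_firewall_rule
     @name             = N'reporting-host',
     @start_ip_address = '198.51.100.7',
     @end_ip_address   = '198.51.100.7';

-- 3) Audit, connected to master: size of every server-level range, widest first.
--    PARSENAME splits the dotted quad; the first octet is part 4, the last is part 1.
SELECT r.name, r.start_ip_address, r.end_ip_address,
       e.n - s.n + 1 AS address_count,
       r.modify_date
FROM sys.firewall_rules AS r
CROSS APPLY (SELECT CAST(PARSENAME(r.start_ip_address, 4) AS bigint) * 16777216
                  + CAST(PARSENAME(r.start_ip_address, 3) AS bigint) * 65536
                  + CAST(PARSENAME(r.start_ip_address, 2) AS bigint) * 256
                  + CAST(PARSENAME(r.start_ip_address, 1) AS bigint) AS n) AS s
CROSS APPLY (SELECT CAST(PARSENAME(r.end_ip_address, 4) AS bigint) * 16777216
                  + CAST(PARSENAME(r.end_ip_address, 3) AS bigint) * 65536
                  + CAST(PARSENAME(r.end_ip_address, 2) AS bigint) * 256
                  + CAST(PARSENAME(r.end_ip_address, 1) AS bigint) AS n) AS e
ORDER BY address_count DESC;

-- 4) For a database's own rules, run the same query against
--    sys.database_firewall_rules while connected to that database.

-- 5) Remove rules that are no longer needed.
EXEC sp_delete_firewall_rule @name = N'office-egress';            -- in master
EXEC sp_delete_database_firewall_rule @name = N'reporting-host';  -- in the user database
```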
15. Microsoft Resources
• Start with Windows Azure Trust Center
https://www.windowsazure.com/en-us/support/trust-center/
• You can carry out authorized penetration testing on Windows
Azure
http://download.microsoft.com/download/C/A/1/CA1E438E-CE2F-4659-B1C9-CB14917136B3/Penetration%20Test%20Questionnaire.docx
• Microsoft is constantly adding compliance with more regulations
on Windows Azure
– SQL Database compliance is still behind but in the works
according to Microsoft
https://www.windowsazure.com/en-us/support/trust-center/compliance/
16. GreenSQL for Windows Azure SQL Database
• Complete database security and regulatory
compliance for Windows Azure SQL Database
• Complements Windows Azure security capabilities
• Software-based reverse database proxy, easy to
install, maintain and use
• Easy on your budget
• Available for a FREE trial
• Also supports SQL Server 2000 to 2012 (“Denali”),
MySQL and PostgreSQL using same installation
17. GreenSQL for Windows Azure SQL Database
• Supports hybrid and fully hosted architectures
19. GreenSQL Offering
• Security
– Prevents SQL Injection attacks
– Separation of duties
– Database firewall
• Activity Monitoring
– DAM (Database Activity Monitoring)
– PCI-DSS, SOX, HIPAA reports
– Email Alerts
– Before & after images
• Performance
– Offloading database workload with caching
– Significant performance improvement
• Data Masking
– Hide sensitive data
– Dynamic, real-time, instant
20. SQL Database Security - Comparison
Security concern: Windows Azure SQL Database vs. GreenSQL
• Compliance & Regulations (Auditing)
– Windows Azure SQL Database: Limited, no server audit, required by 3rd party according to regulations
– GreenSQL: Full administrative & SQL granular auditing, before & after image
• SQL Injection Protection
– Windows Azure SQL Database: None
– GreenSQL: Full
• Separation of Duties
– Windows Azure SQL Database: Limited with database firewall and database roles
– GreenSQL: Full, based on variety of criteria
• Complete Database Firewall
– Windows Azure SQL Database: Limited with database firewall
– GreenSQL: Full, based on variety of criteria, customized actions
• Database Patching
– Windows Azure SQL Database: Frequent by Microsoft
– GreenSQL: Virtual patching
• Data Masking
– Windows Azure SQL Database: None
– GreenSQL: Dynamic, no code or schema changes required
• Unified security for hybrid and fully hosted apps
– Windows Azure SQL Database: Limited with database firewall
– GreenSQL: One management system with flexible policies
• Direct database access
– Windows Azure SQL Database: SQL database is segregated
– GreenSQL: Proxy, examines SQLs before they hit the database, performance acceleration
21. GreenSQL for Windows Azure SQL Database
• Recommended compute instance size is medium (2
CPU cores, 3.5 GB RAM)
• It can be installed on a Windows or Linux server
• Recommended: Windows 2008 R2, 64-bit
• Web-based management, all major browsers
supported
• Flexible installation architecture
– Windows Azure/On-premises
22. Best of Breed Database Protection
Complete database security and regulatory
compliance for Windows Azure cloud
23. Microsoft SQL Azure
Thank you
Q&A
David Habusha, VP Product
david.habusha@greensql.com