Sudarshan's Blog

My Thoughts, Findings & Experiences

SQL Azure Security: Transparent Data Encryption (TDE)

July 25, 2016 02:59

Transparent Data Encryption (TDE) keeps your data files and backups encrypted. TDE protects both the physical data files and the transaction log files. If the files are copied to another server, they can’t be opened and read there. TDE protects data at rest only; the tables themselves are not encrypted as far as a query is concerned. This means that if a user has permission to a database with TDE enabled, that user can see all the data, so TDE is not a substitute for access control. TDE was first introduced in the on-premises version of SQL Server 2008.

SQL Azure TDE works similarly, but its configuration is much simpler than for on-premises SQL Server. Here is how you can enable TDE:

  • Go to Azure portal portal.azure.com
  • Choose your database and go to Settings
  • Click on the Data Encryption option (check the screenshot below)

Change the Data Encryption value to ON and click Save (at the top right-hand corner of the page). Check the ‘Encryption Status’; after a while it will say Encrypted.

TDE in SQL Azure is implemented on top of the same Transparent Data Encryption feature that has shipped with SQL Server since 2008. Some enhancements have been made to the core technology to reduce the CPU overhead of turning on TDE.

A few important things to note about the TDE feature in SQL Azure:

  • No changes are required in the application
  • The database is encrypted with a symmetric key, called the database encryption key (DEK)
  • The database encryption key is protected by a built-in server certificate that is unique to each SQL Azure Database server
  • If there are multiple databases on the same server, they share the same certificate
  • Microsoft rotates the built-in certificates every 90 days for security purposes
  • If you have enabled Geo-Replication on the database, the primary and each secondary are protected by different keys on their respective servers
  • SQL Azure does not support Azure Key Vault integration with TDE (at the time of writing)
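The portal steps above can also be driven from T-SQL, which is useful for scripted deployments and for checking the key facts listed above (the DEK algorithm and length, and the thumbprint of the built-in certificate protecting it). The following is an added example, not code from the original post; it assumes a database named [AppDb] on the SQL Azure server and a connection to that database with a login that has ALTER DATABASE permission.

```sql
-- Added example (not from the original post): enable TDE with T-SQL instead of
-- the portal, then verify it the same way the portal's "Encryption Status" does.
-- Assumes a database named [AppDb]; run while connected to [AppDb] with a login
-- that has ALTER DATABASE permission.

-- 1. Turn encryption on (equivalent of setting Data Encryption to ON and Save).
ALTER DATABASE [AppDb] SET ENCRYPTION ON;

-- 2. Check progress. encryption_state 2 = encryption in progress, 3 = encrypted.
--    Re-run until the state reaches 3; percent_complete shows how far the
--    background encryption scan has got while the state is still 2.
SELECT
    DB_NAME(database_id)            AS database_name,
    CASE encryption_state
        WHEN 0 THEN 'No database encryption key present, not encrypted'
        WHEN 1 THEN 'Unencrypted'
        WHEN 2 THEN 'Encryption in progress'
        WHEN 3 THEN 'Encrypted'
        WHEN 4 THEN 'Key change in progress'
        WHEN 5 THEN 'Decryption in progress'
        WHEN 6 THEN 'Protection change in progress'
    END                             AS encryption_status,
    percent_complete,
    key_algorithm,                  -- symmetric algorithm of the DEK (e.g. AES)
    key_length,                     -- DEK length in bits
    encryptor_type,                 -- CERTIFICATE: the built-in server certificate
    encryptor_thumbprint            -- changes when Microsoft rotates the certificate
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();

-- 3. Turning TDE off again is symmetric; the DMV reports state 5 while the
--    database is being decrypted.
-- ALTER DATABASE [AppDb] SET ENCRYPTION OFF;
```

Two things worth checking with this query: a database that has never had TDE enabled returns no row at all from sys.dm_database_encryption_keys (there is no DEK yet), so an empty result means "not encrypted", not an error; and on a Geo-Replicated database the same query run on the primary and on a secondary server shows different encryptor_thumbprint values, which is the "different keys on different servers" point above made visible.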

If you need stronger protection than encryption at rest (TDE), such as data that stays encrypted even from users who can query the database, then please read the article “Always Encrypted”.

SQL Azure Security

July 24, 2016 16:40

Some organizations are concerned about moving their data to the cloud because of perceived security risks and because the new security paradigms are unfamiliar to DB administrators, programmers and application users. Most of these concerns can be addressed by a better understanding of the security options available in Azure and SQL Azure.

Azure provides robust security protection and its datacenters are resilient to attack. Azure datacenters comply with various regulatory and security requirements such as HIPAA, ISO and PCI, to name a few, and are audited regularly. Microsoft uses built-in analytics and a comprehensive methodology to detect and respond to malicious behaviour within Azure. It’s important to note that not all datacenters are compliant with all certifications, so choose an Azure datacenter based on your requirements.

While Azure provides a secure platform for your data, it is your responsibility to take the steps that secure your application and the data it holds.

In this article series, we will discuss the different options available in SQL Azure to secure your data. Security can be grouped into the following categories:

  • Data Access
  • Monitoring and logging
  • Data Protection

We will look at the following features:

Data Access

  • Restricting access using Firewall administration
  • Authentication
  • Managing Permissions

Monitoring and logging

  • SQL Azure Auditing

Data Protection

  • Transparent Data Encryption (TDE)
  • Always Encrypted

Once you have a good understanding of your application’s security needs, you can choose the appropriate feature, or combination of features, to secure your data.