Microsoft SQL Azure

FEBRUARY 2013

DAVID HABUSHA, VP PRODUCTS

MICROSOFT WINDOWS AZURE SQL DATABASE SECURITY

Windows azure sql_database_security_isug012013



Agenda

• Windows Azure SQL Database security capabilities and resources

• Best practices for securing Windows Azure SQL Database

• What actually happens within my database?

• Advanced Windows Azure SQL Database security with GreenSQL


Before We Start…

• Windows Azure = Microsoft’s Cloud Platform

• Windows Azure SQL Database (formerly known as “SQL Azure”, renamed by Microsoft in June 2012) is part of the Windows Azure data management features

• You can also run SQL Server on a virtual machine on Windows Azure (!= SQL Database)


What is Windows Azure SQL Database?

• SQL Server engine, based on SQL Server 2012 with restrictions

– New server-level roles, hashing algorithms, permissions

– Contained databases

– Security management enhancements

• Main restrictions

– Server auditing is not supported in SQL Database

– SQL Server authentication only

– USE command is not allowed

– See more at http://msdn.microsoft.com/en-us/library/ff394115.aspx and http://msdn.microsoft.com/en-us/library/ff394102.aspx


Security Best Practices

• SQL Database clients

– TCP port 1433 open for outbound connections (for TDS protocol)

– Block inbound connections on TCP port 1433

• SQL Database is always up-to-date, make sure you use the most current version of clients (specifically SSMS 2012)

• Configure Windows Azure SQL Database Firewall

• General Best Practices

– Prevent SQL Injection vulnerabilities during coding

– Perform regular penetration testing


Security Best Practices – Encryption and Certificates

• ALL communications between Windows Azure SQL Database and your applications require encryption (SSL) at all times (to avoid "man in the middle" attacks)

• Apps need to explicitly request an encrypted connection

• Don’t trust server certificates

– If your application code does not request an encrypted connection, it will still receive one. However, it may not validate the server certificates and will be subject to "man in the middle" attacks
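
The connection-string check below is an added example, not part of the original slides. It parses ADO.NET-style connection strings and flags the two cases described above: encryption not explicitly requested, and server certificate validation switched off. Encrypt and TrustServerCertificate are ADO.NET SqlClient keywords; the function names, sample strings and host name are assumptions made for illustration.

```python
import re

# One "key=value" pair. Values may be double- or single-quoted, so a ';'
# inside a quoted password does not split the pair or smuggle in a fake key.
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))\s*(?:;|$)""")
TRUE_VALUES = {"true", "yes"}

def parse_connection_string(conn_str):
    """Return the settings as a dict with lower-cased keys.
    In this sketch a later duplicate key overwrites an earlier one."""
    settings = {}
    for m in PAIR.finditer(conn_str):
        value = next(g for g in m.groups()[1:] if g is not None)
        settings[m.group(1).lower()] = value.strip()
    return settings

def audit_tls_settings(conn_str):
    """List the TLS-related weaknesses found in one connection string."""
    s = parse_connection_string(conn_str)
    findings = []
    if s.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("Encrypt is not True: encryption is not explicitly "
                        "requested, so the certificate may not be validated")
    if s.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate is True: the server "
                        "certificate is accepted without validation")
    return findings

# Constructed samples; host, database, user and password are placeholders.
BASE = ("Server=tcp:example.database.windows.net,1433;Database=appdb;"
        "User ID=app@example;")
WEAK = BASE + "Password=placeholder;TrustServerCertificate=True"
HARDENED = BASE + "Password=placeholder;Encrypt=True;TrustServerCertificate=False"
# A quoted password containing ';Encrypt=True' must not mask Encrypt=False.
TRICKY = BASE + 'Encrypt=False;Password="x;Encrypt=True"'

if __name__ == "__main__":
    for name, cs in (("WEAK", WEAK), ("HARDENED", HARDENED), ("TRICKY", TRICKY)):
        print(name, audit_tls_settings(cs) or "ok")
```
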


Security Best Practices - Authentication

• Only SQL Server authentication is supported

• Windows Authentication is NOT supported

• Users must provide credentials (login and password) every time they connect to Windows Azure SQL Database

• USE command is not allowed (connect to the specific database instead)

• Password reset

– Existing connections are never re-authenticated immediately (unlike on-premise SQL Server)

– Re-authentication happens once more than 60 minutes have passed since the last re-authentication

– If the password has been changed, the request will fail and the session will disconnect (end)


Security Best Practices – Logins & Users

• Many restrictions apply. Main restrictions:

– The database user in the master database corresponding to the server-level principal login cannot be altered or dropped

– To access the master database, every login must be mapped to a user account in the master database

– If you do not specify a database in the connection string, you will be connected to the master database by default

– You must be connected to the master database when executing the CREATE/ALTER/DROP LOGIN and CREATE/ALTER/DROP DATABASE statements

– When you execute the CREATE USER statement with the FOR/FROM LOGIN option or the ALTER USER statement with the WITH LOGIN option, it must be the only statement in the batch

• Azure User Management Console (AUMC): open source project on CodePlex, http://aumc.codeplex.com/


Security Best Practices - Contained Databases

• Windows Azure SQL Database is a fully contained database as it employs a multi-tenant environment

• SQL Databases have to be scoped so that users can consume only database-level assets

• This is the reason many SQL Server capabilities are not yet available in Windows Azure SQL Database

• The assumption is that Microsoft will add these capabilities to Windows Azure SQL Database with a contained implementation


Security Best Practices – Hybrid Applications

• To access on-premise SQL Server, use Windows Azure Connect (still CTP)

• You can join Windows Azure role instances to your domain, so that you can use your existing methods for domain authentication

• Windows Azure Connect uses industry-standard end-to-end IPSEC protocol to establish secure connections between on-premise machines and roles in the cloud. This allows you to connect to your cloud app as if it were inside the firewall.


Windows Azure SQL Database Firewall

• Access grant based on originating IP address only

• By default, the SQL Database firewall prevents all access to your SQL Databases

• Server-level firewall rules

– Restrict access to the whole SQL Database server (all databases). Rules are stored in the master database.

– Configured via the Windows Azure Platform management portal, the SQL Database Management REST API, or system stored procedures and views (sys.firewall_rules, sp_set_firewall_rule and sp_delete_firewall_rule)


Windows Azure SQL Database Firewall

• Database-level firewall rules

– Restrict access to individual databases within a SQL Database server. Rules are stored in each database (including master). Database-level rules extend the server-level rules.

– Configured via system stored procedures and views (sys.database_firewall_rules, sp_set_database_firewall_rule and sp_delete_database_firewall_rule)
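
The sketch below is an added example, not Microsoft's implementation. It models the default-deny, source-IP-only semantics of the server-level and database-level rules described on the two firewall slides, and lists rules that admit more than a chosen number of addresses. The rule rows, database names, function names and the 256-address threshold are assumptions.

```python
import ipaddress

# Constructed rows shaped like sys.firewall_rules / sys.database_firewall_rules:
# (name, start_ip_address, end_ip_address). Addresses are documentation ranges.
SERVER_RULES = [("office", "203.0.113.10", "203.0.113.20")]
DATABASE_RULES = {
    "reporting": [("bi-vendor", "198.51.100.7", "198.51.100.7")],
    "orders": [("too-wide", "0.0.0.0", "255.255.255.255")],
}

def _covers(rule, ip):
    _, start, end = rule
    return ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end)

def matching_rule(client_ip, database, server_rules=SERVER_RULES,
                  database_rules=DATABASE_RULES):
    """Return (level, rule_name) for a rule admitting client_ip to database,
    or None when no rule matches (default deny). The order of the two loops
    does not change the allow/deny outcome."""
    ip = ipaddress.ip_address(client_ip)
    for rule in server_rules:                      # applies to every database
        if _covers(rule, ip):
            return ("server", rule[0])
    for rule in database_rules.get(database, []):  # extends access to one database
        if _covers(rule, ip):
            return ("database", rule[0])
    return None

def rule_size(rule):
    """Number of source addresses a rule admits."""
    _, start, end = rule
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1

def oversized_rules(server_rules=SERVER_RULES, database_rules=DATABASE_RULES,
                    max_addresses=256):
    """List (scope, name, size) for rules wider than max_addresses (assumed limit)."""
    found = [("server", r[0], rule_size(r))
             for r in server_rules if rule_size(r) > max_addresses]
    for db, rules in database_rules.items():
        found += [(db, r[0], rule_size(r))
                  for r in rules if rule_size(r) > max_addresses]
    return found

if __name__ == "__main__":
    print(matching_rule("198.51.100.7", "reporting"))
    print(matching_rule("198.51.100.7", "master"))
    print(oversized_rules())
```

Because access is granted on originating IP address only, a wide range at either level admits every client in that range, so reviewing rule width is the main check these rules allow.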


Windows Azure SQL Database Firewall

[Figure: SQL Database Firewall architecture]


Microsoft Resources

• Start with Windows Azure Trust Center https://www.windowsazure.com/en-us/support/trust-center/

• You can carry out authorized penetration testing on Windows Azure http://download.microsoft.com/download/C/A/1/CA1E438E-CE2F-4659-B1C9-CB14917136B3/Penetration%20Test%20Questionnaire.docx

• Microsoft is constantly adding compliance with more regulations on Windows Azure

– SQL Database compliance is still behind but in the works according to Microsoft https://www.windowsazure.com/en-us/support/trust-center/compliance/


GreenSQL for Windows Azure SQL Database

• Complete database security and regulatory compliance for Windows Azure SQL Database

• Complements Windows Azure security capabilities

• Software-based reverse database proxy, easy to install, maintain and use

• Easy on your budget

• Available for a FREE trial

• Also supports SQL Server 2000 to 2012 (“Denali”), MySQL and PostgreSQL using same installation


• Supports hybrid and fully hosted architectures


GreenSQL Offering

Performance

• Offloading database workload with caching

• Significant performance improvement

Data Masking

• Hide sensitive data

• Dynamic, real-time, instant

Security

• Prevents SQL Injection attacks

• Separation of duties

• Database firewall

Activity Monitoring

• DAM (Database Activity Monitoring)

• PCI-DSS, SOX, HIPAA reports

• Email Alerts

• Before & after images


SQL Database Security - Comparison

• Compliance & Regulations (Auditing)

– Windows Azure SQL Database: Limited, no server audit, required by 3rd party according to regulations

– GreenSQL: Full administrative & SQL granular auditing, before & after image

• SQL Injection Protection

– Windows Azure SQL Database: None

– GreenSQL: Full

• Separation of Duties

– Windows Azure SQL Database: Limited with database firewall and database roles

– GreenSQL: Full, based on variety of criteria

• Complete Database Firewall

– Windows Azure SQL Database: Limited with database firewall

– GreenSQL: Full, based on variety of criteria, customized actions

• Database patching

– Windows Azure SQL Database: Frequent by Microsoft

– GreenSQL: Virtual patching

• Data masking

– Windows Azure SQL Database: None

– GreenSQL: Dynamic, no code or schema changes required

• Unified security for hybrid and fully hosted apps

– Windows Azure SQL Database: Limited with database firewall

– GreenSQL: One management system with flexible policies

• Direct database access

– Windows Azure SQL Database: SQL database is segregated

– GreenSQL: Proxy, examines SQLs before they hit the database, performance acceleration


GreenSQL for Windows Azure SQL Database

• Recommended compute instance size is medium (2 CPU cores, 3.5 GB RAM)

• It can be installed on a Windows or Linux server

• Recommended: Windows 2008 R2, 64-bit

• Web-based management, all major browsers supported

• Flexible installation architecture

– Windows Azure/On-premises


Best of Breed Database Protection


Complete database security and regulatory compliance for Windows Azure cloud


Thank you

Q&A

David Habusha, VP Product [email protected]