the hands-on activities in this chapter, you will learn about some management tools for SQL
Database management, user management, and service monitoring.
12.2 Windows Azure SQL Database Security
When a database is running in the cloud environment, database security becomes the top concern.
Your database shares the storage device with other databases. It is exposed to the Internet and is no
longer protected by the private network.
To be secure, in general, a database should meet the requirements of confidentiality, integrity,
and availability, which are defined in the following:
Confidentiality : Preventing information from being viewed by unauthorized individuals
Integrity : Preventing information from being intentionally or unintentionally altered
Availability : Making sure that information is available to the authorized users when needed
Confidentiality : In the cloud environment, to protect data from unauthorized people, a security
policy should clearly define who can access what information, who should be allowed to
do what, and what data should be encrypted. Sensitive data should be encrypted before being
transferred over the Internet or stored in databases. In this way, even if the ciphertext is captured
by hackers, it is not readable without the decryption key. For confidentiality, a well-defined
authentication and authorization system should also be in place.
For encryption, Windows Azure SQL Database supports encrypted connections between
SQL Database and client applications. Windows Azure SQL Database supports the Tabular Data
Stream (TDS) protocol. The protocol is used to securely transfer data between a database server
and a client.
.NET libraries include the Cryptographic Service Provider (CSP), which implements the cryptographic
standards, algorithms, and functions. CSPs can be used to encrypt data and store the
encrypted data in SQL Database, and to decrypt data in a Windows Azure application. During
data synchronization, encryption and decryption can also be carried out for the data communication
between SQL Database and the database on an on-premises server.
The encryption and decryption can also be implemented with the programming language C#
while developing an application. The Advanced Encryption Standard (AES) algorithm or other
encryption algorithms are supported by Visual Studio. The security keys used by AES can be
programmed with C#. The ciphertext returned by these algorithms can be safely stored in Windows
Azure SQL Database. Visual Studio also provides decryption methods.
One can also take advantage of ADO.NET encryption and trusted server certificates. ADO.NET
does not pass user IDs and passwords in clear text. You can also set the encrypt property in
the connection string to encrypt the communication channel.
Integrity : Although encryption can prevent unauthorized users from reading the content
stored in Windows Azure SQL Database, it may not prevent them from altering the stored content.
Hashing is the technology used to find out whether sensitive information has been altered by an
unauthorized user. The hashing technology can be used for detecting duplicated data, message
signatures, and password verification. When transferring or storing passwords or keys, one can use
hashing to generate a value that can never be decrypted. The value generated by hashing can be
compared with another hash value to detect a difference. For example, if a password has
been altered during the transaction, the hash value of the original password will not match the
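The two techniques described above, field-level AES encryption before a value is written to SQL Database and a hash-based check that detects alteration of the stored value, combined in one added C# example that is not code from the book. The class name SensitiveField, its methods, and the assumption that the application supplies the AES key and a separate HMAC key are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the book: encrypt a sensitive field with AES before storing it in
// SQL Database, and attach an HMAC-SHA256 tag so alteration of the stored ciphertext is
// detected when the row is read back. Where the keys are kept is outside this example.
public static class SensitiveField
{
    // AES-CBC with a fresh random IV per value; the IV is stored in front of the ciphertext.
    public static byte[] Encrypt(string plaintext, byte[] aesKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;          // 32 bytes for AES-256
            aes.GenerateIV();
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length);
            byte[] blob = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, blob, aes.IV.Length, cipher.Length);
            return blob;               // store this in a VARBINARY column
        }
    }

    public static string Decrypt(byte[] blob, byte[] aesKey)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = aesKey;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            byte[] plain = aes.CreateDecryptor().TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
            return Encoding.UTF8.GetString(plain);
        }
    }

    // Integrity tag stored alongside the blob; keyed so an attacker who edits the row cannot recompute it.
    public static byte[] Tag(byte[] blob, byte[] macKey)
    {
        using (var mac = new HMACSHA256(macKey)) return mac.ComputeHash(blob);
    }

    // Recompute the tag on read and compare in constant time; on a mismatch the stored
    // ciphertext was altered and must not be decrypted and used.
    public static bool IsIntact(byte[] blob, byte[] macKey, byte[] storedTag)
    {
        byte[] expected = Tag(blob, macKey);
        int diff = expected.Length ^ storedTag.Length;
        for (int i = 0; i < expected.Length && i < storedTag.Length; i++) diff |= expected[i] ^ storedTag[i];
        return diff == 0;
    }
}
```

The connection string's encrypt property protects the value in transit; this example protects it at rest, so both are needed.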