Chapter 3
Security
Compared to other systems in most corporations, database environments are probably the weakest point when it
comes to security, with a few exceptions such as the banking sector. The reason is that databases are considered
well within the boundaries of internal networks, which are considered secured and usually inaccessible directly
from the Internet.
With the advent of SQL Database and most Database as a Service solutions, the focus on database security rises
all the way to the top for two primary reasons: you're no longer in control of your data, and the data can be directly
accessed from the Internet. As a result, it becomes even more important to take advantage of all the capabilities of
SQL Database and understand its limitations.
Overview
Before diving into the specifics of SQL Database, let's look at a general security framework to assess how Database
as a Service can impact you. The following discussion is based on the basic security principles encapsulated by
confidentiality, integrity, and availability (CIA). This is referred to as the CIA triad and is one of the most accepted
forms of security categorization. SQL Database has different strengths and weaknesses than traditional SQL Server
installations, so it is important to review each area of the CIA triad to understand how to deal with its weaknesses and
to leverage its strengths.
Confidentiality
Confidentiality is the ability to ensure that data can be accessed only by authorized users. It's about protecting your
data from prying eyes or from inadvertent leakage, and it's achieved by using multiple technologies, including the
following:
Encryption. Creates a ciphertext (encrypted information) that can be decrypted through the use of a shared key or a certificate.
Hashing. Generates a ciphertext that can't be decrypted (typically used for password storage).
Access control. Controls access to data based on contextual information.
Authentication. Controls who can access the database and which objects in the database a user can access.
Firewall. Uses technology to limit network connectivity to a list of known machines.
SQL Database offers new features, such as a firewall (as previously discussed); however, it doesn't yet support
data encryption natively (such as Transparent Data Encryption [TDE] and field-level encryption), which places more
emphasis on the other confidentiality techniques.
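Because SQL Database offers no native encryption, any encryption or hashing of stored data has to be done by the application before the data reaches the database. The following Go program is an added example, not code from this book or from SQL Database itself; it demonstrates the difference between the first two techniques in the list above: a column value encrypted under a shared key held by the application (and therefore decryptable with that key) and a password that is salted and hashed so that nothing stored in the database can be turned back into the password. The function names, the "salt$hash" storage format, the 100,000 PBKDF2 iterations and the assumption that the key is kept in an application-side key store are all illustrative choices, not anything the chapter prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
)

const pbkdfIterations = 100000 // assumed work factor for password hashing

// newGCM: AES-GCM under a key the application holds outside the database (hypothetical key store).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value; the random nonce is prepended and the result base64-encoded
// so it can be stored in an ordinary text column. It is reversible by anyone holding the key.
func EncryptField(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptField reverses EncryptField; a wrong key or a tampered value fails GCM authentication
// and returns an error rather than silently wrong data.
func DecryptField(key []byte, stored string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("stored value shorter than a nonce")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// pbkdf2SHA256: PBKDF2 (RFC 8018) over HMAC-SHA256 for one 32-byte output block, standard library only.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := prf.Sum(nil)             // U1 = PRF(password, salt || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // Ui = PRF(password, Ui-1)
		for j := range t {
			t[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return t
}

// HashPassword stores "salt$hash": one-way, so nothing in the database can be turned back into the password.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	h := pbkdf2SHA256([]byte(password), salt, pbkdfIterations)
	return base64.StdEncoding.EncodeToString(salt) + "$" + base64.StdEncoding.EncodeToString(h), nil
}

// VerifyPassword recomputes the hash under the stored salt and compares in constant time.
func VerifyPassword(stored, password string) bool {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err1 := base64.StdEncoding.DecodeString(parts[0])
	want, err2 := base64.StdEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, pbkdfIterations)
	return subtle.ConstantTimeCompare(got, want) == 1
}
```

Only the base64 ciphertext and the "salt$hash" string reach the database; the AES key stays with the application. That split is what makes the encrypted column recoverable by the application and the hashed password recoverable by nobody, which is the distinction the list draws between encryption and hashing.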
 