Azure Data Security – Data Classification – Part 3
Hello and welcome to the final part of our three-part series on Azure data security, in which we demo Data Classification and Data Masking. In the previous posts we looked at network-level security for protecting data at the perimeter, and then at the authentication layer, which controls who has access and what level of access they have. The goal is to limit access to only the data and operations that are required.
In this post and video we look at what we can do to protect our data once we have secured the network and authentication layers.
Azure SQL Data Masking and Classification
Azure Data Security Layers
This post and demo look at how to leverage the Advanced Data Security feature of Azure SQL Server, which includes Threat Detection, Data Classification and Data Masking. With this feature we can control how our data is classified, and even obfuscate sensitive information, to ensure only the allowed identities have the correct access. We also need to know who is accessing sensitive data, when they are accessing it and from where.
We will demonstrate how data columns in a SQL Server database can be classified to allow reporting and visibility of sensitive information. We will also show how this information can be managed, reported on and monitored.
Securing Data in Azure – Data Classification Dashboard
Example T-SQL for granting an Azure AD identity read access to a table in an Azure SQL Database (the contained user must exist before the grant):
CREATE USER [email@example.com] FROM EXTERNAL PROVIDER; -- create the Azure AD principal in the database first
GRANT SELECT ON dbo.Customers TO [email@example.com];
Data can also be classified with the ADD SENSITIVITY CLASSIFICATION T-SQL statement, and a classification removed with DROP SENSITIVITY CLASSIFICATION, as shown below.
DROP SENSITIVITY CLASSIFICATION FROM dbo.customers.first_name;
DROP SENSITIVITY CLASSIFICATION FROM dbo.customers.last_name;
DROP SENSITIVITY CLASSIFICATION FROM dbo.customers.NationalInsuranceNo;
DROP SENSITIVITY CLASSIFICATION FROM dbo.customers.SocialSecurityNo;
DROP SENSITIVITY CLASSIFICATION FROM dbo.customers.AccountManager;
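As an added example (not code from the original post), the other half of the workflow in T-SQL: classifying the same dbo.customers columns the DROP statements above remove, masking the two national identifiers so that unprivileged readers never see the full value, and reporting what is classified. The column names are assumed from the statements above, and [accounts.team@example.com] is a hypothetical principal.

```sql
-- Added example, not from the original post. Assumes dbo.customers with the
-- columns named in the post's DROP statements; labels and information types
-- are the built-in Azure SQL ones.

-- 1. Classify columns. Label, information type and rank are what the
--    classification dashboard reports and what the audit log records as
--    data_sensitivity_information when these columns are queried.
ADD SENSITIVITY CLASSIFICATION TO
    dbo.customers.first_name,
    dbo.customers.last_name
WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Name', RANK = MEDIUM);

ADD SENSITIVITY CLASSIFICATION TO
    dbo.customers.NationalInsuranceNo,
    dbo.customers.SocialSecurityNo
WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'National ID', RANK = HIGH);

-- 2. Dynamic data masking: readers without UNMASK see only the last 4 characters.
ALTER TABLE dbo.customers
    ALTER COLUMN NationalInsuranceNo ADD MASKED WITH (FUNCTION = 'partial(0,"XXXXX",4)');
ALTER TABLE dbo.customers
    ALTER COLUMN SocialSecurityNo ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');

-- 3. Unmasking is a grant, not a default. Give it only to the identities that
--    genuinely need the raw values (hypothetical principal).
GRANT UNMASK TO [accounts.team@example.com];

-- 4. Report the current classifications (the same data the portal dashboard shows).
SELECT
    SCHEMA_NAME(o.schema_id) AS schema_name,
    o.name                   AS table_name,
    c.name                   AS column_name,
    sc.label,
    sc.information_type,
    sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.objects AS o ON o.object_id = sc.major_id
JOIN sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;
```

Run the SELECT after the DROP statements above and the rows for those columns disappear, which is the quickest way to confirm a classification change took effect.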
Log Analytics query (audit events that touched columns classified Confidential, run by anyone other than the excluded principal):
AzureDiagnostics // SQL auditing sent to Log Analytics lands in this table
| where Category == "SQLSecurityAuditEvents"
| where data_sensitivity_information_s contains "Confidential" and server_principal_name_s != "firstname.lastname@example.org"
| project TimeGenerated, server_instance_name_s, database_name_s, statement_s, affected_rows_d, server_principal_name_s, client_ip_s, data_sensitivity_information_s
| order by TimeGenerated desc
We hope you found the information in this post and video useful!
Please visit our YouTube channel (and subscribe) to see our other videos in this series and more at https://LANETYouTube
Also, visit us at www.lanet.co.uk and check out our Azure Marketplace offerings here http://bit.ly/LaNetSecurity
LANET is a Microsoft Gold Cloud Platform and Silver Security Partner specialising in Microsoft Azure cloud infrastructure security.
Leave a comment below if you thought this was useful!