Encryption for data at rest, data in transmission, and data in use



In this tutorial we will look at how Azure SQL Database and SQL Managed Instance encrypt data in transit, at rest and in use, and then at the security management features built on top of that.

Information protection and encryption

Transport Layer Security (Encryption-in-transit)

SQL Database and SQL Managed Instance protect client data in motion by encrypting it with Transport Layer Security (TLS). Both services require every connection to be encrypted (SSL/TLS) at all times, so data is encrypted in transit between client and server regardless of whether Encrypt or TrustServerCertificate is set in the connection string.

As a recommended practice, explicitly request an encrypted connection in the connection string used by the application (Encrypt=True) and leave TrustServerCertificate=False. This forces the client driver to validate the server certificate, which is what defeats a man-in-the-middle attack: the server enforcing TLS only guarantees confidentiality against a passive observer, while certificate validation is what ties the session to the real server. Setting TrustServerCertificate=True still encrypts the traffic but skips that validation.
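The check a practitioner actually wants is whether the session is encrypted as seen from the server side, not what the client believes it asked for. The following T-SQL is an added example (not from the original page) that reads the connection DMV for the current session; it assumes the login has VIEW DATABASE STATE (Azure SQL Database) or VIEW SERVER STATE (SQL Managed Instance), and the connection-string values in the comments are the recommended settings rather than anything the page itself quotes.

```sql
-- Added example: confirm from inside the session that the connection is
-- TLS-encrypted. Recommended client settings (ADO.NET / ODBC style):
--   Encrypt=True;TrustServerCertificate=False
-- Encrypt=True requests TLS; TrustServerCertificate=False keeps certificate
-- chain/name validation on, which is the part a MITM needs you to switch off.

SELECT
    c.session_id,
    c.encrypt_option,        -- 'TRUE' when this session's traffic is TLS-encrypted
    c.auth_scheme,           -- 'SQL', 'NTLM' or 'KERBEROS'
    c.client_net_address,
    c.protocol_type
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- Same check as a hard failure, suitable for a deployment smoke test that runs
-- through the application's own connection string:
IF NOT EXISTS (
    SELECT 1
    FROM sys.dm_exec_connections
    WHERE session_id = @@SPID
      AND encrypt_option = 'TRUE'
)
    THROW 50001, 'Connection to SQL is not TLS-encrypted; refusing to proceed.', 1;
```

Run the smoke test with the exact driver and connection string the application ships with; a test run from SSMS only tells you about SSMS's settings.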

Transparent Data Encryption (Encryption-at-rest)

Transparent Data Encryption (TDE) is a security feature of Azure SQL Database and SQL Managed Instance that helps safeguard data at rest against unauthorised or offline access to the raw files or backups. Typical scenarios are theft of data centre hardware or insecure disposal of media such as disc drives and backup tapes. TDE encrypts the whole database (data files, log and backups) with the AES algorithm and requires no changes to existing applications from developers. Note that TDE protects the storage layer only: anyone who can authenticate to the database and query it still sees plaintext.
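Because TDE is enabled by default on new Azure SQL databases, the useful step is to verify its state rather than assume it. The following T-SQL is an added example, not taken from the page; the database name [MyAppDb] is hypothetical.

```sql
-- Added example: report TDE state per database. encryption_state values:
--   0 = no database encryption key present (not encrypted)
--   1 = unencrypted, 2 = encryption in progress, 3 = encrypted,
--   4 = key change in progress, 5 = decryption in progress,
--   6 = protection change in progress
SELECT
    d.name,
    d.is_encrypted,
    k.encryption_state,
    k.key_algorithm,       -- 'AES'
    k.key_length,          -- 256 on Azure SQL
    k.encryptor_type       -- 'CERTIFICATE' (service-managed) or
                           -- 'ASYMMETRIC KEY' (customer-managed key in Key Vault)
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
    ON d.database_id = k.database_id;

-- Flag databases that are not fully encrypted (state 3) so the result is
-- actionable rather than informational:
SELECT d.name
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
    ON d.database_id = k.database_id
WHERE ISNULL(k.encryption_state, 0) <> 3
  AND d.name <> 'tempdb';

-- Enabling TDE on a database where it is off (hypothetical database name).
-- On Azure SQL Database the service manages the database encryption key.
ALTER DATABASE [MyAppDb] SET ENCRYPTION ON;
```

The encryptor_type column is the quick way to tell service-managed TDE apart from customer-managed keys in Azure Key Vault, which is what an auditor asking about key custody will want to see.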

Always Encrypted (Encryption-in-use)

Always Encrypted is a feature that prevents unauthorised access to sensitive data stored in specific database columns, such as credit card numbers, national identity numbers, or any data that must be handled on a need-to-know basis. The protection extends to database administrators and other privileged users who are allowed to access the database for administration tasks: they can operate the database but cannot read the protected values. The data is always encrypted on the server side and is only decrypted for processing by client applications that hold the encryption key. That key is never exposed to SQL Database or SQL Managed Instance; the column master key that protects it can be stored in the Windows Certificate Store or in Azure Key Vault, and the server only holds the column encryption key in wrapped (encrypted) form.
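The following T-SQL is an added example (not from the page) showing how the pieces fit together: a column master key that is only metadata pointing at Key Vault, a column encryption key stored as a blob wrapped under it, and two encrypted columns with different encryption types. The Key Vault URL, key names, table and column names are hypothetical, and the ENCRYPTED_VALUE is a placeholder: the real blob is produced by client tooling that holds the master key (the SSMS wizard or a client-side key store provider), never by the server.

```sql
-- Added example: Always Encrypted column setup. All names are hypothetical.

-- 1. Column master key: metadata only. The key material lives in Key Vault;
--    the server stores the path and never sees the key.
CREATE COLUMN MASTER KEY [CMK_Payments]
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://contoso-kv.vault.azure.net/keys/cmk-payments/0123456789abcdef0123456789abcdef'
);

-- 2. Column encryption key: stored in the database, but only as a value
--    encrypted under the CMK. The server cannot unwrap it.
CREATE COLUMN ENCRYPTION KEY [CEK_Payments]
WITH VALUES (
    COLUMN_MASTER_KEY = [CMK_Payments],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0123456789ABCDEF   -- placeholder; replace with the blob your client tooling generates
);

-- 3. DETERMINISTIC for a column you must look up by equality; RANDOMIZED for
--    a column you only read back. Deterministic leaks equality (same plaintext
--    gives the same ciphertext), so use it only where the lookup is required.
--    Deterministic string columns must use a BIN2 collation.
CREATE TABLE dbo.Payments (
    PaymentId   int IDENTITY PRIMARY KEY,
    CustomerId  int NOT NULL,
    NationalId  char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = [CEK_Payments],
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    CardNumber  varchar(19) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = [CEK_Payments],
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Amount      decimal(10, 2) NOT NULL
);

-- 4. What a DBA sees from a session WITHOUT "Column Encryption Setting=Enabled"
--    in its connection string: varbinary ciphertext, not the values.
SELECT TOP (5) PaymentId, NationalId, CardNumber FROM dbo.Payments;

-- 5. This cannot be evaluated on the server: it has no key, and randomized
--    encryption does not support equality even for clients that do.
-- SELECT * FROM dbo.Payments WHERE CardNumber = '4111111111111111';
```

Step 4 is the point of the feature: a privileged user with full SELECT rights still gets ciphertext. Inserts and parameterised equality lookups on NationalId work only from a client whose driver has Column Encryption Setting enabled and can reach the master key in Key Vault.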

Dynamic data masking

[Figure: Dynamic data masking. Image source: Microsoft]

Dynamic data masking (DDM) limits the exposure of sensitive data to non-privileged users by obscuring it in query results. In Azure SQL Database and SQL Managed Instance, DDM also detects potentially sensitive columns automatically and recommends masks that can be applied with minimal impact on the application layer. It works by masking the sensitive values in the result set of a query over designated database columns; the data stored in the database is not changed. DDM is an obfuscation control, not encryption: principals with the UNMASK permission see the real values, and a user who can run ad hoc queries can still infer masked values through predicates, so it complements rather than replaces the controls above.
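The following T-SQL is an added example (not from the page) that applies the built-in masking functions to a constructed table, shows what a low-privilege reader gets back, and demonstrates the inference caveat. The table, columns, values and the SupportReader user are all hypothetical.

```sql
-- Added example: dynamic data masking end to end. Names and data are constructed.
CREATE TABLE dbo.Customers (
    CustomerId  int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100),
    Email       varchar(254) MASKED WITH (FUNCTION = 'email()'),
    Phone       varchar(20)  MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)'),
    CardNumber  char(16)     MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
    Balance     money        MASKED WITH (FUNCTION = 'random(1, 100)')
);

INSERT INTO dbo.Customers (FullName, Email, Phone, CardNumber, Balance)
VALUES (N'Ada Lovelace', 'ada@example.com', '555-010-1234', '4111111111111111', 1234.56);

-- Masks can be added to existing columns without touching the stored data:
ALTER TABLE dbo.Customers ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'default()');

-- A low-privilege reader with SELECT only (no UNMASK):
CREATE USER SupportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportReader;

EXECUTE AS USER = 'SupportReader';
SELECT FullName, Email, Phone, CardNumber, Balance FROM dbo.Customers;
-- FullName 'xxxx', Email 'aXXX@XXXX.com', Phone 'XXX-XXX-1234',
-- CardNumber 'XXXX-XXXX-XXXX-1111', Balance a random value in 1..100.
REVERT;

-- Caveat: the mask is applied to the result set, not to the stored value, so
-- predicates still evaluate against the real data and leak it bit by bit:
EXECUTE AS USER = 'SupportReader';
SELECT CustomerId FROM dbo.Customers WHERE Email LIKE 'ada%';   -- still returns the row
REVERT;

-- Inventory of masked columns, useful for a compliance review:
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

-- UNMASK lifts the mask for a principal; grant it deliberately and audit it.
GRANT UNMASK TO SupportReader;
```

The inference query is why DDM should sit behind a fixed application query layer: if the principal can write its own WHERE clause, masking slows an attacker down but does not stop them.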

Security management

Vulnerability assessment

Vulnerability assessment (VA) is an easily configured service that can discover, track, and help remediate potential database vulnerabilities in order to improve overall database security. VA is part of the advanced data security offering, a unified package of advanced SQL security capabilities, and it can be accessed and managed via the central SQL Advanced Data Security portal.

Data discovery and classification

Data discovery and classification provides advanced capabilities built into Azure SQL Database and SQL Managed Instance for discovering, classifying, labeling, and protecting the sensitive data in your databases. Discovering and classifying sensitive data is a foundation of an organisation's information protection posture, and it can serve as infrastructure for:

  • Firstly, various security scenarios, such as monitoring and alerting on anomalous access to sensitive data.
  • Secondly, controlling access to, and hardening the security of, databases containing highly sensitive data.
  • Lastly, helping in meeting data privacy standards and regulatory compliance requirements.

Reference: Microsoft Documentation
