Keeping Application Data Safe with Azure SQL

Posted on 18 May 2016

Moving your organisation's applications to the cloud can be a pretty scary prospect. How do you ensure that your clients' data is secure and that their private information will be adequately protected?

We recently worked on the security of a large-scale health application we are building in Australia. The application is hosted on Microsoft Azure and uses Azure SQL database services. Security is of the utmost importance for this system as it contains patient identifiable data.

Here are some of the key security features Azure SQL provides that form part of the solution and ensure data is protected at all times.

Row Level Security

One of the hardest parts of building any application is making sure that users can only access the data they are entitled to see. For instance, in a health application you want to make sure that one hospital can’t see another hospital’s patients.

With Row Level Security you can build the segregation of data as rules in the database through a set of security policies. So whenever a query is made against a table the user can only see the data that the rules say they have access to. The great advantage of this is that it will flow across all your applications, whether they be the transactional system, Power BI, API etc.

Individual developers no longer have to worry about baking these rules into each of their applications. This reduces the potential for data leaks, and it reduces the surface area of data exposed in an external attack should a third party obtain a username and password.

Encryption at Rest

Azure databases support encryption at rest. Azure encrypts database files ensuring the data held in the physical database files cannot be read without the encryption key. Your database backups will be encrypted as well. No more worrying about hackers stealing your physical database files!

Dynamic Data Masking

Using this feature means that values retrieved from the database can be automatically masked if the accessing user does not have the required permissions. For instance, you could ensure that a person’s name and contact details are shown as *** everywhere across all systems if the user does not have the permissions to view them. Protecting credit card details is another possible use of this feature.

Like Row Level Security this is a feature of the SQL Server database engine and masking takes place at the lowest level, regardless of client application.
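The Row Level Security and Dynamic Data Masking behaviour described above, sketched in T-SQL as an added example (not code from the original post or from the health application it describes). The table, column, function and user names and the sample rows are constructed for illustration.

```sql
-- Constructed schema; table, column, function and user names are assumptions.
CREATE TABLE dbo.Patient (
    PatientId  int IDENTITY PRIMARY KEY,
    HospitalId int NOT NULL,
    FullName   nvarchar(100) MASKED WITH (FUNCTION = 'partial(0,"***",0)') NOT NULL,
    Phone      varchar(20)   MASKED WITH (FUNCTION = 'partial(0,"***",0)') NULL
);
-- Maps each database user to the one hospital whose rows they may access.
CREATE TABLE dbo.UserHospital (
    UserName   sysname NOT NULL PRIMARY KEY,
    HospitalId int     NOT NULL
);
-- Constructed sample rows, loaded before the policy is switched on.
INSERT dbo.Patient (HospitalId, FullName, Phone)
VALUES (1, N'Sample Patient One', '555-0101'), (2, N'Sample Patient Two', '555-0102');
INSERT dbo.UserHospital VALUES (N'ClinicianA', 1), (N'ReportingB', 2);
GO
CREATE SCHEMA Security;
GO
-- Predicate: a row qualifies only when the current user is mapped to its hospital.
CREATE FUNCTION Security.fn_HospitalPredicate (@HospitalId int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS allowed
       FROM dbo.UserHospital AS uh
       WHERE uh.HospitalId = @HospitalId AND uh.UserName = USER_NAME();
GO
-- FILTER applies to reads; BLOCK rejects inserts made for another hospital.
CREATE SECURITY POLICY Security.PatientPolicy
    ADD FILTER PREDICATE Security.fn_HospitalPredicate(HospitalId) ON dbo.Patient,
    ADD BLOCK PREDICATE  Security.fn_HospitalPredicate(HospitalId) ON dbo.Patient AFTER INSERT
    WITH (STATE = ON);
GO
CREATE USER ClinicianA WITHOUT LOGIN;  -- mapped to hospital 1, granted UNMASK
CREATE USER ReportingB WITHOUT LOGIN;  -- mapped to hospital 2, no UNMASK
GRANT SELECT ON dbo.Patient TO ClinicianA, ReportingB;
GRANT UNMASK TO ClinicianA;
GO
-- Same query, run as each user, to compare the rows and values each one gets.
EXECUTE AS USER = 'ClinicianA';
SELECT HospitalId, FullName, Phone FROM dbo.Patient;
REVERT;
EXECUTE AS USER = 'ReportingB';
SELECT HospitalId, FullName, Phone FROM dbo.Patient;
REVERT;
```

Masking changes only what a query returns, not the stored data, and database owners or users granted UNMASK see the real values. The mapping table drives the policy, so write access to it should be limited to administrators.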

Azure Key Vault

Often one of the headaches in dealing with encryption is making sure that all the encryption keys and passwords are stored securely. With Azure Key Vault your keys can be stored centrally in hardware security modules (HSMs). The HSMs are certified to Federal Information Processing Standard (FIPS) Level 2, meaning that the keys stay within the HSM boundary. This prevents tampering and provides a high level of security.

An administrator can grant applications access permissions to the keys as needed, and this access can be logged to provide auditing.

Why Azure SQL?

These features of Azure ensure that data is secure, reduce the risk of accidental data leaks and reduce the development and testing effort. Most importantly, they give our client confidence that the solution can securely store patient data, and this is backed by Microsoft's world-class cloud security.

Azure SQL is a pay-as-you-go service with no upfront infrastructure costs. It allows users to start small and scale up (or down) as needed without termination fees. It also provides enterprise-level functionality for a fraction of the price of on-premises SQL Server licensing.

We're happy to help answer any questions you may have about Azure SQL.
