The Challenge
As developers, we are up against odds that push us to make trade-offs in order to go into production on time. More often than not, it’s a race where security becomes an afterthought.
Securing Azure SQL Databases
Security mechanisms come in many flavors. It is a requirement that needs to be defined and implemented on day 1. These rituals (policies and practices), must become natural in your application life cycle management. Consider these as a starting point from which you can develop your own security practices.
- Do not use the default user for development, testing or for deployments
- Create a user specifically for deployments (can perform schema alterations)
- Create a user on a per application basis (cannot alter schema and has limited write access)
- Create a user for support investigations (this should be read-only)
- Create individual accounts for members of DevOps who will need to act upon the database. (these accounts should have limited write access)
- Reference data should be read-only (immutable versions) and should only be updated through deployments. This type of data can be stored in NoSQL data services to augment the overall scalability of your application.
- Enable Auditing for Azure SQL Database, this feature will give you deep insight in how the database is manipulated and about how it is used.
- Use SQL Database Projects to design, build, version and deploy
- Use schemas to segregate tenants, reference data, activity data and resouce (shared) data.
- Use schemas to keep track of ownership chaining
- Encrypt connection string passwords at rest
- Use strong passwords
- Set Trusted_Connection=False in the connection string. This forces server certificate validation
- Set Encrypt=True in the connection string to force the client to use SSL
- Ensure that you are covered against SQL Injection
- SQL Database Firewall rules should block everything except the consuming applications
- SQL Database Firewall rules should be set on both the Server and Database