Data security in Azure Cloud and SQL environment

What is better than automation and security while developing code and digital products?

“While the goal of DevOps Services automation is to help development teams in faster deployment and monitoring of applications, DevSecOps adds security to the automation and contributes to enhancing the quality and efficiency of the software.”

(anchore.com)

A step towards a DevSecOps approach is to use the Azure Resource Manager deployment model and configure Vulnerability Assessment Baseline Rules for your SQL server and databases. Let’s take a look at how and why we do just that.

Activate, set and configure Vulnerability Assessments Baseline Rules

The first step is to activate Vulnerability Assessment (VA) on the SQL server. This can be done in several ways: through the Azure portal, with a PowerShell script, with the Azure Command Line Interface (CLI) or with an Azure Resource Manager template. This article focuses on Azure Resource Manager templates only.

Activate VA on the SQL server

You can choose to have one big ARM-template deploying all your resources, or dedicated ARM-templates for the different levels of resource deployment and configuration.

When using a dedicated ARM-template for your SQL server level resources, add the VA resource to the resources section, as shown below:

(Docs.Microsoft.com, 2019)

Set and configure VA Baseline Rules

The next step is to set and configure the VA Baseline Rules in the ARM-template. In the resources section of the template, add the specific baseline rule to configure, using the type:

"type":"Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines"

Make sure Vulnerability Assessment is enabled on the SQL server before adding baselines; a baseline resource has nothing to attach to otherwise.

Note that the baseline for the master database and the baseline for a user database are named differently, but take the same parameters.

  • Master database: "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA1143/master')]"
  • User database: "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA2065/default')]"

Then add it to the ARM-template; see the example of a baseline rule configured with the binary input "true". (Docs.Microsoft.com)
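As an added example (not the template from the original post, nor one of Microsoft's reference templates), the following minimal ARM-template enables VA on the server and then sets the VA1143 baseline from the list above to "true". The parameter names server_name and database_name, the resource type and the rule name come from the text; the va_storage_path and va_storage_key parameters (VA needs a storage container for scan results), the apiVersions and the dependsOn ordering are assumptions made for this example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "server_name": { "type": "string" },
    "database_name": { "type": "string" },
    "va_storage_path": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: blob container URL that receives VA scan results" }
    },
    "va_storage_key": {
      "type": "securestring",
      "metadata": { "description": "Assumed parameter: access key of the storage account above" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
      "apiVersion": "2018-06-01-preview",
      "name": "[concat(parameters('server_name'), '/default')]",
      "properties": {
        "storageContainerPath": "[parameters('va_storage_path')]",
        "storageAccountAccessKey": "[parameters('va_storage_key')]",
        "recurringScans": {
          "isEnabled": true,
          "emailSubscriptionAdmins": true
        }
      }
    },
    {
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2017-03-01-preview",
      "name": "[concat(parameters('server_name'), '/', parameters('database_name'), '/default/VA1143/master')]",
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'default')]"
      ],
      "properties": {
        "baselineResults": [
          { "result": [ "true" ] }
        ]
      }
    }
  ]
}
```

The dependsOn entry is what enforces the ordering the text asks for: the baseline is only deployed once the server-level VA resource exists.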

Why make use of Vulnerability Assessment Baseline Rules?

By enabling and using the SQL Vulnerability Assessment service in Azure, part of Microsoft's Advanced Data Security (ADS) offering, you can discover, track and help remediate potential database vulnerabilities. With this capability you proactively improve database security instead of reacting to findings after the fact.

“The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s best practices and focus on the security issues that present the biggest risks to your database and its valuable data” (Docs.Microsoft.com)

Since data today is so valuable, this is a great tool to help keep it safer.