Secure Azure Key Vault

Security is key factor in your operational consistency. You might have a Azure Key Vault configured like this;

Click on “Private endpoint and selected networks”. Click on “Add existing virtual networks” to allow communication between internal network.

This setting will enable internal services to access key vault. The selected internet facing IPv4 addresses will have access to key vault resource.

How to verify SQL Server is using NTLM / Kerberos authentication

You can execute the below TSQL Query to verify authentication used by SQL Server Connections.

USE master
GO

SELECT auth_scheme FROM sys.dm_exec_connections 
WHERE session_id = @@SPID;
GO

Expected Results

SQL – When SQL Server authentication is used
NTLM – When NTLM authentication is used
KERBEROS – When KERBEROS authentication is used

Reference

Azure Security and Encryption

Azure Active Directory is used for access controls. Azure AD can be used stand-alone. It offers Single sign-on, MFA, providing identities to services.

Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the data.

Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS), used in HTTPS.

By default, Azure encrypt/decrypt file storage data. It’s transparent to the user. Azure SQL Database used Transparent data encryption. It performs real-time encryption/decryption of the database at rest without requiring changes to the application. It’s enabled by default. TDE uses symmetric key called database encryption key. By default, Azure provides a unique encryption key per logical SQL server instance and handles all the details.

Azure key vault is used to keep application secrets.

Azure Security Monitor. Monitoring service that provides threat protection across all of your services. Azure Security Center is offered on Standard tier subscription. It’s $15 per node per month.

Does Azure commercial follow FEDRAMP guidelines?

This is the first question that will always be asked if you are setting up Azure for a client that works with government.

Both Azure and Azure Government uses same security controls. They are accessed and authorized at the FedRAMP high impact level. Azure Government provides an additional layer of protection to customers to screened US persons. This is used to store and process data subject to US export control regulation’s such as EAR, ITAR, and DoE 10 CFR Part 810.

Refer to this Microsoft article for details;

https://azure.microsoft.com/en-us/blog/all-us-azure-regions-now-approved-for-fedramp-high-impact-level/

Take time to see which environments meet your needs.  Many people are surprised at how robust the Azure [commercial] compliance space is.  https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

Resources;