Discover and Classify with SQL Advanced Security
Azure Compliance allows you to quickly deploy legal, compliance, and regulatory standards to your multi-cloud environments. Azure Compliance includes more than 100 standards, including certifications such as ISO 27001, PCI DSS, GDPR, and many more.
This post focuses on Data Discovery & Classification for Azure SQL.
Azure SQL provides an easy and efficient way to stand up relational database services for cloud and enterprise applications. As with any database platform, security remains a top concern, and Microsoft has not overlooked it: Azure SQL offers a variety of security features, including those in the Advanced Data Security package.
Cloud services and apps give every organization freedom, but they also create substantial blind spots for security teams, who remain responsible for Azure security and compliance. The question for every security team is how to extend its reach beyond on-premises security monitoring to Azure security monitoring without relying on a separate set of tools and monitoring approaches. And what about a multi-cloud environment?
In every cloud compliance program, we need to cover the topics below:
- Manage risk and compliance of any system: on-premises, in any cloud, or in hybrid environments
- Integrate Azure Policy and Blueprints with centralized compliance policy management of Azure workloads
- Speed up compliance in the cloud with control inheritance and automated continuous compliance
- Automate processes for risk assessment and compliance reporting
- Offer an executive dashboard for the at-a-glance status of risks
- Generate the documentation required for enterprise information assurance
In many cases, I can see how companies and security pros struggle with cloud compliance, whether for structured or unstructured data. It becomes worse in multi-cloud and hybrid environments.
Mapping, discovering, classifying, auditing, encrypting, and protecting sensitive data has become a critical pain point. Azure security and compliance offer many security controls to address these challenges.
Compliance for structured and unstructured data can be achieved with the following security platforms:
- Azure Purview
- Compliance 365
- Data Discovery & Classification
- Defender for Cloud
The good news is that each of these platforms can be used alone or integrated for a multi-cloud and hybrid environment.
Azure Advanced Data Security
Dynamic Data Masking helps prevent unauthorized access to sensitive data by letting customers designate how much sensitive data to reveal, with minimal impact on the application layer. It is a policy-based security feature that hides sensitive data in the result set of a query over designated database fields, while the data stored in the database is not changed.
Data Discovery & Classification is built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It provides essential capabilities for discovering, classifying, labeling, and reporting sensitive data in your databases.
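The masking behaviour described above, as an added T-SQL example that is not part of the original post. The table, the sample row and the ReportReader user are constructed for the demonstration; the masking functions are the built-in ones.

```sql
-- Added example (not from the original post): mask sensitive columns so that
-- non-privileged readers get obfuscated values while the stored data is unchanged.
-- The schema, sample row and user name below are constructed for this demo.
CREATE TABLE dbo.Customers (
    CustomerId INT           NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    -- email(): keeps the first character and a constant '.com' suffix
    Email      NVARCHAR(256) NOT NULL MASKED WITH (FUNCTION = 'email()'),
    -- partial(prefix, padding, suffix): exposes only the last 4 digits
    CardNumber CHAR(16)      NULL     MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)'),
    -- default(): numeric types are masked to zero
    Salary     MONEY         NULL     MASKED WITH (FUNCTION = 'default()')
);
INSERT INTO dbo.Customers
VALUES (1, N'Ada Lovelace', N'ada@example.com', '4111111111111111', 95000);
GO

-- A reporting principal with read access only; it has no UNMASK permission.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO

-- Queries run as ReportReader receive masked values in the result set;
-- the rows on disk are untouched.
EXECUTE AS USER = 'ReportReader';
SELECT Email, CardNumber, Salary FROM dbo.Customers;
REVERT;
GO

-- Only principals that legitimately need clear text get UNMASK.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT Email, CardNumber, Salary FROM dbo.Customers;   -- now unmasked
REVERT;
GO

-- Masks are metadata: list which columns are masked and with which function,
-- which is the check to run when reviewing a database's masking policy.
SELECT  t.name AS table_name,
        c.name AS column_name,
        c.masking_function
FROM    sys.masked_columns AS c
JOIN    sys.tables AS t ON t.object_id = c.object_id
WHERE   c.is_masked = 1
ORDER BY t.name, c.name;
```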
Microsoft Defender for Cloud includes two Microsoft Defender plans that extend Microsoft Defender for Cloud’s data security package to secure your databases and their data wherever they’re located. Microsoft Defender for SQL includes functionalities for discovering and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate a threat to your databases.
Transparent Data Encryption (TDE) encrypts your databases, backups, and logs at rest without any changes to your application. To enable encryption, go to each database.
The Advanced Data Security package for Azure SQL provides administrators with a single go-to location for discovering and classifying data, assessing and addressing potential database vulnerabilities, and visibility into the anomalous and potentially malicious activity that is taking place. Once it’s enabled for your SQL Database server or managed instance, you will be provided with three distinct sets of functionality:
- Data Discovery & Classification – Discover, classify, label, and protect the data within your Azure SQL databases.
- Vulnerability Assessment – Discover and track potential vulnerabilities and security misconfigurations, with actionable steps that can be taken to fortify your database security posture.
- Advanced Threat Protection – Continuously monitor your database for suspicious activity, with real-time alerts on potential vulnerabilities.
Data Discovery & Classification
Data Discovery & Classification currently supports the following capabilities:
- Discovery and recommendations: The classification engine scans your database and identifies columns that contain potentially sensitive data. It then provides you with an easy way to review and apply the recommended classifications via the Azure portal.
- Labeling: You can apply sensitivity-classification labels persistently to columns by using new metadata attributes added to the SQL Server database engine. This metadata can then be used for sensitivity-based auditing scenarios.
- Query result-set sensitivity: The sensitivity of a query result set is calculated in real time for auditing purposes.
- Visibility: You can view the database-classification state in a detailed dashboard in the Azure portal. Also, you can download a report in Excel format to use for compliance and auditing purposes and other needs.
Define Classification
Data Discovery & Classification comes with a built-in set of sensitivity labels, information types, and discovery logic. You can customize this taxonomy and define a group and ranking of classification constructs specifically for your environment.
You define and customize your classification taxonomy in one central place for your entire Azure organization. That location is in Microsoft Defender for Cloud as part of your security policy. Only someone with administrative rights in the organization’s root management group can do this task.
As part of policy management, you can define custom labels, rank them, and associate them with a selected set of information types. You can also add your custom information types and configure them with string patterns. The patterns are added to the discovery logic for identifying this type of data in your databases.
Benefits of the Data Discovery & Classification feature are:
- Compliance with the industry data privacy standards and regulatory requirements such as General Data Protection Regulation (GDPR).
- Extra security layer for data warehouses
- Monitoring and alerting on unauthorized access to sensitive data
- Data visualization dashboards in the Azure portal
These are the activities that are auditable with sensitivity information:
- ALTER TABLE … DROP COLUMN
- BULK INSERT
- DELETE
- INSERT
- MERGE
- UPDATE
- UPDATETEXT
- WRITETEXT
- Much more
NOTE: Data Discovery & Classification is built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. If you need to map, discover and classify other databases (MySQL, RDS, etc.), you can work with Azure Purview.
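Since the activities above are audited together with the sensitivity of the data they touched, the audit log can be filtered on that information. The following T-SQL is an added example, not from the original post; it assumes Azure SQL auditing writes to a storage account (the URL is a placeholder for your own audit container), that the built-in label name 'Highly Confidential' is in use, and that the reader has permission to read the audit files.

```sql
-- Added example (not from the original post): read Azure SQL audit records and
-- keep only statements that touched classified columns.
-- Placeholder URL: replace <storage-account>, <server> and <database>.
SELECT  event_time,
        server_principal_name,
        client_ip,
        database_name,
        object_name,
        action_id,                      -- SL = SELECT, IN = INSERT, UP = UPDATE, DL = DELETE
        statement,
        data_sensitivity_information    -- labels / information types hit by the statement
INTO    #sensitive_events
FROM    sys.fn_get_audit_file(
            'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/SqlDbAuditing_ServerAudit/*.xel',
            DEFAULT, DEFAULT)
WHERE   data_sensitivity_information IS NOT NULL
  AND   data_sensitivity_information <> ''
  AND   succeeded = 1;

-- 1) Raw trail: who read or changed data labelled 'Highly Confidential',
--    most recent first. The label string is assumed from the built-in taxonomy.
SELECT  event_time, server_principal_name, client_ip, object_name, action_id, statement
FROM    #sensitive_events
WHERE   action_id IN ('SL', 'IN', 'UP', 'DL')
  AND   data_sensitivity_information LIKE '%Highly Confidential%'
ORDER BY event_time DESC;

-- 2) Summary per principal and object, so an unexpected account touching
--    classified data stands out for review.
SELECT  server_principal_name,
        object_name,
        COUNT(*)        AS statements,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM    #sensitive_events
WHERE   action_id IN ('SL', 'IN', 'UP', 'DL')
GROUP BY server_principal_name, object_name
ORDER BY statements DESC;

DROP TABLE #sensitive_events;
```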
Work with Data Discovery & Classification
How do you deploy, configure, discover, and classify Azure SQL? Azure provides a simple approach to knowing what you have and an even simpler way to apply classification.
First, go to the relevant Azure SQL database blade, and then to Security. From this view, go to Data Discovery & Classification.
In Data Discovery & Classification, on the Overview tab, choose the Configure option. It takes you to SQL Information Protection.
Customize Information Types and Sensitivity Labels – While Azure SQL provides a built-in set of information types and sensitivity labels, you can define your own set and ranking of classification constructs specifically for your environment.
This is done within Azure Security Center for the Azure tenant and applies tenant-wide, not solely to Azure SQL. Once the tenant-wide policy has been defined, the custom types and labels can be used through the Data Discovery & Classification feature for the individual Azure SQL databases.
From SQL Information Protection, you can check, create, and customize existing or new labels.
The advantage of SQL Information Protection is that an information type can be attached to one or more labels.
To configure a new classification, go to Classification and choose Add classification.
On the classification page, you set the options below:
- Schema
- Table Name
- Column Name
- Information Type
- Sensitivity Label
You can view all sensitivity labels applied by querying the sys.sensitivity_classifications catalog view. Reference articles on managing these labels via the published REST API or Azure PowerShell are listed below.
- Manage Sensitivity Labels via published REST API
- Manage Sensitivity Labels via Azure PowerShell for Azure SQL Database
- Manage Sensitivity Labels via Azure PowerShell for managed instance
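The same classification the portal applies can be scripted in T-SQL and verified against sys.sensitivity_classifications. This is an added example, not from the original post; it assumes an existing dbo.Customers table with Email and NationalId columns and uses label and information-type names from the built-in taxonomy.

```sql
-- Added example (not from the original post): apply sensitivity labels in T-SQL
-- and inventory every classified column in the database.
-- Assumes dbo.Customers (Email, NationalId) already exists.

-- LABEL / INFORMATION_TYPE must match names in the effective taxonomy
-- (built-in, or custom ones defined in SQL Information Protection).
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.Email
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);

ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.NationalId
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'National ID', RANK = HIGH);
GO

-- Inventory: the catalog view stores object/column ids, so join to
-- sys.tables / sys.schemas / sys.columns for readable names.
SELECT  s.name  AS schema_name,
        t.name  AS table_name,
        c.name  AS column_name,
        sc.label,
        sc.information_type,
        sc.rank_desc
FROM    sys.sensitivity_classifications AS sc
JOIN    sys.tables  AS t ON t.object_id = sc.major_id
JOIN    sys.schemas AS s ON s.schema_id = t.schema_id
JOIN    sys.columns AS c ON c.object_id = sc.major_id
                        AND c.column_id = sc.minor_id
WHERE   sc.class = 1                 -- 1 = object or column classification
ORDER BY s.name, t.name, c.name;
GO

-- Compliance check: columns with a HIGH or CRITICAL rank that have no
-- dynamic data mask, i.e. classified but still returned in clear text.
SELECT  t.name AS table_name, c.name AS column_name, sc.label, sc.rank_desc
FROM    sys.sensitivity_classifications AS sc
JOIN    sys.tables  AS t ON t.object_id = sc.major_id
JOIN    sys.columns AS c ON c.object_id = sc.major_id
                        AND c.column_id = sc.minor_id
LEFT JOIN sys.masked_columns AS mc ON mc.object_id = c.object_id
                                  AND mc.column_id = c.column_id
WHERE   sc.rank_desc IN ('HIGH', 'CRITICAL')
  AND   (mc.is_masked IS NULL OR mc.is_masked = 0);
GO

-- Removing a label, e.g. when a column leaves scope:
DROP SENSITIVITY CLASSIFICATION FROM dbo.Customers.NationalId;
```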