The Coeo Blog

How Vulnerable is Your Data? Stop Malware Attacks using Azure SQL Database

Written by Andy Jones | 09-Nov-2017 08:30:00

"We are going to see 2 or 3 more of these seismic events in the next 12 Months"  RunAsRadio, episode 546 http://runasradio.com/Shows/Show/546

Ransom Demands

People don't notice great security practice. End users and business managers want new features and better performance, which sometimes pushes security down the priority list for IT professionals. It is when ransomware such as WannaCry https://en.wikipedia.org/wiki/WannaCry_ransomware_attack or Petya https://en.wikipedia.org/wiki/Petya_(malware) decimates your network, compromises data and takes services offline that people tend to notice. The quote at the top refers to potential future attacks. If that worries you, this post discusses using Azure SQL Database to mitigate your risk.

Great Benefits

We have long spoken about the vast benefits of using Azure SQL Database. To recap some fantastic features:

  • Faster speed to market with no delays in infrastructure procurement
  • No capital expenditure for hardware or licensing
  • Automatic patching
  • Receive security updates and new features automatically
  • Automatic checking of database integrity
  • High availability and disaster recovery built-in options
  • No definitive up-front decision required for CPU, memory and storage
  • Scaling up and down via the Azure portal
  • Data available for consumption by other services such as Power BI and Azure Machine Learning without requiring a data gateway
  • No access to the OS
  • SQL Database Threat Detection
  • Vulnerability assessment
  • Automatic tuning

All great features that should make Azure SQL Database the number one choice when designing the architecture of a new SQL Server solution. This post is going to specifically discuss the benefits in the context of security. A traditional on-premises SQL Server Security Audit might include checking the following items:

  • Windows patches applied
  • SQL Server patches applied
  • Different AD account for all services
  • Accounts running services are not domain admin
  • Remove high-privileged logins if appropriate
  • Trustworthy database property
  • Cross database ownership chaining
  • CLR enabled
  • xp_cmdshell enabled
  • Disable and rename the sa account
  • Windows authentication only if possible
  • Transparent Data Encryption
  • Always Encrypted
  • Dynamic Data Masking
  • SQL Injection / Dynamic SQL
  • Strong Passwords
  • Use Principle of Least Privilege
  • Audit failed logins and alert
  • Do users RDP to servers / what permissions does their account have?
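
Several of the checklist items above can be read straight from catalog views on an on-premises instance. The following T-SQL is an added example, not part of the original post; it assumes a login with VIEW SERVER STATE and VIEW ANY DEFINITION on SQL Server 2012 or later.

```sql
-- Added example: read-only audit queries for an on-premises SQL Server instance.

-- Instance-level features from the checklist (1 = enabled).
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'cross db ownership chaining');

-- Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- The sa login keeps SID 0x01 even after a rename, so look it up by SID.
SELECT name AS sa_login_name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- Service accounts: look for shared accounts across services.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- High-privileged logins: every member of the sysadmin fixed server role.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE r.name = N'sysadmin';

-- Enabled SQL logins that bypass the Windows password policy.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0 AND is_policy_checked = 0;

-- Per-database settings: TRUSTWORTHY, ownership chaining and TDE.
-- System databases are skipped (msdb is TRUSTWORTHY by default).
SELECT name, is_trustworthy_on, is_db_chaining_on, is_encrypted
FROM sys.databases
WHERE database_id > 4;
```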

What is fascinating is how many items we can remove from our checklist when using Azure SQL Database:

  • Windows patches applied
  • SQL Server patches applied
  • Different AD account for all services
  • Accounts running services are not domain admin
  • Remove high-privileged logins if appropriate
  • Trustworthy database property
  • Cross database ownership chaining
  • CLR enabled
  • xp_cmdshell enabled
  • Disable and rename the sa account
  • Windows authentication only if possible
  • Transparent Data Encryption (although on by default)
  • Always Encrypted
  • Dynamic Data Masking
  • SQL Injection / Dynamic SQL
  • Strong Passwords (password policy is enforced)
  • Use Principle of Least Privilege
  • Audit failed logins and alert
  • Do users RDP to servers / what permissions does their account have?


Good Practice by Design

The items removed from the list are simply not available with Azure SQL Database, making bad practice in these areas impossible. What is left is the control of data access. Define who can connect and from which IP range, and grant them only the minimum permissions required to fulfil their role. It was ever thus: the Principle of Least Privilege should be the cornerstone of any security strategy, regardless of the infrastructure platform.
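
One way to express that data-access control in Azure SQL Database, as an added example that is not part of the original post. The rule name, IP range (RFC 5737 documentation addresses), user, role and schema names are hypothetical, and the password is a placeholder.

```sql
-- Added example. Run inside the user database as a database administrator.
-- app-tier, report_reader, sales_reader and Sales are hypothetical names.

-- 1. Who can connect, and from where: a database-level firewall rule.
EXECUTE sp_set_database_firewall_rule
    @name             = N'app-tier',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- 2. A contained user that exists only in this database (no server login).
CREATE USER report_reader WITH PASSWORD = '<placeholder: strong password>';

-- 3. Minimum permissions through a role: read-only on a single schema.
IF SCHEMA_ID(N'Sales') IS NULL EXECUTE (N'CREATE SCHEMA Sales');
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER report_reader;

-- 4. Review what is actually in place.
-- Firewall rules scoped to this database:
SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;

-- Explicit permissions held by the new user and role:
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 3 THEN SCHEMA_NAME(pe.major_id) END AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'sales_reader', N'report_reader');

-- Role membership, including anyone holding db_owner:
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'sales_reader');
```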

Bye to Remote Desktop

Data governance is as valid as it has ever been. With Azure SQL Database, however, security of the infrastructure is abstracted away and provided as part of your subscription. You are then in a wonderful position the next time malware propagates around the world. Instead of hoping that all will be well and nobody will remote desktop to your unpatched SQL Servers with malicious intent, you can guarantee it. It is impossible to authenticate to Windows on a server hosting Azure SQL Database or to run a version of the platform not at the latest patch level. A truly reassuring statement to give to your business stakeholders.

There has long been debate regarding the practice of installing SQL Server Management Studio on database servers:

  • Yes - you want to connect using the local dedicated admin connection if your database server is unresponsive
  • No - do not encourage users to log on to the database server

The no camp is all too aware of the danger of propagating malware by logging on directly to the database server. With Azure SQL Database, there is no access to the operating system, so that avenue of attack is blocked.

Security Concierge

You also have the might of Microsoft constantly working on security on your behalf. A problem discovered on one server is fixed and patched for everyone; this is the true power of cloud computing. Just last month, in October 2017, the Bad Rabbit ransomware surfaced. Microsoft Threat Intelligence Center subsequently released the notification "Microsoft Antimalware for Azure services and virtual machines, were updated to detect and protect against this threat". Consumers of such Azure services are now protected, without having to take any action.

Microsoft is Better at Security

Some might be reluctant to hand over control of their infrastructure to a third-party cloud provider, but Microsoft is better at security than most companies out there trying to manage these constant threats in-house. Microsoft uses Azure services and infrastructure itself, and is working on improving security 24 hours per day on your behalf. You might be using features currently incompatible with Azure SQL Database, which would require application changes. However, some engineering effort could unlock all the fantastic features that Azure SQL Database provides; the benefits are too great to ignore.

Are you interested in migrating your data to Azure SQL Database? Contact Coeo for assistance in all aspects:

  • Discovery phase - ensure your database is compatible
  • Migration phase - efficiently move your database to the cloud
  • Operational phase - performance monitoring, service level choice, cost management, high availability and security