You wouldn’t allow simple single-factor authentication for your social media or personal email accounts, so is it appropriate for your corporate highly-sensitive data?
Many companies have experienced security incidents with data loss and ransomware attacks. It is no longer good enough to secure the network layer and hope for the best. The solution is to follow the Zero-Trust security principles of:
- Verify explicitly
- Least privilege access
- Assume breach
In this post, I want to discuss one feature of Azure SQL Database and Azure SQL Managed Instance that became Generally Available in November 2021, namely Azure AD-only authentication.
Users have long had the option to authenticate to SQL Server with a simple username and password (SQL authentication) or with integrated Windows authentication. The Platform-as-a-Service Azure SQL offerings add a third option suited to a cloud-first world: Azure Active Directory authentication.
Assume breach means you acknowledge that an attacker will reach your database and attempt to authenticate to it. With SQL authentication, a password is all that stands between them and your data. Do all your users choose unique, strong passwords, rotate them regularly, and never store them in plain text? If not, the question is what you can do about it. Enter Azure AD-only authentication.
Below is a snippet of the Bicep file to include in your deployment pipeline, with azureADOnlyAuthentication set to true. The excerpt is one section of a script that deploys an Azure SQL Database.
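The following Bicep is an added example that is not the author's original snippet: it shows the shape of an Azure SQL logical server declared with an Azure AD administrator and azureADOnlyAuthentication set to true. The parameter names, the Azure AD group used as administrator, and the API version are assumptions for illustration; only the azureADOnlyAuthentication setting comes from the post.

```bicep
// Added example (not the post's original snippet). Deploys an Azure SQL logical
// server that accepts Azure AD authentication only. Parameter names are assumed.
param serverName string
param location string = resourceGroup().location

// Azure AD principal that becomes the server administrator. An AAD group is
// assumed here; its object id is passed in rather than hard-coded.
param aadAdminLogin string
param aadAdminObjectId string
param aadTenantId string = subscription().tenantId

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: serverName
  location: location
  properties: {
    // No administratorLogin / administratorLoginPassword: with AAD-only
    // authentication the server needs no SQL admin credentials at all.
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: aadAdminLogin
      sid: aadAdminObjectId
      tenantId: aadTenantId
      // The setting this post is about: SQL logins cannot authenticate.
      azureADOnlyAuthentication: true
    }
  }
}

output sqlServerName string = sqlServer.name
```

After deployment you can confirm the setting is in effect with `az sql server ad-only-auth get --resource-group <rg> --name <server>`, which should report `azureAdOnlyAuthentication: true`; a value of false means a SQL login could still authenticate and the pipeline has not applied the setting as intended.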
The result is that the box “Support only Azure Active Directory authentication for this server” is checked in the Azure portal, and SQL logins can no longer authenticate to this server. You then build your authentication and authorisation in one place, Azure Active Directory, take advantage of its rich security capabilities, and adhere to the Verify Explicitly zero-trust principle. In Azure Active Directory you can require multi-factor authentication, trusted locations, compliant devices and much more, which significantly enhances your security posture.
Of course, before configuring Azure AD-only authentication, you must perform due diligence and a login audit to verify whether SQL logins are still a requirement for your Azure SQL database. For example, you might support a third-party app that requires SQL logins. The critical point is to consider whether SQL logins are an absolute necessity or just how you have always done things. You wouldn’t allow simple single-factor authentication for your social media or personal email accounts, so is it appropriate for your corporate highly-sensitive data?