Hello, Cybrarians. Welcome to this lesson on Azure SQL security.
This lesson is part of Module 8 of the AZ-500 Microsoft Azure Security Technologies course.
Here is a quick overview of what we will be covering in this lesson.
We'll start with an overview of the SQL options in Azure, and then look at our responsibilities relating to Azure SQL security. In particular, we'll cover the following aspects of Azure SQL security: network security,
access management, threat protection, information protection,
logging and auditing. Let's get right into it.
When we talk about SQL options in Azure, it is important to discuss the options that are available so that we clarify the scope of what the exam objectives cover.
We have two categories of options, namely infrastructure as a service (IaaS) and platform as a service (PaaS). Under IaaS, we have the option to run SQL Server on an Azure virtual machine.
This is typical of what most organizations already do on premises.
The downside is that we are responsible for managing the operating system and the SQL Server application, and going forward we have to perform the ongoing maintenance of these components ourselves. Under the PaaS category,
we have the Azure SQL Database option, which can be implemented as a single database with dedicated resources or as an elastic pool of databases that share the same resources. Azure SQL Database is the best option for modern cloud applications.
The advantage is that we don't have to manage operating system or application maintenance.
All of that is taken care of for us by Microsoft. However, Azure SQL Database is missing some capabilities that are available in on-premises SQL Server, so it will not be the best destination for lift-and-shift scenarios. The second option under the PaaS category
is the Azure SQL Managed Instance option.
This is still a platform service,
with the operating system and application components managed by the platform. However, this option has a high degree of compatibility with on-premises SQL Server, and it is also deployed into a private virtual network, which makes it the best destination for lift-and-shift scenarios.
It is sort of like the best of both worlds.
We don't have to manage the operating system or the application, yet we still get the majority of the benefits that we get with on-premises SQL Server. Now, for the purpose of discussing the exam objectives, our focus will be on Azure SQL Database. However,
what we will be discussing is also applicable to SQL Managed Instance in many cases.
So when we talk about a platform database service like Azure SQL Database, it is true that we have fewer responsibilities to look after. We don't have to deal with OS and application patching, as we mentioned earlier. However, we still have security responsibilities. We have to look after network security,
we have to look after access management,
threat protection, information protection, monitoring, logging and auditing. So let's go and have a look at these different responsibilities that we still have to deal with.
Let's start by looking at network security. Best practice number one for Azure SQL Database is to deny public access, or to restrict access to only trusted IP addresses.
To do this, we use the server-level firewall rules. By default, no one can connect to an Azure SQL database. However, do not add a rule that allows all addresses (0.0.0.0 to 255.255.255.255), as that will grant network access to the entire Internet, which is not good. The other best practice is to implement a private endpoint
for private network access, as shown in the diagram on the screen.
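As an added example (not part of the lesson or its demo), here is how the two network controls just described are applied with the Az PowerShell module (Az.Sql and Az.Network), plus a check for the "allow everything" rule the lesson warns about. The resource group, server, virtual network, subnet and IP range are placeholders.

```powershell
# Added example: Azure SQL network security with Az PowerShell.
# Placeholder names; replace with your own. Requires Az.Sql and Az.Network, and Connect-AzAccount first.
$rg     = 'rg-sql-demo'
$server = 'sql-demo-server'          # logical server name, without .database.windows.net

# 1. Server-level firewall rule: allow only a trusted corporate egress range (inclusive IPv4 range).
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName 'corp-egress' `
    -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.20'

# 2. Audit existing rules for over-broad ranges. A start address of 0.0.0.0 is either the
#    0.0.0.0-255.255.255.255 "whole Internet" rule or the portal's "Allow Azure services"
#    rule (0.0.0.0-0.0.0.0), which lets any Azure tenant's resources reach the server.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.StartIpAddress -eq '0.0.0.0' } |
    ForEach-Object {
        Write-Warning ("Over-broad rule '{0}': {1}-{2}" -f $_.FirewallRuleName, $_.StartIpAddress, $_.EndIpAddress)
        # Uncomment to remove it:
        # Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server -FirewallRuleName $_.FirewallRuleName
    }

# 3. Private endpoint: the server gets a private IP in the VNet subnet, so clients in the
#    network (or connected over VPN/ExpressRoute) never traverse the public endpoint.
$sqlId  = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).ResourceId
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-data'

$plsc = New-AzPrivateLinkServiceConnection -Name 'sql-demo-plsc' `
    -PrivateLinkServiceId $sqlId -GroupId 'sqlServer'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-sql-demo' -Location $vnet.Location `
    -Subnet $subnet -PrivateLinkServiceConnection $plsc

# 4. With the private endpoint in place, turn the public endpoint off entirely.
#    Firewall rules then no longer matter because nothing is listening publicly.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -PublicNetworkAccess 'Disabled'
```

Clients must resolve `<server>.database.windows.net` to the private IP for step 3 to be used; in practice that means linking a `privatelink.database.windows.net` private DNS zone to the VNet, which is not shown above.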
When it comes to server and database access, the first thing that we want to control is who has access to the management plane, so that we can limit who can make configuration changes. We use Azure RBAC to control this. But when it comes to accessing our databases,
there are two authentication options that we have. We have the SQL authentication option, which is sort of like a locally stored username and password. What happens is that when we create a SQL server in Azure, we need to specify a local server admin credential. We can then use that local admin credential
to create other users locally to manage the databases.
The second option is to configure Azure Active Directory authentication,
so that Azure AD can authenticate access to the SQL server and its databases. When using Azure AD, these can be cloud-only identities or hybrid identities. Now, the best practice is to implement Azure AD authentication, as this provides stronger security and it is also centrally managed.
We'll go through this in the demo, which is in the next lesson.
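As an added example (not the lesson's demo), this script separates the two planes just described: an RBAC assignment scoped to the logical server for the management plane, and Azure AD authentication for the data plane, with a contained database user created from an Azure AD group. Group names, the resource group, server and database are placeholders; it assumes the Az module (Az.Sql 3.0 or later for the AD-only cmdlet, Az.Accounts 2.x/3.x where `Get-AzAccessToken` returns the token as a plain string) and the SqlServer module for `Invoke-Sqlcmd`.

```powershell
# Added example: management-plane vs data-plane access for Azure SQL.
# Placeholder names; replace with your own. Requires Az.Sql, Az.Resources, Az.Accounts and SqlServer modules.
$rg     = 'rg-sql-demo'
$server = 'sql-demo-server'
$db     = 'appdb'

# --- Management plane: Azure RBAC, scoped to the server resource, not the subscription ---
$serverId  = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).ResourceId
$operators = Get-AzADGroup -DisplayName 'sg-sql-operators'
# SQL Server Contributor can change server/database configuration but grants no data access.
New-AzRoleAssignment -ObjectId $operators.Id -RoleDefinitionName 'SQL Server Contributor' -Scope $serverId

# --- Data plane: Azure AD authentication ---
# Set an Azure AD *group* (not a single person) as the server's AD admin, so admin rights
# are managed centrally and survive staff changes.
$admins = Get-AzADGroup -DisplayName 'sg-sql-admins'
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server `
    -DisplayName $admins.DisplayName -ObjectId $admins.Id

# Optional hardening beyond what the lesson covers: reject SQL authentication entirely,
# so the local server admin login can no longer be used (Az.Sql 3.0+).
Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $rg -ServerName $server

# Connect as the AD admin using an access token (no password in the script) and create a
# contained database user mapped to an Azure AD group with read-only rights.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $db -AccessToken $token -Query @"
CREATE USER [sg-app-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sg-app-readers];
"@

# Verify: list the principals in the database and their authentication type.
Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $db -AccessToken $token -Query @"
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('E','X','S') AND name NOT LIKE '##%';
"@
```

`type_desc` of `EXTERNAL_USER`/`EXTERNAL_GROUP` in the last query confirms the principal is an Azure AD identity, while `SQL_USER` with `authentication_type_desc = 'DATABASE'` is a locally stored password of the kind the lesson recommends moving away from.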
Another security capability that we can enable for Azure SQL is threat protection. Threat protection is a service that analyzes the SQL server's logs
and attempts to detect unusual behavior and harmful attempts to access or exploit our databases. This service is integrated with Azure Security Center,
so that any suspicious or unusual activity detected raises an alert in Azure Security Center. We will then be able to view the details of the suspicious activity and the recommendations for further investigation. Advanced Threat Protection can be enabled per server for an additional fee, so there is a cost component to consider.
When we talk about Azure SQL information protection, we are mainly referring to encryption. For encryption in transit, the best practice is to set the client connection string to use an encrypted connection
and not to trust the server certificate. The benefit of this is that it forces our clients to verify the server certificate,
which prevents man-in-the-middle type attacks. For encryption at rest, all newly created databases are encrypted by default using a platform-managed encryption key.
This is called Transparent Data Encryption, or TDE. Although it can be turned off per database, it should be left enabled.
However, customers who prefer to use their own encryption keys instead can configure customer-managed keys stored in Azure Key Vault for this purpose. We can also implement a technology called Always Encrypted. This helps to protect sensitive data at rest on the database server.
This is an extra level of protection. It ensures that sensitive data like credit card numbers and national identification numbers appear
as encrypted information inside the database system. In this scenario, only a client application that has access to the encryption keys can access the data. Not even a database administrator can read the data in plain text in the database.
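As an added example (not from the lesson), the script below covers the two encryption settings we control directly: a small check that a connection string enforces encryption in transit the way just described, and the switch from the platform-managed TDE protector to a customer-managed key in Azure Key Vault. The vault, key, resource group and server names are placeholders; the Key Vault is assumed to already have soft-delete and purge protection enabled, which Azure SQL requires for a TDE protector.

```powershell
# Added example: Azure SQL information protection with PowerShell.
# Placeholder names; replace with your own. Requires Az.Sql and Az.KeyVault.
$rg     = 'rg-sql-demo'
$server = 'sql-demo-server'
$vault  = 'kv-sql-demo'              # assumed: soft-delete and purge protection already on

# --- Encryption in transit: check a connection string before it ships ---
# Uses System.Data.SqlClient (available in Windows PowerShell 5.1 and PowerShell 7) purely to
# parse the string; no connection is opened.
function Test-SqlConnectionStringEncryption {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $ConnectionString
    # Encrypt=True forces TLS; TrustServerCertificate=False makes the client validate the
    # server certificate chain, which is what defeats a man-in-the-middle proxy.
    [pscustomobject]@{
        DataSource             = $b.DataSource
        Encrypt                = $b.Encrypt
        TrustServerCertificate = $b.TrustServerCertificate
        Compliant              = ($b.Encrypt -and -not $b.TrustServerCertificate)
    }
}

# Constructed sample strings: the first is the weak form, the second the recommended form.
Test-SqlConnectionStringEncryption 'Server=tcp:sql-demo-server.database.windows.net,1433;Database=appdb;Encrypt=False;TrustServerCertificate=True'
Test-SqlConnectionStringEncryption 'Server=tcp:sql-demo-server.database.windows.net,1433;Database=appdb;Encrypt=True;TrustServerCertificate=False'

# --- Encryption at rest: customer-managed TDE protector (bring your own key) ---
# 1. The server needs a managed identity that Key Vault will trust.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
$principalId = (Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).Identity.PrincipalId

# 2. Least privilege on the key: only the operations TDE needs, nothing else.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 3. Register the key with the server and make it the protector. $key.Id is the
#    versioned key URL, which is what Azure SQL expects.
$key = Get-AzKeyVaultKey -VaultName $vault -Name 'tde-protector'
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id

# 4. Verify the protector and confirm TDE is still Enabled on every user database.
Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server
Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server |
    Where-Object DatabaseName -ne 'master' |
    ForEach-Object {
        Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $_.DatabaseName
    }
```

The operational caveat with a customer-managed protector is that the key becomes a single point of failure: if the server's identity loses access to it, or the key is deleted, the databases become inaccessible, which is why purge protection and an access-policy review belong in the same change.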
Regarding logging, the best practice is to configure diagnostic settings for Azure SQL to collect resource logs.
Resource logs, also referred to as data-plane logs, collect database-level information like errors, timeouts, blocks and deadlocks. When we enable the collection, we can choose to send the information that we are collecting to a Log Analytics workspace,
to an Azure Event Hub, or to an Azure Blob storage container.
Azure SQL auditing allows us to audit server- or database-level events and also to report on database activities. We can configure auditing at the server or database level, and using the Azure portal we can enable or disable the auditing policy.
We can also configure the destination for the events that we are auditing.
However, we have to use Azure PowerShell or the Azure REST API to configure the actual audit policy, that is, the action groups that define the events we want to audit. Here are some supplemental links for further study on the topics covered in this lesson,
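The threat protection, resource log and auditing settings discussed above are one telemetry pipeline in practice, so here they are together as a single added example (not from the lesson): Advanced Threat Protection on the server, diagnostic settings shipping the database's resource logs to Log Analytics, and server-level auditing with an explicit action-group list, which is the part the portal does not expose. Resource group, server, database and workspace names are placeholders; the cmdlets assume Az.Sql 2.x or later and Az.Monitor 3.0 or later (`New-AzDiagnosticSetting` replaced the older `Set-AzDiagnosticSetting`).

```powershell
# Added example: threat protection, resource logs and auditing for Azure SQL.
# Placeholder names; replace with your own. Requires Az.Sql, Az.Monitor, Az.OperationalInsights.
$rg     = 'rg-sql-demo'
$server = 'sql-demo-server'
$db     = 'appdb'
$ws     = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-sec'

# --- Advanced Threat Protection (billed per server) ---
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server
# Route alerts to the SOC mailbox as well as the subscription admins.
Update-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $rg -ServerName $server `
    -NotificationRecipientsEmails 'secops@example.com' -EmailAdmins $true

# --- Resource (data-plane) logs via diagnostic settings, per database ---
$dbId = (Get-AzSqlDatabase -ResourceGroupName $rg -ServerName $server -DatabaseName $db).ResourceId
$logs = 'Errors', 'Timeouts', 'Blocks', 'Deadlocks' | ForEach-Object {
    New-AzDiagnosticSettingLogSettingsObject -Category $_ -Enabled $true
}
New-AzDiagnosticSetting -Name 'sql-resource-logs' -ResourceId $dbId `
    -WorkspaceId $ws.ResourceId -Log $logs

# --- Auditing at the server level (inherited by every database on the server) ---
# The portal only toggles auditing and picks a destination; the action groups, i.e. which
# events are recorded, and the optional predicate filter are set here.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $ws.ResourceId `
    -AuditActionGroup 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP',
                      'FAILED_DATABASE_AUTHENTICATION_GROUP',
                      'BATCH_COMPLETED_GROUP' `
    -PredicateExpression "statement <> 'SELECT 1'"   # drop connection keep-alive noise

# --- Verify what is actually in force ---
Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $rg -ServerName $server
Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server |
    Select-Object LogAnalyticsTargetState, AuditActionGroup, PredicateExpression
```

With audit events landing in the workspace, failed logins show up in the `AzureDiagnostics` table with `Category == "SQLSecurityAuditEvents"` and `action_name_s == "DATABASE AUTHENTICATION FAILED"`, which is the usual starting point for a brute-force detection rule.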
and here is a summary of what we have covered.
We started with an overview of the SQL options in Azure. We then had a look at our responsibilities relating to Azure SQL security, and discussed the following aspects: network security, access management, threat protection, information protection, logging and auditing,
as they relate to Azure SQL security.
Thanks very much for watching, and I'll see you in the next lesson.