Azure Cloud Database

Data breaches are now an expected event, so sensitive data in Azure SQL databases has to be secured, which is why data security implementation is gaining momentum across every community. We covered one of the features of Advanced Data Security in Advanced Data Security in Azure SQL Database – Data Discovery & Classification. In this article, let’s dive further into the other two features that Azure SQL offers with this capability.

Vulnerability Assessment

SQL professionals have to continually assess ever-changing and growing databases for potential vulnerabilities (like SQL injection, misconfigurations etc.) in order to improve database security. There were times when SQL developers had to use external tools or even write customized scripts to discover, monitor and remediate these vulnerabilities. Fortunately, SQL Server introduced a built-in solution, the Vulnerability Assessment tool, via SSMS a couple of years ago, and this feature was made available to Azure SQL Database users as well almost a year ago. Let’s keep the ball rolling and implement Vulnerability Assessment to identify, track and remediate vulnerabilities in Azure SQL Database. Select the Azure database (AdventureWorksDW2017 in our case) and click on the Vulnerability Assessment tile on the Advanced Data Security blade as shown below.

If you don’t see any records on the Vulnerability Assessment report, click on Scan to get the assessment report. You can also use the ‘Export Scan Results’ option to share the complete assessment report results with leads and auditors. Clicking this button prepares an Excel file for download. Additionally, you can click on Scan History to view all scans that were previously run on a database.

Vulnerability Assessment Report

The summary results of the Vulnerability Assessment report show two metrics, Total failing checks vs Total passing checks, along with a categorization by risk (High, Medium and Low). The report lists issues row by row, and each one is actionable. You can click on any result (Failed or Passed) to get more insight into the security check. This tool provides the best practices that Azure SQL thinks should be implemented on the SQL Databases from the data security perspective. The failed results are self-descriptive and are organized in particular categories as shown above.

Identifying and remediating issues with Vulnerability Assessment

Let’s drill down on the failed result that talks about Firewall rules to see why it failed in the first place and what steps we can take to remediate it in the Azure SQL Database. This drill-down report gives a complete description of what went wrong. In our case, it recommends setting a firewall on the server level to protect our data.

It provides a remediation script that we can run in the query editor to resolve this issue. Alternatively, the report also provides a remediation link for quick resolution. This way, the Vulnerability Assessment report gives us clear visibility and actionable remediation steps to manage and resolve issues in the Azure SQL Databases.
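
To make the firewall finding concrete, here is an added T-SQL example (written for this page, not the remediation script that Vulnerability Assessment generates) that audits the server-level firewall rules and then narrows them. It assumes you are connected to the master database of the logical server; the 255-address threshold, the rule names and the 203.0.113.10 address are constructed for illustration.

```sql
-- Added example: audit server-level firewall rules.
-- Run in the master database of the logical server.
WITH rules AS (
    SELECT name, start_ip_address, end_ip_address,
           -- Convert dotted IPv4 text to a number so the range size can be computed.
           CAST(PARSENAME(start_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(start_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(start_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(start_ip_address, 1) AS bigint) AS start_n,
           CAST(PARSENAME(end_ip_address, 4) AS bigint) * 16777216
         + CAST(PARSENAME(end_ip_address, 3) AS bigint) * 65536
         + CAST(PARSENAME(end_ip_address, 2) AS bigint) * 256
         + CAST(PARSENAME(end_ip_address, 1) AS bigint) AS end_n
    FROM sys.firewall_rules
)
SELECT name, start_ip_address, end_ip_address,
       end_n - start_n + 1 AS address_count,
       CASE
           -- 0.0.0.0 to 0.0.0.0 is the special rule that admits all Azure services.
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'Allows connections from all Azure services'
           -- Assumed threshold: anything wider than 255 addresses gets a manual review.
           WHEN end_n - start_n + 1 > 255
               THEN 'Wide range: confirm every address needs access'
           ELSE 'Narrow range'
       END AS finding
FROM rules
ORDER BY address_count DESC;

-- Tighten access: add a rule for the single address that needs it,
-- then drop the wide rule the audit flagged. Edit both names before running.
EXECUTE sp_set_firewall_rule
    @name = N'office-egress',              -- hypothetical rule name
    @start_ip_address = '203.0.113.10',    -- constructed documentation address
    @end_ip_address   = '203.0.113.10';

EXECUTE sp_delete_firewall_rule
    @name = N'wide-rule-placeholder';      -- placeholder: name of the flagged rule
```

Database-level rules are listed separately in sys.database_firewall_rules inside each user database, so a complete audit runs the same range check there as well.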

Approve as Baseline in Vulnerability Assessment

We can set the selected security check result as an approved baseline by clicking Yes in the screenshot below. The next time the scan runs, this alert is no longer considered a failure and gets the status PASS (per custom baseline). In our case, there are just 4 failed results, but in a real scenario, failures come in large numbers. Setting a security baseline over such a large set of assessment results lets us focus on the relevant issues.

Run a new scan to view the customized report: the number of failures is now 3, and the security check with the applied baseline rule has moved to the ‘Passed’ count.

Vulnerability Assessment in Azure SQL Database is gaining popularity in monitoring databases for a higher level of security. This tool is extremely helpful in discovering, tracking and managing vulnerabilities in the database. It provides in-depth, actionable remediation steps for any issue found in the assessment report. Since this tool is intuitive to work with, one doesn’t have to be a security expert to use it.

Advanced Data Security on Server level

Before we talk about our last yet important security feature, let’s quickly peek at how we can manage these security traits on the server level.

Alternatively, these features, except Data Discovery & Classification, can be configured on the server level too. Configuring them on the server level enables them for all the SQL databases present on the server. Click the SQL Server name (sqlshackdemoserver in our case) and go to the Advanced Data Security blade. Toggle the advanced data security switch to ON, and select the subscription in the subscription textbox. Configure the storage account, and select the frequency of the vulnerability assessment scan; by default, the scan happens every Sunday at 12 midnight. So apart from the manual scan shown earlier, we can set up a periodic scan here. Additionally, you can share the scan summary reports with the email address(es) provided.

Configuring Vulnerability Assessment settings on the Server level

Configuring Advanced Threat Protection on the Server level

You can enable Advanced Threat Protection, which comes under the Advanced Threat Protection settings, by providing the email address(es) where you want alerts to be sent. You can also customize the types of alerts (like SQL injection, Data exfiltration etc.) raised for the Azure SQL Databases as shown below. Do not forget to hit the Save button to save these changes.

Once these server level configurations are done, you can see the below notification confirming Advanced Data Security is configured on the Server dashboard page.

Let’s move forward and look at the last chunk of the Advanced Data Security feature.

Advanced Threat Protection

Advanced Threat Protection is basically a real-time threat detection service. Not so long ago, this security feature was briefly demonstrated by one of my fellow authors in this article, Security considerations for your Azure SQL Databases. At that time, this feature was under the “Auditing & Threat detection” heading, and as of today, it is known as “Advanced Threat Protection” in the Advanced Data Security blade in Azure SQL Databases. Click on the third tile in the Advanced Data Security blade to see the list of Security Alerts addressed by this feature as shown below.

This feature works continuously in the background to detect and monitor threats and suspicious activities happening on the Azure SQL database. As soon as it senses any unusual behavior, it automatically sends an email with in-depth details on the activity, along with investigation and remediation steps. The best part of this feature is its integration with the Azure Security Center, which is the central place responsible for managing all of the Azure security. The reported alerts are viewed from this center.

Advanced Threat Protection demo – Brute force login attack

Since I have created a new server and a couple of databases in it for demo purposes here, this feature hasn’t accounted for any potential security threats as of now. I am going to simulate a brute force login attack on one of my databases by continuously attempting to log in with invalid passwords. As we have configured the email address above in the Advanced Protection settings on the server level, I receive the below email notifying me of the potential threat detected by this feature.

Information on this security alert like database name, server name, severity etc. is provided as shown below.

Additionally, it provides investigation and remediation steps to mitigate this anomalous activity.

Click on the View recent alerts link in the email received to navigate to the Azure portal and locate these details in the centralized dashboard view, the Azure Security Center alerts page. Below is the overview of the detected threats in the SQL Database. Fortunately, we just have one.

We can drill down into the specific alert, SQL brute force attack, by clicking on it. Select View suspicious activity to gain more insight into where and what has gone wrong. It also offers to run relevant queries in the query editor to understand which transactions took place in the database during this event.

Click on the Remediation steps to mitigate this alert. For this alert, this feature not only recommends turning on the firewall settings but also assists the user in making the required changes.

Apart from the brute force SQL credentials attack seen above, I would like to highlight the other most commonly occurring potential security threats or anomalous activities below:

  1. SQL injection – This attack is basically an attempt to insert specially coded SQL commands into a data field, to try to cause the database to run the command. Usually, this happens when data is passed into a SQL statement without being checked, e.g. select * from dimcustomer where columname = 'drop table tablename'
  2. Login anomalies – This is the case when someone is trying to log in to the Azure SQL Database from a strange or unusual location that no one has used before. This will cause a detection alert
  3. Potential vulnerabilities like database misconfigurations, managing sensitive data etc.
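
The first item says injection happens when data is passed into a SQL statement without being checked. The following added T-SQL example (not from the original article) shows that failure next to the parameterized form that avoids it. The temp table #DimCustomerDemo, its columns and the input value are constructed stand-ins for the dimcustomer table mentioned above.

```sql
-- Constructed demo table standing in for dimcustomer (names are assumptions).
CREATE TABLE #DimCustomerDemo (
    CustomerKey int PRIMARY KEY,
    LastName    nvarchar(50) NOT NULL
);
INSERT INTO #DimCustomerDemo (CustomerKey, LastName)
VALUES (1, N'Yang'), (2, N'Huang'), (3, N'Torres');

-- Value as it would arrive from an application form field (constructed).
DECLARE @input nvarchar(50) = N'x'' OR 1 = 1 --';

-- Vulnerable pattern: the value is concatenated into the statement text.
-- The quote inside the value closes the string literal, so the rest of the
-- value is parsed as SQL and the predicate becomes: LastName = N'x' OR 1 = 1
DECLARE @unsafe nvarchar(max) =
      N'SELECT CustomerKey, LastName FROM #DimCustomerDemo WHERE LastName = N'''
    + @input + N'''';
PRINT @unsafe;   -- inspect the statement the server is about to parse
EXEC (@unsafe);

-- Hardened pattern: the statement text is fixed and the value travels as a
-- typed parameter, so it is only ever compared as data against LastName.
EXEC sys.sp_executesql
    N'SELECT CustomerKey, LastName FROM #DimCustomerDemo WHERE LastName = @name',
    N'@name nvarchar(50)',
    @name = @input;

DROP TABLE #DimCustomerDemo;
```

Comparing the two result sets shows the difference: the concatenated statement ignores the intended filter, while the parameterized one looks for a customer whose last name is literally the input string.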

To learn more on Advanced Threat Protection, read over here.

Conclusion

We covered the 3 main pillars of Advanced Data Security available with Azure SQL Database. It is evident how easy it is to implement these security features with just a few clicks. They also provide great visibility into our SQL databases, thus strengthening the ‘Azure Security structure’. I hope this series will encourage readers to keep their data more safe and secure.

Table of contents

Advanced Data Security in Azure SQL Database – Data Discovery & Classification
Vulnerability Assessment and Advanced Threat Protection in Azure SQL Database

Translated from: https://www.sqlshack.com/vulnerability-assessment-and-advanced-threat-protection-in-azure-sql-database/
