167 CHAPTER 8 | Improved Azure SQL Database
Important After you enable auditing, you must configure down-level clients to use a security-enabled connection string by changing the fully qualified domain name from .database.windows.net to .database.secure.windows.net, as described in "SQL Database – Downlevel clients support for Auditing" at https://azure.microsoft.com/en-us/documentation/articles/sql-database-auditing-and-dynamic-data-masking-downlevel-clients/.
Auditing data
After you enable auditing, you can view a summary of auditing data in a dashboard format in the
Azure Management Portal. To do this, navigate to the Settings blade for your SQL Database, click
Auditing & Threat Detection, and then click the Explore button in the Auditing & Threat Detection
blade to open the Audit Records blade. The audit records are displayed as a table consisting of the
following columns: Event Time, Application Name, Principal Name, Event Type, and Action Status. For
more detail, you can click the Open In Excel button at the top of the Audit Records blade. The Excel
workbook contains several predefined reports that analyze your database activity.
Important Another option is to use the Microsoft Power BI service to connect directly to your auditing logs, as described at "Monitoring your Azure SQL Database Auditing activity with Power BI," http://blogs.msdn.com/b/powerbi/archive/2015/05/14/monitor-your-azure-sql-database-auditing-activity-with-power-bi.aspx.
Encrypting data
Database encryption is becoming a more common security requirement for many organizations. SQL
Database now includes the following features for data encryption:
Transparent Data Encryption (TDE) TDE encrypts the underlying database files. No one having physical access to the files can read the data without also having the encryption key.
Cell-Level Encryption (CLE) By using CLE, you can secure sensitive data, such as Social Security numbers, to prevent anyone from accessing that data without the decryption key.
Always Encrypted You can use a set of client libraries to encrypt and decrypt data in SQL Database and protect your data end to end. The encryption and decryption keys remain under the control of your application.
Important Although each of these features strengthens the security of SQL Database, you must
still employ security best practices when developing your application, including limiting access to
the people or applications requiring data and enforcing the principle of least privilege in the
database.
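The following T-SQL is an added example, not from the book, of the Cell-Level Encryption option listed above: a Social Security number column is stored only as ciphertext under a symmetric key, and a reader who can query the table but cannot open the key gets NULL back from DECRYPTBYKEY. The table, key, certificate and sample values are constructed for illustration, and the master key password is a placeholder.

```sql
-- Added example (constructed names and data). Key hierarchy: database master key
-- protects the certificate, which protects the AES-256 symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE SsnProtectionCert WITH SUBJECT = 'Protects the SSN symmetric key';
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnProtectionCert;

-- Only the encrypted form of the SSN is ever stored; there is no plaintext column.
CREATE TABLE dbo.Customer (
    CustomerId   INT            NOT NULL PRIMARY KEY,
    FullName     NVARCHAR(100)  NOT NULL,
    SsnEncrypted VARBINARY(256) NOT NULL
);

-- Writers must open the key before ENCRYPTBYKEY returns a value. The authenticator
-- (a hash of the row key) binds each ciphertext to its own row, so a ciphertext
-- copied into another row will not decrypt there.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnProtectionCert;
INSERT INTO dbo.Customer (CustomerId, FullName, SsnEncrypted)
VALUES (1001, N'Constructed Sample',
        ENCRYPTBYKEY(KEY_GUID('SsnKey'), N'123-45-6789',
                     1, HASHBYTES('SHA2_256', CONVERT(VARBINARY, 1001))));
CLOSE SYMMETRIC KEY SsnKey;

-- Key not open: a principal with SELECT on the table but no permission on the
-- key sees only the ciphertext; DECRYPTBYKEY returns NULL.
SELECT CustomerId, FullName, SsnEncrypted,
       DECRYPTBYKEY(SsnEncrypted) AS SsnWithoutKey
FROM dbo.Customer;

-- Key open and authenticator matching: the plaintext SSN is recovered.
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnProtectionCert;
SELECT CustomerId,
       CONVERT(NVARCHAR(11),
               DECRYPTBYKEY(SsnEncrypted, 1,
                            HASHBYTES('SHA2_256', CONVERT(VARBINARY, CustomerId)))) AS Ssn
FROM dbo.Customer;
CLOSE SYMMETRIC KEY SsnKey;

-- Least privilege: grant the application principal, not reporting users, the
-- right to open the key (hypothetical role name).
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SsnKey TO AppDataRole;
GRANT CONTROL ON CERTIFICATE::SsnProtectionCert TO AppDataRole;
```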
Transparent Data Encryption
TDE was introduced in SQL Server 2008 as a security measure for data at rest. Until SQL Server 2014, it
was the only method available for natively encrypting database backups. TDE encrypts only the
physical data files, transaction logs, and backups without directly encrypting data tables. That is, if a
user has read permission to a database with TDE enabled, the user can query the database and access
all the data without having an encryption key. If you move the encrypted files to another server, no
one can open and view them on that server.
TDE for SQL Database uses the same technology built for on-premises SQL Server, but it has been
enhanced to support Intel AES-NI hardware acceleration of encryption, which reduces the CPU/DTU
overhead of enabling TDE. In addition, it is easier to configure. To enable TDE, open the blade for your
SQL Database in the Azure Management Portal, click the All Settings link, and then click Transparent