Microsoft Azure Security Technologies (AZ-500): Data and Application Security
- Key Vault Security
Key Vault is a centralized store for the secrets (connection strings, API keys and application passwords; it is not intended for end-user passwords), cryptographic keys and SSL/TLS certificates used by your Azure resources. Access is granted per vault through Azure RBAC or access policies, so only the identities you have explicitly authorised can read or use the material, and every operation can be logged through diagnostic settings. Key Vault also supports rotation: keys can be rotated automatically under a rotation policy, certificates issued by an integrated CA can be auto-renewed, and secrets raise near-expiry events that you can use to drive rotation of the secret and the system that consumes it.
IMPORTANT! Study the Key Vault diagrams (not reproduced in this text).
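The following Az PowerShell session is an added example, not code from the original notes or from Microsoft: it provisions a vault with RBAC authorization and purge protection, grants an application's managed identity read-only access to secrets, stores an application secret with a hard expiry, and attaches an automatic rotation policy to a key. The resource group, vault name, object ID and secret value are placeholders, and the rotation-policy parameter names are assumed from Az.KeyVault 4.x and should be checked against the module version you run.

```powershell
# Added example (not from the original page). Names and IDs below are placeholders.
$rg       = "rg-az500-demo"                              # assumed resource group
$location = "westeurope"
$vault    = "kv-az500-demo-001"                          # assumed; vault names are globally unique
$appObjId = "00000000-0000-0000-0000-000000000000"       # placeholder: the app's managed identity object ID

# RBAC authorization instead of access policies, soft delete kept for 90 days,
# purge protection so a compromised admin cannot permanently destroy material.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
        -EnableRbacAuthorization -EnablePurgeProtection -SoftDeleteRetentionInDays 90

# Least privilege: the app may read secret values only. It gets no rights on
# keys or certificates and cannot manage the vault itself.
New-AzRoleAssignment -ObjectId $appObjId -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $kv.ResourceId

# Store an application secret (a connection string here, never an end-user password)
# and give it an expiry so a forgotten credential does not live forever.
$value = ConvertTo-SecureString -String "Server=tcp:sql01.database.windows.net;User ID=app;Password=<placeholder>" `
            -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name "sql-conn" -SecretValue $value `
    -ContentType "connection-string" -Expires (Get-Date).AddDays(90)

# Reading it back needs "Key Vault Secrets User" or higher on the vault (or the secret).
$plain = Get-AzKeyVaultSecret -VaultName $vault -Name "sql-conn" -AsPlainText

# Create an RSA key and let Key Vault rotate it: the key expires one year after
# creation and a new version is generated 30 days before that.
# Assumption: parameter names follow Az.KeyVault 4.x; verify with Get-Help before use.
Add-AzKeyVaultKey -VaultName $vault -Name "app-signing" -Destination Software -KeyType RSA -Size 2048
$action = New-AzKeyVaultKeyRotationLifetimeAction -Action Rotate -TimeBeforeExpiry (New-TimeSpan -Days 30)
Set-AzKeyVaultKeyRotationPolicy -VaultName $vault -Name "app-signing" `
    -ExpiresIn (New-TimeSpan -Days 365) -KeyRotationLifetimeAction $action
```

The role assignment is the important line: with RBAC authorization on, a principal with Contributor on the resource group can manage the vault but still cannot read a single secret until it is given a data-plane role such as Key Vault Secrets User.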
2. Storage Account Security
- Shared Access Signature (SAS)
We should never share our storage account keys with an external third-party application: a key grants full control over the whole account, and the only way to revoke it is to regenerate it, which breaks every other consumer of that key.
If these apps need access to our data, we can use a Shared Access Signature (SAS) instead. A SAS is a set of query-string parameters, signed with the account key (or, for a user delegation SAS, with an Azure AD credential), that is appended to a resource URI. It specifies the resource scope, the permissions and the start and expiry time of the access it grants, and can additionally be restricted to HTTPS and to a client IP range.
For example, you can give a customer a Shared Access Signature (SAS) token to upload pictures to a container in Blob storage, without granting them the right to list, read or delete what is already there.
We can use a Stored Access Policy in combination with a service SAS to keep control over signatures after they have been issued. A stored access policy is defined on the container (or queue, table or file share) and holds the start time, expiry time and permissions; a SAS that references the policy inherits them, so you can change the start time, expiry time or permissions for a signature, or revoke it outright, by editing the policy on the service side.
Do note that creating a new policy has no effect on an existing ad hoc SAS (one that does not reference a policy): such a signature stays valid until its expiry, and the only way to invalidate it early is to regenerate the account key it was signed with. To revoke a SAS that does reference a Stored Access Policy, modify the policy's expiry time or delete the policy; you cannot revoke it from the SAS side.
- Anonymous Access to Containers and Blobs
If your Blobs must be available for anonymous read access, you can enable public read access only: first allow Blob public access at the account level, then set the container's access level to Blob (individual blobs readable by URL, container not listable) or Container (blobs readable and the container listable). Keep the account-level setting disabled unless there is a confirmed need for it, because it is the control that prevents a container from being made public by mistake; anonymous write is never possible.
For anything more fine-grained than all-or-nothing anonymous read, use a Shared Access Signature (SAS).
- Secure Transfer Required
When secure transfer is enabled, any request that arrives over an insecure connection is rejected: REST calls over HTTP fail, and Azure Files rejects SMB connections that do not use SMB 3.x encryption.
Microsoft recommends that you always require secure transfer for all of your storage accounts. It is enabled by default for accounts created in the Azure portal, but verify it on accounts created from templates or scripts, and pair it with a minimum TLS version of 1.2.
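The Az PowerShell session below is an added example, not code from the original notes or from Microsoft, that ties the three storage controls above together: it enforces secure transfer and disables anonymous blob access, creates a stored access policy and a service SAS bound to it for a partner that only needs to upload, and then shows how to revoke that SAS early. The resource group, account name, container name and policy name are placeholders.

```powershell
# Added example (not from the original page). Names below are placeholders.
$rg        = "rg-az500-demo"
$account   = "staz500demo001"        # assumed; storage account names are globally unique
$container = "uploads"

# Secure transfer required (HTTPS only, encrypted SMB only), TLS 1.2 minimum,
# and no anonymous access at the account level regardless of container settings.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account `
    -EnableHttpsTrafficOnly $true -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2

$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Context
New-AzStorageContainer -Name $container -Permission Off -Context $ctx   # Off = private

# Stored access policy: the permissions and time window live on the container,
# so they can be changed or revoked after the SAS has been handed out.
# "cw" = create + write: the partner can upload, but cannot list, read back or delete.
$policy = "partner-upload"
New-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy `
    -Permission "cw" -StartTime (Get-Date) -ExpiryTime (Get-Date).AddDays(7) -Context $ctx

# Service SAS that references the policy (no -Permission/-ExpiryTime here: they are
# inherited), restricted to HTTPS. The full URI is what you give the partner.
$uploadUri = New-AzStorageContainerSASToken -Name $container -Policy $policy `
    -Protocol HttpsOnly -FullUri -Context $ctx

# Early revocation: deleting (or expiring) the policy invalidates every SAS that
# references it, without touching the account key.
Remove-AzStorageContainerStoredAccessPolicy -Container $container -Policy $policy -Context $ctx

# An ad hoc SAS (issued without -Policy) can only be killed by regenerating the key
# it was signed with, which also breaks every other holder of that key:
# New-AzStorageAccountKey -ResourceGroupName $rg -Name $account -KeyName key1
```

Note the order of operations: the account-level AllowBlobPublicAccess=false is set before any container exists, so a later `-Permission Container` on a container is refused rather than silently exposing data.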
3. Application Security
- Microsoft Identity Platform
With Microsoft Identity Platform, we can expand our reach to these kinds of users:
i. Work and school accounts (Azure AD provisioned accounts)
ii. Personal accounts (such as Outlook.com or Hotmail.com)
iii. Your customers who bring their own email or social identity (such as LinkedIn, Facebook, Google) via MSAL and Azure AD B2C
- Cloud App Security 
Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) is Microsoft's cloud access security broker. Its Cloud Discovery catalog rates more than 16,000 cloud apps with a risk score from 1 to 10, so you can judge whether an app discovered in your firewall or proxy logs is safe to allow in your organization.
The guidance in these notes is not to deploy a cloud app with a risk score lower than 8. The score is built from several categories of the app's reliability assessment; click on the score to see how the app rates in each:
i. General — This category refers to basic facts about the company that produces the app, including its domain, founding year, and popularity.
ii. Security — The security category accounts for all standards dealing with the physical security of the data used by the discovered app. This category includes fields such as multi-factor authentication, encryption, data classification, and data ownership.
iii. Compliance — This category displays which common best-practice compliance standards are upheld by the company that produces the app. The list of specifications includes standards such as HIPAA, CSA, and PCI-DSS.
iv. Legal — This category displays which apps have which regulations and policies in-place to ensure data protection and privacy of the app’s users such as GDPR, DMCA, and data retention policy.
4. Database Security 
There are a few options to set up SQL on Azure:
i. IaaS — SQL Server on an Azure VM (lift-and-shift of on-prem instances; you manage the OS, patching and backups)
ii. PaaS — Azure SQL Database / Azure SQL Managed Instance (Microsoft manages the OS, patching and backups)
How do we secure Azure SQL Database?
i. SQL Database Authentication
When a user attempts to connect to a database, the user needs to provide a user account and authentication information.
- SQL Authentication — username and password; the login and its password hash are stored in the master database (a contained database user is stored in the user database itself). No MFA, and the credential is usually a shared secret sitting in a connection string.
- Azure Active Directory Authentication — the identity and its credentials live in Azure Active Directory, so Conditional Access, MFA and managed identities for services all apply. You set one Azure AD admin (a group is recommended) on the logical server and create contained users from external providers; you can also turn on Azure AD-only authentication to disable SQL logins entirely.
ii. SQL Database Firewalls
- By default, the firewall denies all access to the public endpoint until you add a rule.
- Server-level firewall rules (set in the portal, PowerShell or with sp_set_firewall_rule in master) allow client IP ranges for every database on the logical server; database-level rules (set with sp_set_database_firewall_rule inside the database) allow client IP ranges for that one database and are evaluated first. The "Allow Azure services and resources to access this server" setting is a server-level rule equivalent to 0.0.0.0 that admits traffic from any Azure subscription, so prefer virtual network rules or a private endpoint over it.
iii. SQL Database Auditing
- By default, it is disabled.
- Configure policies for the server or database level.
- A new server policy applies to all existing and newly created databases.
- Configure audit log destination.
iv. Data Discovery and Classification
- Built-in to Azure SQL Database.
- Scans your database and identifies columns that contain potentially sensitive data.
- Provides classification recommendations and reports.
- Lets you apply sensitivity-classification labels, which then show up in audit logs and in the data-exposure view in Defender for Cloud.
v. Vulnerability Assessment
- Scans for database security vulnerabilities organized by severity.
- Findings provide actionable steps to remediate the issue.
- Set up periodic recurring scans and export reports.
vi. Advanced Threat Protection (ATP)
- Not enabled by default; it is part of Microsoft Defender for SQL, which is a paid, per-server subscription.
- Detects: SQL injection (attempted attacks and statements vulnerable to injection), data exfiltration, unsafe actions, brute-force attacks, and anomalous client logins (unusual location, principal, data center or application).
vii. Dynamic data Masking
Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support dynamic data masking. Dynamic data masking limits sensitive data exposure by masking it in query results for non-privileged users (for example showing aXX@XXXX.com for an email column); the data at rest is unchanged and users with the UNMASK permission see it in full, so it complements access control and encryption rather than replacing them.
viii. Transparent Data Encryption (TDE)
Transparent Data Encryption helps protect against malicious offline activity (a stolen backup or storage media) by encrypting data at rest.
It performs real-time encryption and decryption of the database, its associated backups and its transaction log files at rest, without requiring changes to the application; it does not protect data in use or from a user who can already query it.
TDE is available for Azure SQL Database, SQL Managed Instance and Azure Synapse Analytics dedicated SQL pools. It is enabled by default on newly created Azure SQL Database and SQL Managed Instance databases, while on Synapse dedicated SQL pools it must be switched on manually. The database encryption key is protected by a service-managed certificate by default, or by a customer-managed key held in Azure Key Vault (BYOK) when you need control over the key's lifecycle.
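The Az PowerShell session below is an added example, not code from the original notes or from Microsoft, that applies the server- and database-level controls listed in this section in one pass: a narrow firewall rule, an Azure AD admin with SQL logins disabled, server-level auditing, a TDE check, a masking rule, classification from the built-in recommendations, and Advanced Threat Protection notifications. The resource group, server, database, IP range, object ID, storage account ID and column names are placeholders; the Advanced Threat Protection cmdlet parameters are assumed from the current Az.Sql module and should be checked with Get-Help.

```powershell
# Added example (not from the original page). Names, IPs and IDs are placeholders.
$rg     = "rg-az500-demo"
$server = "sql-az500-demo-001"       # assumed logical server name
$db     = "appdb"
$auditStorageId = "/subscriptions/<sub-id>/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/staz500audit"  # assumed

# 1. Firewall: deny-all until a rule exists. Allow only the office egress range.
#    Do not add the 0.0.0.0 "Allow Azure services" rule unless you accept that any
#    tenant's Azure resource can reach the TDS endpoint.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName "office-egress" -StartIpAddress "203.0.113.10" -EndIpAddress "203.0.113.20"

# 2. Azure AD authentication: a group as admin, then disable SQL logins so the
#    password hash in master is no longer an attack surface.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server `
    -DisplayName "sql-admins" -ObjectId "00000000-0000-0000-0000-000000000000"   # placeholder group object ID
Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $rg -ServerName $server

# 3. Auditing: off by default. A server-level policy covers existing and future databases.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $auditStorageId -RetentionInDays 90

# 4. TDE is on by default for new Azure SQL databases; assert it rather than assume it.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db
if ($tde.State -ne "Enabled") {
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
        -DatabaseName $db -State Enabled
}

# 5. Dynamic data masking for non-privileged readers (schema, table and column are placeholders).
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName "dbo" -TableName "Customers" -ColumnName "Email" -MaskingFunction Email

# 6. Data Discovery and Classification: take the built-in recommendations and apply them as labels.
$rec = Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $server -DatabaseName $db
Set-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -ClassificationObject $rec

# 7. Advanced Threat Protection (Defender for SQL): not on by default, billed per server.
#    Assumption: parameter names per current Az.Sql; verify with Get-Help before use.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server
Update-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $rg -ServerName $server `
    -NotificationRecipientsEmails "secops@example.com" -EmailAdmins $true
```

Step 2 is the one that most often breaks something in production: once Azure AD-only authentication is on, every connection string that still carries a SQL username and password fails, so migrate the applications to managed identities before enabling it.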