Talk: Running SQL Azure Securely — SQL Saturday #877 — 14-Sep-2019

Today I had the opportunity to speak at SQL Saturday #877 in Burlington, MA. As part of my series of talks on Running Azure Securely, my talk today was Running Azure SQL Database Securely and applied to Azure SQL DB and Azure SQL DB Managed Instances.

Some Resources Mentioned

The deck

Running Azure SQL DBs Securely – Bill Wilder – SQL Saturday #877 – 14-Sep-2019

Talk description

If you know your way around SQL Server, then you will find Azure SQL Database to be familiar territory. But some aspects are more familiar than others, which is especially true for security-related differences.

In this session we review the key differences around identity management and authentication (including multi-factor authentication), managing server credentials (or, even better, not needing to in some cases), how to audit logins (probably not what you expect), an overview of encryption and data masking options, and the supporting role of Azure Key Vault. We will also touch on compliance and disaster recovery to give the complete picture of powerful features you’ll definitely want to know about to protect your data.

This talk will cover relevant capabilities for both traditional Azure SQL Databases and the newer Azure SQL Managed Instances.

This talk assumes you are already familiar with SQL Server or another enterprise database.

Action Photo

(Credit Taiob Ali @SqlWorldWide)

Talk: Are all these #Azure security features for me?

On Tuesday, July 30, 2019 I had the opportunity to speak at North Boston Azure. The talk was part of a series on Running Azure Securely and was called Are all these Azure security features for me? and was not really a “talk” in that it was highly interactive. For those who attended, you will recall we filled in some slides collaboratively. Thus, they may not appear so polished for those of you who did not join live. Either way, please find the slides (“collaborative” and all) below.

This was an experimental approach for me and the feedback from the audience tells me it worked pretty well. The group at North Boston Azure was already knowledgeable and engaged, so hopefully made for an interesting experience for all involved (was certainly fun for me).

Azure-DefenseInDepth-BillWilder-2019-July-30

You can follow me on Twitter (@codingoutloud).

You can also follow Boston Azure on Twitter (@bostonazure).

 

Event: Boston #Azure / MIT edition of Global Azure Bootcamp

We had a great event at MIT on Saturday 27-April-2019 — the Boston Azure edition of the Global Azure Bootcamp hosted at MIT. There were lots of great session contributions – making this a true community effort.

ORGANIZERS

Big thank you to local organizers Olimpia (@olimpiaestela), Veronika (@breakpointv16), Gladis, and Maura (@squdgy). We all worked closely with Jason (@haleyjason) who ran the Burlington MA event. And don’t forget those folks at the Global Azure Bootcamp level providing a platform making this possible for a coordinated day of #Global Azure cloudiness (https://global.azurebootcamp.net/).

SPONSORS

The thanks continue with sponsors: MIT Women in Technology, Insight (formerly Blue Metal – https://www.insight.com/en_US/solve/digital-innovation.html), Finomial, and the Global Sponsors (https://global.azurebootcamp.net/sponsors/).

SPEAKERS

And a big thank you to the speakers – all who gave up a chunk of weekend to join us on a Saturday to share their knowledge (in order of appearance):

Attached are my slides:

The above graphic is from here: https://docs.microsoft.com/en-us/azure/event-grid/overview#event-sources

Here are some more links of interest:

  1. Some collected links (some repeated below): https://github.com/codingoutloud/bostonazurebootcamp2019/blob/master/README.md
  2. C# Script is real – not a hoax! 🙂 – https://msdn.microsoft.com/en-us/magazine/mt614271.aspx
  3. Azure Functions support C# Script (.csx files) – but also regular compiled C# (.cs on .NET Core)
  4. Example Azure Function written in regular compiled C#: https://github.com/codingoutloud/opstoolbox (especially https://github.com/codingoutloud/opstoolbox/blob/master/SslCertificateExpirationChecker.cs)
  5. Here are some example uses of the above:
  6. Event Grid:
    1. https://docs.microsoft.com/en-us/azure/event-grid/event-sources
    2. https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-event-grid
    3. https://madeofstrings.com/2018/06/29/azure-event-grid-filters-with-logic-apps/
    4. “Slide” I showed is below – it is from here: https://docs.microsoft.com/en-us/azure/event-grid/media/overview/functional-model.png
  7. Combine Azure Logic Apps with Azure Functions – https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-functions#add-function-logic-app
  8. Similar to “follow-along lab” that tied together Subscription changes to an Azure Function using EventGrid
  9. Azure Function in JavaScript that fails 75% of the time. Useful for testing retries and seeing how errors are handled: https://gist.github.com/codingoutloud/151976063b1e9367369f1505f6cca66e
  10. Azure Blockchain Workbench:
    1. https://azure.microsoft.com/en-us/features/blockchain-workbench/
    2. https://docs.microsoft.com/en-us/azure/blockchain/workbench/
    3. https://docs.microsoft.com/en-us/azure/blockchain/workbench/architecture
    4. https://docs.microsoft.com/en-us/azure/blockchain/workbench/use

 

Who logged into my #Azure SQL Database?

Ever try to figure out how to track who logged into your Azure SQL database? You checked all the usual ways you might handle that with a SQL Server database, but one-by-one find out they just don’t work. Here’s one way to do it.

To track who is logging into your Azure SQL database, enable auditing (here’s how to do that) with audit entries directed to an Azure storage blob. There are two ways to do this: at the database server level and at the individual database level. Either is fine, but for the example that follows, auditing is assumed to be at the db server level. The example query can be adjusted to work with auditing at the database level, but one of the two auditing options is definitely required to be on!

Run this query to find out all the principals (users) who have logged in so far today into your Azure SQL database.

The output is something like the following, assuming I’ve logged in 12 times so far today with my AAD account (bill@example.com) and 1 time with a database-specific credential (myadmin):

09-Nov-2019 (Saturday) codingoutloud@example.com 12

09-Nov-2019 (Saturday) myadmin 1

The query might take a while to run, depending on how much data you are traversing. In one of my test environments, it takes nearly 20 minutes. I am sure it is sensitive to the amount of data you are logging, database activity, and maybe settings on your blob (not sure if premium storage is supported, but I’m not using it and didn’t test with it).

Note: There are other ways to accomplish this, but every way I know of requires use of Azure SQL auditing. In this post we pushed them to blobs, but other destinations are available. For example, you could send to Event Hubs for a more on-the-fly tracker.
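One way to write a query of the kind described above, as an added example (this is not the query from the original post). It assumes server-level auditing to blob storage; `<storageaccount>` and `<servername>` are placeholders, and `sqldbauditlogs` is assumed to be the container the audit logs are written to.

```sql
-- Added example: count today's successful logins per principal,
-- reading server-level audit logs from blob storage.
-- <storageaccount> and <servername> are placeholders to replace.
DECLARE @today date = CAST(SYSUTCDATETIME() AS date);

SELECT
    FORMAT(CAST(event_time AS date), 'dd-MMM-yyyy (dddd)') AS [When (UTC)],
    server_principal_name                                  AS [Login],
    COUNT(*)                                               AS [Number of Logins]
FROM sys.fn_get_audit_file(
        -- A prefix ending in '/' reads every audit file under it.
        'https://<storageaccount>.blob.core.windows.net/sqldbauditlogs/<servername>/',
        DEFAULT, DEFAULT)
WHERE action_id = 'DBAS'                 -- DATABASE AUTHENTICATION SUCCEEDED
  AND succeeded = 1                      -- use action_id 'DBAF' to list failed attempts instead
  AND event_time >= @today               -- audit event_time is recorded in UTC
  AND event_time <  DATEADD(day, 1, @today)
GROUP BY CAST(event_time AS date), server_principal_name
ORDER BY [Number of Logins] DESC;
```

Pointing the URL at a narrower prefix (a single database or date folder under the server path) reduces how many blobs are scanned.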

Talk: Running Azure Securely — PART I — Boston Azure 18-Oct-2018

At the most recent Boston Azure meeting I gave (what turns out to be…) the first part of a multi-part talk on Running Azure Securely. Even though I did not cover all this content, I’ve attached the whole PowerPoint deck below.

BostonAzure-RunningAzureSecurely-BillWilder-2018-Oct-18

Please watch for a Part II to be scheduled.

Talk: Running Securely On Azure

On Tuesday evening 27-Mar-2018 I had the pleasure of speaking to the Nashville Azure group about keeping workloads safe in the Azure cloud. Was a great group with a lot of interesting questions and dialog. They even helped to answer each other’s questions when I didn’t have answers, which is the best outcome of all.

For those interested in the deck I used, please find it below.

NashvilleAzure-RunningAzureSecurely-BillWilder-2018-Mar-27-Published