SQL Server TDE encryption - sql-server-2017

The question is one of my clients ask whether they can BYOK (Bring your own key). When it comes to that;
1) I couldn't find any detailed information whether we can do it for a locally hosted SQL Server. But it seems possible for Azure SQL DB.
2) Using EKM Provider. Seems like all of them are 3rd party and Windows Server doesn't come with a default provider. Am I correct? I would like to use a EKM provider but don't want to spend more just for a single client. What are the options I have?

Related

AZURE SQL Database User

I created SQL account for an application but how do I restrict or deny the same account not to connect the database using SSMS or Azure data studio by the developers since the developers can view the user information in web.config file.
Thanks,
Sandeep
You can use Azure Active Directory to authenticate your app, so that you don't need to write the username and password in config file.
With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location.
Benefits:
It provides an alternative to SQL Server authentication.
It helps stop the proliferation of user identities across servers.
It allows password rotation in a single place.
You can read more details from this document.
Basically the answer to your question is... You can't...
There is no way to identify the client of a certain connection in Azure SQL. What you can do, for example, is restrict access to a certain server using s firewall. But if your dev env is on the same machine as your SSMS that won't work because you're then blocking the dev env as well.
In that case, the best practice is to create a dev database to which all devs have access. In that case, it doesn't matter for you everyone knows the password because it's the dev database.
For production environments, you need to treat database credentials as secrets and thus make sure they are stored in a safe place. When you're using Azure, the KeyVault may be a good place to store the password. This KeyVault has a fine grained way of allowing access to secrets for individuals as well as IT systems.

Azure SQL PaaS - Limitations

We are trying to evaluate possibility of migrating our in-house SQL DB server to Azure SQL as a PaaS.
Our legacy windows application which is written in VB6 and now running on VB.NET Framework 4.5
Clarifications I need if I migrate only DB server to Azure:
We use both trusted / credential based SQL connection from our desktop application to connect to SQL DB. If we migrate to Azure SQL, will it support trusted connection which should authenticate current organizations NT user?
We have lot of cross DB queries, do we need to face any challenge to use the queries as it is?
Run time we take a DB backup / restore for some business cases. Does this work?
Are there any restrictions on number of admin users on Azure DB?
Probably yes if you sync your local AD with an AAD (See: Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or SQL Data Warehouse)
Azure SQL Database (PaaS) doesn't support cross DB queries by default - you have to setup / use Elastic Query for that.
Yes, you can take a DB backup at runtime and also restore it. There is also a point-in-time restore feature available. See: Learn about automatic SQL Database backups.
I think you can only specify one server administrator (at least within the portal) but I doubt you will reach any limit on db users.
Instead of using the single database SQL Server PaaS service you should also consider using Managed Instance (preview)
You will have to extend your active directory to Azure active directory to keep using trusted connections. You will learn how to do it on this documentation and this one.
On Azure SQL Database you have elastic queries that allow you to run cross database queries. Learn how to create elastic queries here.
You can create bacpacs (export your databases) to Azure Storage or to on-premises location very easy.
You can configure one Server Admin or one Azure Active Directory Admin (it can be a group) for your Azure SQL Server. However, at the database level you can add many database users to the dbmanager role. You can have more information about this topic here.

Prevent man-in-the-middle attacks on ssms to SQL Server Connection

I'm connecting to a SQL Server instance in a shared environment using SQL Server Management Studio. I don't want to take the hosting service's word so I'd like to find a way to discover whether all communications are encrypted. Especially the password, since it seems from this answer that sometimes it's sent in plaintext and sometimes not (I've been trying to use Microsoft Network Monitor to find out if it's encrypted but haven't been successful yet.)
Even if the password is encrypted, what if someone uses the connection (as a man-in-the-middle) to enter his own data into the database? (I'm more worried about that, though reading from the database is also a problem, of course.)
So, to sum up, how can I force a secure connection or at least discover whether one is present, when I don't have administrator's privileges on the database?
SQL Server client drivers offer the ability to require encryption and also verify that the certificate on the SQL Server comes from a trusted provider. Most drivers for SQL Server (JDBC, ODBC, .NET client, etc) have these settings.
More information can be found here: https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx

Azure Mobile Services Insert function

Is it possible to handling handling external inserts/updates to Azure SQL Database from Azure Mobile Services (INSERT, UPDATE, directly to db and etc.)
I know about scripting. All tables working fine, and visible from Mobile Service manage center.
I need to handle events like direct SQL requests to DB from DB management portal or Azure Web sites, without direct requests to Mobile Service (REST API, and etc.)
Is the question how to execute SQL commands from a mobile device directly against the database (SQL Database) without first going through the REST API and scripting layer Mobile Services provides?
If so, then the answer is essentially no. The mobile device needs some way to communicate with the database, it uses the API and scripting layer to do this. Of course, you could build your own web service layer that then works with the database. But, this layer is what Mobile Services is providing for you out-of-the-box.
However, if the question is can you issue SQL commands against the database using tools like SQL Server Management Studio or even other web sites, then the answer is yes. The SQL Database which Mobile Services provides is a regular SQL Database. You have full control over it. You can connect to it and issue commands just like you would with SQL Database (via an ORM or direct SQL statements).

Online SQL Server database accessed from my software

I have been working on the software using a SQL Server database. Now I am in the phase when I would like to provide this software for other people, but I don't know how to manage the database. The thing is that it is really inconvenient when installing my software to also install SQL Server at the users computer (many unexpected thing could happen).
Therefore I thought that I would pay for web hosting with SQL Server, but it is:
Expensive (just for database with few tables).
Most of the web hosting don't offer remote access to the SQL Server database (so I can't connect there from my software).
So there is my question, what would you do? My own virtual server? (even more expensive), or would you install SQL Server on users computer? Or do you know where to get only SQL Server hosting for low costs?
I don't advice using a remote SQL Server. SQL Connections strongly depend on network connection and the Internet is not "stable" enough for that. There are also performance issues that will make your application completely useless.
One important thing you didn't mention is whether different users will share the same data or will have their own. If each user will use their own data you can install a "local" SQL Server Edition (SQL Compact Edition, here is the reference)
http://msdn.microsoft.com/en-us/library/aa983341(v=vs.110).aspx
In case several users will share the same data, you shouldn't rely on the database solely. One possible approach is having an Application server that implements business logic whereas your desktop application stays actiong as a "dumb" client. This is a lot better for performance and reduce data transfer problems. You can implement webservices for you application server. This is a good solution as the data is transfered from he application server to the clients through HTTP/HTTPS and this relieves you from dealing with ports and other communication issues. An alternative is using Microsoft Communication Framework (WCF)
Good luck!