Protecting Microsoft Azure SQL Database-as-a-service

March 19, 2020

This post complements the earlier Illumio Labs research project, See it to Protect It: Agentless Azure Workload Visibility. If you have not read that post, I suggest giving it a quick glance before diving into this one.


Introduction

As we discussed in one of our previous posts on databases in the cloud, the ease of use and accessibility that managed database services bring is great, but it can also lead to security concerns. Azure SQL Database is another such Platform as a Service (PaaS): it provides the broadest SQL Server engine compatibility and lets users quickly deploy MS SQL databases in several form factors. What makes Azure SQL Database popular among enterprises is frictionless migration from on-prem to cloud.

Great, right? Yes, it is great for business. But how do we protect a service like Azure SQL Database, which does not expose a host OS on which we could install an Illumio VEN?

Enter Illumio Labs and our most recent project: securing Azure SQL Database servers by using Illumio ASP together with Azure server-level firewall (SLF) rules.

The previous integration gave us visibility into the network flows of the Azure database instances. In this post, we put the corresponding segmentation controls in place so that only the sources the policy allows can reach the database server. Let's dive in.

Architecture

It's a simple three step process:

  1. Start the Illumio enforcer (the Python script in the GitHub repo linked with this project) on any Linux instance that can reach both the Azure API and the PCE.
  2. The enforcer talks to Illumio's Policy Compute Engine (PCE) to fetch the segmentation policy that the user has written for the Azure SQL Database server.
  3. Based on the policy rules, it programs the server-level firewall guarding the Azure SQL Database server.

Once the rules are in place, inbound connections to the Azure SQL Database server are governed by the segmentation rules: a source that is not allowed by policy is rejected at the server-level firewall before it can reach the database.


The Illumio enforcer polls the PCE at a configurable interval and pushes any policy changes to the server-level firewall rules, so the firewall converges back to the policy even if a rule was changed by hand in the meantime.
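To make the three steps above and the polling loop concrete, here is an added example of the reconciliation logic such an enforcer needs on every poll. It is not the Illumio Labs enforcer script from the GitHub repo, and it makes the following assumptions: the policy fetched from the PCE reduces to a list of allowed source CIDRs; the current firewall state is a mapping of rule name to rule, as `SqlManagementClient.firewall_rules.list_by_server()` would give you after conversion; the rule-name prefix `illumio-` is an assumed convention for marking rules the enforcer owns; and the `apply_plan()` stub uses the `azure-mgmt-sql` 1.x+ call signature and is not executed here. The sample firewall state at the bottom is constructed for illustration.

```python
"""Reconcile a policy allow-list against Azure SQL server-level firewall rules.

Added example, not Illumio's code. Azure SLF rules are inclusive IPv4
start/end ranges (not CIDRs), and the rule 0.0.0.0-0.0.0.0 is Azure's
sentinel for "allow Azure services", which an enforcer must not delete.
"""
import ipaddress
from dataclasses import dataclass

RULE_PREFIX = "illumio-"  # assumed convention: only rules with this prefix are ours


@dataclass(frozen=True)
class FwRule:
    name: str
    start_ip: str
    end_ip: str


def cidr_to_range(cidr):
    """Convert a CIDR to the inclusive (start, end) pair Azure expects."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError(f"server-level firewall rules are IPv4 only: {cidr}")
    return str(net.network_address), str(net.broadcast_address)


def rule_name(cidr):
    """Assumed naming convention: 10.0.1.0/24 -> illumio-10-0-1-0_24."""
    return RULE_PREFIX + cidr.replace(".", "-").replace("/", "_")


def policy_to_rules(allowed_cidrs):
    """Translate policy sources into the desired rule set, keyed by name.

    A /0 in policy is a policy bug; refusing it is cheaper than opening the
    database to the whole Internet on the next poll.
    """
    desired = {}
    for cidr in allowed_cidrs:
        start, end = cidr_to_range(cidr)
        if (start, end) == ("0.0.0.0", "255.255.255.255"):
            raise ValueError(f"refusing to program an allow-all rule for {cidr}")
        name = rule_name(cidr)
        desired[name] = FwRule(name, start, end)
    return desired


def reconcile(desired, current):
    """Return (upsert, delete) that moves `current` to `desired`.

    Only prefixed rules are touched: the Azure-services sentinel and rules an
    admin created by hand are left alone, so a bad policy push cannot delete
    rules the enforcer never owned. Rules with a stale range are re-created.
    """
    owned = {n: r for n, r in current.items() if n.startswith(RULE_PREFIX)}
    upsert = [r for n, r in sorted(desired.items()) if owned.get(n) != r]
    delete = sorted(n for n in owned if n not in desired)
    return upsert, delete


def apply_plan(client, resource_group, server, upsert, delete):
    """Push a plan through azure-mgmt-sql (1.x+ signatures; not run here)."""
    from azure.mgmt.sql.models import FirewallRule  # assumed installed
    for r in upsert:
        client.firewall_rules.create_or_update(
            resource_group, server, r.name,
            FirewallRule(start_ip_address=r.start_ip, end_ip_address=r.end_ip))
    for name in delete:
        client.firewall_rules.delete(resource_group, server, name)


def demo():
    """One poll against a constructed firewall state; returns the plan."""
    policy_sources = ["10.0.1.0/24", "203.0.113.7/32"]  # constructed policy
    current = {  # constructed snapshot of the server-level firewall
        "AllowAllWindowsAzureIps": FwRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
        "dba-laptop": FwRule("dba-laptop", "198.51.100.5", "198.51.100.5"),
        "illumio-10-0-1-0_24": FwRule("illumio-10-0-1-0_24", "10.0.1.0", "10.0.1.254"),
        "illumio-10-0-2-0_24": FwRule("illumio-10-0-2-0_24", "10.0.2.0", "10.0.2.255"),
    }
    return reconcile(policy_to_rules(policy_sources), current)


if __name__ == "__main__":
    upsert, delete = demo()
    for r in upsert:
        print(f"upsert {r.name}: {r.start_ip}-{r.end_ip}")
    for name in delete:
        print(f"delete {name}")
```

Running `demo()` re-creates `illumio-10-0-1-0_24` (its end address had drifted to 10.0.1.254), adds `illumio-203-0-113-7_32`, deletes `illumio-10-0-2-0_24`, and leaves both the Azure-services sentinel and the hand-made `dba-laptop` rule untouched. Whether unmanaged rules should survive is a design choice: leaving them makes the enforcer safe to introduce on a live server, but full segmentation eventually means every allowed source is expressed in policy and the enforcer owns every rule.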

That's it. Detailed installation and configuration steps are in the GitHub repo linked with this project.

Demo

Let's see this integration in action in the screencast below.



Conclusion

With good visibility comes great segmentation, and we have achieved both on Azure by combining the technique from the previous post with the one demonstrated here.

Segmentation is by far the most powerful tool for preventing lateral movement in public clouds. If you haven't had a chance to try Illumio, sign up for our free Test Drive to get full Azure visibility and enforcement.

For our customers, your Illumination map will show all Azure workloads as well as the ruleset for segmenting Azure SQL Database servers.

We would love to hear how you heard about this project and how it helped you, so please send us a note on our Slack channel, http://slack.illumiolabs.com, and subscribe to Illumio Labs for future updates.