Synopsis: In this exercise, attendees will utilize Azure SQL features to data mask database data and utilize Azure Key Vault to encrypt sensitive columns for users and applications that query the database.
Task 1: Setup the database
- Return to the Azure portal window where you are logged in with your user account, not the Key Vault account.
- Navigate to your resource group by selecting Resource groups, entering your resource group name in the Filter box, and selecting it from the list.
- From the list of resources in your resource group, select the sampledb SQL database which was created by the ARM template you ran in the Before the hands-on lab exercise.
- In the summary section, select the Show database connection strings
- Take note of the connection string for later in this lab, specifically the Server parameter:
- Open SQL Server Management Studio.
- In the Connect to Server dialog:a. Server name: Enter the database server name from above
b. Authentication: Select SQL Server Authentication
c. Login: Enter wsadmin
d. Password: Enter p@ssword1rocks
e. Select Connect
- If presented with the New Firewall Rule dialog, select Sign In.
- Sign in as your Azure tenant admin.
- In the dialog, select OK, notice how your IP address will be added for connection.
- Right-select Databases, select Import Data-tier Application.
- In the Introduction dialog, select Next.
- Select Browse.
- Navigate to the extracted /Database directory, select the FourthCoffee.dacpac file.
- Select Open.
- On the Import Settings dialog, select Next.
- On the Database Settings dialog, select Next.
NOTE: If you get an error, close and re-open SSMS and try the import again.
- Select Finish, the database will deploy to Azure.
- Once completed, select Close.
- Ensure that the master database is selected.
- In SSMS, select File->Open->File.
- Browse to the extracted GitHub folder, select the \Database\00_CreateLogin.ps1 file.
- Press F5 to run the script to create a login called store.
- Ensure that the FourthCoffee database is selected.
- Browse to the extracted folder, select the \Database\01_CreateUser.ps1 file.
- Press F5 to run the script to create a non-admin user called store.
Task 2: Test the web application solution
- In the extracted directory, double-click the /WebApp/FourthCoffeeAPI/FourthCoffeeAPI.sln solution file to open the solution in Visual Studio 2017 Community edition.a. If prompted in the Visual Studio Version Selector, select Visual Studio 2017 as the program with which to open the solution.
b. Login to Visual Studio when prompted.
- In the Solution Explorer, navigate to and double select the web.config file to open it.
- In the web.config, locate the database connection string (line 72), and update the “data source” property to point to the FourthCoffee database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.
- Save the Web.config file.
- Run the FourthCoffeeAPI solution, press F5.
- In the browser window that opens, browse to http://localhost:[PORT-NUMBER]/api/CustomerAccounts, and you should get a JSON response that shows an unmasked credit card column:
NOTE: depending on your browser, you may need to download to view the JSON response.
Task 3: Utilize data masking
- Switch to the Azure Portal.
- Select SQL databases.
- Select the FourthCoffee database.
- In the menu, select Dynamic Data Masking, then select +Add Mask.
- In the Add masking rule blade, enter the following:a. Schema: Leave dbo selected
b. Table: Select CustomAccount
c. Column: Select CreditCardNumber
d. Masking field format: Select Credit card value (xxxx-xxxx-xxxx-1234)
e. Select Add.
- Select Save.
- Switch back to your FourthCoffeeAPI solution, refresh the page, you should see the CreditCardNumber column is now masked with xxxx-xxxx-xxxx-1234.
NOTE: If you do not see this, then you are logged in as a user with dbo privileges
- Close Visual Studio.
Task 4: Utilize column encryption with Azure Key Vault
- Switch to SQL Management Studio.
- In the extracted directory, navigate to the Database directory.
- Open the 02_PermissionSetup.sql file, copy and paste the TSQL to the Query Window.
- Switch to the FourthCoffee database, execute the SQL statement.
- In the Object Explorer, expand the FourthCoffee node.
- Expand the Tables node.
- Expand the CustomerAccount table node.
- Expand the Columns node.
- Right-click the CreditCardNumber column, select Encrypt Column.
- Select Next on the intro screen.
- Notice that the State of the column is such that you cannot add encryption (data masking):
- Select Cancel, then Yes to confirm.
- Switch back to the Azure Portal, select the CustomerAccount.CreditCardNumber data masking.
- Select Delete.
- Select Save.
- Switch back to SQL Management Studio.
- Right-click the CreditCardNumber column, select Encrypt Column.
- Check the checkbox next to the CreditCardNumber column.
- For the Encryption Type, select Deterministic.
- Select Next.
- For the encryption, select Azure Key Vault, in the dialog.
- Select Sign In.
- Sign in with your Azure Portal credentials.
- Select your Azure Key Vault.
- Select Next.
- On the Run Settings, leave Proceed to finish now selected, and select Next.
- Select Finish, the configured will start. If prompted, login using your Azure Portal credentials.
NOTE: You may receive a “wrapKey” error, if so, ensure that your account has been assigned that permissions in the Azure Key Vault.
- Select Close
- Right-click the CustomerAccount table, select Select top 1000 rows.
- You will notice the CreditCardNumber column is encrypted based on the new Azure Key Vault key.
- Switch to the Azure Portal.
- Select Key Vaults.
- Select your Azure Key Vault, then select Keys. You should see the key created from the SQL Management Studio displayed:
Task 5: Enable Azure SQL Auditing & Threat Detection
- In the Azure portal, select SQL Databases, and select the FourthCoffee database.
- Select Auditing & Threat Detection.
- For Auditing, toggle to ON.
- Select Storage details.
- Select Storage account, select your storage account.
- Select OK.
- For Threat Detection, toggle to ON.
- Enter your email address.
- Select Save.
Task 6: Ensure SQL Azure Transparent Data Encryption (TDE) is enabled
- Select Transparent data encryption.
- For data encryption, ensure that the toggle is set to ON.