Hyperconscious of the cloud's need to appear secure by design, Microsoft announced new encryption and data-protection features today for Azure SQL Database. Microsoft not only wants to encrypt data at rest; it's also attempting to provide other protections that matter more with data used in applications.
Azure SQL's new functionality falls into roughly three categories: encryption, data masking, and access security. Transparent Data Encryption (TDE) is the most obvious and most basic of them: it encrypts the database files, transaction log, and backups on disk, and Azure applies it automatically to geo-replicas and to backup/restore copies, so a replica or a backup is never left in the clear.
But at-rest encryption protects against only so much. If storage media are stolen or a server is physically accessed, the data is safe; TDE, however, decrypts transparently for every authenticated query, so it offers no defense against SQL injection, which rides the application's own connection and remains one of the most common and most fruitful attacks on databases. That said, Microsoft is also trying to add security layers outside the database itself, via auditing and threat-detection technology.
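To make the point concrete, here is an added T-SQL example (written for this page, not Microsoft's or the article's own code) that turns on TDE for a hypothetical Azure SQL database, confirms the encryption state, and then shows a stored procedure built with string concatenation leaking card numbers through an injected query regardless of TDE, beside the parameterized version that does not. The database name, table, rows, and procedures are all constructed for the demonstration.

```sql
-- Added example (not from the article or Microsoft). Database name, table,
-- sample rows and procedure names are hypothetical; run in SSMS or sqlcmd.

-- 1. Enable Transparent Data Encryption and verify it took effect.
ALTER DATABASE [PaymentsDb] SET ENCRYPTION ON;
GO
-- encryption_state 3 = encrypted, 2 = encryption in progress
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

-- 2. Sample table with sensitive data (constructed test rows).
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    Email      nvarchar(200) NOT NULL,
    CardNumber char(16)      NOT NULL
);
INSERT INTO dbo.Customer (Email, CardNumber) VALUES
    (N'alice@example.com', '4111111111111111'),
    (N'bob@example.com',   '5555555555554444');
GO

-- 3. VULNERABLE: query text is assembled from user input. TDE is transparent
--    to any authenticated query, so the injected branch returns plaintext.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Email nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END;
GO
-- Attacker-controlled input turns the lookup into a card dump:
EXEC dbo.FindCustomer_Vulnerable
    @Email = N'x'' UNION SELECT CustomerId, CardNumber FROM dbo.Customer --';
GO

-- 4. HARDENED: the value travels as a parameter, never as SQL text.
CREATE PROCEDURE dbo.FindCustomer_Safe @Email nvarchar(200)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE Email = @e',
        N'@e nvarchar(200)',
        @e = @Email;
END;
GO
-- The same payload is now just an e-mail address that matches no row.
EXEC dbo.FindCustomer_Safe
    @Email = N'x'' UNION SELECT CustomerId, CardNumber FROM dbo.Customer --';
GO
```

The second call of the vulnerable procedure returns both card numbers in the clear; the encryption on disk never enters into it, because decryption happens before the query engine sees the pages. Parameterization (or, at minimum, `QUOTENAME`/`REPLACE` escaping if dynamic SQL is unavoidable) is what closes that path, and it is an application-side fix that no server-side encryption setting substitutes for.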
The Always Encrypted feature is meant to address sensitive-data leakage of that kind. Individual columns (credit card numbers, say) are encrypted and decrypted in the client driver rather than in the database engine, with the column master key held in a key store the database never reaches, such as Azure Key Vault, so access to plaintext is governed by that store's permissions rather than by database roles. The application that owns the data works with it in the clear; DBAs and cloud operators who manage the database handle it only at arm's length, since the server stores, indexes, and returns nothing but ciphertext. The caveat is that the protection follows the keys, not the query: an injected query that runs over the application's own key-enabled connection can still read whatever that connection is allowed to decrypt.
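The following T-SQL is an added example of how the pieces fit together (not code from the article or from Microsoft): a column master key pointing at a hypothetical Azure Key Vault key, a column encryption key wrapped under it, and a table whose card-number column is encrypted with that key. The vault URL, key names, table, and the `ENCRYPTED_VALUE` bytes are placeholders; the real wrapped key is produced by client tooling (the SSMS wizard or the SqlServer PowerShell module), never by the server, because the server has no access to the master key.

```sql
-- Added example (not from the article or Microsoft). Vault URL, key names,
-- table and the ENCRYPTED_VALUE placeholder are hypothetical.

-- 1. Column master key (CMK): lives in Azure Key Vault, never in the database.
--    The database stores only this pointer; the client driver resolves it.
CREATE COLUMN MASTER KEY CMK_Payments
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://payments-kv.vault.azure.net/keys/AlwaysEncryptedCMK/<key-version>'
);
GO

-- 2. Column encryption key (CEK): stored in the database, but only as a blob
--    encrypted under the CMK. The server cannot unwrap it. The value below is
--    a placeholder; paste the bytes emitted by the client-side tooling.
CREATE COLUMN ENCRYPTION KEY CEK_Payments
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payments,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder, not a real wrapped key
);
GO

-- 3. Table with one encrypted column. DETERMINISTIC permits equality lookups
--    and joins (and requires a *_BIN2 collation on character columns);
--    RANDOMIZED leaks less but supports no comparisons at all.
CREATE TABLE dbo.Card (
    CardId     int IDENTITY PRIMARY KEY,
    CustomerId int NOT NULL,
    CardNumber char(16) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payments,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);
GO

-- 4. What a DBA sees. On an ordinary connection this returns varbinary
--    ciphertext; only a connection opened with
--    "Column Encryption Setting=Enabled" by a principal that can use the
--    Key Vault key gets plaintext, and the driver does that decryption.
SELECT CardId, CardNumber FROM dbo.Card;

-- 5. The catalog shows which columns are protected, without exposing data.
SELECT c.name, k.name AS cek, c.encryption_type_desc, c.encryption_algorithm_name
FROM sys.columns c
JOIN sys.column_encryption_keys k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Card');
```

Two practical consequences follow from the design. Inserts into `CardNumber` must be parameterized (the driver encrypts the parameter before sending it), so ad hoc `INSERT ... VALUES ('4111...')` statements fail, which is one reason Microsoft says the feature "may require some application changes". And a `WHERE CardNumber = @p` works only because the column is deterministic; a `LIKE` or range predicate on an encrypted column cannot be evaluated by the server at all.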
Dynamic Data Masking provides a little more flexibility. Here, nonprivileged users can query real data -- say, for testing and development -- but the most sensitive segments are masked in the results they get back, while privileged users granted the UNMASK permission see the originals. The masking options are limited to a few built-in functions (a full mask, a partial mask that keeps a prefix or suffix, an e-mail mask, and a random number); it appears that you can't plug in a custom function to generate data that must satisfy its own validation rules (such as a credit card number for testing, complete with CVV and expiration date). Nor is masking a security boundary: it rewrites the result set, not the query, so a user who can filter on a masked column can still test values against it. In the same vein is Row-Level Security, where a predicate evaluated for each row decides which rows a given user's queries return, so permissions apply to rows rather than to the whole table.
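The T-SQL below is an added example (not from the article or Microsoft) that applies both features to one hypothetical table: a partial mask on the card number and an e-mail mask for a test-and-development user, a demonstration of the inference gap that masking leaves open, and a row-level security policy that restricts each support principal to the rows of its own region. The table, rows, user names, and schema are all constructed for the example.

```sql
-- Added example (not from the article or Microsoft). Table, rows, users and
-- the Security schema are hypothetical; run in SSMS or sqlcmd.

CREATE TABLE dbo.Account (
    AccountId  int IDENTITY PRIMARY KEY,
    Email      nvarchar(200) NOT NULL,
    CardNumber char(16)      NOT NULL,
    Region     sysname       NOT NULL   -- matches a database user name
);
INSERT INTO dbo.Account (Email, CardNumber, Region) VALUES
    (N'alice@example.com', '4111111111111111', N'EMEA_Support'),
    (N'bob@example.com',   '5555555555554444', N'APAC_Support');
GO

-- 1. Dynamic Data Masking: built-in functions only. Keep the last four
--    digits of the card; reduce e-mail to first letter plus domain suffix.
ALTER TABLE dbo.Account ALTER COLUMN CardNumber
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)');
ALTER TABLE dbo.Account ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');
GO

CREATE USER TestDev WITHOUT LOGIN;            -- non-privileged dev/test user
GRANT SELECT ON dbo.Account TO TestDev;
EXECUTE AS USER = 'TestDev';
SELECT Email, CardNumber FROM dbo.Account;    -- aXXX@XXXX.com, XXXXXXXXXXXX1111

-- Caveat: masking rewrites results, not predicates. The masked user can still
-- probe the column and recover it one prefix at a time.
SELECT COUNT(*) AS hits FROM dbo.Account WHERE CardNumber LIKE '4111%';  -- 1
REVERT;
GO
-- Principals that legitimately need plaintext get it explicitly:
-- GRANT UNMASK TO AnalystRole;

-- 2. Row-Level Security: a schema-bound inline function is the predicate;
--    the security policy binds it to the table. dbo sees everything.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@Region AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @Region = USER_NAME() OR USER_NAME() = N'dbo';
GO
CREATE SECURITY POLICY Security.AccountRegionPolicy
    -- FILTER hides rows from SELECT/UPDATE/DELETE ...
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Account,
    -- ... BLOCK rejects updates that would move a row out of the caller's region
    ADD BLOCK PREDICATE Security.fn_RegionPredicate(Region) ON dbo.Account AFTER UPDATE
    WITH (STATE = ON);
GO

CREATE USER EMEA_Support WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.Account TO EMEA_Support;
EXECUTE AS USER = 'EMEA_Support';
SELECT AccountId, Email, Region FROM dbo.Account;   -- only alice's row
-- Affects 0 rows: bob's row is filtered out before the UPDATE ever sees it.
UPDATE dbo.Account SET Region = N'EMEA_Support' WHERE Email = N'bob@example.com';
-- Raises an error: the AFTER UPDATE block predicate rejects the new value.
UPDATE dbo.Account SET Region = N'APAC_Support' WHERE Email = N'alice@example.com';
REVERT;
GO
```

Note the interaction with the earlier point about application changes: the masks are invisible to the application, but the row filter changes what a query returns, so any code that assumes it can see the whole table (counts, pagination, reconciliation jobs) needs to run as a principal the predicate lets through. Block predicates, shown in the `AFTER UPDATE` clause, were added after filter predicates and may not be available in every service tier or version; check the product documentation for the one you run.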
Data protection technologies are no good if they aren't deployed, and one surefire barrier to uptake is to require that applications be rewritten to make use of them. Microsoft seems aware of this issue, as a company spokesperson stated in email: "Transparent Data Encryption, Dynamic Data Masking, and Threat Detection do not require any application changes. Each can be enabled with no impact to the application." On the other hand, Always Encrypted, Row Level Security, and Azure Active Directory authentication "may require some application changes."
Both Google and Amazon offer encryption at rest for their managed databases, but the more granular controls Azure is adding depend on the engine, so what a competitor can match is bounded by the database products it runs. Amazon RDS is the clearest example, since it offers several engines, including SQL Server and Oracle: Oracle has selective column-level encryption of its own, and Transparent Data Encryption has shipped with SQL Server since the 2008 release (an Enterprise edition feature at the time of writing). Google Cloud SQL currently runs only MySQL 5.5/5.6, so its data-protection features are limited to what those versions of MySQL provide.