4

I am hosting a web application and SQL server database on Azure and I would like to ensure that no individual at the company can access customer data without the access being logged. It seems that with all the security options in Azure there is always a way for at least one admin with malicious intent can gain access to keys and anonymously access the data or storage of the data. What option are there to secure the data from access without an audit log?

(This scope of this question does not include the trust in the cloud provider and is specifically only concerned with securing against employees of the technology company)

Improve this question
1
  • 1
    Keep in mind that when you run your SQL database on Microsoft's servers, a sufficiently paranoid compliance concept also needs to address the possibility of Microsoft employees accessing your data. Commented Jan 27, 2016 at 15:11

2 Answers 2

Reset to default
2

If there's a way to access data without an audit log, secure the credentials required to access it that way and audit their access. Software such as Vault is geared toward this. Physical control of an MFA token such as storing it on a YubiKey and then putting that in a safe place with somebody who doesn't control the password would provide you with dual control.

Improve this answer
1
  • @jbferland, thanks for the suggestion. The challenge with that is securing the keys or secrets on the web server itself. The system must at some time access the key vault by itself to decrypt the data. I do not see a mechanism that prevents an admin from pulling the secrets from the server or recording the secrets when they create the server initially. They can impersonate the server and access the keys/data looking like they are the application. Commented Jan 27, 2016 at 20:52
1

I think it's going to be extremely difficult, if not impossible to do this.

Think about ALL the places where customer data exists, or can be accessed from:

Production SQL servers. Development SQL servers. Backup servers. Production webservers. Development webservers.

You probably are already auditing production webservers. But what about development webservers, and is the audit trail preserved, or does it get blown away when you refresh the environment?

Even then, you'd still need audit trails on both your SQL servers, and backup servers. This may or may not be even possible depending on what you're using for your SQL server, and for backup.

In essence, auditing all access to data isn't a trivial task because data needs to flow around easily to get work done, and auditing of any access it isn't built into every product.

Improve this answer
12
  • "what about development webservers" There shouldn't ever be PII on development webservers. Databases contents should be mocked mercilessly and often. If the database contents were a person, you'd want them to accuse you of harassment for all the mockery. Commented Jan 27, 2016 at 18:44
  • 1
    @ParthianShot And the world shouldn't contain any SQL injection attacks either, since it's been a well understood problem with known solutions for more than a decade. The real world is quite different from the way things "should be". Commented Jan 27, 2016 at 19:59
  • @SteveSether hit the nail on the head with the real world comment... Commented Jan 27, 2016 at 22:56
  • The point about consumer data in fact being stored in non-production databases by plenty of security-sloppy organizations is a good one, certainly. But @Partian Shot's point is certainly correct as well. If you have customer data on non-production systems you have a far more urgent problem than the one the OP asks about. Commented Jan 27, 2016 at 23:51
  • @halfinformed Like everything in security, it depends. Not all customer data is sensitive enough to restrict all access to it to a small amount of people. Commented Jan 28, 2016 at 2:48

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.