
Commit dff8547

Merge pull request #307860 from msmbaldwin/sec-fundamentals-key-management
Refine Azure Security Fundamentals Articles and Update Links Ahead of Ignite
2 parents cf2ef39 + e5629de commit dff8547

17 files changed

Lines changed: 1275 additions & 1294 deletions

articles/azure-government/azure-secure-isolation-guidance.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -601,7 +601,7 @@ You can enable IPsec in addition to MACsec on your ExpressRoute Direct ports, as
601601
#### Traffic across Microsoft global network backbone
602602
Azure services such as Storage and SQL Database can be configured for geo-replication to help ensure durability and high availability especially for disaster recovery scenarios. Azure relies on [paired regions](../reliability/cross-region-replication-azure.md) to deliver [geo-redundant storage](../storage/common/storage-redundancy.md) (GRS) and paired regions are also recommended when configuring active [geo-replication](/azure/azure-sql/database/active-geo-replication-overview) for Azure SQL Database. Paired regions are located within the same geography; however, network traffic isn't guaranteed to always follow the same path from one Azure region to another. To provide the reliability needed for the Azure cloud, Microsoft has many physical networking paths with automatic routing around failures for optimal reliability.
603603

604-
Moreover, all Azure traffic traveling within a region or between regions is [encrypted by Microsoft using MACsec](../security/fundamentals/encryption-overview.md#data-link-layer-encryption-in-azure), which relies on AES-128 block cipher for encryption. This traffic stays entirely within the Microsoft [global network backbone](../networking/microsoft-global-network.md) and never enters the public Internet. The backbone is one of the largest in the world with more than 250,000 km of lit fiber optic and undersea cable systems.
604+
Moreover, all Azure traffic traveling within a region or between regions is [encrypted by Microsoft using MACsec](../security/fundamentals/encryption-overview.md#data-link-layer-encryption), which relies on AES-128 block cipher for encryption. This traffic stays entirely within the Microsoft [global network backbone](../networking/microsoft-global-network.md) and never enters the public Internet. The backbone is one of the largest in the world with more than 250,000 km of lit fiber optic and undersea cable systems.
605605

606606
> [!IMPORTANT]
607607
> You should review Azure **[best practices for the protection of data in transit](../security/fundamentals/data-encryption-best-practices.md#protect-data-in-transit)** to help ensure that all data in transit is encrypted. For key Azure PaaS storage services (for example, Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics), data encryption in transit is **[enforced by default](/azure/azure-sql/database/security-overview#transport-layer-security-encryption-in-transit)**.
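Review bot: the only change in this hunk is the anchor retarget at line 604, `#data-link-layer-encryption-in-azure` to `#data-link-layer-encryption`, and nothing in this commit view shows the matching heading rename in `encryption-overview.md` (that file is among the 17 changed but its hunk isn't displayed here). A stale anchor fails silently, the page still loads and just lands at the top, so please confirm the new heading id against the target file or run the repo's link checker on this article before merging. The unchanged line 607 in the same section also links into `data-encryption-best-practices.md#protect-data-in-transit`; if headings in the security fundamentals set were renamed in the same sweep, that anchor deserves the same check.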

articles/logic-apps/biztalk-server-migration-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -308,7 +308,7 @@ Based on the software vendor who implements the underlying service that a connec
308308

309309
Microsoft provides strong layers of protection by [encrypting data during transit](../security/fundamentals/encryption-overview.md#encryption-of-data-in-transit) and at rest. When Azure customer traffic moves between datacenters, outside physical boundaries that aren't controlled by Microsoft or on behalf of Microsoft, a data-link layer encryption method that uses [IEEE 802.1AE MAC Security Standards (MACsec)](https://1.ieee802.org/security/802-1ae/) applies from point-to-point across the underlying network hardware.
310310

311-
Microsoft gives you the option to use [Transport Layer Security (TLS) protocol](../security/fundamentals/encryption-overview.md#tls-encryption-in-azure) for protecting data that travels between cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity, which enables detection of message tampering, interception, and forgery along with interoperability, algorithm flexibility, and ease of deployment and use.
311+
Microsoft gives you the option to use [Transport Layer Security (TLS) protocol](../security/fundamentals/encryption-overview.md#tls-encryption) for protecting data that travels between cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity, which enables detection of message tampering, interception, and forgery along with interoperability, algorithm flexibility, and ease of deployment and use.
312312

313313
While this section focused on RESTful connectivity through connectors, you can implement SOAP web service connectivity through the custom connector experience or by using the API Management experience, which provides great SOAP capabilities. For more information, see [Increasing business value by integrating SOAP legacy assets with Azure logic Apps and Azure APIM](https://techcommunity.microsoft.com/t5/azure-integration-services-blog/increasing-business-value-by-integrating-soap-legacy-assets-with/ba-p/4238077).
314314
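Review bot: line 311 retargets `#tls-encryption-in-azure` to `#tls-encryption`, but the unchanged line 309 in the same paragraph links to `encryption-overview.md#encryption-of-data-in-transit`, so the heading edits in that file should be checked for both anchors, not only the one this hunk touches. Suggest verifying all three anchors into `encryption-overview.md` that this PR relies on (`#data-link-layer-encryption`, `#tls-encryption`, `#encryption-of-data-in-transit`) resolve in the post-merge file, since the source of truth for the rename isn't visible in these hunks.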

Lines changed: 34 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,57 +1,65 @@
11
---
2-
title: Azure database security checklist| Microsoft Docs
3-
description: Use the Azure database security checklist to make sure that you address important cloud computing security issues.
2+
title: Azure database security checklist
3+
description: Use the Azure database security checklist to ensure you address important cloud database security controls for Azure SQL Database and Azure SQL Managed Instance.
44
services: security
55
author: msmbaldwin
6-
manager: rkarlin
76

87
ms.service: security
98
ms.subservice: security-fundamentals
109
ms.topic: article
11-
ms.date: 09/29/2024
10+
ms.date: 11/04/2025
1211
ms.author: mbaldwin
1312
---
1413

1514
# Azure database security checklist
1615

17-
To help improve security, Azure Database includes many built-in security controls that you can use to limit and control access.
16+
To help improve security, Azure SQL Database and Azure SQL Managed Instance include built-in security controls that you can use to limit and control access, protect data, and monitor threats.
1817

1918
Security controls include:
2019

21-
* A firewall that enables you to create [firewall rules](/azure/azure-sql/database/firewall-configure) limiting connectivity by IP address,
22-
* Server-level firewall accessible from the Azure portal
23-
* Database-level firewall rules accessible from SSMS
24-
* Secure connectivity to your database using secure connection strings
25-
* Use access management
26-
* Data encryption
27-
* SQL Database auditing
28-
* SQL Database threat detection
20+
* Firewall rules limiting connectivity by IP address and virtual network
21+
* Microsoft Entra authentication for centralized identity management
22+
* Secure connectivity using TLS encryption
23+
* Access management and authorization
24+
* Data encryption at rest and in transit
25+
* Database auditing and threat detection
26+
* Advanced data security features
2927

3028
## Introduction
31-
Cloud computing requires new security paradigms that are unfamiliar to many application users, database administrators, and programmers. As a result, some organizations are hesitant to implement a cloud infrastructure for data management due to perceived security risks. However, much of this concern can be alleviated through a better understanding of the security features built into Microsoft Azure and Microsoft Azure SQL Database.
29+
30+
Cloud computing requires new security paradigms that may be unfamiliar to many application users, database administrators, and programmers. Organizations can leverage Azure SQL's comprehensive security features to protect sensitive data and meet regulatory compliance requirements.
3231

3332
## Checklist
34-
We recommend that you read the [Azure Database Security Best Practices](/azure/azure-sql/database/security-best-practice) article prior to reviewing this checklist. You'll be able to get the most out of this checklist after you understand the best practices. You can then use this checklist to make sure that you've addressed the important issues in Azure database security.
3533

34+
We recommend that you read the [Azure SQL Database security best practices](/azure/azure-sql/database/security-best-practice) article before reviewing this checklist. Understanding the best practices will help you get the most value from this checklist. Use this checklist to verify that you've addressed the important security controls in Azure database security.
3635

3736
|Checklist Category| Description|
3837
| ------------ | -------- |
3938
|**Protect Data**||
40-
| <br> Encryption in Motion/Transit| <ul><li>[Transport Layer Security](/windows-server/security/tls/transport-layer-security-protocol), for data encryption when data is moving to the networks.</li><li>Database requires secure communication from clients based on the [TDS(Tabular Data Stream)](/openspecs/windows_protocols/ms-tds/893fcc7e-8a39-4b3c-815a-773b7b982c50) protocol over TLS (Transport Layer Security).</li></ul> |
41-
|<br>Encryption at rest| <ul><li>[Transparent Data Encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview), when inactive data is stored physically in any digital form.</li></ul>|
39+
| <br> Encryption in transit| <ul><li>[Transport Layer Security (TLS)](/windows-server/security/tls/transport-layer-security-protocol) encrypts data in motion between clients and databases. Azure SQL requires TLS 1.2 or higher for secure connections.</li><li>Database requires secure communication from clients based on the TDS (Tabular Data Stream) protocol over TLS.</li></ul> |
40+
|<br>Encryption at rest| <ul><li>[Transparent Data Encryption (TDE)](/azure/azure-sql/database/transparent-data-encryption-tde-overview) encrypts data and log files at rest. TDE is enabled by default on all new Azure SQL databases.</li><li>[Bring Your Own Key (BYOK)](/azure/azure-sql/database/transparent-data-encryption-byok-overview) allows you to manage TDE encryption keys in Azure Key Vault.</li></ul>|
41+
|<br>Encryption in use| <ul><li>[Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) protects sensitive data by encrypting it within client applications. Encryption keys never reach the database engine, ensuring separation between data owners and data managers.</li><li>[Column-Level Encryption (CLE)](/sql/relational-databases/security/encryption/encrypt-a-column-of-data) encrypts specific columns using symmetric encryption for additional protection of sensitive data.</li></ul>|
4242
|**Control Access**||
43-
|<br> Database Access | <ul><li>[Authentication](/azure/azure-sql/database/logins-create-manage) (Microsoft Entra authentication) AD authentication uses identities managed by Microsoft Entra ID.</li><li>[Authorization](/azure/azure-sql/database/logins-create-manage) grant users the least privileges necessary.</li></ul> |
44-
|<br>Application Access| <ul><li>[Row level Security](/sql/relational-databases/security/row-level-security) (Using Security Policy, at the same time restricting row-level access based on a user's identity,role, or execution context).</li><li>[Dynamic Data Masking](/azure/azure-sql/database/dynamic-data-masking-overview) (Using Permission & Policy, limits sensitive data exposure by masking it to non-privileged users)</li></ul>|
43+
|<br> Database access | <ul><li>[Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview) provides centralized identity management with single sign-on (SSO) capabilities.</li><li>[SQL authentication](/sql/relational-databases/security/choose-an-authentication-mode) with strong passwords provides an alternative authentication method.</li><li>[Authorization](/azure/azure-sql/database/logins-create-manage) grants users the minimum privileges necessary using role-based access control.</li></ul> |
44+
|<br>Network access control| <ul><li>[Server-level IP firewall rules](/azure/azure-sql/database/firewall-configure) restrict access based on originating IP addresses.</li><li>[Database-level IP firewall rules](/azure/azure-sql/database/firewall-configure) provide granular access control per database.</li><li>[Virtual Network service endpoints](/azure/azure-sql/database/vnet-service-endpoint-rule-overview) allow connectivity from specific Azure virtual networks.</li><li>[Private Link](/azure/azure-sql/database/private-endpoint-overview) provides private connectivity to Azure SQL Database using a private IP address within your virtual network.</li></ul>|
45+
|<br>Application access control| <ul><li>[Row-Level Security (RLS)](/sql/relational-databases/security/row-level-security) restricts row-level access based on a user's identity, role, or execution context.</li><li>[Dynamic Data Masking](/azure/azure-sql/database/dynamic-data-masking-overview) limits sensitive data exposure by masking it to non-privileged users without changing the underlying data.</li><li>[Data Discovery and Classification](/azure/azure-sql/database/data-discovery-and-classification-overview) identifies, classifies, and labels sensitive data for improved protection and compliance.</li></ul>|
4546
|**Proactive Monitoring**||
46-
| <br>Tracking & Detecting| <ul><li>[Auditing](/azure/azure-sql/database/auditing-overview) tracks database events and writes them to an Audit log/ Activity log in your [Azure Storage account](../../storage/common/storage-account-create.md).</li><li>Track Azure Database health using [Azure Monitor Activity Logs](/azure/azure-monitor/essentials/platform-logs-overview).</li><li>[Threat Detection](/azure/azure-sql/database/threat-detection-configure) detects anomalous database activities indicating potential security threats to the database. </li></ul> |
47-
|<br>Microsoft Defender for Cloud| <ul><li>[Data Monitoring](../../security-center/security-center-remediate-recommendations.md) Use Microsoft Defender for Cloud as a centralized security monitoring solution for SQL and other Azure services.</li></ul>|
47+
| <br>Auditing and detection| <ul><li>[Auditing](/azure/azure-sql/database/auditing-overview) tracks database events and writes them to an audit log in your Azure Storage account, Log Analytics workspace, or Event Hubs.</li><li>Track Azure SQL Database health using [Azure Monitor](/azure/azure-monitor/essentials/platform-logs-overview) and diagnostic settings.</li><li>[Microsoft Defender for SQL](/azure/defender-for-cloud/defender-for-sql-introduction) detects anomalous database activities indicating potential security threats including SQL injection, brute-force attacks, and vulnerability exploits.</li></ul> |
48+
|<br>Vulnerability assessment| <ul><li>[Vulnerability Assessment](/azure/azure-sql/database/sql-vulnerability-assessment) discovers, tracks, and helps remediate potential database vulnerabilities.</li><li>Provides actionable security recommendations and risk reports for compliance.</li></ul>|
49+
|<br>Centralized security management| <ul><li>[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) provides centralized security monitoring and management for Azure SQL Database and other Azure services.</li><li>Security recommendations based on the [Microsoft cloud security benchmark](/security/benchmark/azure/introduction).</li></ul>|
50+
|**Data Integrity**||
51+
|<br>Ledger capability| <ul><li>[Ledger](/sql/relational-databases/security/ledger/ledger-overview) provides tamper-evident capabilities by creating an immutable record of database transactions.</li><li>Helps meet compliance requirements for data integrity verification.</li></ul>|
4852

4953
## Conclusion
50-
Azure Database is a robust database platform, with a full range of security features that meet many organizational and regulatory compliance requirements. You can easily protect data by controlling the physical access to your data, and using various options for data security at the file-, column-, or row-level with Transparent Data Encryption, Cell-Level Encryption, or Row-Level Security. Always Encrypted also enables operations against encrypted data, simplifying the process of application updates. In turn, access to auditing logs of SQL Database activity provides you with the information you need, allowing you to know how and when data is accessed.
54+
55+
Azure SQL Database and Azure SQL Managed Instance provide robust database platforms with comprehensive security features meeting organizational and regulatory compliance requirements. You can protect data throughout its lifecycle—at rest, in transit, and in use—using Transparent Data Encryption, Always Encrypted, and TLS. Fine-grained access controls including Row-Level Security, Dynamic Data Masking, and Microsoft Entra authentication ensure only authorized users access sensitive data. Continuous monitoring through auditing, Microsoft Defender for SQL, and Vulnerability Assessment helps identify and remediate security threats proactively.
5156

5257
## Next steps
53-
You can improve the protection of your database against malicious users or unauthorized access with just a few simple steps. In this tutorial you learn to:
5458

55-
* Set up [firewall rules](/azure/azure-sql/database/firewall-configure) for your server and or database.
56-
* Protect your data with [encryption](/sql/relational-databases/security/encryption/sql-server-encryption).
57-
* Enable [SQL Database auditing](/azure/azure-sql/database/auditing-overview).
59+
You can improve the protection of your database against malicious users or unauthorized access with a few simple steps:
60+
61+
* Configure [firewall rules](/azure/azure-sql/database/firewall-configure) for your server and databases
62+
* Protect your data with [encryption](/sql/relational-databases/security/encryption/sql-server-encryption)
63+
* Enable [SQL Database auditing](/azure/azure-sql/database/auditing-overview)
64+
* Enable [Microsoft Defender for SQL](/azure/defender-for-cloud/defender-for-sql-introduction) for threat detection
65+
* Review [security best practices](/azure/azure-sql/database/security-best-practice)
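Review bot: the new overview bullets at lines 20+ to 26+ no longer line up with the checklist table that follows; line 26+ adds "Advanced data security features", which has no corresponding table row and reuses the retired "Advanced Data Security" product name (now Microsoft Defender for SQL, which line 47+ already names), while the new Data Integrity / Ledger row at lines 50+ to 51+ gets no bullet at all. Suggest replacing line 26+ with something the table actually backs, for example "Vulnerability assessment and ledger", or dropping it. Two smaller points in the same hunk: line 43+ lists "SQL authentication with strong passwords" as a peer of Microsoft Entra authentication in a security checklist without saying that SQL authentication can be disabled (Microsoft Entra-only authentication), which is the control a checklist reader would want; and line 39+ asserts "Azure SQL requires TLS 1.2 or higher" with no link, and the row never tells the reader the client-side half of the check (`Encrypt=True` with `TrustServerCertificate=False` in the connection string), which is where a downgrade or interception actually succeeds. Finally, line 61+ still points the encryption step at the generic SQL Server encryption article, although the page is now explicitly scoped to Azure SQL Database and Managed Instance; the TDE overview linked at line 40+ is the better target.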
