| 1 | +### YamlMime:ModuleUnit |
| 2 | +uid: learn.wwl.implement-data-security-compliance.knowledge-check |
| 3 | +title: Module assessment |
| 4 | +metadata: |
| 5 | + ai_generated_module_assessment: true |
| 6 | + title: Module assessment |
| 7 | + description: Knowledge check for implementing data security and compliance in SQL databases. |
| 8 | + ms.date: 02/05/2026 |
| 9 | + author: JulianePadrao |
| 10 | + ms.author: jupadrao |
| 11 | + ms.topic: unit |
| 12 | + module_assessment: true |
| 13 | +azureSandbox: false |
| 14 | +labModal: false |
| 15 | +durationInMinutes: 5 |
| 16 | +quiz: |
| 17 | + questions: |
| 18 | + - content: "A financial services company needs to protect credit card numbers stored in an Azure SQL Database. The application must be able to perform equality searches on the encrypted column, but database administrators should not be able to view the plaintext values. Which encryption approach should you recommend?" |
| 19 | + choices: |
| 20 | + - content: "Transparent Data Encryption (TDE)" |
| 21 | + isCorrect: false |
| 22 | + explanation: "Incorrect. TDE encrypts data at rest but doesn't protect data from users with database access. Administrators with SELECT permissions can still view plaintext values." |
| 23 | + - content: "Always Encrypted with deterministic encryption" |
| 24 | + isCorrect: true |
| 25 | + explanation: "Correct. Always Encrypted keeps encryption keys outside the database engine, preventing even administrators from viewing plaintext. Deterministic encryption allows equality comparisons needed for searches." |
| 26 | + - content: "Column-level encryption with symmetric keys" |
| 27 | + isCorrect: false |
| 28 | + explanation: "Incorrect. Column-level encryption stores keys within the database. Users with appropriate permissions to the symmetric key can decrypt the data, including administrators." |
| 29 | + - content: "Always Encrypted with randomized encryption" |
| 30 | + isCorrect: false |
| 31 | + explanation: "Incorrect. While Always Encrypted with randomized encryption protects data from administrators, randomized encryption doesn't support equality searches or use in WHERE clauses." |
| 32 | + - content: "A retail company wants support staff to verify customer phone numbers by seeing only the last four digits. The actual phone numbers must remain unchanged in the database for billing system integration. Which security feature should you implement?" |
| 33 | + choices: |
| 34 | + - content: "Row-Level Security with a filter predicate" |
| 35 | + isCorrect: false |
| 36 | + explanation: "Incorrect. Row-Level Security filters which rows users can see, not which parts of column values. Support staff would either see the entire row or no row at all." |
| 37 | + - content: "A view that truncates phone numbers" |
| 38 | + isCorrect: false |
| 39 | + explanation: "Incorrect. While a view could display truncated numbers, this approach requires managing permissions on both the view and base table. It also doesn't prevent direct table access if permissions allow." |
| 40 | + - content: "Dynamic Data Masking with partial masking" |
| 41 | + isCorrect: true |
| 42 | + explanation: "Correct. Dynamic Data Masking with partial masking reveals only specified portions of the data (like the last 4 digits) while keeping the actual data unchanged. Users without UNMASK permission see the masked values." |
| 43 | + - content: "Always Encrypted with deterministic encryption" |
| 44 | + isCorrect: false |
| 45 | + explanation: "Incorrect. Always Encrypted completely encrypts values and doesn't support partial visibility. The billing system would also need the encryption keys to read the data." |
| 46 | + - content: "A multitenant SaaS application stores data for multiple customers in the same database tables. Each table includes a TenantID column. You need to ensure users can only query rows belonging to their own tenant, even if they write SELECT statements directly. Which implementation approach should you use?" |
| 47 | + choices: |
| 48 | + - content: "Create separate views for each tenant and grant SELECT only on views" |
| 49 | + isCorrect: false |
| 50 | + explanation: "Incorrect. Creating views per tenant doesn't scale well and requires view management for each new tenant. Users could still access base tables if they have permissions." |
| 51 | + - content: "Create a security policy with a filter predicate that checks TenantID against session context" |
| 52 | + isCorrect: true |
| 53 | + explanation: "Correct. Row-Level Security with a filter predicate automatically restricts query results based on the TenantID. The session context stores the authenticated tenant, and all queries are filtered transparently." |
| 54 | + - content: "Implement Dynamic Data Masking on the TenantID column" |
| 55 | + isCorrect: false |
| 56 | + explanation: "Incorrect. Dynamic Data Masking hides column values but doesn't filter rows. Users would still see all rows but with masked TenantID values, which doesn't provide data isolation." |
| 57 | + - content: "Use object-level permissions to deny SELECT on rows with other TenantIDs" |
| 58 | + isCorrect: false |
| 59 | + explanation: "Incorrect. Object-level permissions apply to entire objects (tables, views), not to individual rows. You cannot grant or deny permissions at the row level using standard permissions." |
| 60 | + - content: "A development team needs to deploy an Azure App Service that connects to Azure SQL Database. The security policy requires eliminating stored credentials from application configuration. What authentication method should the team implement?" |
| 61 | + choices: |
| 62 | + - content: "SQL authentication with credentials stored in Azure Key Vault" |
| 63 | + isCorrect: false |
| 64 | + explanation: "Incorrect. While Key Vault protects credentials, this approach still involves credential management. Credentials must be rotated, and any compromise requires secret rotation." |
| 65 | + - content: "Microsoft Entra authentication with a service principal and client secret" |
| 66 | + isCorrect: false |
| 67 | + explanation: "Incorrect. Service principals with client secrets still require credential management. The client secret must be stored, rotated, and protected." |
| 68 | + - content: "System-assigned managed identity with Microsoft Entra authentication" |
| 69 | + isCorrect: true |
| 70 | + explanation: "Correct. Managed identity eliminates credentials entirely. Azure manages the identity lifecycle, and the App Service authenticates to Azure SQL without any stored secrets." |
| 71 | + - content: "Contained database user with a complex password" |
| 72 | + isCorrect: false |
| 73 | + explanation: "Incorrect. Contained users with passwords still require credential management. The password must be stored in configuration and rotated periodically." |
| 74 | + - content: "An organization needs to track all data modifications to a sensitive table for compliance purposes. The audit logs must be retained for seven years and protected from deletion by database administrators. For Azure SQL Database, which auditing configuration meets these requirements?" |
| 75 | + choices: |
| 76 | + - content: "Database audit specification writing to the Windows Application log" |
| 77 | + isCorrect: false |
| 78 | + explanation: "Incorrect. Windows Application log is only available for on-premises SQL Server, not Azure SQL Database. Additionally, local logs don't provide the required protection from administrator deletion." |
| 79 | + - content: "Azure SQL auditing to Blob Storage with immutable storage policy" |
| 80 | + isCorrect: true |
| 81 | + explanation: "Correct. Azure SQL auditing to Blob Storage with an immutable storage policy prevents log deletion even by administrators. Lifecycle management policies can ensure seven-year retention." |
| 82 | + - content: "Extended Events session capturing data modifications" |
| 83 | + isCorrect: false |
| 84 | + explanation: "Incorrect. While Extended Events can capture modifications, the session data doesn't provide built-in protection against deletion. Extended Events also requires more complex setup for long-term retention." |
| 85 | + - content: "SQL Server Audit writing to a file share" |
| 86 | + isCorrect: false |
| 87 | + explanation: "Incorrect. File-based auditing isn't available for Azure SQL Database. This option applies only to on-premises SQL Server and doesn't provide immutable storage guarantees." |
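Review bot: in the third question (multitenant Row-Level Security), the correct-answer explanation should state that the filter predicate reads a SESSION_CONTEXT value the application sets with `sp_set_session_context ... @read_only = 1`; the stem says "even if they write SELECT statements directly", and a reviewer will ask how a session-context predicate holds up when the user owns the connection and can set the context themselves. Suggest adding one sentence on the read-only flag and on the application connection being the trust boundary, and a mention that a block predicate is also needed if the same users can INSERT or UPDATE rows. Minor: in the fifth question the correct explanation credits "Lifecycle management policies" with seven-year retention, whereas it is the immutable storage (time-based retention) policy that guarantees the audit blobs cannot be deleted before the period ends; lifecycle management only tiers or expires them afterwards. Also minor: the second question's correct explanation could note that Dynamic Data Masking is an obfuscation layer for display, not encryption or access control, so it should be paired with least-privilege permissions on the base table.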