Platform: Azure (Azure SQL Database)
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | Authentication is by SQL logins (user name and password sent inside the TDS protocol) or by Microsoft Entra ID (formerly Azure AD) tokens; there are no API keys. | Not applicable. Prefer Entra authentication so there is no long-lived secret to rotate; where SQL logins remain, rotate their passwords and keep them out of connection strings in source control. |
| Authentication & Authorization | IAM Integration | True | Azure RBAC governs the control plane (creating, configuring and deleting the logical server and its databases). Azure AD (Microsoft Entra ID) authentication covers the data plane: Entra users, groups and service principals are mapped to contained database users with `CREATE USER [name] FROM EXTERNAL PROVIDER` and then granted database roles. | An Entra admin must be set on the logical server before Entra principals can be added as users. Entra-only authentication can be enabled to disable SQL logins entirely. |
| Authentication & Authorization | MFA | True | MFA is enforced through Microsoft Entra Conditional Access when clients authenticate with Entra ID (interactive tools use the "Universal with MFA" / Entra MFA authentication mode). | Not available for SQL authentication: a SQL login with a password bypasses MFA and Conditional Access, which is the main reason to enable Entra-only authentication. |
| Authentication & Authorization | Service Account Support | True | System-assigned or user-assigned managed identities (and Entra service principals) can be mapped to database users, so applications authenticate with an Entra access token instead of a stored password. | A managed identity has no access until a database user is created for it (`CREATE USER ... FROM EXTERNAL PROVIDER`) and granted roles; grant least privilege (for example db_datareader) rather than db_owner. |
| Authentication & Authorization | Standard Protocols | True | Clients connect over the Tabular Data Stream (TDS) protocol inside TLS. SQL authentication carries credentials within TDS; Entra authentication presents an OAuth 2.0 access token issued by Microsoft Entra ID. | Azure SQL Database does not support Kerberos/Windows authentication; use Entra authentication instead. |
| Compliance & Certifications | Compliance Documentation | True | Audit reports and compliance guides are published through the Microsoft Trust Center and the Service Trust Portal. | Some audit reports (SOC, ISO) require signing in to the Service Trust Portal with a Microsoft account or tenant credentials. |
| Compliance & Certifications | Industry Certifications | True | Azure SQL Database is in scope for Azure's platform certifications, including ISO/IEC 27001, SOC 1/2/3, PCI DSS and FedRAMP. | Certification covers Microsoft's side of the shared-responsibility model; customer configuration (auditing, network access, key management) is still assessed separately. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Dynamic Data Masking (DDM) rewrites the values of designated columns (default, email, random and custom-string masks) in query results for users who lack the UNMASK permission. | DDM is presentation-layer masking, not encryption: the data is stored in clear text, db_owner and UNMASK holders see it unmasked, and Microsoft documents that a user with ad hoc query rights can infer masked values through predicates (e.g., `WHERE salary > 100000`). Use Always Encrypted where the service itself must not see plaintext. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Data Discovery & Classification scans column names, recommends sensitivity labels and information types, and lets you accept or assign them; once classified, columns appear with their labels in audit records when queried. | Classification is metadata only and protects nothing by itself; pair it with masking, permissions or encryption, and enable auditing so the labels show up in the audit log. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Database data stays in the selected region unless the customer configures active geo-replication or a failover group to another region. | Backups are the exception: backup storage redundancy defaults to geo-redundant storage, which copies backups to the paired region. Choose locally redundant or zone-redundant backup storage at creation time if backups must not leave the region. |
| Data Residency & Sovereignty | Data Location Transparency | True | The location of the database is visible in the Azure Portal. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can choose the Azure region where their SQL database will be deployed. | |
| Encryption | Encryption at Rest | True | Transparent Data Encryption (TDE) is enabled by default for new databases and encrypts data files, log files and backups with a service-managed key; customer-managed keys in Azure Key Vault (BYOK) are supported. Always Encrypted adds client-side column encryption so plaintext never reaches the service. | With customer-managed keys, losing access to the Key Vault key (key deleted, access revoked) makes the database inaccessible; enable soft-delete and purge protection on the vault and monitor key access. |
| Encryption | Encryption in Transit | True | All connections are encrypted with TLS; the server enforces encryption and a minimal TLS version can be set on the logical server (1.2 or higher recommended). | The client must also validate the server certificate: set `Encrypt=True` and `TrustServerCertificate=False` in connection strings, otherwise any certificate is accepted and the TLS channel can be intercepted. |
| Logging & Monitoring | Access Logging | True | Server- or database-level auditing records successful and failed logins (SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP and FAILED_DATABASE_AUTHENTICATION_GROUP) together with executed batches (BATCH_COMPLETED_GROUP); these are the default action groups. | Off by default. Must be enabled per server or per database with a target of Azure Storage, Log Analytics or Event Hubs. |
| Logging & Monitoring | Audit Logging | True | Auditing writes the configured action groups (schema changes, permission changes, executed statements and more) to the chosen target for investigation and compliance. | Off by default. Server-level auditing applies to every database on the logical server; database-level auditing adds to it rather than replacing it. |
| Logging & Monitoring | Log Retention | True | For an Azure Storage target the retention period is set in days on the auditing policy (0 means unlimited); for a Log Analytics target it is governed by the workspace retention setting. | Retention is per target; check it on every target in use and make sure it meets your compliance minimum. |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor provides metrics and alerting for Azure SQL Database. | |
| Network Security | API Gateway Integration | True | Azure API Management can front a REST API (an Azure Functions, App Service or Data API builder endpoint) that queries the database; APIM does not terminate the TDS protocol itself. | Indirect: the API layer, not APIM, holds the database access, so it should use a managed identity and a least-privilege database user rather than an embedded SQL login. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | Server-level and database-level IP firewall rules restrict which public IP ranges can reach the server; virtual network rules (service endpoints) admit specific subnets. Access is denied by default until a rule matches. | The "Allow Azure services and resources to access this server" setting is stored as a 0.0.0.0-0.0.0.0 rule and admits traffic from any Azure subscription, including other tenants; leave it off and use private endpoints or VNet rules. Avoid broad ranges such as 0.0.0.0-255.255.255.255. |
| Network Security | Private Access | True | A private endpoint gives the logical server a private IP address in a VNet, so clients connect over Private Link without using the public endpoint. | Creating a private endpoint does not close the public endpoint: also set Public network access to Disabled, and ensure DNS resolves the server name to the private IP (the privatelink.database.windows.net zone). |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API follows Microsoft's SDL. | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the SQL Database service. | Microsoft manages the service. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft Defender for SQL provides SQL Vulnerability Assessment (a rule set covering permissions, configuration and surface area, with baselines to accept approved deviations) and Advanced Threat Protection, which alerts on anomalous access patterns and potential SQL injection. | Paid add-on that must be enabled at the server or subscription level; findings are only as current as the last recurring scan, so keep recurring scans on. |
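The caveats in the table above (minimal TLS version, Entra-only authentication, the 0.0.0.0 "Allow Azure services" firewall rule, public access left on beside a private endpoint, auditing and retention, TDE, Defender for SQL) can be turned into a mechanical posture check. The Python below is an added example written for this page, not code from Microsoft or from any Azure tooling. Its inputs are constructed records; the field names are the author's own and only loosely follow what `az sql server show` and `az sql server firewall-rule list` return, and the 90-day retention floor and the /24 limit on a single firewall rule are assumptions chosen for illustration.

```python
"""Offline posture check for an Azure SQL logical server against the controls above.

Added example; the configuration records are CONSTRUCTED and the field names and
thresholds are assumptions, not an Azure API.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

MIN_AUDIT_RETENTION_DAYS = 90   # assumption: compliance floor for audit logs
MAX_RULE_HOSTS = 256            # assumption: one rule wider than a /24 is too broad


@dataclass
class FirewallRule:
    name: str
    start_ip: str
    end_ip: str


@dataclass
class SqlServerConfig:
    minimal_tls_version: str        # "1.0", "1.1", "1.2", ...
    public_network_access: str      # "Enabled" or "Disabled"
    entra_only_auth: bool           # Microsoft Entra-only authentication
    private_endpoint: bool          # a Private Link endpoint exists
    auditing_enabled: bool
    audit_retention_days: int       # 0 = unlimited on a storage target
    tde_enabled: bool
    defender_for_sql: bool
    firewall_rules: list[FirewallRule] = field(default_factory=list)


def _tls_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def evaluate(cfg: SqlServerConfig) -> list[str]:
    """Return one finding per control that is weaker than the table's caveats."""
    findings: list[str] = []

    if _tls_tuple(cfg.minimal_tls_version) < (1, 2):
        findings.append(f"TLS: minimal version {cfg.minimal_tls_version} permits downgrade; require 1.2 or higher")

    if not cfg.entra_only_auth:
        findings.append("AUTH: SQL logins still enabled; a password login bypasses Entra MFA and Conditional Access")

    for rule in cfg.firewall_rules:
        start, end = ipaddress.ip_address(rule.start_ip), ipaddress.ip_address(rule.end_ip)
        span = int(end) - int(start) + 1
        if int(start) == 0 and int(end) == 0:
            # The portal's "Allow Azure services..." toggle is stored as this rule.
            findings.append(f"FIREWALL: rule '{rule.name}' (0.0.0.0-0.0.0.0) admits any Azure tenant")
        elif span > MAX_RULE_HOSTS:
            findings.append(f"FIREWALL: rule '{rule.name}' spans {span} addresses")

    if cfg.private_endpoint and cfg.public_network_access == "Enabled":
        findings.append("NETWORK: private endpoint present but public network access is still Enabled")

    if not cfg.auditing_enabled:
        findings.append("AUDIT: auditing is off; login and batch events are not recorded")
    elif 0 < cfg.audit_retention_days < MIN_AUDIT_RETENTION_DAYS:
        findings.append(f"AUDIT: retention of {cfg.audit_retention_days} days is below {MIN_AUDIT_RETENTION_DAYS}")

    if not cfg.tde_enabled:
        findings.append("ENCRYPTION: TDE disabled; data files and backups are stored in clear text")
    if not cfg.defender_for_sql:
        findings.append("VULN: Defender for SQL off; no vulnerability assessment or threat detection")
    return findings


# Constructed sample configurations (not real servers).
WEAK = SqlServerConfig(
    minimal_tls_version="1.0", public_network_access="Enabled", entra_only_auth=False,
    private_endpoint=True, auditing_enabled=True, audit_retention_days=30,
    tde_enabled=True, defender_for_sql=False,
    firewall_rules=[
        FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),   # the Azure-services toggle
        FirewallRule("office", "203.0.113.0", "203.0.113.255"),           # exactly a /24: accepted
        FirewallRule("everything", "0.0.0.0", "255.255.255.255"),         # the whole IPv4 space
    ],
)
HARDENED = SqlServerConfig(
    minimal_tls_version="1.2", public_network_access="Disabled", entra_only_auth=True,
    private_endpoint=True, auditing_enabled=True, audit_retention_days=365,
    tde_enabled=True, defender_for_sql=True,
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(evaluate(cfg))} finding(s)")
        for line in evaluate(cfg):
            print("  -", line)
```

In practice you would populate `SqlServerConfig` from the Azure CLI or SDK output for each logical server and run `evaluate` in CI or a scheduled job; the hardened record shows the target state the table's caveats describe, and the weak record shows how the individual misconfigurations surface as separate findings.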