I talk a lot on this blog about Azure SQL and its usage as a PaaS database engine for many applications, including Microsoft Dynamics NAV.
One of the latest features (currently in Preview) of Azure SQL is Data Discovery and Classification, which is used for discovering, classifying, labeling & protecting the sensitive data in your databases.
SQL Information Protection (SQL IP) introduces a set of advanced services and new SQL capabilities, forming a new information protection paradigm in SQL aimed at protecting the data, not just the database:
- Discovery & recommendations – The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an easy way to review and apply the appropriate classification recommendations via the Azure portal.
- Labeling – Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
- Monitoring/Auditing – Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data (currently in Azure SQL DB only).
- Visibility – The database classification state can be viewed in a detailed dashboard in the portal. Additionally, you can download a report (in Excel format) to be used for compliance & auditing purposes, as well as other needs.
From the Azure Portal, select your Azure SQL Database instance and on the blade select Data discovery & classification:
The Azure SQL database is scanned: the built-in automated classification engine identifies columns containing potentially sensitive data and provides a list of classification recommendations. These can be easily applied as sensitivity metadata on top of columns, using new column sensitivity attributes that have been added to the SQL engine. You can also manually classify & label your columns:
You can accept all the proposed recommendations (by clicking on the Accept selected recommendations button):
or select a classification for a particular column by clicking on Add Classification and set the column and the sensitivity label:
To complete your classification and persistently tag the database columns with the new classification metadata, click on Save in the top menu of the window.
After saving the classification, on the Overview tab you have a clear representation of the confidentiality state of your database:
You can also export the report in Excel format:
This is the Excel report you obtain:
Obviously, this works with every SQL database, including NAV databases. I think this is a very cool way to get a GDPR-compliance overview of your database and take action accordingly.
One last interesting note: similar capabilities are also being introduced for on-premises SQL Server via SQL Server Management Studio. Data Discovery & Classification is supported for SQL Server 2008 and later.
More details on using SQL Information Protection can be found in:
- Azure SQL Database: Getting Started Data Discovery & Classification
- SQL Server (on-prem): Getting Started with Data Discovery & Classification