Compliance Controls & Advanced Security
Security Feature Architecture Map
Data Classification
Discovers, labels, and protects sensitive data columns.
| Label | Example Data | Sensitivity |
|---|---|---|
| Public | Product names, categories | Low |
| General | Employee names, department | Medium |
| Confidential | Email addresses, phone numbers | High |
| Highly Confidential | SSN, credit card, medical records | Critical |
How it works:
- Azure SQL scans columns using built-in patterns (SSN, credit card, email, etc.)
- Recommends classifications → you accept or customize
- Labels are stored as extended properties on columns
- Integrated with auditing — queries on classified data are logged with sensitivity labels
Data Classification is informational — it does NOT enforce access control. It works with Auditing to track who accessed sensitive data. For enforcement, combine with RLS (row filtering) or Dynamic Data Masking (column masking).
Always Encrypted with VBS Enclaves
Standard Always Encrypted has limitations (no LIKE, no range queries). VBS Enclaves solve this.
| Capability | Standard AE | AE with Enclaves |
|---|---|---|
Equality (=) | ✅ (deterministic) | ✅ |
LIKE / pattern match | ❌ | ✅ |
Range (>, <, BETWEEN) | ❌ | ✅ |
ORDER BY / GROUP BY | ❌ | ✅ |
| In-place encryption | ❌ (requires client) | ✅ (in enclave) |
| Index creation on encrypted | ❌ | ✅ |
If the exam says "encrypt columns but still need LIKE or range queries" → Always Encrypted with VBS Enclaves. Standard AE only supports equality comparisons.
Database Ledger
Provides tamper-proof audit trail using cryptographic hashing. Proves data hasn't been modified.
Two types:
- Updatable ledger tables — normal DML allowed, but all changes are cryptographically recorded
- Append-only ledger tables — INSERT only (no UPDATE/DELETE)
Use case: Financial records, regulatory compliance, legal evidence where you must prove data integrity.
Ledger is NOT encryption — it's integrity verification. It proves data hasn't been tampered with after the fact. For encryption → TDE or Always Encrypted. For access control → RLS. For tamper-proof audit → Ledger.
Change Tracking vs Change Data Capture
| Feature | Change Tracking (CT) | Change Data Capture (CDC) |
|---|---|---|
| What it tells you | Which rows changed (PK only) | What changed (old + new values) |
| Performance impact | Low | Medium |
| Storage | Minimal (PK + version) | Higher (full change records) |
| Cleanup | Automatic | Automatic (configurable retention) |
| Async | Synchronous | Asynchronous (reads log) |
| Available on | SQL DB, MI, VM | MI, VM (SQL DB: limited) |
| Best for | Sync scenarios (Data Sync) | ETL, auditing, replication |
CT = "did this row change?" (lightweight, for sync). CDC = "what exactly changed and when?" (detailed, for ETL/audit). The exam tests whether you can choose the right one based on requirements.
Microsoft Purview Integration
Purview provides unified data governance across your entire Azure estate.
| Purview Feature | What It Does for SQL |
|---|---|
| Data Map | Auto-discovers and catalogs SQL databases, schemas, tables |
| Data Classification | Scans and labels sensitive data in SQL databases |
| Data Lineage | Tracks data flow from source → transforms → SQL |
| Access Policies | Enforce access governance from Purview (preview) |
Microsoft Defender for SQL — Deep Dive
| Feature | What It Detects |
|---|---|
| Vulnerability Assessment | Weak passwords, excessive permissions, unencrypted sensitive columns, missing TDE |
| Advanced Threat Protection | SQL injection attempts, anomalous access patterns, brute-force login, data exfiltration |
| Security Alerts | Real-time alerts to email, Security Center, SIEM |
Defender for SQL = Vulnerability Assessment + Advanced Threat Protection in one package. If the exam asks about "detecting SQL injection" → ATP. "Finding misconfigured databases" → Vulnerability Assessment. "Both" → Defender for SQL.