Azure Cosmos DB Security – Nonrelational Databases in Azure
Azure Cosmos DB Security
Data security for Azure Cosmos DB is implemented at multiple levels in Azure. Just as with data stored in a relational database in Azure, unauthorized access to Azure Cosmos DB is prevented using network isolation and identity management. Data stored in Azure Cosmos DB is also encrypted at rest and in transit to protect data from malicious activity. The following sections examine the methods Azure uses to secure data stored in Azure Cosmos DB in further detail.
Network Isolation
We briefly examined the two network isolation options for Azure Cosmos DB while going over how to deploy an account using the Azure Portal. These options include the following:
- Using the Azure Cosmos DB firewall to set IP-based access controls that restrict communication to an approved set of IP addresses. This can be taken a step further by allowing access for entire subnets by enabling the Azure Cosmos DB service endpoint on them.
- Assigning a private IP address from a VNet to the Azure Cosmos DB account by using a private endpoint. This restricts access to applications that can communicate with the VNet the private endpoint is associated with.
While there is an option to open Azure Cosmos DB access to requests from any network, the security implications of that setting should be weighed before it is used. Security requirements are rarely satisfied by access management and data encryption alone. Network isolation is an important design consideration and should be discussed when building a data-driven solution that uses Azure Cosmos DB.
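As an added example (not code from the original article), the following Python audits the network-isolation settings of an account as they appear in the JSON that `az cosmosdb show` returns. It assumes the camelCase property names of that output (`publicNetworkAccess`, `ipRules`, `isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `privateEndpointConnections`) and uses a constructed sample account rather than a real one.

```python
"""Classify how reachable an Azure Cosmos DB account is over the network."""
import ipaddress

# Constructed sample: an account left open to requests from any network.
OPEN_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "ipRules": [],
    "isVirtualNetworkFilterEnabled": False,
    "virtualNetworkRules": [],
    "privateEndpointConnections": [],
}


def _ip_rule_findings(ip_rules):
    """Flag firewall entries that are broader than a single site's egress."""
    findings = []
    for rule in ip_rules:
        cidr = rule.get("ipAddressOrRange", "")
        if cidr == "0.0.0.0":
            # Special value: admits traffic from Azure datacenter ranges.
            findings.append("rule 0.0.0.0 allows any Azure datacenter IP")
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"unparseable IP rule {cidr!r}")
            continue
        if net.num_addresses > 256:
            findings.append(f"broad IP rule {cidr} ({net.num_addresses} addresses)")
    return findings


def audit_network_isolation(account):
    """Return (exposure, findings) for one account's network properties."""
    public = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    ip_rules = account.get("ipRules") or []
    vnet_rules = account.get("virtualNetworkRules") or []
    vnet_filter = bool(account.get("isVirtualNetworkFilterEnabled"))
    private = bool(account.get("privateEndpointConnections"))
    findings = _ip_rule_findings(ip_rules)
    if vnet_rules and not vnet_filter:
        findings.append("virtualNetworkRules present but VNet filter disabled")
    if not public:
        # IP and VNet rules are irrelevant once public access is off.
        exposure = "private-endpoint-only" if private else "public-disabled"
    elif not ip_rules and not (vnet_filter and vnet_rules):
        exposure = "any-network"
        findings.append("public access enabled with no IP or VNet restriction")
    else:
        exposure = "restricted"
    return exposure, findings
```

Run it over every account in a subscription and any result of `any-network` is a candidate for the firewall, service endpoint or private endpoint options described above.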
Access Management
Azure Cosmos DB provides three approaches to control data access: key-based access control, role-based access control (RBAC), and resource tokens. Not only does each of these options restrict access to users who should have it, it also determines whether the user has read-write or read-only access to database objects. The following sections provide an overview of these options.