MarcGeorge-9076 asked JarvanZhang-MSFT edited

Has OData Become FIPS Compliant Accessing Azure SQL?

When externally accessing Azure databases from a Xamarin app, is OData now FIPS compliant? Can it be? If so, what is necessary to be done? If not, what are the alternatives?

dotnet-xamarin azure-sql-database

Thanks @marcgeorge-9076 for using Microsoft Q&A!
Sorry, but if I understand your question correctly, you can find information about SQL being FIPS over [here][1]. As per the document, Microsoft attests to Azure SQL Database and SQL Managed Instance as being FIPS 140-2 Level 1 compliant.

Thanks
Saurabh

0 Votes 0 ·

@SaurabhSharma-msft Per NIST, the "Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks."

What I am trying to do is determine if using OData from my Xamarin app meets the security requirements for use of "ports and interfaces; roles, services, and authentication" of the Azure SQL databases and managed instances. Several years ago it wasn't but was supposed to be under development.




0 Votes 0 ·

@MarcGeorge-6477 Thanks for sharing details.
@LeonLu-MSFT Do you have any insights on this?

Thanks
Saurabh

0 Votes 0 ·

Hi, MarcGeorge-9076. Please don't make the application connect to the remote database directly.

A mobile app should not connect directly to a database of any sort. There are many reasons for this, but the most important is security. A mobile app is a client-based app, not a server-based app. As such, a mobile app can try to connect from almost any IP address, so that would require allowing the database to accept connections from any IP address, and it would also potentially expose the database connection strings and username/password info to the internet at large, which is not a good idea. Also, databases generally depend on low-latency connections that one cannot guarantee in a mobile app, as it may be on poor Wi-Fi networks or cellular networks.

As such it is definitely best practice to create a web service that the mobile client app connects to, and that web service would then connect to the database to fetch the database results and forward those results to the client app. In this way, the database only has to allow connections from the known IP address(es) of the web service server, and the connection from the web service to the database will be on a steady, fast, wired connection. Also this allows the web service to perform additional security checks when a request for data is received.

To create a web service API, you could check this doc: ASP.NET app with Azure SQL Database - Azure App Service | Microsoft Docs

0 Votes 0 ·

Thanks @jarvanzhang-msft
@marcgeorge-6477 Please let me know if you have any other questions.

0 Votes 0 ·

@JarvanZhang-MSFT @SaurabhSharma-msft Thanks for the reply, but my question hasn't been answered. I wasn't asking for architectural suggestions. OData is part of the .NET APIs like WCF, not a direct connection to SQL.


0 Votes 0 ·

Hi, are you looking for the Microsoft security compliance service? Please check the following doc:
https://www.microsoft.com/en-us/msservices/security?activetab=pivot1%3aprimaryr4

0 Votes 0 ·

0 Answers