SQL information protection policy in Azure Security Center

SQL information protection's data discovery and classification mechanism provides advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It's built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.

The classification mechanism is based on the following two elements:

  • Labels – The main classification attributes, used to define the sensitivity level of the data stored in the column.
  • Information Types – Provide additional granularity into the type of data stored in the column.

The information protection policy options within Security Center provide a predefined set of labels and information types which serve as the defaults for the classification engine. You can customize the policy, according to your organization's needs, as described below.

Important

To customize the information protection policy for your Azure tenant, you'll need administrative privileges on the tenant's root management group. Learn more in Gain tenant-wide visibility for Azure Security Center.

The page showing your SQL information protection policy

How do I access the SQL information protection policy?

There are three ways to access the information protection policy:

  • (Recommended) From the pricing and settings page of Security Center
  • From the security recommendation "Sensitive data in your SQL databases should be classified"
  • From the Azure SQL DB data discovery page

Each of these is shown in the relevant tab below.

Access the policy from Security Center's pricing and settings page

From Security Center's pricing and settings page, select SQL information protection.

Note

This option only appears for users with tenant-level permissions. Grant tenant-wide permissions to yourself.

Accessing the SQL Information Protection policy from the pricing and settings page of Azure Security Center

Customize your information types

To manage and customize information types:

  1. Select Manage information types.

    Manage information types for your information protection policy

  2. To add a new type, select Create information type. You can configure a name, description, and search pattern strings for the information type. Search pattern strings are keywords that can optionally contain the wildcard character '%'; the automated discovery engine matches them against the columns' metadata to identify sensitive data in your databases.

    Configure a new information type for your information protection policy

  3. You can also modify the built-in types by adding additional search pattern strings, disabling some of the existing strings, or by changing the description.

    Tip

    You can't delete built-in types or change their names.

  4. Information types are listed in order of ascending discovery ranking, meaning that the types higher in the list will attempt to match first. To change the ranking between information types, drag the types to the right spot in the table, or use the Move up and Move down buttons to change the order.

  5. Select OK when you are done.

  6. After you've finished managing your information types, be sure to associate the relevant types with the relevant labels by selecting Configure for a particular label and adding or deleting information types as appropriate.

  7. To apply your changes, select Save in the main Labels page.
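The procedure above configures three things the discovery engine depends on: search patterns with '%' wildcards, the ranking order of information types (higher in the list matches first), and the association between information types and labels. The following Python simulation is an added illustration of that behaviour, not the engine's own code or the built-in defaults; the type names, patterns and label mapping are constructed examples.

```python
import re
from dataclasses import dataclass, field


@dataclass
class InformationType:
    name: str
    patterns: list                      # search pattern strings; '%' is a wildcard
    enabled: bool = True
    disabled_patterns: set = field(default_factory=set)  # built-in strings you switched off


def pattern_to_regex(pattern):
    """Translate a search pattern string into a case-insensitive regex that must
    cover the whole column name; '%' matches any run of characters (assumption:
    the engine's exact matching rules are not on the page)."""
    parts = [re.escape(p) for p in pattern.split('%')]
    return re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE)


def classify_column(column_name, info_types, label_for_type):
    """Walk information types in discovery-ranking order (the list order IS the
    ranking) and return the first match as (information type, label)."""
    for itype in info_types:
        if not itype.enabled:
            continue
        for pat in itype.patterns:
            if pat in itype.disabled_patterns:
                continue
            if pattern_to_regex(pat).match(column_name):
                return itype.name, label_for_type.get(itype.name)
    return None, None


# Constructed policy (illustrative names and patterns, not the built-in defaults).
POLICY_TYPES = [
    InformationType("Credit Card", ["%credit%card%", "%ccn%"]),
    InformationType("National ID", ["%ssn%", "%social%security%"]),
    InformationType("Contact Info", ["%email%", "%phone%"]),
]
LABEL_FOR_TYPE = {
    "Credit Card": "Highly Confidential",
    "National ID": "Highly Confidential",
    "Contact Info": "Confidential",
}


def classify_columns(columns, info_types=POLICY_TYPES, labels=LABEL_FOR_TYPE):
    """Classify a list of column names; returns {column: (info type, label)}."""
    return {c: classify_column(c, info_types, labels) for c in columns}
```

A column such as credit_card_email matches both Credit Card and Contact Info, so the ranking decides which recommendation it gets; moving Contact Info above Credit Card changes the result.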

Exporting and importing a policy

You can download a JSON file with your defined labels and information types, edit the file in the editor of your choice, and then import the updated file.

Exporting and importing your information protection policy

Note

You'll need tenant-level permissions to import a policy file.

Manage SQL information protection using Azure PowerShell

Next steps

In this article, you learned about defining an information protection policy in Azure Security Center. To learn more about using SQL Information Protection to classify and protect sensitive data in your SQL databases, see Azure SQL Database Data Discovery and Classification.

For more information on security policies and data security in Security Center, see the following articles: