Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.4. Reflection Checkpoint: Compute, Storage, and Database Mastery

You have now explored security controls for compute, storage, and databases. These controls protect the resources that run your applications and store your data.

Scenario Synthesis: An organization needs:

  • Secure VM access without public IP exposure
  • Time-limited access to storage for external testing
  • Credit card data masked except for the Finance team
  • Data encrypted such that DBAs cannot access plaintext

Reflection Question: How would you configure Azure Bastion, SAS tokens, Dynamic Data Masking with UNMASK permissions, and Always Encrypted to meet these requirements?

Self-Assessment Prompts:
  • Can you explain when to use service SAS vs. account SAS?
  • Do you know how to revoke a compromised SAS token?
  • Can you identify the correct masking function for credit cards?
  • Do you understand why Always Encrypted protects against DBA access but TDE doesn't?
  • Can you configure proper public access settings for blob storage?

Written by Alvin Varughese (Founder, 15 professional certifications)