Reg: Octopus DB Vulnerability Remediation from Azure

Hello Team,

We are using self-hosted Octopus Deploy, which is on version 2019.9.10LTS. Recently we migrated the Octopus DB to Azure SQL (PaaS); previously it was on one of our SQL VMs. In the Azure Vulnerability Assessment, the item below came up in the assessment report.

Sensitive data in your Octopus DB should be classified - 5 columns -> Username, EmailAddress, Username, ConcurrencyTag, AccountType -> are recommended by Azure to be classified as confidential

Rule: VA1288 - Sensitive data columns should be classified

RULE DESCRIPTION: This rule discovers and characterizes potentially sensitive data in the database. The result is a collection of sensitive database columns, which should be reviewed and classified using SQL Data Discovery & Classification. This allows database columns to be persistently labeled according to their sensitivity, which enables tracking (auditing) the use of classified data and creating reports. If your sensitive database columns are unprotected, you should also consider applying one of SQL Database’s built-in security capabilities to restrict access to and protect your sensitive data.

IMPACT: The data residing in your database can have varying levels of business and privacy sensitivity. It is important to be aware of the location of your most sensitive data elements, so that their access can be monitored and tracked. SQL Data Discovery & Classification enables you to assign a distinct classification label to each database column and persist this information as column metadata within the database. This classification metadata can then be used for tracking and monitoring objectives. In addition, access to sensitive data should be more tightly controlled. Built-in SQL security capabilities like Always Encrypted, Dynamic Data Masking, and Row-Level Security can be used to control access and protect data.

Please let us know: are we good to implement this?

Cheers,
Karthikeyan

Hi karthik623521,

Thanks for posting. Enabling the confidential classification for those columns shouldn’t affect how Octopus interacts with your Azure SQL db. However, we typically recommend making a clone or backup prior to making changes to your db as a precaution.

If you run into any issues after applying the recommendation, let me know and we’ll work through it. :slight_smile:

Regards,
Donny
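
The following T-SQL is an added example, not part of the original thread and not Octopus's own code: it shows one way to apply and verify the VA1288 classification on Azure SQL Database. It assumes the flagged columns can be located by name (the thread does not give their schema or table names) and uses the label text `Confidential`; the generated statements are printed for review before anything is executed.

```sql
-- Added example (assumptions: columns are matched by name only; label text 'Confidential').
-- Classification is stored as column metadata in sys.sensitivity_classifications;
-- it does not alter the column's data or type.

-- 1. List candidate columns and any classification they already carry.
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name,
       sc.label, sc.information_type, sc.rank_desc
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE c.name IN (N'Username', N'EmailAddress', N'ConcurrencyTag', N'AccountType')
ORDER BY s.name, t.name, c.name;

-- 2. Build one ADD SENSITIVITY CLASSIFICATION statement per still-unclassified column.
DECLARE @sql nvarchar(max);

SELECT @sql = STRING_AGG(
           CAST(N'ADD SENSITIVITY CLASSIFICATION TO '
                + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N'.' + QUOTENAME(c.name)
                + N' WITH (LABEL = ''Confidential'');' AS nvarchar(max)),
           NCHAR(13) + NCHAR(10))
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE c.name IN (N'Username', N'EmailAddress', N'ConcurrencyTag', N'AccountType')
  AND sc.major_id IS NULL;

-- 3. Review the generated statements against the assessment report first.
PRINT ISNULL(@sql, N'-- nothing to classify');

-- 4. After review (and after taking the backup or clone), uncomment to apply:
-- EXEC sys.sp_executesql @sql;

-- 5. Re-run the query in step 1 to confirm the labels were persisted.
```

A label applied this way can be removed again with `DROP SENSITIVITY CLASSIFICATION FROM <schema>.<table>.<column>;`.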

Sure, Donny! If we run into any issues, we will let you know!

Have a great day!

Sounds good!

We’re here if you need us! :slight_smile:

Regards,
Donny