How to choose between ledger in Azure SQL Database and Azure Confidential Ledger
Ledger technology is a way of storing data that ensures its integrity, immutability, and verifiability. It can be used for scenarios where trust and transparency are essential, such as financial transactions, supply chain tracking, or regulatory compliance. Azure offers two services that leverage ledger technology to provide tamper-proof data storage: ledger in Azure SQL Database and Azure Confidential Ledger. In this blog post, we will compare these two services and help you decide which one is best suited for your needs.
What is ledger in Azure SQL Database?
Ledger is a technology that offers the power of Blockchain in Azure SQL Database. We’re making the data in SQL verifiable using the same cryptographic patterns seen in Blockchain technology, while keeping the flexibility and performance of a traditional database. The database remains centrally managed, yet you can cryptographically attest to other parties, such as auditors or business partners, that your data can be trusted and hasn’t been tampered with.
Each transaction that the database executes is cryptographically hashed (SHA-256). Transactions are then cryptographically linked together, like a Blockchain. Cryptographically hashed database digests represent the state of the database. They’re periodically generated and stored outside Azure SQL Database in a tamper-proof storage location such as Azure immutable Blob storage or Azure Confidential Ledger.
All historical data of ledger tables is transparently maintained in the database system and exposed to users for auditing and forensic purposes. Historical data can be used to analyze the operations executed on the database and to detect unexpected or malicious modifications. However, malicious highly privileged users or cloud operators can still alter the content of ledger tables through other techniques, such as writing directly to the data files, and thereby tamper with the data. These “under the covers” attacks are detected through cryptographic verification. Database digests can be used by auditors, business partners (in a multi-party scenario) or even end users to execute the database verification process, which recomputes the hashes in the database and compares them to the input digests provided by the user. When the verification succeeds, you have cryptographic proof that your data can be fully trusted.
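The round trip described above, as an added T-SQL example that is not part of the original post: create an updatable ledger table, audit its row versions through the ledger view, generate a digest to store out of band, and hand that digest back for verification. The object names (dbo.AccountBalance and its history table and ledger view) and the database name are assumptions, and the digest hash is a placeholder.

```sql
-- Added example (not from the original post). Object names are assumed.

-- 1. Updatable ledger table: every UPDATE/DELETE keeps the prior row version
--    in the history table; the ledger view exposes all versions.
CREATE TABLE dbo.AccountBalance
(
    AccountId INT           NOT NULL PRIMARY KEY CLUSTERED,
    Balance   DECIMAL(18,2) NOT NULL
)
WITH
(
    SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.AccountBalance_History),
    LEDGER = ON (LEDGER_VIEW = dbo.AccountBalance_Ledger)
);
GO

INSERT INTO dbo.AccountBalance (AccountId, Balance) VALUES (1, 100.00);
UPDATE dbo.AccountBalance SET Balance = 40.00 WHERE AccountId = 1;
GO

-- 2. Audit trail: each row version is tagged with the transaction that
--    produced it; joining to sys.database_ledger_transactions adds the
--    committing principal and commit time for forensic review.
SELECT  t.commit_time, t.principal_name,
        v.ledger_operation_type_desc, v.AccountId, v.Balance
FROM    dbo.AccountBalance_Ledger AS v
JOIN    sys.database_ledger_transactions AS t
        ON t.transaction_id = v.ledger_transaction_id
ORDER BY v.ledger_transaction_id, v.ledger_sequence_number;
GO

-- 3. Generate a digest (JSON with the latest block_id and its SHA-256 hash)
--    and keep it outside the database, e.g. in immutable Blob storage or ACL.
EXECUTE sp_generate_database_ledger_digest;
GO

-- 4. Later, an auditor supplies the stored digest. SQL recomputes the hash
--    chain up to that block and compares it; a mismatch (e.g. a row edited
--    directly in the data files) raises an error instead of returning
--    last_verified_block_id. The hash below is a placeholder value.
EXECUTE sp_verify_database_ledger N'
{
  "database_name": "MyLedgerDb",
  "block_id": 0,
  "hash": "0x<PLACEHOLDER_SHA256_DIGEST>",
  "last_transaction_commit_time": "2024-01-01T00:00:00.0000000",
  "digest_time": "2024-01-01T00:00:01.0000000"
}';
GO
```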
What is Azure Confidential Ledger?
In the era of digital transformation, data integrity is paramount. As businesses increasingly rely on data-driven decisions, the accuracy and security of their data sources become critical. Azure Confidential Ledger (ACL) is a service that epitomizes our commitment to secure, reliable, and immutable data storage.
Azure Confidential Ledger is a managed, decentralized ledger service that leverages the power of blockchain technology to provide tamper-proof storage for sensitive data records. It runs on hardware-backed Trusted Execution Environments (TEEs), ensuring that data is protected not only at rest and in transit but also in use.
ACL offers unique advantages for maintaining data integrity:
Immutability: Once data is written to the ledger, it cannot be altered or deleted, ensuring a permanent record of transactions or changes.
Tamper-proofing: Cryptographic evidence backs every entry, providing verifiable proof against unauthorized modifications.
Confidentiality: Data is shielded from unauthorized access, including from cloud providers and administrators, thanks to the minimalistic Trusted Computing Base (TCB).
Enabling Data Integrity for SQL and Storage
SQL databases and storage systems are foundational to enterprise data architecture. ACL enhances these systems by providing an additional layer of integrity protection. For SQL databases, ACL can act as an external ledger where changes and transactions are recorded and verified, adding a new dimension of security and trust.
For Azure Blob Storage, ACL complements the existing security features by providing an immutable log of storage operations. This is particularly valuable for regulatory compliance and archival purposes, where the integrity of data over time is non-negotiable.
How to choose between ledger in Azure SQL Database and Azure Confidential Ledger?
Both ledger in Azure SQL Database and Azure Confidential Ledger provide tampering protection of data storage, but they have different trade-offs and use cases. Here are some factors to consider when choosing between them:
(De)centralized: Ledger in Azure SQL Database is centrally managed, while still letting you cryptographically attest to other parties, such as auditors or business partners, that the data hasn’t been tampered with. Azure Confidential Ledger is a decentralized system that keeps data tamper-proof without a single central administrator.
Data model: Ledger in Azure SQL Database uses a relational data model, which means you can store your data in tables and use T-SQL to query and manipulate the data. Azure Confidential Ledger is used to store unstructured data and uses REST APIs to access and update the data.
Cost: Ledger in Azure SQL Database doesn’t come with an extra cost. The only extra cost might be the additional storage needed to hold the historical information. Azure Confidential Ledger is charged per ledger instance and is competitively priced. Typically, one instance is sufficient to be used across all your data sources and tables.
This diagram summarizes options for ACL and ledger in Azure SQL Database.
Conclusion
Azure’s ledger technologies offer robust solutions for ensuring data integrity and trust. Ledger in Azure SQL Database is ideal for those seeking the performance of a traditional database with the added security of Blockchain’s cryptographic verification. It is suitable for centralized systems that require tamper-proof transaction records. On the other hand, Azure Confidential Ledger caters to decentralized systems, offering a higher level of confidentiality and immutability, leveraging blockchain technology and secure enclaves. It is particularly beneficial for use cases that demand stringent regulatory compliance and long-term data archival. When deciding between the two, weigh factors such as centralization, data model, and cost to determine the best fit for your specific needs. Ultimately, both services enhance the trustworthiness of data storage and transactions, reinforcing Azure’s commitment to providing secure and reliable cloud services.
Learn More
Ledger in Azure SQL Database
Explore the Azure SQL Database ledger documentation
Read the whitepaper
GitHub demo/sample
Data Exposed episode (video)
Azure Confidential Ledger
Explore the Azure confidential ledger documentation
Read the blog post on: Verify integrity of data transactions in Azure confidential ledger
View our recent webinar in the Security Community
Recent case studies: HB Antwerp & BeekeeperAI