I am working on Securing Data and Analytics Services on Azure. I want to know what security controls i can apply after creating of services and what i can apply only during the service creation. Below are the recommendation i have found as of now. Could someone please let me know if there are more to enhance security ( any preview features is also fine)
Azure Data Factory
a. Self-Hosted Integration Runtime (compute infrastructure) must be setup in order to allow orchestration of data between on-premises data source to an Azure Data Source.
b. The in-built linked service within ADF must be connected to Key Vault instance in order to ensure that sensitive information such as passwords are pulled from the Key Vault.
c. Diagnostic logs must be enabled on ADF and should be connected to a Log Analytics workspace.
d. Encrypt Azure Data Factory with customer-managed keys
Azure Synapse (SQL Pool and Synapse Workspace)
a. Advanced data security must be enabled on Azure Synapse
b. Use Azure Active Directory authentication on Azure Synapse
c. Enable Azure SQL Transparent Data Encryption with customer-managed key
d. Server level Auditing should be enabled on Azure Synapse and connect it to a Log Analytics Workspace.
e. Network Restriction
f. Dynamic Data Masking
a. Utilize Azure Key Vault-backed secret scope
b. Configure customer-managed keys on default (root) DBFS
c. Enable customer-managed keys for notebooks
d. Encrypt traffic between cluster worker nodes
e. Diagnostic logs must be enabled on Databricks and should be connected to a Log Analytics workspace.
f. Enable Access Control on Individual Azure Databricks resources
a. Utilize HTTPS endpoint within the virtual network CLUSTERNAME-int.azurehdinsight.net for connection only over Private IP
b. Enable Enterprise Security Package while creating HDInsight Cluster
c. Enable Encryption at rest using Customer-managed keys while creating HDInsight cluster
Thanks in advance.