
0 Votes
AkashVerma-9570 asked PRADEEPCHEEKATLA-MSFT commented

Security Recommendations for Azure Data and Analytics Services

I am working on securing Data and Analytics services on Azure. I want to know which security controls I can apply after the services are created and which I can apply only during service creation. Below are the recommendations I have found so far. Could someone please let me know if there are more ways to enhance security? (Preview features are also fine.)

  1.  Azure Data Factory

a. A self-hosted integration runtime (compute infrastructure) must be set up to allow orchestration of data between an on-premises data source and an Azure data source.
b. The built-in linked service within ADF must be connected to a Key Vault instance so that sensitive information such as passwords is pulled from the Key Vault.
c. Diagnostic logs must be enabled on ADF and connected to a Log Analytics workspace.
d. Encrypt Azure Data Factory with customer-managed keys.

  2.  Azure Synapse (SQL Pool and Synapse Workspace)

a. Advanced data security must be enabled on Azure Synapse.
b. Use Azure Active Directory authentication on Azure Synapse.
c. Enable Azure SQL Transparent Data Encryption with a customer-managed key.
d. Server-level auditing should be enabled on Azure Synapse and connected to a Log Analytics workspace.
e. Network restriction
f. Dynamic Data Masking

  3.  Azure Databricks

a. Utilize an Azure Key Vault-backed secret scope.
b. Configure customer-managed keys on the default (root) DBFS.
c. Enable customer-managed keys for notebooks.
d. Encrypt traffic between cluster worker nodes.
e. Diagnostic logs must be enabled on Databricks and connected to a Log Analytics workspace.
f. Enable access control on individual Azure Databricks resources.

  4.  Azure HDInsight

a. Utilize the HTTPS endpoint within the virtual network, CLUSTERNAME-int.azurehdinsight.net, for connections only over private IP.
b. Enable Enterprise Security Package while creating the HDInsight cluster.
c. Enable encryption at rest using customer-managed keys while creating the HDInsight cluster.

Thanks in advance.

azure-data-factory azure-synapse-analytics azure-databricks azure-hdinsight

1 Answer

1 Vote
PRADEEPCHEEKATLA-MSFT answered PRADEEPCHEEKATLA-MSFT commented

Hello @AkashVerma-9570,

Welcome to Microsoft Q&A platform.

This article contains security baselines for all Azure services.

Here is the list of documents for the Azure security baseline for the services (ADF, Synapse, Databricks, HDInsight), which contain recommendations that will help you improve the security posture of your deployment.

The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

Hope this helps. Do let us know if you have any further queries.


Do click on "Accept Answer" and upvote the post that helps you; this can be beneficial to other community members.



Hello @AkashVerma-9570,

Just checking in to see if the above answer helped. If this answers your query, do click “Accept Answer” and Up-Vote for the same. And, if you have any further query do let us know.


Hello @AkashVerma-9570,
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
