Azure security baseline for Synapse Analytics Workspace

This security baseline applies guidance from the Azure Security Benchmark version 2.0 to Synapse Analytics Workspace. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to Synapse Analytics Workspace.

You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.

When a section has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Azure Security Benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.

Note

Controls not applicable to Synapse Analytics Workspace, and those for which the global guidance is recommended verbatim, have been excluded. To see how Synapse Analytics Workspace completely maps to the Azure Security Benchmark, see the full Synapse Analytics Workspace security baseline mapping file.

Network Security

For more information, see the Azure Security Benchmark: Network Security.

NS-1: Implement security for internal traffic

Guidance: When you deploy Azure Synapse Workspace resources, create or use an existing virtual network. Ensure that all Azure virtual networks follow an enterprise segmentation principle that aligns with the business risks. Any system that might incur higher risk for the organization should be isolated within its own virtual network and sufficiently secured with a network security group (NSG) and/or Azure Firewall.

Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend network security group configurations that limit ports and source IPs based on observed external network traffic and known traffic rules.

Azure Synapse Analytics provides Managed Virtual Network Workspace. It is a Synapse workspace SKU that's associated with the Virtual Network managed by Azure Synapse. You can only create Managed private endpoints in a workspace that has a Managed workspace Virtual Network associated with it.

Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on your network security group rules. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure deny by default

A Managed Virtual Network workspace allows inbound NSG rules on your own virtual networks so that Azure Synapse management traffic can enter your virtual network. Additionally, you don't need to create a subnet for your Spark clusters based on peak load.

Use Azure Sentinel to discover the use of legacy insecure protocols such as SSL/TLSv1, SMBv1, LM/NTLMv1, wDigest, Unsigned LDAP Binds, and weak ciphers in Kerberos.

Synapse SQL in Azure Synapse Analytics allows connections using all TLS versions. You cannot set the minimum TLS version for Synapse SQL in Azure Synapse Analytics. Other Synapse capabilities use TLS 1.2 by default.

Make sure that the firewall on your network and local computer allows outgoing communication on TCP ports 80, 443 and 1443 for Synapse Studio. Also, you need to allow outgoing communication on UDP port 53 for Synapse Studio. To connect using tools such as SSMS and Power BI, you must allow outgoing communication on TCP port 1433.

The firewall setting for Azure Synapse in the Azure portal can block all public network connectivity to the workspace.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Public network access on Azure SQL Database should be disabled
Description: Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.
Effect(s): Audit, Deny, Disabled
Version (GitHub): 1.1.0

NS-2: Connect private networks together

Guidance: Use Azure ExpressRoute or Azure virtual private network (VPN) to create private connections between Azure datacenters and on-premises infrastructure in a colocation environment. ExpressRoute connections don't go over the public internet, and they offer more reliability, faster speeds, and lower latencies than typical internet connections. For point-to-site VPN and site-to-site VPN, you can connect on-premises devices or networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.

To connect two or more virtual networks in Azure together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Private endpoint connections on Azure SQL Database should be enabled
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
Effect(s): Audit, Disabled
Version (GitHub): 1.1.0

NS-3: Establish private network access to Azure services

Guidance: You can create Managed private endpoints from your Azure Synapse workspace to access Azure services (such as Azure Storage or Azure Cosmos DB) and Azure hosted customer/partner services.

Use Azure Private Link to enable private access to Azure Synapse Workspace from your virtual networks without crossing the internet.

Private access is an additional defense in depth measure to the authentication and traffic security offered by Azure services.

There are two steps to connect to Synapse Studio using private links. First, you must create a Private Link hub resource. Second, you must create a private endpoint from your Azure virtual network to this Private Link hub. You can then use private endpoints to securely communicate with Synapse Studio. You must integrate the private endpoints with your DNS solution, either your on-premises solution or Azure Private DNS.

Use Azure Virtual Network service endpoints to provide secure access to Azure Synapse Workspace via an optimized route over the Azure backbone network without crossing the internet.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Private endpoint connections on Azure SQL Database should be enabled
Description: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
Effect(s): Audit, Disabled
Version (GitHub): 1.1.0

NS-4: Protect applications and services from external network attacks

Guidance: Protect your Azure Synapse Workspace resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect your assets against DDoS attacks by enabling DDoS standard protection on your Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks to your network related resources.

Azure Synapse Workspace is not intended to run web applications, and does not require you to configure any additional settings or deploy any extra network services to protect it from external network attacks targeting web applications.

Responsibility: Customer

NS-7: Secure Domain Name Service (DNS)

Guidance: Follow the best practices for DNS security to mitigate common attacks such as dangling DNS, DNS amplification attacks, DNS poisoning, and DNS spoofing.

When Azure DNS is used as your authoritative DNS service, ensure DNS zones and records are protected from accidental or malicious modification using Azure RBAC and resource locks.

Responsibility: Customer

Identity Management

For more information, see the Azure Security Benchmark: Identity Management.

IM-1: Standardize Azure Active Directory as the central identity and authentication system

Guidance: Azure Synapse Workspace uses Azure Active Directory (Azure AD) as the default identity and access management service. You should standardize Azure AD to govern your organization's identity and access management in:

  • Microsoft Cloud resources, such as the Azure portal, Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications.
  • Your organization's resources, such as applications on Azure or your corporate network resources.

Securing Azure AD should be a high priority in your organization's cloud security practice. Azure AD provides an identity secure score to help you assess identity security posture relative to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.

Note: Azure AD supports external identities, which allow users without a Microsoft account to sign in to their applications and resources with their external identity.

Users with Azure Owner or Contributor (Azure RBAC) roles on the resource group will be able to manage dedicated SQL pools, Spark pools, and integration runtimes in Synapse. In addition to this, Synapse RBAC extends the capabilities of Azure RBAC to control who can read or publish code artifacts, execute code, access linked services, and monitor or cancel job execution.

Azure AD authentication uses contained database users or pool level users to authenticate identities at the database level for SQL Pools in Azure Synapse Analytics. Synapse also supports SQL authentication for SQL pools. With this authentication method, the user submits a user account name and associated password to establish a connection. This password is stored in the master database for user accounts linked to a login or stored in the database containing the user accounts not linked to a login.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): An Azure Active Directory administrator should be provisioned for SQL servers
Description: Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.0

IM-2: Manage application identities securely and automatically

Guidance: Azure Synapse Workspace supports managed identities for its Azure resources. Use managed identities with Azure Synapse Workspace instead of creating service principals to access other resources. Azure Synapse Workspace can natively authenticate to the Azure services/resources that support Azure AD authentication through a pre-defined access grant rule, without using credentials hard-coded in source code or configuration files.

Azure Synapse Analytics uses the managed identity to integrate pipelines.

Where a managed identity cannot be used, Azure Synapse Workspace recommends using Azure AD to create a service principal with restricted permissions at the resource level, configuring it with certificate credentials and falling back to client secrets only where necessary. In both cases, Azure Key Vault can be used in conjunction with Azure managed identities so that the runtime environment (such as an Azure function) can retrieve the credential from the key vault.

Azure Synapse Analytics supports customer managed keys (CMK) for encryption. This encryption uses keys generated in Azure Key Vault.

Responsibility: Customer

IM-3: Use Azure AD single sign-on (SSO) for application access

Guidance: Azure Synapse Workspace uses Azure Active Directory to provide identity and access management to Azure resources, cloud applications, and on-premises applications. This includes enterprise identities, such as employees, as well as external identities like partners, vendors, and suppliers. This enables single sign-on (SSO) to manage and secure access to your organization's data and resources on-premises and in the cloud. Connect all your users, applications, and devices to the Azure AD for seamless, secure access and greater visibility and control.

Responsibility: Customer

IM-7: Eliminate unintended credential exposure

Guidance: Azure Synapse Analytics may allow customers to deploy or run the following entities that may have identities or secrets:

  • Code
  • Configurations
  • Persisted data

Implement Credential Scanner to identify credentials within those entities. Credential Scanner will also encourage moving discovered credentials to more secure locations, such as Azure Key Vault. For GitHub, use the native secret scanning feature. This feature identifies credentials or other forms of secrets within the code.

Responsibility: Customer

Privileged Access

For more information, see the Azure Security Benchmark: Privileged Access.

PA-1: Protect and limit highly privileged users

Guidance: The most critical built-in roles for Azure AD are the Global Administrator and the Privileged Role Administrator, as users assigned to these two roles can delegate administrator roles:

  • Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
  • Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.

Note: You might have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. You might also want to apply similar controls to the administrator account of critical business assets.

You should limit the number of highly privileged accounts or roles and protect these accounts at an elevated level. Users with this privilege can directly or indirectly read and modify every resource in your Azure environment.

You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to perform privileged tasks only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization.

Azure Synapse workspace has these highly privileged accounts:

  • Azure Owner at the resource group
  • Azure Contributor at the resource group
  • Storage Blob Data Contributor at the ADLS Gen2 storage container associated with Synapse
  • Synapse Administrator
  • Synapse SQL Administrator
  • Synapse Spark Administrator

Create standard operating procedures around the use of dedicated administrative accounts.

When you first create an Azure Synapse workspace, you may specify an admin login and password for SQL pools within the Synapse workspace. This administrative account is called Server admin. You can identify the Server admin account for Synapse by opening the Azure portal and navigating to the overview tab of your Synapse workspace. You can also configure an Azure AD admin account with full administrative permissions; this is required if you want to enable Azure Active Directory authentication.

Responsibility: Customer

PA-3: Review and reconcile user access regularly

Guidance: Azure Synapse Workspace uses Azure Active Directory (Azure AD) accounts to manage its resources. Review user accounts and access assignments regularly to ensure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also use Azure AD Privileged Identity Management (PIM) to create access review report workflows to facilitate the review process.

In addition, Azure AD PIM can also be configured to alert you when an excessive number of administrator accounts are created, and to identify administrator accounts that are stale or improperly configured.

Note: Some Azure services support local users and roles which are not managed through Azure AD. You will need to manage these users separately.

Azure Synapse workspaces require users in Azure Owner or Azure Contributor roles at the resource group level to control management of its dedicated SQL pools, Spark pools, and integration runtimes. In addition to this, users and the workspace system-assigned identity must be granted Storage Blob Data Contributor access to the ADLS Gen2 storage container associated with the Synapse workspace. When using SQL authentication, create contained database users in the SQL pools. Ensure that you place one or more database users into a custom database role with specific permissions appropriate to that group of users.
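The contained-user and custom-role pattern described here (and the Azure AD versus SQL authentication choice in IM-1) in T-SQL, as an added example that is not part of this baseline. It assumes a dedicated SQL pool whose user database already has a finance schema; the group, user, role and password values are placeholders.

```sql
-- Added example (not from the baseline): least-privilege database access in a
-- Synapse dedicated SQL pool. Run in the pool's user database as a principal with
-- ALTER ANY USER and ALTER ANY ROLE (for example the Azure AD admin). The group,
-- user, schema and role names below are assumptions for this example.

-- 1. Contained database user backed by an Azure AD security group (preferred, IM-1).
--    No SQL login or password is stored anywhere in the pool.
CREATE USER [sg-finance-analysts] FROM EXTERNAL PROVIDER;

-- 2. Contained database user with SQL authentication, for a legacy tool that cannot
--    use Azure AD. The password hash lives in this database only, not in master.
--    Replace the placeholder with a generated secret stored in Azure Key Vault.
CREATE USER [reporting_svc] WITH PASSWORD = '<strong-password-placeholder>';

-- 3. Custom database role scoped to the one schema this group of users needs.
CREATE ROLE db_finance_reader;
GRANT SELECT          ON SCHEMA::finance TO db_finance_reader;
GRANT VIEW DEFINITION ON SCHEMA::finance TO db_finance_reader;

-- 4. Membership goes through the role: no direct grants to users, and no db_owner
--    or Synapse SQL Administrator membership for routine read access.
ALTER ROLE db_finance_reader ADD MEMBER [sg-finance-analysts];
ALTER ROLE db_finance_reader ADD MEMBER [reporting_svc];

-- 5. Access review query (PA-3): every principal, the role it holds, and a flag on
--    anyone other than dbo sitting in db_owner. Each flagged row is a finding.
SELECT  m.name      AS member_name,
        m.type_desc AS member_type,      -- EXTERNAL_GROUP, SQL_USER, ...
        r.name      AS role_name,
        CASE WHEN r.name = 'db_owner' THEN 'REVIEW' ELSE '' END AS flag
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   m.name <> 'dbo'
ORDER BY r.name, m.name;
```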

Responsibility: Customer

PA-6: Use privileged access workstations

Guidance: Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use highly secured user workstations and/or Azure Bastion for administrative tasks. Use Azure Active Directory (Azure AD), Microsoft Defender Advanced Threat Protection (ATP), and/or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. The secured workstations can be centrally managed to enforce secured configuration including strong authentication, software and hardware baselines, and restricted logical and network access.

Responsibility: Customer

PA-7: Follow just enough administration (least privilege principle)

Guidance: Azure Synapse Workspace is integrated with Azure role-based access control (Azure RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, or the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what is required by the roles. This complements the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM) and should be reviewed periodically.

Use built-in roles to allocate permissions and only create custom roles when required.

Azure Synapse Analytics requires users in Azure Owner or Azure Contributor roles at the resource group level to control management of its dedicated SQL pools, Spark pools, and integration runtimes. In addition to this, users and the workspace system-assigned identity must be granted Storage Blob Data Contributor access to the ADLS Gen2 storage container associated with the Synapse workspace.

When you first create an Azure Synapse workspace, you may specify an admin login and password for SQL pools within the Synapse workspace. This administrative account is called Server admin. You can identify the Server admin account for Synapse by opening the Azure portal and navigating to the overview tab of your Synapse workspace. You can also configure an Azure AD admin account with full administrative permissions; this is required if you want to enable Azure Active Directory authentication.

Responsibility: Customer

PA-8: Choose approval process for Microsoft support

Guidance: In support scenarios where Microsoft needs to access customer data, Azure Synapse Workspace supports Customer Lockbox to provide an interface for you to review and approve or reject customer data access requests.

In support scenarios where Microsoft needs to access data related to the SQL Database in your dedicated SQL pool, Azure Customer Lockbox provides an interface for you to review and approve or reject data access requests.

Responsibility: Customer

Data Protection

For more information, see the Azure Security Benchmark: Data Protection.

DP-1: Discover, classify, and label sensitive data

Guidance: Data discovery and classification is built into Azure SQL and supports the following capabilities:

  • Discovery and recommendations: The classification engine scans your database and identifies columns that contain potentially sensitive data. It then provides you with an easy way to review and apply recommended classification via the Azure portal.
  • Labeling: You can apply sensitivity-classification labels persistently to columns by using new metadata attributes that have been added to the SQL Server database engine. This metadata can then be used for sensitivity-based auditing and protection scenarios.
  • Query result-set sensitivity: The sensitivity of a query result set is calculated in real time for auditing purposes.
  • Visibility: You can view the database-classification state in a detailed dashboard in the Azure portal. Also, you can download a report in Excel format to use for compliance and auditing purposes and other needs.

Discover, classify, and label your sensitive data so that you can design the appropriate controls to ensure sensitive information is stored, processed, and transmitted securely by the organization's technology systems.

Use Azure Information Protection (and its associated scanning tool) for sensitive information within Office documents on Azure, on-premises, Microsoft 365, and other locations.

You can use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Sensitive data in your SQL databases should be classified
Description: Microsoft Defender for Cloud monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 3.0.0-preview

DP-2: Protect sensitive data

Guidance: Protect sensitive data by restricting access using Azure role-based access control (Azure RBAC), network-based access controls, and specific controls in Azure services (such as encryption).

To ensure consistent access control, all types of access control should be aligned with your enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.

For the underlying platform (managed by Microsoft), Microsoft treats all customer content as sensitive and guards against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented some default data protection controls and capabilities.

Azure Synapse Analytics offers double encryption with a customer-managed key for data in SQL pools, Spark pools, and Azure Data Factory integration runtimes, pipelines, and datasets.

Use the Azure Synapse SQL Data Discovery and Classification feature. Additionally, you can set up a dynamic data masking (DDM) policy in the Azure portal. The DDM recommendations engine flags certain fields from your database as potentially sensitive fields which may be good candidates for masking.

Transparent data encryption (TDE) helps protect data in Synapse dedicated SQL pools against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
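The dynamic data masking setup described above, in T-SQL rather than the portal, as an added example that is not part of this baseline. It assumes a dedicated SQL pool; the schema, table, columns, role and Azure AD group are constructed for the example, and the review queries at the end are what a defender runs to confirm who can see clear text.

```sql
-- Added example (not from the baseline): dynamic data masking (DDM) in a Synapse
-- dedicated SQL pool, with the review queries used to verify it. All object and
-- principal names are constructed for this example.

-- 0. Constructed sample table holding the kinds of fields the DDM recommendations
--    engine flags: contact details, payment data, financial figures.
CREATE SCHEMA finance;
GO
CREATE TABLE finance.Customers (
    CustomerId   INT            NOT NULL,
    Email        NVARCHAR(256)  NULL,
    CardNumber   VARCHAR(19)    NULL,
    AnnualIncome DECIMAL(12, 2) NULL
)
WITH (DISTRIBUTION = ROUND_ROBIN, CLUSTERED COLUMNSTORE INDEX);

-- 1. Masks are applied at query time; stored data is unchanged and TDE still
--    protects it at rest, so DDM complements rather than replaces encryption.
ALTER TABLE finance.Customers ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');                        -- aXXX@XXXX.com
ALTER TABLE finance.Customers ALTER COLUMN CardNumber
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'); -- last 4 digits only
ALTER TABLE finance.Customers ALTER COLUMN AnnualIncome
    ADD MASKED WITH (FUNCTION = 'random(1, 9)');                   -- random value 1..9

-- 2. Only a narrowly scoped role sees clear text; every other reader gets masked
--    values. UNMASK is granted to a role, never to individual users.
CREATE USER [sg-finance-fraud-team] FROM EXTERNAL PROVIDER;
CREATE ROLE db_finance_unmask;
GRANT UNMASK TO db_finance_unmask;
ALTER ROLE db_finance_unmask ADD MEMBER [sg-finance-fraud-team];

-- 3. Review: which columns are masked, and with which function.
SELECT  s.name AS schema_name, t.name AS table_name,
        c.name AS column_name, c.masking_function
FROM    sys.masked_columns AS c
JOIN    sys.tables         AS t ON t.object_id = c.object_id
JOIN    sys.schemas        AS s ON s.schema_id = t.schema_id
WHERE   c.is_masked = 1
ORDER BY s.name, t.name, c.name;

-- 4. Review: who can bypass masking. Any principal other than db_finance_unmask
--    returned here is a finding to raise in the access review.
SELECT  pr.name AS principal_name, pr.type_desc, pe.permission_name, pe.state_desc
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.permission_name = 'UNMASK';
```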

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances
Description: Audit each SQL Managed Instance without advanced data security.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): Transparent Data Encryption on SQL databases should be enabled
Description: Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.0

DP-3: Monitor for unauthorized transfer of sensitive data

Guidance: Azure Synapse Workspace supports transferring customer data but does not natively support monitoring for unauthorized transfer of sensitive data.

Azure Storage Advanced Threat Protection (ATP) and Azure SQL ATP can alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive information.

If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution to enforce detective and/or preventive controls against data exfiltration.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances
Description: Audit each SQL Managed Instance without advanced data security.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

DP-4: Encrypt sensitive information in transit

Guidance: To complement access controls, data in transit should be protected against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.

Azure Synapse Workspace supports data encryption in transit with TLS v1.2 or greater.

While this is optional for traffic on private networks, this is critical for traffic on external and public networks. For HTTP traffic, ensure that any clients connecting to your Azure resources can negotiate TLS v1.2 or greater. For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, SSH versions and protocols, and weak ciphers should be disabled.

By default, Azure provides encryption for data in transit between Azure data centers.

Responsibility: Customer

DP-5: Encrypt sensitive data at rest

Guidance: To complement access controls, Azure Synapse Workspace encrypts data at rest to protect against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data.

Azure provides encryption for data at rest by default. For highly sensitive data, you have options to implement additional encryption at rest on all Azure resources where available. Azure manages your encryption keys by default, but Azure also provides options to manage your own keys (customer-managed keys) for certain Azure services to meet regulatory requirements.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal): SQL managed instances should use customer-managed keys to encrypt data at rest
Description: Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 1.0.2

Name (Azure portal): SQL servers should use customer-managed keys to encrypt data at rest
Description: Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.1

Name (Azure portal): Transparent Data Encryption on SQL databases should be enabled
Description: Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements.
Effect(s): AuditIfNotExists, Disabled
Version (GitHub): 2.0.0

Asset Management

For more information, see the Azure Security Benchmark: Asset Management.

AM-1: Ensure security team has visibility into risks for assets

Guidance: Ensure security teams are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud.

Depending on how security team responsibilities are structured, monitoring for security risks could be the responsibility of a central security team or a local team. That said, security insights and risks must always be aggregated centrally within an organization.

Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions.

Note: Additional permissions might be required to get visibility into workloads and services.

Responsibility: Customer

AM-2: Ensure security team has access to asset inventory and metadata

Guidance: Ensure that security teams have access to a continuously updated inventory of assets on Azure, like Azure Synapse Workspace. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure Active Directory (Azure AD) group to contain your organization's authorized security team and assign them read access to all Azure Synapse Workspace resources, which can be simplified by a single high-level role assignment within your subscription.

Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

Use Azure Virtual Machine Inventory to automate the collection of information about software on Virtual Machines. Software Name, Version, Publisher, and Refresh Time are available from the Azure portal. To get access to install dates and other information, enable guest-level diagnostics and bring the Windows Event Logs into a Log Analytics Workspace.

Azure Synapse Workspace does not allow running applications or installing software on its resources.

Responsibility: Customer

AM-3: Use only approved Azure services

Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within your subscriptions. You can also use Azure Monitor to create rules that trigger alerts when a non-approved service is detected.
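As an added illustration (not part of this baseline and not Azure's own tooling), the following Python builds an Azure Policy definition of the "allowed resource types" form that enforces this control, checks a constructed resource inventory against it locally, and produces the Azure Resource Graph query that lists resources outside the approved set. The approved list, resource names and the policy display name are assumptions; only the rule shape (mode, policyRule, if/not/field/in, then/effect) follows the Azure Policy schema.

```python
import json

# Constructed list of resource types this (hypothetical) organization approves
APPROVED_TYPES = [
    "Microsoft.Synapse/workspaces",
    "Microsoft.Storage/storageAccounts",
    "Microsoft.KeyVault/vaults",
    "Microsoft.Network/virtualNetworks",
    "Microsoft.Network/networkSecurityGroups",
]


def build_allowed_types_policy(approved_types):
    """Return an Azure Policy definition body that denies any resource type not on the list.

    The body follows the Azure Policy definition schema; display name is a placeholder.
    """
    return {
        "properties": {
            "displayName": "Allowed resource types (example)",
            "mode": "All",
            "policyRule": {
                "if": {"not": {"field": "type", "in": approved_types}},
                "then": {"effect": "deny"},
            },
        }
    }


def evaluate_policy(policy, resources):
    """Local pre-check of an inventory against the allowed-types rule.

    Supports only the not/in rule produced above. Azure Policy compares resource
    types case-insensitively, so both sides are lower-cased here.
    """
    rule = policy["properties"]["policyRule"]
    allowed = {t.lower() for t in rule["if"]["not"]["in"]}
    return [r for r in resources if r["type"].lower() not in allowed]


def resource_graph_query(approved_types):
    """Kusto query for Azure Resource Graph listing resources outside the approved set.

    Resource Graph stores `type` in lower case, hence tolower() on both sides.
    """
    quoted = ", ".join(f'"{t.lower()}"' for t in approved_types)
    return (
        "Resources\n"
        f"| where tolower(type) !in ({quoted})\n"
        "| project name, type, resourceGroup, subscriptionId"
    )


# Constructed sample inventory; the VM is the non-approved resource
SAMPLE_RESOURCES = [
    {"name": "syn-prod", "type": "Microsoft.Synapse/workspaces"},
    {"name": "stprod01", "type": "microsoft.storage/storageAccounts"},
    {"name": "vm-adhoc", "type": "Microsoft.Compute/virtualMachines"},
]

if __name__ == "__main__":
    policy = build_allowed_types_policy(APPROVED_TYPES)
    print(json.dumps(policy, indent=2))
    for r in evaluate_policy(policy, SAMPLE_RESOURCES):
        print(f"non-approved: {r['name']} ({r['type']})")
    print(resource_graph_query(APPROVED_TYPES))
```

The local evaluation is a convenience for reviewing an export before assigning the policy; Azure Policy's own evaluation at assignment scope is what actually blocks the deployment.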

Responsibility: Shared

Logging and Threat Detection

For more information, see the Azure Security Benchmark: Logging and Threat Detection.

LT-1: Enable threat detection for Azure resources

Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability and enable Azure Defender (formerly Azure Advanced Threat Protection) for your Azure Synapse Workspace resources. Azure Defender for Azure Synapse Workspace provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Azure Synapse Workspace resources.

Forward logs from Azure Synapse to Azure Sentinel, which can be used to build custom threat detections. Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce the false positives analysts must sort through. Alerts can be sourced from log data, agents, or other data.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2

LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Azure Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:

  • Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
  • Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and policies.
  • Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
  • Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.

Microsoft Defender for Cloud can also trigger alerts on certain suspicious activities, such as an excessive number of failed authentication attempts or deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (virtual machines, containers, app service), data resources (SQL DB and storage), and Azure service layers. This capability gives you visibility into account anomalies inside individual resources.
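To show what "excessive failed authentication attempts" looks like once the sign-in logs above are in a workspace or SIEM, here is an added Python example (not from this baseline or from Microsoft) that runs two detections over constructed records in the shape of the Azure Monitor SigninLogs table: a per-account sliding-window failure count, and a per-source count of distinct accounts with failures (the password-spray pattern). Accounts, addresses and thresholds are made up; ResultType "0" is a successful sign-in and "50126" is Azure AD's invalid-credentials error code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (TimeGenerated, UserPrincipalName, IPAddress,
# ResultType) in the shape of the SigninLogs table. ResultType "0" = success,
# "50126" = invalid username or password. All names and addresses are made up.
SAMPLE_SIGNINS = (
    # one account, six failures in five minutes, then a success: brute-force pattern
    [{"TimeGenerated": f"2024-05-01T08:0{i}:00Z", "UserPrincipalName": "alice@contoso.example",
      "IPAddress": "203.0.113.10", "ResultType": "50126"} for i in range(6)]
    + [{"TimeGenerated": "2024-05-01T08:07:00Z", "UserPrincipalName": "alice@contoso.example",
        "IPAddress": "203.0.113.10", "ResultType": "0"}]
    # a single typo-style failure: not interesting on its own
    + [{"TimeGenerated": "2024-05-01T09:00:00Z", "UserPrincipalName": "bob@contoso.example",
        "IPAddress": "192.0.2.25", "ResultType": "50126"}]
    # one source address, one failure each against four accounts: spray pattern
    + [{"TimeGenerated": f"2024-05-01T10:{m:02d}:00Z",
        "UserPrincipalName": f"{user}@contoso.example",
        "IPAddress": "198.51.100.7", "ResultType": "50126"}
       for m, user in enumerate(["carol", "dave", "erin", "frank"])]
)


def _parse_time(value):
    # Timestamps carry a trailing Z; fromisoformat wants an explicit offset on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_sign_ins(records):
    """Yield (time, account, ip) for every non-successful sign-in, normalising the UPN."""
    for r in records:
        if r["ResultType"] != "0":
            yield _parse_time(r["TimeGenerated"]), r["UserPrincipalName"].lower(), r["IPAddress"]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failures inside any sliding `window`.

    Returns {account: peak failures seen in one window}. The window is advanced with
    two pointers, so the scan is linear in the number of failures per account.
    """
    per_account = defaultdict(list)
    for when, account, _ in failed_sign_ins(records):
        per_account[account].append(when)
    flagged = {}
    for account, times in per_account.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def password_spray_sources(records, min_accounts=3):
    """Source addresses whose failures touch at least `min_accounts` distinct accounts."""
    accounts_by_ip = defaultdict(set)
    for _, account, ip in failed_sign_ins(records):
        accounts_by_ip[ip].add(account)
    hits = [(ip, len(accts)) for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    print("bursts:", failed_login_bursts(SAMPLE_SIGNINS))
    print("spray sources:", password_spray_sources(SAMPLE_SIGNINS))
```

The two detections are deliberately separate: a spray stays under any per-account threshold by design, so counting distinct accounts per source is what surfaces it, while the per-account window catches the noisy single-target case that a per-source view would rank as just one more address.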

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2

LT-3: Enable logging for Azure network activities

Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs for security analysis to support incident investigations, threat hunting, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

Azure Synapse Workspace logs all network traffic that it processes for customer access. Enable the network flow capability within your deployed offering resources.

If you have enabled network security group (NSG) flow logs, connections to your dedicated SQL pool are logged to an Azure Storage Account for traffic auditing.

You may also send NSG flow logs to a Log Analytics workspace and use Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages of Traffic Analytics are the ability to visualize network activity and identify hot spots, identify security threats, understand traffic flow patterns, and pinpoint network misconfigurations.
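The NSG flow logs described above land in the storage account as JSON blobs whose flow tuples are comma-separated strings. As an added example (not part of this baseline and not Microsoft code), the following Python parses a constructed version-2 flow log blob into typed records and pulls out the triage view an analyst usually starts with: the source addresses with the most denied inbound flows. The subscription id, NSG name, MAC, rule names and addresses in the sample are placeholders.

```python
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Single-letter codes used in version-2 flow tuples
PROTOCOLS = {"T": "TCP", "U": "UDP"}
DIRECTIONS = {"I": "inbound", "O": "outbound"}
DECISIONS = {"A": "allow", "D": "deny"}
STATES = {"B": "begin", "C": "continuing", "E": "end"}

# Constructed sample blob: one record with a deny rule and an allow rule, in the shape
# Network Watcher writes to storage. Ids, names and addresses are placeholders.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2024-05-01T08:00:00.0000000Z",
        "systemId": "00000000-0000-0000-0000-000000000000",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-SYNAPSE/"
                      "PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-SQLPOOL",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1714550400,203.0.113.45,10.5.16.4,28746,1433,T,I,D,B,,,,",
                     "1714550410,203.0.113.45,10.5.16.4,28747,3389,T,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowSqlFromApp",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1714550420,10.5.2.20,10.5.16.4,51234,1433,T,I,A,E,12,1024,10,4096",
                 ]}]},
            ],
        },
    }]
})


@dataclass
class Flow:
    time: datetime
    nsg: str
    rule: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    state: str
    packets_s2d: int
    bytes_s2d: int
    packets_d2s: int
    bytes_d2s: int


def _count(field):
    # Traffic counters are empty on "begin" tuples and on denied flows
    return int(field) if field else 0


def parse_flow_log(text):
    """Flatten a version-2 NSG flow log blob into Flow objects, one per flow tuple."""
    flows = []
    for record in json.loads(text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version: {props.get('Version')}")
        for rule_block in props["flows"]:
            for mac_block in rule_block["flows"]:
                for tup in mac_block["flowTuples"]:
                    f = tup.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed flow tuple: {tup}")
                    flows.append(Flow(
                        time=datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
                        nsg=nsg, rule=rule_block["rule"],
                        src_ip=f[1], dst_ip=f[2], src_port=int(f[3]), dst_port=int(f[4]),
                        protocol=PROTOCOLS[f[5]], direction=DIRECTIONS[f[6]],
                        decision=DECISIONS[f[7]], state=STATES[f[8]],
                        packets_s2d=_count(f[9]), bytes_s2d=_count(f[10]),
                        packets_d2s=_count(f[11]), bytes_d2s=_count(f[12]),
                    ))
    return flows


def denied_inbound_by_source(flows, top=5):
    """Most frequent source addresses among denied inbound flows."""
    return Counter(f.src_ip for f in flows
                   if f.decision == "deny" and f.direction == "inbound").most_common(top)


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    for f in parsed:
        print(f.time.isoformat(), f.nsg, f.rule, f.src_ip, "->", f"{f.dst_ip}:{f.dst_port}",
              f.protocol, f.direction, f.decision, f.bytes_s2d + f.bytes_d2s, "bytes")
    print(denied_inbound_by_source(parsed))
```

Byte and packet counters only appear on "continuing" and "end" tuples, so a volume report has to sum those states and ignore "begin"; the parser keeps the state field for exactly that reason.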

Ensure that you are collecting DNS query logs to assist in correlating other network data. Implement a third-party solution from Azure Marketplace for DNS logging as per your organization's need.

Responsibility: Customer

LT-4: Enable logging for Azure resources

Guidance: Activity logs, which are automatically available, contain all write operations (PUT, POST, DELETE) for your Azure Synapse Workspace resources but not read operations (GET). Activity logs can be used to find an error when troubleshooting or to monitor how a user in your organization modified a resource.

Enable Azure resource logs for Azure Synapse Workspace. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and performing forensic exercises.

Azure Monitor provides base-level infrastructure metrics, alerts, and logs for most Azure services. Azure diagnostic logs are emitted by a resource and provide rich, frequent data about the operation of that resource. Azure Synapse Analytics can write diagnostic logs to Azure Monitor, in particular the Synapse RBAC Operations log.

Azure Synapse Workspace also produces security audit logs for the local administrator accounts. Enable these local admin audit logs.

Auditing for Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. These audit logs help you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0

LT-5: Centralize security log management and analysis

Guidance: Centralize logging storage and analysis to enable correlation. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements.

Ensure that you are integrating Azure activity logs into your central logging. Ingest logs via Azure Monitor to aggregate security data generated by endpoint devices, network resources, and other security systems. In Azure Monitor, use Log Analytics workspaces to query and perform analytics, and use Azure Storage accounts for long-term and archival storage.

In addition, enable and onboard data to Azure Sentinel or a third-party SIEM.

Many organizations choose to use Azure Sentinel for 'hot' data that is used frequently and Azure Storage for 'cold' data that is used less frequently.

For applications that may run on Azure Synapse Workspace, forward all security-related logs to your SIEM for centralized management.

Auditing for Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. These audit logs help you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.

Responsibility: Customer

LT-6: Configure log storage retention

Guidance: Ensure that any storage accounts or Log Analytics workspaces used for storing Azure Synapse Workspace logs have the log retention period set according to your organization's compliance regulations.

Auditing for Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. These audit logs help you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
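Because the audit log can go to any of the three destinations just listed, "retention set according to your compliance regulations" has to be checked per destination, and each one expresses retention differently. The following Python is an added example (not from this baseline or from Microsoft) that assesses a constructed set of destinations against a minimum: Azure SQL auditing to a storage account uses retentionDays, where 0 means keep indefinitely (the same reading the 90-day built-in policy below applies); a Log Analytics workspace uses retentionInDays; and for Event Hubs the retention lives in whatever consumes the stream, so the check can only flag it for manual follow-up. Names and values are made up.

```python
# Constructed audit log destinations to assess. Field names follow the properties
# the corresponding Azure resources expose: SQL auditing settings use retentionDays
# (0 = keep indefinitely), Log Analytics workspaces use retentionInDays.
SAMPLE_TARGETS = [
    {"name": "sqlaudit-storage-prod", "kind": "storage", "retentionDays": 0},
    {"name": "sqlaudit-storage-dev", "kind": "storage", "retentionDays": 30},
    {"name": "law-security", "kind": "logAnalytics", "retentionInDays": 180},
    {"name": "law-analytics-short", "kind": "logAnalytics", "retentionInDays": 60},
    {"name": "evh-siem-forwarder", "kind": "eventHub"},
]


def check_audit_retention(targets, minimum_days=90):
    """Assess each destination against the minimum; returns one finding per target.

    `compliant` is True/False where the destination itself holds the retention
    setting, and None for Event Hubs, where retention is governed by the consumer
    (for example the SIEM) and has to be verified there.
    """
    findings = []
    for t in targets:
        kind = t["kind"]
        if kind == "storage":
            days = int(t["retentionDays"])
            ok = days == 0 or days >= minimum_days   # 0 = unlimited, satisfies any minimum
            detail = "unlimited" if days == 0 else f"{days} days"
        elif kind == "logAnalytics":
            days = int(t["retentionInDays"])
            ok = days >= minimum_days
            detail = f"{days} days"
        elif kind == "eventHub":
            ok, detail = None, "retention is set by the downstream consumer; verify there"
        else:
            raise ValueError(f"unknown destination kind: {kind}")
        findings.append({"name": t["name"], "kind": kind, "compliant": ok, "detail": detail})
    return findings


def non_compliant(findings):
    """Names of destinations that definitely fall short (undetermined ones are excluded)."""
    return [f["name"] for f in findings if f["compliant"] is False]


if __name__ == "__main__":
    for f in check_audit_retention(SAMPLE_TARGETS):
        status = {True: "OK", False: "SHORT", None: "CHECK"}[f["compliant"]]
        print(f"{status:5} {f['kind']:12} {f['name']:24} {f['detail']}")
```

Treating the Event Hubs case as "undetermined" rather than "compliant" matters: a report that silently passes the destination whose retention it cannot see is the kind of gap that only shows up during an investigation.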

Responsibility: Customer

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher | For incident investigation purposes, we recommend setting the data retention for your SQL Server's auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. | AuditIfNotExists, Disabled | 3.0.0

LT-7: Use approved time synchronization sources

Guidance: Microsoft maintains time sources for most Azure platform PaaS and SaaS services. For your virtual machines, use a Microsoft default network time protocol (NTP) server for time synchronization unless you have a specific requirement. If you need to stand up your own NTP server, ensure that you secure the UDP service port 123.

All logs generated by resources within Azure provide time stamps with the time zone specified by default.

Responsibility: Microsoft

Posture and Vulnerability Management

For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.

PV-1: Establish secure configurations for Azure services

Guidance: You can use Azure Blueprints to automate deployment and configuration of services and application environments including Azure Resources Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.

SQL Server should use a virtual network service endpoint.

There are a number of offering-specific security policies attributed to Synapse Analytics in addition to Microsoft Defender for Cloud based controls. For instance, you can secure your Azure SQL Server to a virtual network via Private Link; monitor and log configuration and traffic of virtual networks, subnets, and network interfaces using NSG flow logs and Traffic Analytics; deny communications with known-malicious IP addresses using Advanced Threat Protection (ATP).

Responsibility: Customer

PV-2: Sustain secure configurations for Azure services

Guidance: Use Microsoft Defender for Cloud to monitor your configuration baseline, and use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure configuration across Azure compute resources including VMs, containers, and others.

Define a SQL auditing policy for a specific database, or define it as a default server policy on the Azure SQL logical server that hosts dedicated SQL pools. The default auditing policy includes all actions and a set of action groups. The actions and action groups will audit:

Responsibility: Customer

PV-3: Establish secure configurations for compute resources

Guidance: Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.

Responsibility: Customer

PV-6: Perform software vulnerability assessments

Guidance: Microsoft performs vulnerability management on the underlying systems that support Azure Synapse Workspace.

Responsibility: Microsoft

Microsoft Defender for Cloud monitoring: The Azure Security Benchmark is the default policy initiative for Microsoft Defender for Cloud and is the foundation for Microsoft Defender for Cloud's recommendations. The Azure Policy definitions related to this control are enabled automatically by Microsoft Defender for Cloud. Alerts related to this control may require a Microsoft Defender plan for the related services.

Azure Policy built-in definitions - Microsoft.Sql:

Name (Azure portal) | Description | Effect(s) | Version (GitHub)
SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.0.0
Vulnerability assessment should be enabled on SQL Managed Instance | Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 1.0.1
Vulnerability assessment should be enabled on your SQL servers | Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. | AuditIfNotExists, Disabled | 2.0.0

PV-7: Rapidly and automatically remediate software vulnerabilities

Guidance: For third-party software, use a third-party patch management solution, or use System Center Updates Publisher for Configuration Manager. Azure Synapse Analytics doesn't use or require any third-party software.

Responsibility: Microsoft

PV-8: Conduct regular attack simulation

Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.

Responsibility: Customer

Endpoint Security

For more information, see the Azure Security Benchmark: Endpoint Security.

ES-2: Use centrally managed modern anti-malware software

Guidance: Protect your Azure Synapse Workspace or its resources with centrally managed, modern anti-malware software.

  • Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning.

  • Microsoft Defender for Cloud can automatically identify the use of several popular anti-malware solutions for your virtual machines (VMs), report the endpoint protection running status, and then make recommendations.

  • Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows VMs. For Linux VMs, use a third-party anti-malware solution. You can use Microsoft Defender for Cloud's Threat detection for data services to detect malware uploaded to Azure Storage accounts.

  • How to configure Microsoft Antimalware for Cloud Services and Virtual Machines

  • Supported endpoint protection solutions

Responsibility: Customer

ES-3: Ensure anti-malware software and signatures are updated

Guidance: Not applicable; Azure Synapse Workspace does not consist of any virtual machines or containers that would require Endpoint Detection and Response (EDR) protection.

Responsibility: Microsoft

Backup and Recovery

For more information, see the Azure Security Benchmark: Backup and Recovery.

BR-1: Ensure regular automated backups

Guidance: Snapshots of your Synapse dedicated SQL pools are automatically taken throughout the day, creating restore points that are available for seven days. This retention period cannot be changed. Dedicated SQL pools support an eight-hour recovery point objective (RPO). You can restore your SQL pool in the primary region from any one of the snapshots taken in the past seven days. Note that you can also manually trigger snapshots if necessary. If you are using a customer-managed key to encrypt your Database Encryption Key, ensure your key is being backed up.

Responsibility: Shared

BR-2: Encrypt backup data

Guidance: Snapshots of your Synapse dedicated SQL pools are automatically taken throughout the day, creating restore points that are available for seven days. This retention period cannot be changed. Dedicated SQL pools support an eight-hour recovery point objective (RPO). You can restore your SQL pool in the primary region from any one of the snapshots taken in the past seven days. Note that you can also manually trigger snapshots if necessary. If you are using a customer-managed key to encrypt your Database Encryption Key, ensure your key is being backed up.

Responsibility: Customer

BR-3: Validate all backups including customer-managed keys

Guidance: Snapshots of your dedicated SQL pool are automatically taken throughout the day, creating restore points that are available for seven days. This retention period cannot be changed. Dedicated SQL pool supports an eight-hour recovery point objective (RPO). You can restore your data warehouse in the primary region from any one of the snapshots taken in the past seven days. Note that you can also manually trigger snapshots if necessary.

Periodically ensure that you can restore backed-up customer-managed keys.

Synapse supports customer-managed keys (CMK) for encryption. This encryption uses keys generated in Azure Key Vault.

Responsibility: Shared

BR-4: Mitigate risk of lost keys

Guidance: Ensure that you have measures in place to prevent and recover from the loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.

Responsibility: Shared

Next steps