Security Recommendations for Azure Data and Analytics Services

Akash Verma 21 Reputation points
2020-09-02T20:20:43.98+00:00

I am working on securing Data and Analytics Services on Azure. I want to know what security controls I can apply after creating the services and what I can apply only during service creation. Below are the recommendations I have found as of now. Could someone please let me know if there are more to enhance security (any preview features are also fine)?

  1. Azure Data Factory

a. Self-Hosted Integration Runtime (compute infrastructure) must be set up in order to allow orchestration of data between an on-premises data source and an Azure data source.
b. The in-built linked service within ADF must be connected to a Key Vault instance in order to ensure that sensitive information such as passwords is pulled from the Key Vault.
c. Diagnostic logs must be enabled on ADF and should be connected to a Log Analytics workspace.
d. Encrypt Azure Data Factory with customer-managed keys

  2. Azure Synapse (SQL Pool and Synapse Workspace)

a. Advanced data security must be enabled on Azure Synapse
b. Use Azure Active Directory authentication on Azure Synapse
c. Enable Azure SQL Transparent Data Encryption with customer-managed key
d. Server-level auditing should be enabled on Azure Synapse and connected to a Log Analytics workspace.
e. Network Restriction
f. Dynamic Data Masking

  3. Azure Databricks

a. Utilize Azure Key Vault-backed secret scope
b. Configure customer-managed keys on default (root) DBFS
c. Enable customer-managed keys for notebooks
d. Encrypt traffic between cluster worker nodes
e. Diagnostic logs must be enabled on Databricks and should be connected to a Log Analytics workspace.
f. Enable Access Control on Individual Azure Databricks resources

  4. Azure HDInsight

a. Utilize HTTPS endpoint within the virtual network CLUSTERNAME-int.azurehdinsight.net for connection only over Private IP
b. Enable Enterprise Security Package while creating HDInsight Cluster
c. Enable Encryption at rest using Customer-managed keys while creating HDInsight cluster

Thanks in advance.
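
For recommendation 1b in the question (linked-service secrets pulled from Key Vault), here is a small audit over exported ADF linked-service JSON, added as an example that is not part of the original post. The sample definitions, their names and the `audit` helpers are constructed for illustration; `AzureKeyVaultSecret` and `SecureString` are the property types ADF uses in linked-service JSON.

```python
import json
import re

# Constructed sample linked services (names, servers and values are made up).
SAMPLE = json.loads("""[
 {"name": "SqlViaKeyVault", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
   "connectionString": "Server=tcp:example.database.windows.net;Database=dw;User ID=etl",
   "password": {"type": "AzureKeyVaultSecret", "secretName": "sql-etl-password",
                "store": {"referenceName": "CorpKeyVault", "type": "LinkedServiceReference"}}}}},
 {"name": "SqlInlineSecret", "properties": {"type": "AzureSqlDatabase", "typeProperties": {
   "password": {"type": "SecureString", "value": "CONSTRUCTED"}}}},
 {"name": "BlobInlineKey", "properties": {"type": "AzureBlobStorage", "typeProperties": {
   "connectionString": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=CONSTRUCTED"}}}
]""")

# Credential-bearing fragments that should not sit inside a connection string.
INLINE_CRED = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesssignature)\s*=")

def audit_linked_service(ls):
    """Return (property path, issue) pairs for secrets not sourced from Key Vault."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            kind = node.get("type")
            if kind == "SecureString":
                findings.append((path, "inline SecureString instead of a Key Vault reference"))
            elif kind == "AzureKeyVaultSecret":
                store = node.get("store") or {}
                if not (node.get("secretName") and store.get("referenceName")):
                    findings.append((path, "incomplete Key Vault reference"))
            else:
                for key, value in node.items():
                    walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and INLINE_CRED.search(node):
            findings.append((path, "credential embedded in a string value"))

    walk(ls["properties"].get("typeProperties", {}), "typeProperties")
    return findings

def audit(linked_services):
    """Map each linked service name to its list of findings (empty means clean)."""
    return {ls["name"]: audit_linked_service(ls) for ls in linked_services}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, issues or "OK")
```

An empty findings list means every secret-typed property in that linked service resolves through a Key Vault reference.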


1 answer

  1. PRADEEPCHEEKATLA-MSFT 77,081 Reputation points Microsoft Employee
    2020-09-03T09:22:18.55+00:00

    Hello @Akash Verma ,

    Welcome to Microsoft Q&A platform.

    This article contains security baselines for all Azure services.

    Here is the list of documents for the Azure security baseline for the services (ADF, Synapse, Databricks, HDInsight), which contain recommendations that will help you improve the security posture of your deployment.

    The baseline for this service is drawn from the Azure Security Benchmark version 1.0, which provides recommendations on how you can secure your cloud solutions on Azure with our best practices guidance.

    Hope this helps. Do let us know if you have any further queries.

    ----------------------------------------------------------------------------------------

    Do click on "Accept Answer" and upvote the post that helps you; this can be beneficial to other community members.

    1 person found this answer helpful.