I would like to load sensitive data in an Azure Data Lake Storage Gen2. I need to make sure that this data can not be read by the global administrator or any other kind of super user. How can this be realized? I think role-based access control is not really sufficient for this. I was thinking about access control lists (ACL) but how can you make sure that the global administrator can not just change the ACLs again? But maybe this is the completely wrong approach. If you have any idea on how to realize this I would very much appreciate it. Thank you in advance!

@Schmitz, Simon Welcome to Microsoft Q&A Forum, Thank you for posting your query here! You cannot effectively control it. Essentially, global administrators have the authority to gain full access to all resources in Azure. Therefore, if they possess this permission at the subscription or tenant level, they might not have direct access to the storage account. However, they can grant themselves the necessary permissions to access the storage account. Azure roles, Microsoft Entra roles, and classic subscription administrator roles Additional information: You can try using CEK (Client-Side Encryption) or CPK (Customer-Provided Keys). Essentially, a key is provided during the data upload, so the key is required to read the data. Client-Side Encryption or Customer-Provided Keys Encryption Use Azure Private Link : Azure Private Link allows you to access Azure services (such as Azure Data Lake Storage Gen2) over a private endpoint in your virtual network. This means that the data is not exposed to the public internet and can only be accessed by authorized users within your virtual network. You can create a private endpoint for Azure Data Lake Storage Gen2 in your virtual network and use it to access the data. Use RBAC and ACLs : While RBAC alone may not be sufficient to protect sensitive data, it can still be used in conjunction with ACLs to provide an additional layer of security. You can use RBAC to control who has access to the Azure Data Lake Storage Gen2 account, and use ACLs to control who has access to specific files and folders within the account. By using a combination of RBAC, ACLs, CMK, and Azure Private Link, you can ensure that your sensitive data is protected from unauthorized access. I haven't tried this option. Difference between Global Admin and Owner in Microsoft Azure Please let us know if you have any further queries. I’m happy to assist you further. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

How to protect sensitive data in Azure?

Accepted answer

Sumarigo-MSFT 47,021 Reputation points Microsoft Employee

2024-06-24T13:17:59.9566667+00:00

@Schmitz, Simon Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

You cannot effectively control it. Essentially, global administrators have the authority to gain full access to all resources in Azure.

Therefore, if they possess this permission at the subscription or tenant level, they might not have direct access to the storage account. However, they can grant themselves the necessary permissions to access the storage account.

Azure roles, Microsoft Entra roles, and classic subscription administrator roles

Additional information: You can try using CEK (Client-Side Encryption) or CPK (Customer-Provided Keys). Essentially, a key is provided during the data upload, so the key is required to read the data. Client-Side Encryption or Customer-Provided Keys Encryption

Use Azure Private Link: Azure Private Link allows you to access Azure services (such as Azure Data Lake Storage Gen2) over a private endpoint in your virtual network. This means that the data is not exposed to the public internet and can only be accessed by authorized users within your virtual network. You can create a private endpoint for Azure Data Lake Storage Gen2 in your virtual network and use it to access the data.

Use RBAC and ACLs: While RBAC alone may not be sufficient to protect sensitive data, it can still be used in conjunction with ACLs to provide an additional layer of security. You can use RBAC to control who has access to the Azure Data Lake Storage Gen2 account, and use ACLs to control who has access to specific files and folders within the account. By using a combination of RBAC, ACLs, CMK, and Azure Private Link, you can ensure that your sensitive data is protected from unauthorized access. I haven't tried this option.

Difference between Global Admin and Owner in Microsoft Azure

Please let us know if you have any further queries. I’m happy to assist you further.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Please sign in to rate this answer.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Schmitz, Simon 40 Reputation points

2024-06-27T08:36:47.26+00:00

Thank you very much for your quick and detailed reply @Sumarigo-MSFT ! Those are some promising approaches. However, since the sensitive data is also to be processed in Azure, I think client-side encryption could be problematic or at least cumbersome.

One question that crossed my mind was whether it is possible to implement a person who has to approve when something is changed by the owner or global administrator. For example, let's say we disable all permissions of sensitive data for all kinds of superuser roles via the ACLs. Only the developer who processes the data has read permission. Now the question would be: Can we implement a mechanism that as soon as someone wants to change the ACLs, a person is notified and has to approve it before it can be changed? That would be a sufficient approach for me. Is that possible? I know that there are action groups, for example, where a warning can be sent as soon as an action is taken. But this is only a warning and not an approval procedure. Thank you for your help in advance!

Sumarigo-MSFT 47,021 Reputation points Microsoft Employee

2024-07-09T06:52:27.32+00:00

@Schmitz, Simon Based on the provided documents, it seems that you are looking for a way to implement an approval mechanism for changes made to ACLs. Azure Active Directory Privileged Identity Management (PIM) provides a way to implement an approval workflow for Azure AD roles. You can use PIM to manage Azure AD roles, and require approval for activation of the role.

However, it is important to note that PIM is not designed to manage access control lists (ACLs) for resources. PIM is designed to manage Azure AD roles, which are collections of permissions that can be assigned to users or groups.

If you are looking to implement an approval mechanism for changes made to ACLs, you may want to consider using Azure Policy. Azure Policy is a service that allows you to create, assign, and manage policies that enforce rules and effects over your resources. You can use Azure Policy to enforce policies that require approval for changes to ACLs.

To learn more about Azure Policy, you can refer to the following document: https://docs.microsoft.com/en-us/azure/governance/policy/overview.

I hope this helps! Let me know if you have any further questions.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to protect sensitive data in Azure?

1 additional answer

Your answer