How to protect sensitive data in Azure?

Schmitz, Simon 40 Reputation points
2024-06-24T06:30:46.3766667+00:00

I would like to load sensitive data in an Azure Data Lake Storage Gen2. I need to make sure that this data can not be read by the global administrator or any other kind of super user. How can this be realized?

I think role-based access control is not really sufficient for this. I was thinking about access control lists (ACL) but how can you make sure that the global administrator can not just change the ACLs again?

But maybe this is the completely wrong approach. If you have any idea on how to realize this I would very much appreciate it. Thank you in advance!

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,490 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
831 questions
{count} votes

Accepted answer
  1. Sumarigo-MSFT 47,106 Reputation points Microsoft Employee
    2024-06-24T13:17:59.9566667+00:00

    @Schmitz, Simon Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    You cannot effectively control it. Essentially, global administrators have the authority to gain full access to all resources in Azure.

    Therefore, if they possess this permission at the subscription or tenant level, they might not have direct access to the storage account. However, they can grant themselves the necessary permissions to access the storage account.

    Azure roles, Microsoft Entra roles, and classic subscription administrator roles

    Additional information: You can try using CEK (Client-Side Encryption) or CPK (Customer-Provided Keys). Essentially, a key is provided during the data upload, so the key is required to read the data. Client-Side Encryption or Customer-Provided Keys Encryption

    Use Azure Private Link: Azure Private Link allows you to access Azure services (such as Azure Data Lake Storage Gen2) over a private endpoint in your virtual network. This means that the data is not exposed to the public internet and can only be accessed by authorized users within your virtual network. You can create a private endpoint for Azure Data Lake Storage Gen2 in your virtual network and use it to access the data.

    Use RBAC and ACLs: While RBAC alone may not be sufficient to protect sensitive data, it can still be used in conjunction with ACLs to provide an additional layer of security. You can use RBAC to control who has access to the Azure Data Lake Storage Gen2 account, and use ACLs to control who has access to specific files and folders within the account. By using a combination of RBAC, ACLs, CMK, and Azure Private Link, you can ensure that your sensitive data is protected from unauthorized access. I haven't tried this option.

    Difference between Global Admin and Owner in Microsoft Azure

    Please let us know if you have any further queries. I’m happy to assist you further.     


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.