05.azure Data Lake Authentication

The document discusses various aspects of security on Azure including authentication, access control, network access, and data protection. It covers authentication methods like storage account keys, shared access signatures (SAS), and Azure Active Directory (AD). For access control, it discusses role based access control (RBAC) and access control lists (ACLs). It also covers network security topics like firewalls and virtual networks. For data protection, it discusses encrypting data in transit and at rest, including storage service encryption and using customer-managed keys.

Uploaded by Sharvaree Taware

Azure Security

Himanshi Arora
Azure Data Engineer, Architect, Advisor
[email protected]
Learning Objectives
• Authentication
  • Storage Account keys
  • Shared access signature (SAS)
  • Azure Active Directory (Azure AD)
• Access Control
  • Role based access control (RBAC)
  • Access control list (ACL)
• Network access
  • Firewall and virtual network
• Data Protection
  • Data encryption in transit
  • Data encryption at rest
Shared Access Signature (SAS)
• Security token string, the “SAS token”
• Contains the granted permissions and constraints such as start and end time
• Azure doesn’t track a SAS after creation
• To invalidate one, regenerate the storage account key used to sign the SAS
Stored access policy
• Can be reused by multiple SAS
• Defined on a resource container
• Supplies permissions + validity period
• Service-level SAS only
• A stored access policy can be revoked
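The two revocation paths above (a SAS signed directly with an account key dies only when that key is regenerated; a SAS bound to a stored access policy dies when the policy is revoked) modelled in Python as an added example. This is not the Azure SDK and not Azure's real string-to-sign format: the class, query field names, policy id and keys are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

class StorageAccountModel:  # constructed model: signing keys plus stored access policies
    def __init__(self, key1: bytes):
        self.keys = {"key1": key1}   # account keys that may have signed a SAS
        self.policies = {}           # (container, policy id) -> {"sp": perms, "se": expiry}
    def regenerate_key(self, name, new_key):
        self.keys[name] = new_key    # signatures made with the old key no longer reproduce
    def _sig(self, key_name, fields, container):
        # Simplified string-to-sign (not Azure's real one): perms, expiry, resource, policy id.
        sts = "\n".join([fields.get("sp", ""), fields.get("se", ""), f"/{container}", fields.get("si", "")])
        mac = hmac.new(self.keys[key_name], sts.encode(), hashlib.sha256).digest()
        return base64.b64encode(mac).decode()
    def create_sas(self, container, perms=None, expiry=None, policy_id=None, key_name="key1"):
        fields = {"sr": "c"}
        if policy_id is None:        # ad-hoc SAS: permissions and expiry travel inside the token
            fields["sp"], fields["se"] = perms, expiry.isoformat()
        else:                        # policy-bound SAS: the token only names the policy
            fields["si"] = policy_id
        fields["sig"] = self._sig(key_name, fields, container)
        return urlencode(fields)
    def validate(self, container, token, now):
        q = {k: v[0] for k, v in parse_qs(token).items()}
        expiry = q.get("se")
        if "si" in q:
            policy = self.policies.get((container, q["si"]))
            if policy is None:       # policy deleted: SAS revoked without touching any key
                return False
            expiry = policy["se"].isoformat()
        if not expiry or datetime.fromisoformat(expiry) <= now:
            return False
        # No list of issued tokens exists: a SAS is valid exactly when a current key reproduces its signature.
        return any(hmac.compare_digest(self._sig(k, q, container), q["sig"]) for k in self.keys)

def demo():
    acct = StorageAccountModel(b"constructed-key-1")
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expiry = now + timedelta(hours=1)
    direct = acct.create_sas("data", "rl", expiry)
    acct.policies[("data", "readers")] = {"sp": "r", "se": expiry}
    bound = acct.create_sas("data", policy_id="readers")
    check = lambda: (acct.validate("data", direct, now), acct.validate("data", bound, now))
    before = check()
    del acct.policies[("data", "readers")]             # revoke the stored access policy
    after_revoke = check()
    acct.regenerate_key("key1", b"constructed-key-2")  # regenerate the signing account key
    return before, after_revoke, check()
```

Running `demo()` returns `((True, True), (True, False), (False, False))`: revoking the policy kills only the policy-bound SAS, while regenerating the key kills every SAS it signed.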
Azure Active Directory (AD)
• Grant access to Azure Active Directory (AD) identities
• AD is an enterprise identity provider, Identity as a Service (IDaaS)
• Globally available from virtually any device
• Identities: user, group or application principal
• Assign roles at Subscription, Resource Group (RG), Storage account or container level
• No longer need to store credentials in application config files
• Similar to the IIS Application pool identity approach
Role Based Access Control (RBAC)
• Access Control
Firewalls and Virtual Networks
Storage Account Access Keys (SAS)
• Authentication
Encrypting Data in Transit – Advanced
• Site-to-site VPN
• Point-to-site VPN
• Azure ExpressRoute
Client-side Encryption
• Encrypt data within the application
• Data is encrypted in transit and at rest
• The application decrypts data when it is retrieved
• HTTPS has integrity checks built in
• .NET and Java storage client libraries
• Can leverage Azure Key Vault to generate and/or store encryption keys
Encrypting Data at Rest
• Encryption enabled by default
• Can’t be disabled
• Storage Service Encryption (SSE)
• Automatically encrypts and decrypts while writing and reading
• It’s free, no charge
• Applied to both standard and premium tiers
• 256-bit AES encryption
• Option: use your own encryption keys
• Blobs and files only
THANKS