Data auditing. Microsoft Purview can review your Azure data real estate and provide a report on what exists. You can use the report to analyze the database columns in order to determine the type of data stored in them and what level of sensitivity label they require. Sensitivity labels range from Publicly Viewable to Highly Confidential. Azure Synapse Analytics dedicated SQL pools include a feature called Data Discovery & Classification that can be used to discover and classify your data. You should perform an audit of your data resources before beginning to design your data security solution. You need to know what you have before you begin creating something to protect it.
Encryption‐at‐rest and in‐transit. Most of the data stored on the Azure platform is encrypted at rest. The data is encrypted by a Microsoft key, but it is possible to use your own key for the encryption. The encryption and decryption of the data happens by default on the platform; you do not need to do anything. The default encryption is helpful in the very unlikely scenario that a hard drive containing your data is stolen. If that happens, the data will be unusable because the data is encrypted. When data moves between two machines, it needs to be encrypted as well. Using TLS with HTTP is enough to implement data encryption‐in‐transit.
Managed identities. Many Azure products come with a default system‐assigned identity. Only the platform has any knowledge of the credentials, which makes using them for granting permissions very secure. The other type is a user‐assigned managed identity. The identity is provisioned manually, and instead of being managed by the platform and bound to an Azure product, it is a standalone credential, identical to a service principal. A user‐assigned managed identity can be used to authenticate between products and applications in the same manner as system‐assigned managed identity.
Azure Key Vault. Azure Key Vault stores keys, secrets, and certificates. When performing encryption and decryption, you can use Azure Key Vault to generate and store a key. You can also use Azure Key Vault to store passwords and tokens. When a password is needed, the credentials of a system‐assigned managed identity can be used to retrieve it from Azure Key Vault and use it in the application, so the password itself never has to be placed in code or configuration. Certificates for securing data transmissions or for client certificate authentication can be stored in and retrieved from Azure Key Vault.
RBAC and ACLs. RBAC roles enable you to grant access to Azure Active Directory groups for managing Azure products. Only a few RBAC roles grant access to data itself; mostly, they grant access to the product or feature, such as a storage account in Azure Data Lake. Azure evaluates the RBAC role first, and consults the ACLs only when the role does not already grant the requested access. ACLs therefore cannot be used to reduce the permission level granted by an RBAC role; however, they can increase the level. For example, an ACL can provide write access to an individual who is part of an RBAC role that has read‐only permissions.
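To make the RBAC-then-ACL rule concrete, here is an added example (not code from the book) that models the evaluation order described above: the RBAC role is checked first, and an ACL entry can only add permissions on top of it. The role-to-permission mapping is deliberately simplified, and the principals and ACL entries are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified mapping of two real built-in data-plane roles to the permissions
# they grant (constructed; the real roles cover more operations than this).
ROLE_PERMS = {
    "Storage Blob Data Reader": {"read"},
    "Storage Blob Data Contributor": {"read", "write"},
}


@dataclass
class Principal:
    """A user or group, with the RBAC roles assigned to it on the account."""
    name: str
    rbac_roles: set = field(default_factory=set)


@dataclass
class PathAcl:
    """ACL on one file or directory: principal name -> granted permissions."""
    entries: dict = field(default_factory=dict)


def rbac_allows(principal, action):
    # Any assigned role that includes the action is enough.
    return any(action in ROLE_PERMS.get(r, set()) for r in principal.rbac_roles)


def acl_allows(acl, principal, action):
    # ACL entries only grant; an absent or empty entry grants nothing.
    return action in acl.entries.get(principal.name, set())


def is_allowed(principal, acl, action):
    """RBAC first: if the role grants the action, the ACL is never consulted,
    so nothing in the ACL can take that access away. Otherwise the ACL may
    grant the action on its own, which is how it raises the effective level."""
    if rbac_allows(principal, action):
        return True
    return acl_allows(acl, principal, action)


# Constructed sample: alice holds the read-only role, and an ACL on one path
# additionally grants her write access. The book's example in code form.
alice = Principal("alice", {"Storage Blob Data Reader"})
path_acl = PathAcl({"alice": {"read", "write"}})

if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, "->", is_allowed(alice, path_acl, action))
```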