Azure Data Warehouse Security Best Practices and Features
As a general guideline, when securing your Data Warehouse in Azure, follow the same security best practices in the cloud as you would on-premises.
General Security Best Practices
- Restrict the IP addresses that can connect to the Azure Data Warehouse through the DW Server Firewall.
- Use Windows Authentication where possible. Using domain-based accounts will allow you to enforce password complexity and password expiry, and gives you more centralized account and permission management.
- Implement database-level security through management of permissions, either with Custom Roles, which allow you to specify explicit permissions at object level, or with Built-in Roles.
- When using SQL Server Authentication, use complex passwords and assign explicit permissions to objects to reduce risk at a data level.
- Review the following article for guidelines and information on Logins and Accounts within Azure Data Warehouse
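The custom-role and SQL Server Authentication points from the list above, as an added T-SQL example that is not part of the original article. The names etl_login, etl_user, sales_reader and the two dbo tables are hypothetical, and the password is a placeholder.

```sql
-- Added example; every login, user, role and table name here is hypothetical.

-- 1) Connected to the master database: create a SQL Server Authentication login.
--    The password is a placeholder; replace it with a long, random value.
CREATE LOGIN etl_login WITH PASSWORD = '<long-random-password>';

-- 2) Connected to the data warehouse database: constructed sample tables.
CREATE TABLE dbo.FactSales   (SaleId INT NOT NULL, CustomerId INT NOT NULL, Amount DECIMAL(18,2));
CREATE TABLE dbo.DimCustomer (CustomerId INT NOT NULL, Email NVARCHAR(256));

-- Map the login to a database user; it holds no permissions yet.
CREATE USER etl_user FOR LOGIN etl_login;

-- Custom role that carries only explicit object-level permissions.
CREATE ROLE sales_reader;
GRANT SELECT ON OBJECT::dbo.FactSales TO sales_reader;

-- Explicitly block the table holding personal data, so a broader grant
-- added later (for example db_datareader) does not expose it.
DENY SELECT ON OBJECT::dbo.DimCustomer TO sales_reader;

-- Grant through the role, never directly to the user.
EXEC sp_addrolemember 'sales_reader', 'etl_user';

-- 3) Review: list every explicit object permission the role holds.
SELECT pr.name AS principal_name,
       s.name  AS schema_name,
       o.name  AS object_name,
       pe.permission_name,
       pe.state_desc            -- GRANT or DENY
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id = pe.major_id AND pe.class = 1
JOIN sys.schemas              AS s  ON s.schema_id = o.schema_id
WHERE pr.name = 'sales_reader';
```

Steps 1 and 2 run on separate connections (master, then the data warehouse database). The review query should return one GRANT row for FactSales and one DENY row for DimCustomer.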
Azure Data Warehouse Features
The following features within Azure Data Warehouse allow you to secure and monitor your Data Warehouse and the interactions with it.
Transparent Data Encryption (TDE) protects your database, logs and backups through encryption at rest.
https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql
Restrict traffic and secure your Azure Data Warehouse by using Network Service Endpoints.
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview
When using Azure Data Factory as your integration platform, make use of a Self-Hosted Integration Runtime to host your Data Factory Pipelines. This will allow you to limit the traffic to the secure VNET only.
https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime
Enable Auditing and Advanced Threat Protection in your Data Warehouse to receive security alerts on potential threats and anomalous activities.
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview
Additional Info
Securing your Azure Data Warehouse should not be your only priority; securing all Azure services should be a requirement. The following article provides best practices for all Azure solutions.
https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/