Today, we are excited to launch Conditional Access support for Azure Data Explorer (ADX). This was an important ask from our enterprise and government customers who want to achieve Zero Trust security with ADX.
What is Conditional Access?
Today's security perimeter extends beyond an organization's network to include user and device identity, so organizations can use identity-driven signals as part of their access control decisions. Azure Active Directory (AAD) Conditional Access brings those signals together to make decisions and enforce organizational policies.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example, if a data engineer wants to access Azure Data Explorer, then she is required to complete multi-factor authentication.
Why is it important?
Organizations and governments are increasingly security conscious (for all the right reasons) and are looking for granular controls to secure their business applications and data. As attackers become more sophisticated, product teams must keep providing best-in-class security controls to stay ahead of the curve.
Consider how authentication has traditionally worked: organizations require users to supply a user ID and password. Most of the time it is the legitimate user typing them in and everything is fine: the user goes on to access all the data and applications they have been granted. But sometimes a malicious entity steals or guesses a user's credentials and puts your organization at risk of ending up in the data breach headlines.
To reduce these risks, organizations can add authentication hurdles such as multi-factor authentication (MFA) or require access from recognized devices. AAD Conditional Access strengthens the authentication process further by analyzing signals such as the user's location, device platform and device state, and enforcing policies when necessary.
For example, in the context of Azure Data Explorer -
How does it work?
Azure Active Directory (AAD) is the preferred method for authenticating to Azure Data Explorer (ADX). ADX is now supported as an app in AAD Conditional Access, which lets you enforce condition-based policies on top of ADX.
Let's assume an enterprise wants to apply a data access policy on Azure Data Explorer (ADX): any data analyst outside Singapore should be prompted for MFA, while in-country analysts accessing from trusted locations are not burdened.
Let's configure this scenario -
Please note that Conditional Access policies apply only to ADX data plane operations; they do not affect control plane operations. For example, you can still create a cluster or a database via the Azure portal or CLI regardless of your location.
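The Singapore scenario above, written out as the Microsoft Graph request bodies an administrator would submit to create the named location and the policy, paired with a small evaluator that shows which sign-ins the if-then rule would challenge. This is an added example, not code from the original post or from Microsoft: the app, group and named-location IDs are placeholders for values from your own tenant, the evaluator is a simplified model of how AAD matches users, apps and locations (not the real engine), and the control-plane sign-in is included only to show that the policy does not target it, matching the note above.

```python
"""Conditional Access for ADX, the Singapore scenario as an if-then rule.

Added example, not code from the original post or from Microsoft. It builds the
Microsoft Graph request bodies for the named location and the policy, and pairs
them with a small evaluator that shows which sign-ins the rule challenges.
Every ID below is a placeholder (assumption) for a value from your own tenant.
"""
import json
from dataclasses import dataclass

# Placeholders (assumption): substitute the object IDs from your tenant.
ADX_APP_ID = "<azure-data-explorer-app-id>"              # ADX as listed under cloud apps
ARM_APP_ID = "<azure-resource-manager-app-id>"           # control plane, NOT targeted
ANALYSTS_GROUP_ID = "<data-analysts-group-object-id>"
SINGAPORE_LOCATION_ID = "<singapore-named-location-id>"  # id returned when the location is created


def build_named_location():
    """Body for POST /identity/conditionalAccess/namedLocations: the country 'Singapore'."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Singapore",
        "countriesAndRegions": ["SG"],
        "includeUnknownCountriesAndRegions": False,
    }


def build_policy(state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies.

    IF an analyst signs in to ADX from any location except Singapore or a trusted
    IP range THEN require MFA. Start in report-only state and switch to "enabled"
    once the sign-in logs confirm only the intended users would be challenged.
    """
    return {
        "displayName": "ADX: require MFA for analysts outside Singapore",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [ANALYSTS_GROUP_ID]},
            "applications": {"includeApplications": [ADX_APP_ID]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [SINGAPORE_LOCATION_ID, "AllTrusted"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


@dataclass(frozen=True)
class SignIn:
    """The signals evaluated for one sign-in (constructed for the demo)."""
    groups: frozenset
    app_id: str
    country: str        # ISO country code resolved from the client IP
    trusted_ip: bool    # client IP falls inside a named location marked as trusted


# How each location reference in the policy matches a sign-in (simplified model).
LOCATION_MATCHERS = {
    "All": lambda s: True,
    "AllTrusted": lambda s: s.trusted_ip,
    SINGAPORE_LOCATION_ID: lambda s: s.country == "SG",
}


def required_controls(policy, signin):
    """Grant controls the policy demands for this sign-in ([] if it does not apply)."""
    cond = policy["conditions"]
    if not signin.groups & set(cond["users"]["includeGroups"]):
        return []
    if signin.app_id not in cond["applications"]["includeApplications"]:
        return []
    loc = cond["locations"]
    included = any(LOCATION_MATCHERS[l](signin) for l in loc["includeLocations"])
    excluded = any(LOCATION_MATCHERS[l](signin) for l in loc.get("excludeLocations", []))
    if not included or excluded:
        return []
    return list(policy["grantControls"]["builtInControls"])


def decision(policy, signin):
    """'mfa', 'allow', or 'report-only' (policy matched but state is not enforcing)."""
    controls = required_controls(policy, signin)
    if not controls:
        return "allow"
    return "mfa" if policy["state"] == "enabled" else "report-only"


if __name__ == "__main__":
    print(json.dumps(build_policy("enabled"), indent=2))
    analyst = frozenset({ANALYSTS_GROUP_ID})
    samples = {
        "analyst, US, public IP, ADX query": SignIn(analyst, ADX_APP_ID, "US", False),
        "analyst, SG, public IP, ADX query": SignIn(analyst, ADX_APP_ID, "SG", False),
        "analyst, US, trusted office IP, ADX query": SignIn(analyst, ADX_APP_ID, "US", True),
        "analyst, US, public IP, create cluster (ARM)": SignIn(analyst, ARM_APP_ID, "US", False),
        "non-analyst, US, public IP, ADX query": SignIn(frozenset(), ADX_APP_ID, "US", False),
    }
    for label, s in samples.items():
        print(f"{label:48} -> {decision(build_policy('enabled'), s)}")
```

Two design points worth keeping when you build the real policy: exclude "AllTrusted" rather than a hand-maintained IP list, so that marking an office egress range as trusted in AAD automatically exempts it, and create the policy in report-only state first, since a location-scoped MFA rule that is wider than intended locks out exactly the analysts you meant to leave alone.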
Conclusion
Conditional Access is an important feature for strengthening security and meeting regulatory compliance for your Azure Data Explorer (ADX) deployments. We hope it helps you further embrace proactive security with Zero Trust on Azure.
We would love to hear how you plan to use the feature in the comments. You can also share your proposals and ideas around ADX security and other topics here: https://aka.ms/adx.ideas