Azure Data Warehouse Security Best Practice Guidelines and Features

Published Jul 02 2019 11:05 AM
Microsoft

Azure Data Warehouse Security Best Practices and Features

As a general guideline, when securing your Data Warehouse in Azure, follow the same security best practices in the cloud as you would on-premises.

 

General Security Best Practices

  • Restrict the IP addresses that can connect to the Azure Data Warehouse through the DW server firewall.
  • Use Windows Authentication where possible. Domain-based accounts allow you to enforce password complexity and password expiry, and give you more centralized account and permission management.
  • Implement database-level security through management of permissions, using either Custom Roles, which allow you to specify explicit permissions at object level, or Built-in Roles.
  • When using SQL Server Authentication, use complex passwords and assign explicit permissions to objects to reduce risk at the data level.
  • Review the following article for guidelines and information on logins and accounts within Azure Data Warehouse:
      • https://docs.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins?toc=/azure/sql-data-warehouse/toc.json
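
The custom-role and SQL Server Authentication points above, as an added T-SQL example that is not part of the original article. Every name in it (`report_reader_login`, `report_reader`, `sales_reporting`, `dbo.FactSales`, `dbo.DimCustomer`, `dbo.usp_RefreshSummary`) is hypothetical, and the password is a placeholder.

```sql
-- Added example: least-privilege access through a custom role.
-- All object, login, user and role names below are hypothetical.

-- 1) While connected to the master database: create the SQL-authenticated login.
CREATE LOGIN report_reader_login
    WITH PASSWORD = '<replace-with-long-random-password>';

-- 2) While connected to the data warehouse database: map the login to a user.
CREATE USER report_reader FOR LOGIN report_reader_login;

-- 3) Custom role that holds only the permissions reporting needs.
CREATE ROLE sales_reporting;

GRANT SELECT  ON OBJECT::dbo.FactSales          TO sales_reporting;
GRANT SELECT  ON OBJECT::dbo.DimCustomer        TO sales_reporting;
GRANT EXECUTE ON OBJECT::dbo.usp_RefreshSummary TO sales_reporting;

-- 4) Permissions reach the user only through role membership.
EXEC sp_addrolemember 'sales_reporting', 'report_reader';

-- For contrast, the built-in db_datareader role grants SELECT on every
-- table and view in the database, including ones created later:
-- EXEC sp_addrolemember 'db_datareader', 'report_reader';

-- 5) Review: list exactly what the custom role has been granted or denied.
SELECT pr.name            AS principal_name,
       pe.state_desc      AS permission_state,
       pe.permission_name,
       pe.class_desc,
       s.name             AS schema_name,
       o.name             AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects         AS o  ON pe.class = 1 AND o.object_id = pe.major_id
LEFT JOIN sys.schemas         AS s  ON s.schema_id = o.schema_id
WHERE pr.name = 'sales_reporting'
ORDER BY s.name, o.name, pe.permission_name;

-- 6) Review: confirm which roles the user belongs to.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'report_reader';
```

Running the two review queries periodically shows when a role has picked up grants beyond the objects it was created for.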

 

Azure Data Warehouse Features

Some features within Azure Data Warehouse allow you to secure and monitor your Data Warehouse and the interactions with it.

 

Transparent Data Encryption (TDE) protects your database, logs and backups through encryption at rest.

https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql

 

Restrict traffic and secure your Azure Data Warehouse by using Network Service Endpoints.

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vnet-service-endpoint-rule-overview

 

When using Azure Data Factory as your integration platform, use a Self-Hosted Integration Runtime to host your Data Factory pipelines. This allows you to limit the traffic to the secure VNET only.

https://docs.microsoft.com/en-us/azure/data-factory/create-self-hosted-integration-runtime

 

Enable Auditing and Advanced Threat Protection in your Data Warehouse to receive security alerts on potential threats and anomalous activities.

https://docs.microsoft.com/en-us/azure/sql-database/sql-database-threat-detection-overview

 

Additional Info

Securing your Azure Data Warehouse should not be your only priority; securing all Azure services should be a requirement. The following article provides best practices for all Azure solutions.

https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/

Last update: Apr 20 2020 02:24 PM