Infra & Security Architecture

APPLICATIVE SECURITY : Combining thes milestones 2 & 3

There are 2 potential solutions : One using the AzCopy Utility because the extraction of data from the on-premise server is totally free. But, if we want to automate the process, then the utility could be questionable. The second one is ADF (Azure Data Factory) which is not normally the appropriate solution because of the following reason : the extraction from ADF is never free. In our situation, the use of ADF won’t be expensive.

Azure Storage - Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. It contains :
1. 1 TOKEN for Azure Data Factory (ADF) : ADF accesses Key Vault via RBAC Permissions (Role-Based Access Control)
2. OR 1 SAS TOKEN for AzCopy Utility : PowerShell accesses Key Vault via a Service Principal

$SecureStringPwd = $sp.PasswordCredentials.SecretText | ConvertTo-SecureString -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $sp.AppId, $SecureStringPwd
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId

Retrieve Token from Azure Key Vault :
1. ADF via Key Vault Reader & Key Vault Secrets User permissions can retrieve the Token
2. PowerShell via the Service Pirncipal can retrieve the SAS Token
Access the Storage Account (Blob Storage) :
1. ADF using the Token can access the Blob Storage
2. AzCopy (triggered by PowerShell) using the SAS Token can access the Blob Storage without permissions (RBAC)
Retrieve the documents :
1. ADF via Integration Runtime with the synchronized authentication key can access the storage in the on-premise server
2. The connectivity between the on-premise servers is already set, no need to use a key

Azure Web Apps - SSO

Users can log into the Web App via SSO (Authentication Method allowing users to sign in using one set set of credentials to multiple software systems) - What is single sign-on? - Microsoft Entra ID | Microsoft Learn
Azure Web Apps via a Service Principal, can retrieve the Token from the Key Vault before using Azure AI Search
Azure Web Apps can access Azure AI Search via the Token

Azure AI Search - Key filter

Azure AI Search does not provide document-level permissions. As a workaround, we can create a filter that trims search results based on a string containing a group or user identity (Security filters for trimming results - Azure AI Search | Microsoft Learn)

POST https://[search service].search.windows.net/indexes/securedfiles/docs/index?api-version=2023-11-01
{
     "name": "securedfiles",  
     "fields": [
         {"name": "file_id", "type": "Edm.String", "key": true, "searchable": false },
         {"name": "file_name", "type": "Edm.String", "searchable": true },
         {"name": "file_description", "type": "Edm.String", "searchable": true },
         {"name": "group_ids", "type": "Collection(Edm.String)", "filterable": true, "retrievable": false }
     ]
 }
 //https://learn.microsoft.com/en-ca/azure/search/search-security-trimming-for-azure-search#create-security-field

In order to trim documents based on group_ids access, we should issue a search query with a filter.

{
   "filter":"group_ids/any(g:search.in(g, 'group_id1, group_id2'))"  
}

Azure AI Search is already connected to the Blob Storage via a connectionstring using an encrypted account key

DATA PROTECTION

Azure Storage

By default, all data stored in Azure Storage is automatically encrypted using service-side encryption (SSE) because data is persisted to the cloud. Moreoever, all metadata is also encrypted. And, there is no additional cost for that. However, we can manage our own encryption keys if we have specific security and compliance needs (Azure Storage encryption for data at rest | Microsoft Learn | Azure Data Encryption-at-Rest - Azure Security | Microsoft Learn).

Azure Web Apps

By default, all data stored in Azure is automatically encrypted without any additional configuration. If we have specific security or compliance needs, then we can add additional security and configure encryption at rest using customer-managed keys (Encrypt your application source at rest - Azure App Service | Microsoft Learn, Azure security baseline for App Service | Microsoft Learn).

Azure AI Search

By default, Azure AI Search automatically encrypts data at rest with service-managed keys. If we need more protection, we can supplement the dfault encryption with another layer of encryption using keys that we can create and manage in Azure Key Vault (Encrypt data using customer-managed keys - Azure AI Search | Microsoft Learn).

INFRA & SECURITY : Combining the milestones 2 & 3

Azure Web App : IP restriction and Azure VNET Integration

Access restrictions in App Service are equivalent to a firewall allowing you to block and filter traffic. Access restrictions apply to inbound access only (App Service Access restrictions - Azure App Service | Microsoft Learn). (The ability to restrict access to your web app from an Azure virtual network uses service endpoints. With service endpoints, you can restrict access to a multitenant service from selected subnets (Azure App Service access restrictions - Azure App Service | Microsoft Learn).
XXXX

Network Security : Integrate Web App in Azure Virtual Network

Logging & threat detection : Defender for App Service & Diagnostic log with Azure Monitor.

Backup & recovery : regular automated backup (File content , App Configuration, DB if connected).

Identity Management : AAD Authentication, Service PPal, RBAC (Acess Policies), Restrict exposure credentials with Key Vault.

Privileged access : Least Privilege principle.

Data Protection : data discovery with Purview or Azure Information Protection, encyrpt data in transit (SSL/TLs certificates), prevent loss prevention but we can reduce data exfiltration with NSG or Azure Firewall, enable data at rest encryption using CMK