Azure Security for Data
Controlling Access to Azure Storage
Anonymous as access control
Access Keys as access control
Shared Access Signature as access control
RBAC as access control
Identity-Based Access - Delegation SAS as access control
If we revoke that identity, then we revoke this SAS as well.
Identity-Based Access - Azure Files with Azure AD DS as access control
Protecting Data in Azure Storage
Storage Encryption
Customer-Managed Encryption Keys
SSE with Microsoft-managed keys (the account encryption key) can be extended with a customer-managed key stored in a Key Vault.
Azure Disk Encryption
Free protection for Microsoft Virtual Machines.
Supports both Virtual Machines and instances of a Virtual Machine Scale Set.
A VM extension configures OS-level encryption (e.g. Linux or Windows).
Only the VM can access the encryption key/secret in Key Vault.
Immutable Storage
Immutable storage can be configured with two types of policies:
Time-based policy
Legal hold policy
We need to make sure that the data is retained for a long time and that users cannot modify or delete it during that period.
Controlling Access to Azure SQL Services
SQL Authentication
Azure AD Authentication
To authenticate with Azure AD identities, we need to associate them with SQL logins or database users.
Protecting Data in Azure SQL Services
Transparent Data Encryption
Transparent Data Encryption : Customer-Managed Keys
TDE supports Bring Your Own Key (BYOK), managed by the customer. The key is called the TDE Protector, analogous to the customer-managed key for an Azure Storage Account.
Always Encrypted
Encrypts data within columns that we want to secure.
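As an added illustration of column-level protection (not part of the original notes), the following T-SQL defines a column master key held in Key Vault, a column encryption key wrapped by it, and a table with two Always Encrypted columns. The vault URL, key names, table and the ENCRYPTED_VALUE placeholder are assumptions; the real ENCRYPTED_VALUE is generated client-side by a tool such as SSMS or the SqlServer PowerShell module, never by the database engine.

```sql
-- Column master key (CMK): only a reference to the Key Vault key is stored in
-- the database; the key material itself never leaves Key Vault.
CREATE COLUMN MASTER KEY CMK_KeyVault
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://<vault-name>.vault.azure.net/keys/<key-name>/<version>'  -- assumed placeholder
);

-- Column encryption key (CEK): stored in the database only in wrapped form.
-- The engine cannot unwrap it, so it can never read the protected columns.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_KeyVault,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000  -- placeholder: produced by the client tool that wraps the CEK with the CMK
);

-- Table with two protected columns.
-- DETERMINISTIC: same plaintext -> same ciphertext, so equality lookups and
--   joins still work, at the cost of revealing equal values; string columns
--   must use a *_BIN2 collation for this mode.
-- RANDOMIZED: stronger (no equality leakage) but the column cannot be
--   searched, grouped or indexed; use it for values that are only written and read back.
CREATE TABLE dbo.Customers (
    CustomerId       INT IDENTITY(1,1) PRIMARY KEY,
    Email            NVARCHAR(128) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customers,
            ENCRYPTION_TYPE       = DETERMINISTIC,
            ALGORITHM             = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ),
    CreditCardNumber CHAR(19) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Customers,
            ENCRYPTION_TYPE       = RANDOMIZED,
            ALGORITHM             = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ),
    CreatedAt        DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()  -- left in plaintext
);
```

Clients must connect with Column Encryption Setting=Enabled (and hold Key Vault access to the CMK) to see plaintext; a DBA querying the table directly sees only ciphertext, which is the separation of duties Always Encrypted is meant to provide.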