
Applicative Security : Combining the milestones 2 & 3

There are 2 candidate solutions. The first uses the AzCopy utility, because extracting data from the on-premises server is completely free; however, if we want to automate the process, the utility becomes questionable. The second is ADF (Azure Data Factory), which is normally not the appropriate solution for the following reason : extraction from ADF is never free. In our situation, though, the use of ADF won't be expensive.

image-20240422-154622.png

Azure Storage - Key Vault

  1. Azure Key Vault is a cloud service for securely storing and accessing secrets. It contains :

    1. 1 TOKEN for Azure Data Factory (ADF) : ADF accesses Key Vault via RBAC permissions (Role-Based Access Control)

    2. OR 1 SAS TOKEN for the AzCopy utility : PowerShell accesses Key Vault via a Service Principal

# $sp is the service principal object (for example the result of New-AzADServicePrincipal);
# $tenantId is the Microsoft Entra tenant id. Both are assumed to be set earlier in the session.
$SecureStringPwd = $sp.PasswordCredentials.SecretText | ConvertTo-SecureString -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $sp.AppId, $SecureStringPwd
# Non-interactive sign-in as the service principal
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId

  2. Retrieve the token from Azure Key Vault :

    1. ADF, via the Key Vault Reader & Key Vault Secrets User permissions, can retrieve the Token

    2. PowerShell, via the Service Principal, can retrieve the SAS Token

  3. Access the Storage Account (Blob Storage)
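The AzCopy path described above (service principal sign-in, SAS token read from Key Vault, copy to Blob Storage), as an added example that is not code from the original page. The vault, secret, storage URL and source folder values are placeholders, and the secret is assumed to hold a container or service SAS.

```powershell
# Added example: AzCopy upload authorised by a SAS token fetched from Key Vault.
# All default values below are placeholders, not real resource names.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $ClientSecret,    # value of $sp.PasswordCredentials.SecretText
    [string] $VaultName  = 'kv-example',                                     # placeholder
    [string] $SecretName = 'azcopy-sas',                                     # placeholder
    [string] $StorageUrl = 'https://stexample.blob.core.windows.net/ingest', # placeholder
    [string] $SourcePath = 'D:\export'                                       # placeholder on-prem folder
)

# 1. Non-interactive sign-in as the service principal.
$securePwd  = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($AppId, $securePwd)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $TenantId | Out-Null

# 2. Read the SAS token. The service principal only needs the
#    "Key Vault Secrets User" role on this vault, nothing broader.
$sas = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText

# Checks a defender wants before using a bearer credential: it must look like a SAS
# (sv= and se= present) and must not already be expired. Never write $sas to a log.
if ($sas -notmatch 'sv=' -or $sas -notmatch 'se=') {
    throw "Secret '$SecretName' does not look like a SAS token"
}
$expiryRaw = [regex]::Match($sas, 'se=([^&]+)').Groups[1].Value -replace '%3A', ':'
$expiry    = [DateTimeOffset]::Parse($expiryRaw)
if ($expiry -lt [DateTimeOffset]::UtcNow) {
    throw "SAS expired at $expiry; rotate the secret in Key Vault"
}

# 3. Copy the on-prem folder into the container; the SAS is appended as the query string.
$sasQuery = $sas.TrimStart('?')
$dest     = "${StorageUrl}?${sasQuery}"
& azcopy copy $SourcePath $dest --recursive=true --log-level=WARNING
if ($LASTEXITCODE -ne 0) { throw "azcopy failed with exit code $LASTEXITCODE" }

# 4. Drop the plaintext token from the session and end the Az context.
Remove-Variable sas, sasQuery, dest -ErrorAction SilentlyContinue
Disconnect-AzAccount | Out-Null
```

Run it as a scheduled task under a dedicated service account so the client secret never sits in an interactive profile; the expiry check fails closed when the SAS in Key Vault has not been rotated.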

Azure AI Search - Key filter (document-level security) & Key Vault for encrypted objects & information, API Keys & RBAC for the Service Principal

Azure Web Apps - SSO (Enable single sign-on for an enterprise application - Microsoft Entra ID | Microsoft Learn), Key Vault

Infra & Security : Combining the milestones 2 & 3

Network Security : Integrate Web App in Azure Virtual Network

Logging & threat detection : Defender for App Service & Diagnostic log with Azure Monitor.

Backup & recovery : regular automated backup (file content, App Configuration, DB if connected).

Identity Management : AAD Authentication, Service Principal, RBAC (Access Policies), restrict credential exposure with Key Vault.

Privileged access : Least Privilege principle.

Data Protection : data discovery with Purview or Azure Information Protection, encrypt data in transit (SSL/TLS certificates), data loss prevention (exfiltration can be reduced with NSGs or Azure Firewall), enable data-at-rest encryption using CMK

Network & CyberSecurity : Combining the milestones 2 & 3

- Azure security baseline for Azure Cognitive Search | Microsoft Learn

Inbound connection - IP Firewall or Private endpoint (for Azure AI search - Create a Private Endpoint for a secure connection - Azure AI Search | Microsoft Learn)

Outbound connection - Connect through Firewall (for Azure AI Search - Configure an IP firewall - Azure AI Search | Microsoft Learn)

Configure Azure Storage Firewall (Configure Azure Storage firewalls and virtual networks | Microsoft Learn)

Azure Web apps : Connect privately to an App Service apps using private endpoint - Azure App Service | Microsoft Learn, with NAT GATEWAY (Azure NAT Gateway integration - Azure App Service - Azure App Service | Microsoft Learn), control outbound with App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn; Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn, access restriction : App Service Access restrictions - Azure App Service | Microsoft Learn

Tutorial: Isolate back-end communication with Virtual Network integration - Azure App Service | Microsoft Learn

static IP restrictions : Azure App Service access restrictions - Azure App Service | Microsoft Learn

Control outbound traffic with NSG : App Service outbound traffic control with Azure Firewall - Azure App Service | Microsoft Learn, if our app is integrated into a VNet. It can also be done centrally across Azure subscriptions (Azure Firewall Standard features | Microsoft Learn)

Web Apps - App Service Environment networking - Azure App Service Environment | Microsoft Learn

Data Protection

Azure Web Apps - Encrypt your application source at rest - Azure App Service | Microsoft Learn, Azure security baseline for App Service | Microsoft Learn

Azure AI Search - Move a search service across regions - Azure AI Search | Microsoft Learn, Encrypt data using customer-managed keys - Azure AI Search | Microsoft Learn, Azure security baseline for Cognitive Services | Microsoft Learn

Resilience for Azure AI Search - Reliability in Azure AI Search - Azure AI Search | Microsoft Learn

Azure Storage - Azure Storage encryption for data at rest | Microsoft Learn, Data protection overview - Azure Storage | Microsoft Learn, Azure security baseline for Storage | Microsoft Learn
