Learning Objectives

• Configure security policies to classify, protect, and manage data
• Configure data retention for storage and databases
• Set up Azure SQL security features and auditing
• Learn how to configure storage account security and access
• Learn how to secure HDInsight clusters
• Configure Cosmos DB security
• Configure Data Lake security
• Learn good design features of an Azure application
• See how Azure App Services can secure your app
• See how a governance policy can help formalize security requirements

Intended Audience

• People preparing for Microsoft’s AZ-500 exam
• System administrators
• App developers

Prerequisites

• Experience with Microsoft Azure
• Experience with Office 365
• Basic knowledge of computer security principles
• Basic networking knowledge

Securing your organization's data lake is no trivial matter, but you have several lines of defense. There is authentication via Azure Active Directory OAuth bearer tokens. You can manage access with role-based access control, as we have seen earlier with storage accounts, and access control lists. Access control lists, or ACLs, as the name suggests, lists what read, write or execute access is permitted on a file or directory for a user. Data Lake Storage ACLs follow the open POSIX standard. POSIX stands for Portable Operating System Interface. This is an important consideration as Hadoop uses the same POSIX ACL structure.

Your stored data is encrypted, whether that is with a system-created key, or one that you have created or imported yourself, as we saw earlier in customer-managed keys. When the data is being transferred to lake storage it is also encrypted.

In addition to these measures, you can secure your data lake by integrating it with a virtual network. A virtual network provides another layer of access filtering, in as much as users have to be authenticated to access the network.