These are the main security challenges with a cloud data platform
These are the key security challenges with a cloud data platform in Azure
26 Nov, 2023
More and more organizations are moving to the Microsoft Azure cloud to realize their modern data platforms. For excellent reasons: usage is simple, scalable and cost-effective. Yet another issue of critical importance comes into play when moving to Azure: security. What about security when moving to Azure?
"By choosing Microsoft Azure as the foundation for your data platform, you take advantage of the layered security provided by Microsoft in physical data centers, infrastructure and operations in Azure. You benefit from excellent security delivered in Azure data centers worldwide. You can rely on a cloud built with custom hardware that has far-reaching security measures integrated into all hardware and firmware components.
Moreover, this platform provides additional security against threats such as DDoS attacks. Microsoft has a team of more than 3,500 cybersecurity experts worldwide working together to protect your business assets and data in Azure."
Insufficient awareness of own responsibility
We state without question that Microsoft provides a secure infrastructure for your cloud environment, including your data platform. However, correctly configuring the platform and associated services is your own responsibility. The same goes for taking specific security measures and maintaining access control for users and applications. Unfortunately, many organizations are not sufficiently aware of this, resulting in too little attention being paid to securing their data platform as a whole. This puts them at unnecessary risk, such as unwanted access to the platform, data breaches and failure to comply with GDPR legislation.
On-premises data platform vs. Azure data platform
With a traditional on-premises data platform, the role of developer and database administrator is present within the in-house organization. The developer focuses on developing analytical products and obtaining the associated functional requirements. The database administrator focuses on management, configuration, security and access to the on-premises environment.
In many cases, an Azure data environment is set up by a developer to test certain features or to get a low-level start working in Azure. Later, this type of environment is promoted as the central place for everything relating to data and analytics. In this case, the role of the database administrator is less clear, since Microsoft manages the underlying platform and the platform was created by a developer. In this situation, focusing on and implementing security best practices often falls by the wayside. This happens not only in situations like the one described above, but also in the case of Azure environments that have been in use for some time.
Based on our experience
- 1
Azure services and resources are opened up to everyone
Firewall settings often allow Azure services and resources to access the database server. This option can often be selected in the firewall with one click, either for convenience, or due to a lack of knowledge. It configures the firewall to allow all Azure connections, including connections from other customers' subscriptions.
- 2
Storage and processing of personal data is not carried out in accordance with AVG legislation
Personal data is often processed in reports and made available to end users. As an organization, you are responsible for the secure storage and processing of this sensitive data. There are various data classification, labeling and data masking options to safely handle sensitive data in your Azure data platform. However, these options are by no means always used.
- 3
Azure Storage Access Key is not rotated regularly
An Azure Storage Access Key can be used to gain access to the Azure Storage environment. If this key is not regularly or automatically re-generated, anyone who has ever been given or acquired access to the key retains access to the entire Azure Storage environment.
- 4
The least privilege principle is not applied
The principle of least privilege states that users should be assigned sufficient rights to perform specific tasks, but no more. In practice, employees often get access to all resources because it is the fastest way to work. Thus, it is often possible for employees to access Azure Key Vault and see all the passwords.
Security really is a specialist area
Microsoft shares many security best practices in its online documentation and through its various communities. In reality, unfortunately, many best practices are not applied, resulting in concrete security risks. Even among developers who have taken the proper training and are certified, we see in practice that the focus is on development. Security really is a specialist area.
Data Platform Security Check
Based on various studies, Microsoft guidelines and its own practical experience, HSO has compiled a list of more than 100 checks and best practices for a secure data platform: the Data Platform Security Check. The Data Platform Security Check is constantly updated and is built from a maturity model for ten essential security sub-areas within a modern data platform.
Based on a targeted assessment on the sub-areas relevant to you, we assess where your organization stands in terms of the security of your cloud data platform. Upon completion of the Data Platform Security Check, you will have a concrete roadmap for achieving a secure cloud data platform in Azure.
"With a Data Platform Security Check you will have a clear roadmap towards a secure cloud data platform in Azure"
Want to learn more?
Connect with our Security and Data Platform experts!
Read more
From our Azure Data Platform, Infra and Security experts