Design and Implement Data Security Flashcards
Describe Transparent Data Encryption (TDE) and the services that use it.
TDE protects against the threat of malicious offline activity by encrypting data at rest.
TDE is used for:
- SQL Database: Enabled automatically for all new databases; must be manually enabled for older databases.
- SQL Managed Instance: Enabled at the instance level and newly created DBs.
- Azure Synapse Analytics: Must be manually enabled.
Describe Shared Access Signatures (SAS) and how they are used.
A SAS provides secure delegated access to resources in your storage account by defining 1) what resources the client may access, 2) what permissions they have to those resources, and 3) how long the SAS is valid.
Describe Role-Based Access Control (RBAC) and how it is used.
RBAC is used to manage who has access to Azure resources (authentication), what they can do with those resources, and what areas they have access to (authorization and permissions).
With regard to data security on Azure, what does CIA stand for?
Confidentiality, Integrity, Availability.
Confidentiality: least privilege.
Integrity: data integrity with hashing.
Availability: Protection against availability loss (e.g. DDoS).
What are the main steps required to utilize SAS?
- The end device accesses a provider service to authenticate.
- Once authenticated, a URI is generated based on the authentication info.
- The end device can then access a Microsoft Azure service using the generated URI.
Which environments have the encrypting-data-at-rest service available? PaaS, IaaS, SaaS, or all of the above?
All of the above.
What 3 types of SAS are there?
- User delegation SAS
- Service SAS
- Account SAS
Describe the access control model for Data Lake Storage Gen2.
It uses these 4 authorization mechanisms:
- Shared Key Authorization
- Shared Access Signature (SAS) Authorization
- Role-based Access Control (Azure RBAC), which relies on Azure AD identities
- Access Control Lists (ACLs)
Shared Key and SAS authorization grant access to a user (or application) without requiring them to have an identity in Azure Active Directory (Azure AD). With these two forms of authorization, Azure RBAC and ACLs have no effect.
Azure RBAC and ACL both require the user (or application) to have an identity in Azure AD. Azure RBAC lets you grant “coarse-grain” access to storage account data, such as read or write access to all of the data in a storage account, while ACLs let you grant “fine-grained” access, such as write access to a specific directory or file.
TDE is auto-enabled on many Azure big data solutions. True or false?
True. Although TDE is auto-enabled on most Azure big data solutions, it is something that should always be considered and checked as part of defense in depth.