## Storage

Depending on the type of resource that you create on the Azure platform, there are security aspects that are specific to that resource.

For storage accounts, we have different levels of authorization.

Note: the hierarchical namespace of an Azure Data Lake Gen 2 makes it possible to use <b>Access Control Lists</b>, giving separate permissions to identities at the folder and blob level (Read R, Write W, Execute X).

<b>Access Keys</b>: Access to all data and services - Containers, Files, Queues, Tables.

<b>Shared Access Signature</b>: Access only to assigned services

<b>Microsoft Entra ID</b>: identity provider - create users, groups and devices and grant them access accordingly through RBAC (Role-Based Access Control)
 * Managed Identities: Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

<b>Access Control (IAM)</b>: gives roles to users/groups

#### Azure Key Vault

Embedding keys in the code, as for example in the Azure Databricks notebooks I've done before, is not a good idea. Azure Key Vault is a platform where you can host your secrets (passwords, encryption keys, certificates). So for example, if we had a database secret, a password that is required by an application for connectivity purposes, we could store that password as a secret in the Azure Key Vault service. When the application wants to connect to the database, it would first make a secure call to the Key Vault service, fetch the value of the database password, and then make the connection.

1. We have to create a secret scope to get access to the Key Vault (by appending /#secrets/createScope to the URL of the service we want to give access to)

#### Firewall and Network

Only allow connections from a certain set of IP addresses.

## ADF

Encryption &rarr; customer-managed keys: can only be configured on an empty ADF workspace

## Azure Synapse 

#### Encryption

By default the data in the workspace is encrypted using platform-managed keys. We can enable double encryption by also using customer-managed keys stored in the Azure Key Vault service.

For the dedicated SQL pool, Transparent Data Encryption can be enabled.

#### Dynamic Data Masking

Limit exposure of data: can be done in the UI &rarr; Dynamic Data Masking in the SQL pool blade
 * Create rules to mask the data (credit card, email, etc.)
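As an added example (not from the original notes), the same masking rules expressed in T-SQL instead of the portal blade, on a constructed `dbo.Customers` table with constructed test users; the table, column and user names are assumptions. It also shows `GRANT UNMASK`, which the UI route does not make obvious, and verifies the masks by impersonating each user.

```sql
-- Added example (not from the original notes): Dynamic Data Masking in a
-- Synapse dedicated SQL pool via T-SQL. Table, rows and users are constructed.
CREATE TABLE dbo.Customers (
    CustomerID  int           NOT NULL,
    FullName    nvarchar(100) NOT NULL,
    -- email(): keeps the first letter, masks the rest -> aXXX@XXXX.com
    Email       nvarchar(100) MASKED WITH (FUNCTION = 'email()') NULL,
    -- partial(prefix, padding, suffix): expose only the last 4 digits
    CardNumber  varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    -- default(): numeric columns read as 0
    Balance     decimal(10,2) MASKED WITH (FUNCTION = 'default()') NULL
);

-- Dedicated SQL pool accepts only one row per INSERT ... VALUES.
INSERT INTO dbo.Customers VALUES (1, N'Ada Lovelace', N'ada@example.com',  '4111-1111-1111-1111', 250.00);
INSERT INTO dbo.Customers VALUES (2, N'Alan Turing',  N'alan@example.com', '5500-0000-0000-0004', 1200.50);

-- Database users without logins, purely for testing the masks (constructed).
CREATE USER Analyst   WITHOUT LOGIN;
CREATE USER FraudTeam WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO Analyst;
GRANT SELECT ON dbo.Customers TO FraudTeam;
GRANT UNMASK TO FraudTeam;   -- only this user sees the real values

-- Analyst sees: aXXX@XXXX.com, XXXX-XXXX-XXXX-1111, 0.00
EXECUTE AS USER = 'Analyst';
SELECT CustomerID, Email, CardNumber, Balance FROM dbo.Customers;
REVERT;

-- FraudTeam sees the unmasked data
EXECUTE AS USER = 'FraudTeam';
SELECT CustomerID, Email, CardNumber, Balance FROM dbo.Customers;
REVERT;

-- Masks can be added to or removed from an existing column later
ALTER TABLE dbo.Customers ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'default()');
ALTER TABLE dbo.Customers ALTER COLUMN FullName DROP MASKED;
```

Masking is applied to query results only; the stored data is unchanged, and a user with ad-hoc query rights can still narrow down masked values through predicates on the masked column. Treat it as a presentation control and combine it with column-level or row-level security, not as a replacement for encryption.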
 
#### Column-Level security

```sql
GRANT SELECT ON [dbo].[Orders](OrderID,Course,Quantity) TO UserA;
```

#### Row-Level Security

* Create a schema for the security function

`CREATE SCHEMA Security`

* Create an inline table function 

```sql
CREATE FUNCTION Security.securitypredicate(@Agent AS nvarchar(50))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS securitypredicate_result
    WHERE @Agent = USER_NAME() OR USER_NAME() = 'Supervisor';
```

* Create a security policy adding the function

```sql
CREATE SECURITY POLICY Filter
ADD FILTER PREDICATE Security.securitypredicate(Agent)
ON [dbo].[Orders]
WITH (STATE = ON);
GO
```
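As an added example (not from the original notes), the column-level security grant and the row-level security policy from the two sections above applied together on a constructed `dbo.Orders` table, then verified by impersonating test users with `EXECUTE AS USER`. The table columns, the `CustomerEmail` column, the users `AgentA`, `AgentB` and `Supervisor`, and the policy name `Security.OrdersFilter` are assumptions; the predicate function is the same shape as the one in the notes.

```sql
-- Added example (not from the original notes): column-level + row-level
-- security on one table, then checked per user. Names are constructed.
CREATE TABLE dbo.Orders (
    OrderID       int           NOT NULL,
    Agent         nvarchar(50)  NOT NULL,   -- row owner, compared with USER_NAME()
    Course        nvarchar(50)  NOT NULL,
    Quantity      int           NOT NULL,
    CustomerEmail nvarchar(100) NULL        -- sensitive; withheld from agents
);
INSERT INTO dbo.Orders VALUES (1, N'AgentA', N'Security 101', 2, N'c1@example.com');
INSERT INTO dbo.Orders VALUES (2, N'AgentB', N'Cryptography', 1, N'c2@example.com');
INSERT INTO dbo.Orders VALUES (3, N'AgentA', N'Networking',   5, N'c3@example.com');

-- Users named to match the USER_NAME() checks inside the predicate.
CREATE USER AgentA     WITHOUT LOGIN;
CREATE USER AgentB     WITHOUT LOGIN;
CREATE USER Supervisor WITHOUT LOGIN;

-- Column-level security: agents may read only the non-sensitive columns.
GRANT SELECT ON dbo.Orders (OrderID, Agent, Course, Quantity) TO AgentA;
GRANT SELECT ON dbo.Orders (OrderID, Agent, Course, Quantity) TO AgentB;
GRANT SELECT ON dbo.Orders TO Supervisor;

-- Row-level security: predicate function in its own schema, then the policy.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.securitypredicate(@Agent AS nvarchar(50))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS securitypredicate_result
    WHERE @Agent = USER_NAME() OR USER_NAME() = 'Supervisor';
GO
CREATE SECURITY POLICY Security.OrdersFilter
    ADD FILTER PREDICATE Security.securitypredicate(Agent) ON dbo.Orders
    WITH (STATE = ON);
GO

-- AgentA: only rows 1 and 3, and only the granted columns.
EXECUTE AS USER = 'AgentA';
SELECT OrderID, Course, Quantity FROM dbo.Orders;
-- SELECT * FROM dbo.Orders;   -- fails: SELECT permission denied on column 'CustomerEmail'
REVERT;

-- Supervisor: all 3 rows, all columns.
EXECUTE AS USER = 'Supervisor';
SELECT * FROM dbo.Orders;
REVERT;

-- The policy can be switched off without dropping it, e.g. during a migration.
ALTER SECURITY POLICY Security.OrdersFilter WITH (STATE = OFF);
```

The filter predicate silently drops rows the caller may not see, while the column grant produces a hard error on any query that touches an ungranted column; when checking a deployment, test both the happy path and the denied `SELECT *` for each role, and remember that the policy owner needs no permission on the predicate function for the filter to apply.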

#### Data Discovery & Classification

Basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases.

#### Entra ID Authentication

Leverage the users defined in Entra ID, reducing the burden of identity maintenance.