# Understand network security options for Azure Synapse Analytics

There is a range of network security steps to consider when securing Azure Synapse Analytics. One of the first is securing access to the service itself, which can be achieved by creating the following network objects:

* Firewall rules
* Virtual networks
* Private endpoints


## Configure Conditional Access
Conditional Access is a feature that enables you to define the conditions under which a user can connect to your Azure subscription and access services. It provides an additional layer of security that can be used in combination with authentication to strengthen the security of access to your network.

These conditions can be based on:


* User or group membership names
* IP address information
* Device platforms or type
* Application access requests
* Real-time and calculated risk detection
* Microsoft Cloud App Security (MCAS)
 

## Configure Authentication
Authentication is the process of validating credentials as you access resources in a digital infrastructure. It ensures that an individual or a service that wants to access a service in your environment can prove who they are. Azure Synapse Analytics provides several different methods for authentication.

## Types of Security

* Microsoft Entra ID
* Managed identities
* SQL Authentication
* Key
* SAS (Shared Access Signature): for third-party applications

# Manage authorization through column and row level security

### Column-level Security
Column-level security is implemented with the T-SQL GRANT statement. With this mechanism, both SQL authentication and Microsoft Entra ID authentication are supported.

```sql
GRANT <permission> [ ,...n ] ON
    [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ] -- specifying the column access
    TO <database_principal> [ ,...n ]
    [ WITH GRANT OPTION ]
    [ AS <database_principal> ]
<permission> ::=
    SELECT
  | UPDATE
<database_principal> ::=
      Database_user -- specifying the database user
    | Database_role -- specifying the database role
    | Database_user_mapped_to_Windows_User
    | Database_user_mapped_to_Windows_Group
```

### Row level security in Azure Synapse Analytics
Row-level security (RLS) is implemented with the CREATE SECURITY POLICY T-SQL statement. The predicates are created as inline table-valued functions. Note that Azure Synapse supports only filter predicates; block predicates are not supported at this time.
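
The column-level GRANT and the row-level filter predicate described above, combined on one table. This is an added example, not code from the original page: the table `dbo.Orders`, the schema `Security`, the function and policy names, and the database users `Sales1`, `Sales2` and `Manager` are hypothetical, and the users are assumed to exist already.

```sql
-- Added example; all object and user names are hypothetical.
-- Assumes database users Sales1, Sales2 and Manager already exist.
CREATE TABLE dbo.Orders
(
    OrderID       int          NOT NULL,
    SalesRep      nvarchar(50) NOT NULL,  -- must match the rep's database user name
    Product       varchar(20)  NOT NULL,
    CustomerEmail varchar(100) NULL       -- sensitive column
);
GO
-- Constructed sample rows.
INSERT INTO dbo.Orders VALUES (1, 'Sales1', 'Valve', 'a@example.com');
INSERT INTO dbo.Orders VALUES (2, 'Sales2', 'Wheel', 'b@example.com');
GO

-- Column-level security: reps can read every column except CustomerEmail.
GRANT SELECT ON dbo.Orders (OrderID, SalesRep, Product) TO Sales1, Sales2;
GRANT SELECT ON dbo.Orders TO Manager;
GO

-- Row-level security: the predicate is an inline table-valued function.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_OrdersPredicate (@SalesRep AS nvarchar(50))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME() OR USER_NAME() = 'Manager';
GO

-- Filter predicate only: block predicates are not supported in Azure Synapse.
CREATE SECURITY POLICY Security.OrdersFilter
    ADD FILTER PREDICATE Security.fn_OrdersPredicate(SalesRep)
    ON dbo.Orders
    WITH (STATE = ON);
GO

-- Verify as Sales1: the filter predicate limits the result to rows where
-- SalesRep = 'Sales1'; CustomerEmail is not granted, so it is not selected.
EXECUTE AS USER = 'Sales1';
SELECT OrderID, SalesRep, Product FROM dbo.Orders;
REVERT;
GO
```

`GO` is the batch separator used by client tools such as SSMS and sqlcmd; `CREATE SCHEMA` and `CREATE FUNCTION` must each start their own batch.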

# Implement encryption in Azure Synapse Analytics

Transparent data encryption (TDE) is an encryption mechanism that helps protect Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. TDE performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest, without requiring changes to the application. To use TDE for Azure Synapse Analytics, you have to enable it manually.