From 19d40f5c24c8408146c1855fad06c487e3a10274 Mon Sep 17 00:00:00 2001
From: Jose Moreno
Date: Thu, 17 Oct 2024 09:22:51 +0200
Subject: [PATCH] Data security checklist Recos provided by Snehal
---
 checklists/datasecurity_checklist.en.json | 811 ++++++++++++++++++++++
 1 file changed, 811 insertions(+)
 create mode 100644 checklists/datasecurity_checklist.en.json
diff --git a/checklists/datasecurity_checklist.en.json b/checklists/datasecurity_checklist.en.json
new file mode 100644
index 000000000..9b36bb46e
--- /dev/null
+++ b/checklists/datasecurity_checklist.en.json
@@ -0,0 +1,811 @@ +{ + "items": [ + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Restrict use of local users on sql workloads on Synapse", + "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "32d41e36-11c8-417b-8afb-c410d4391898", + "id": "A01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use managed identity to authenticate to the services", + "description": "Use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "cd289bed-6b17-4cb8-8454-61e1aee3453a", + "id": "A01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/synapse-service-identity?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "ec823923-7a15-42d6-ac5e-402925388e5d", + "id": "A01.03", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use Azure RBAC to control access on storage and Synapse RBAC to control access on workspace level depending on the personas of the team to fine grain the access on data and compute", + "description": "Azure Synapse also includes Synapse role-based access control (RBAC) roles to manage different aspects of Synapse Studio. 
Leverage these built-in roles to assign permissions to users, groups, or other security principals to manage who can Publish code artifacts and list or access published code artifacts,Execute code on Apache Spark pools and integration runtimes,Access linked (data) services that are protected by credentials,Monitor or cancel job executions, review job output and execution logs.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "a9c27d9c-42bb-46cd-8c79-99a246f3389a", + "id": "A01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-understand-what-role-you-need" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Implement RLS, CLS and data masking on sql workloads in dedicated sql pool to add additional layer of security", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "7f42c78e-78cb-46a2-8ad1-a0916e6a8d8f", + "id": "A01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/sql/relational-databases/security/row-level-security?view=sql-server-ver16&context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Use managed vnet workspace to restrict the access over public internet", + "description": "When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. 
This can be selected when deploying a workspace", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "e2436b03-36db-455e-8796-0eee0bdf4cc2", + "id": "B01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-vnet?view=sql-server-ver16" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Configure private endpoints to connect to the external services and disable public access", + "description": "To protect any sensitive data, it's recommended to disable public access to the workspace endpoints entirely. By doing so, it ensures all workspace endpoints can only be accessed using�private endpoints.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "efc4d761-c31d-425f-bbb4-7a393a040ed3", + "id": "B01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints?view=sql-server-ver16" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "If enabling public access highly recommended to configure IP firewall rules", + "description": "If public access needs to be enabled, it's highly recommended to configure the IP firewall rules to allow inbound connections only from the specified list of public IP addresses.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "294798b1-178a-42c5-a46c-eb544350d092", + "id": "B01.03", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/synapse-workspace-ip-firewall" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "d234292b-7528-4537-a551-c5bf4e4f1854", + "id": "B01.04", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/data-factory/create-self-hosted-integration-runtime?tabs=data-factory" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Enable Data Exfiltration Protection (DEP)", + "description": "This can be done only when deploying the workspace, but Python libraries installed from public repositories like PyPI are not supported. (Think about the limitation before enabling it)", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "287d5cdc-126c-4c03-8af5-b1fc6898a535", + "id": "B01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/how-to-create-a-workspace-with-data-exfiltration-protection" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data Encryption at rest using Customer managed Keys for workspace", + "description": "First layer of encryption is done by Microsoft managed keys, you can add a second layer of encryption using Customer managed Keys", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "e337897e-31b6-47d6-9be5-962a1193846d", + "id": "C01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/security/workspaces-encryption" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data Encryption in transit ", + "description": "Azure Synapse leverages TLS to ensure data is encrypted in motion. SQL dedicated pools support TLS 1.0, TLS 1.1, and TLS 1.2 versions for encryption wherein Microsoft-provided drivers use TLS 1.2 by default. 
Serverless SQL pool and Apache Spark pool use TLS 1.2 for all outbound connections.", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "697cc391-ed16-4b2d-886f-0a1241bddde6", + "id": "C01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/synapse-analytics/guidance/security-white-paper-data-protection#data-in-transit" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Store passwords, secerts and keys in Azure key vault", + "description": "Use Keyvaults to store your secrets and credentials", + "waf": "Security", + "service": "Azure Synapse Analytics", + "guid": "8a477cde-b486-41bc-9bc1-0ae66e25e4d5", + "id": "C01.03", + "severity": "High" + }, + { + "category": " ", + "subcategory": " ", + "text": "Use Azure Key Vault secrets in pipeline activities", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "guid": "a3aec2c4-e243-46b0-936d-b55e17960eee", + "id": "D01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Restrict use of local users whereever necessary", + "description": "Restrict the use of local authentication methods for data plane access. Instead, use Microsoft Entra ID as the default authentication method to control your data plane access.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "0bdf4cc2-efc4-4d76-8c31-d25ffbb47a39", + "id": "E01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use managed identity to authenticate to the services", + "description": "Managed identities eliminate the need to manage credentials. 
Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "3a040ed3-2947-498b-8178-a2c5a46ceb54", + "id": "E01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-service-identity" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Separate and limit highly privileged/administrative users and enable MFA and conditional policies", + "description": "If not required for routine administrative operations, disable or restrict any local admin accounts for only emergency use.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "4350d092-d234-4292-a752-8537a551c5bf", + "id": "E01.03", + "severity": "High" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Disable access over public internet and configure either firewall rules or trusted services rules", + "service": "Azure Data Factory", + "guid": "4e4f1854-287d-45cd-a126-cc032af5b1fc", + "id": "F01.01", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Deploy SHIR VMs in your vnet if you are working with sensitive data that shouldn�t leave your corporate network", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "6898a535-e337-4897-b31b-67d67be5962a", + "id": "F01.02", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Use managed vnet IR to restrict the access over public internet for Azure Integration Runtime", + "description": "When you create an Azure integration runtime within a Data Factory managed virtual network, the integration runtime is provisioned with the managed virtual network. 
It uses private endpoints to securely connect to supported data stores.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "1193846d-697c-4c39-8ed1-6b2d186f0a12", + "id": "F01.03", + "severity": "Medium" + }, + { + "category": "Network Security", + "subcategory": " ", + "text": "Configure managed private endpoints to connect to resources using managed azure IR", + "description": "Managed private endpoints are private endpoints created in the Data Factory managed virtual network that establishes a private link to Azure resources. Data Factory manages these private endpoints on your behalf.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "41bddde6-8a47-47cd-bb48-61bc3bc10ae6", + "id": "F01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/managed-virtual-network-private-endpoint#managed-private-endpoints" + }, + { + "category": " ", + "subcategory": " ", + "text": "Configure Private Links to connect to sources in customer Vnet and data factory", + "description": "By using Azure Private Link, you can connect to various platform as a service (PaaS) deployments in Azure via a private endpoint. 
A private endpoint is a private IP address within a specific virtual network and subnet", + "guid": "b47a393a-0804-4272-a479-8b1578b219a4", + "id": "G01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/data-factory-private-link" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data Encryption at rest by Microsoft managed keys", + "description": "This is a default setting", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "6ceb5443-5135-4922-9442-93bb628637a5", + "id": "H01.01", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data Encryption in transit by Microsoft managed keys", + "description": "This is a default setting", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "5119b08e-8f58-4543-a7e9-cec166cd072a", + "id": "H01.02", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data Encryption in transit by BYOK (Customer managed keys)", + "description": "When you specify a customer-managed key, Data Factory uses�both�the factory system key and the CMK to encrypt customer data. 
Missing either would result in Deny of Access to data and factory.", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "f9b241a9-98a5-435e-9378-97e71ca7da8c", + "id": "H01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/enable-customer-managed-key" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Store passwords, secrets in Azure Key Vault", + "waf": "Security", + "service": "Azure Data Factory", + "guid": "faa62a15-9495-46da-a7dc-3a23267b2258", + "id": "H01.04", + "severity": "High", + "link": "https://learn.microsoft.com/azure/data-factory/store-credentials-in-key-vault, https:/learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Use Azure Key Vault secrets in pipeline activities", + "description": "You can store credentials or secret values in an Azure Key Vault and use them during pipeline execution to pass to your activities.", + "service": "Azure Data Factory", + "guid": "6f4a1652-bddd-4ea8-a487-cdec4861bc3b", + "id": "H01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/how-to-use-azure-key-vault-secrets-pipeline-activities" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Encrypt credentials for on-premises using SHIR data stores in Azure Data Factory", + "description": "You can encrypt and store credentials for any of your on-premises data stores (linked services with sensitive information) on a machine with self-hosted integration runtime.", + "service": "Azure Data Factory", + "guid": "c14aeb7e-66e8-4d9a-9bec-218e6436b173", + "id": "H01.06", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/data-factory/encrypt-credentials-self-hosted-integration-runtime" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Define roles and responsibilities 
to manage Microsoft Purview in control plane and data plane", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6db55f57-9603-4334-adf9-cc23418db612", + "id": "I01.01", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Define roles and tasks required to deploy and manage Microsoft Purview inside an Azure subscription (control plane)", + "description": "Use Azure RBACs for this", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "8126504b-b47a-4393-a080-427294798b15", + "id": "I01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/role-based-access-control/best-practices" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Define roles and task needed to perform data management and governance using Microsoft Purview. (Data plane for Data Map and Data Catalog.)", + "description": "Use Microsoft Purview roles for this.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "78b219a4-6ceb-4544-9513-5922744293bb", + "id": "I01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/classic-data-governance-permissions#roles, https://learn.microsoft.com/azure/role-based-access-control/best-practices" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Assign roles to Microsoft Entra groups instead of assigning roles to individual users.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "628637a5-5119-4b08-b8f5-854387e9cec1", + "id": "I01.04", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use Azure�Active Directory Entitlement Management�to map user access to Microsoft Entra groups using Access Packages.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "66cd072a-f9b2-441a-a98a-535e737897e7", + "id": "I01.05", + "severity": "Medium", + "link": 
"https://learn.microsoft.com/azure/active-directory/governance/entitlement-management-overview" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Enforce multifactor authentication for Microsoft Purview users, especially, for users with privileged roles such as collection admins, data source admins or data curators.", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "1ca7da8c-faa6-42a1-9949-56da97dc3a23", + "id": "I01.06", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use Microsoft Entra ID to provide authentication and authorization to all users, security groups registered in Entra, service principal and managed identities inside collections in Microsoft Purview", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "267b2258-6f4a-4165-8bdd-dea8a487cdec", + "id": "I01.07", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "4861bc3b-c14a-4eb7-b66e-8d9a3bec218e", + "id": "I01.08", + "severity": "High" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Enable�end-to-end network isolation�using Private Link Service. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6436b173-6db5-45f5-9960-3334bdf9cc23", + "id": "J01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Use�Microsoft Purview Firewall�to disable Public access. 
(Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "418db612-8126-4504-ab47-a393a0804272", + "id": "J01.02", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Deploy�Network Security Group (NSG) rules�for subnets where Azure data sources private endpoints, Microsoft Purview private endpoints and self-hosted runtime VMs are deployed. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "94798b15-78b2-419a-96ce-b54435135922", + "id": "J01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Implement Microsoft Purview with private endpoints managed by a Network Virtual Appliance, such as�Azure Firewall�for network inspection and network filtering. (Microsoft Purview Data Map)", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "744293bb-6286-437a-9511-9b08e8f58543", + "id": "J01.04", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/firewall/overview" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Deploy private endpoints for Microsoft Purview accounts to add another layer of security, so only client calls that are originated from within the virtual network are allowed to access the Microsoft Purview account", + "description": "This private endpoint is also a prerequisite for the portal private endpoint. The Microsoft Purview�portal�private endpoint is required to enable connectivity to Microsoft Purview governance portal using a private network. Microsoft Purview can scan data sources in Azure or an on-premises environment by using ingestion private endpoints. 
Limitations on using private endpoints https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "87e9cec1-66cd-4072-af9b-241a998a535e", + "id": "J01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/purview/concept-best-practices-network" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Block public access using Microsoft Purview firewall", + "description": "https://learn.microsoft.com/purview/catalog-private-link-end-to-end#firewalls-to-restrict-public-access. Limitation to be reviewed: https://learn.microsoft.com/purview/catalog-private-link-troubleshoot", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "b7bcdb3b-51eb-42ec-84ed-a6e59d8d9a2e", + "id": "J01.06", + "severity": "Medium" + }, + { + "category": "Network security", + "subcategory": " ", + "text": "Use Network Security Groups to filter network traffic to and from Azure resources in an Azure virtual network", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "db217e67-6abf-4669-aa48-e5a96f2223ec", + "id": "J01.07", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/private-link/disable-private-endpoint-network-policy, https:/learn.microsoft.com/purview/concept-best-practices-security#use-network-security-groups" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "If you have sensitive data that cannot leave the boundary of your on-prem vnet it is highly recommended to use SHIR VMs inside your corporate vnet to extract your metadata ", + "description": "https://learn.microsoft.com/purview/concept-best-practices-security#apply-security-best-practices-for-self-hosted-runtime-vms", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "e8cb1231-8ca5-4017-b158-e3fb3aa3c2de", + "id": "K01.01", + "severity": "High" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Use Azure RBACs to 
restrict the access of your storage account (not managed by MS) only to intended users.", + "description": "Metadata is extracted and stored in Microsoft Purview Data Map, if you are not using managed storage account for your Purview account they are open to be accessed by all so implement proper RBACs and retrict the access of Data to only intended users. Applicable to Accounts deployed after December 15, 2023 (or deployed using API version 2023-05-01-preview onwards", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "7f3165c3-a87a-405b-9a20-9949bda47778", + "id": "K01.02", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data in rest is encrypted by microsoft managed keys", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "f24d1167-85c2-4fa5-9c56-a948008be7d7", + "id": "K01.03", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Data in transit is encrypted by TLS 1.3", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "27f7b9e9-1be1-4f38-aff3-9812bd463cbb", + "id": "K01.04", + "severity": "Medium" + }, + { + "category": "Data Protection", + "subcategory": " ", + "text": "Always use Azure key vaults to store all credentials if not using managed identities or without password need methods", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "bc8ac199-ebb9-41a4-9d90-dae2cc881370", + "id": "K01.05", + "severity": "High" + }, + { + "category": "Protection against accidential deletion", + "subcategory": " ", + "text": "Prevent accidental deletion of Microsoft Purview accounts by applying resource Locks", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "6f7c0cba-fe61-4465-add4-57e927139b82", + "id": "L01.01", + "severity": "Medium" + }, + { + "category": " ", + "subcategory": " ", + "text": "Plan for a break glass strategy for your Microsoft Entra tenant, Azure subscription and Microsoft Purview 
accounts to prevent tenant-wide account lockout.", + "description": "https://learn.microsoft.com/purview/concept-best-practices-collections#design-recommendations", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "1102cac6-eae0-41e6-b842-e52f4722d928", + "id": "M01.01", + "severity": "Medium", + "link": "https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access" + }, + { + "category": "Additional security recommendation", + "subcategory": " ", + "text": "Integrate with Microsoft 365 and Microsoft Defender for Cloud", + "waf": "Security", + "service": "Microsoft Purview", + "guid": "15f51296-5398-4e6d-bd23-7dd142b16c21", + "id": "N01.01", + "severity": "Medium" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Define Least Privilege model and Lower exposure of privileged accounts", + "description": "Separate admin accounts from normal user accounts.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "d7999a64-6f43-489a-af42-c78e78c06a73", + "id": "O01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Configure single sign-on and unified login. Enable multi-factor authentication.", + "description": "Azure Databricks supports Microsoft Entra ID conditional access, which allows administrators to control where and when users are permitted to sign in to Azure Databricks. 
Conditional access policies can restrict sign-in to your corporate network or can require multi-factor authentication (MFA).", + "waf": "Security", + "service": "Azure Databricks", + "guid": "a22a4956-e7a8-4dc4-a20e-27c3e29711b1", + "id": "O01.02", + "severity": "High", + "link": "https://learn.microsoft.com/azure/databricks/security/auth/#single-sign-on" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use token management.", + "description": "Customers can use the Token Management API or UI controls to enable or disable personal access tokens (PATs) for REST API authentication, limit the users who are allowed to use PATs, set the maximum lifetime for new tokens, and manage existing tokens. Highly-secure customers typically provision a maximum token lifetime for new tokens for a workspace. This feature requires the Premium pricing tier.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "352beee0-79b5-488d-bfc5-972cd4cd21b0", + "id": "O01.03", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/admin/access-control/tokens" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Separate admin accounts from normal user accounts", + "description": "If you have Databricks administrators who are also normal users of the Databricks platform (for example, there�s a lead data engineer who administers the platform and also does data engineering work), Databricks recommends creating a separate account for administrative tasks. It�s important to note that as part of the Azure RBAC model, users that are given Contributor or above permissions to the Resource Group for a deployed Azure Databricks workspace automatically become administrators when they login to that workspace. 
Therefore, the same considerations outlined above should be applied to Azure portal users too.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "77036e5e-6b4b-4fd3-b503-547c1447dc56", + "id": "O01.04", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "SCIM synchronization of users and groups.", + "description": "SCIM (System for Cross-domain Identity Management) allows you to sync users and groups from Microsoft Entra ID to Azure Databricks. There are three major benefits of this approach: 1. When you remove a user, the user is automatically removed from Databricks. 2. Users can also be disabled temporarily via SCIM. Customers have used this capability for scenarios where customers believe that an account may be compromised and need to investigate 3. Groups are automatically synchronized Please refer to the documentation for detailed instructions on how to configure SCIM for Azure Databricks. This feature requires the Premium pricing tier", + "waf": "Security", + "service": "Azure Databricks", + "guid": "028a71ff-f1ce-415d-b3f0-d5e872d42e36", + "id": "O01.05", + "severity": "Medium", + "link": "https://learn.microsoft.com/azure/databricks/admin/users-groups/scim/" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Limit cluster creation rights.", + "description": "Using either cluster policies or the older cluster ACLs, admins can define what users or groups within the organization are able to create clusters. Cluster ACLs allow you to specify which users can attach a notebook to a given cluster. Note that if a user shares a notebook already attached to a standard mode cluster, the recipient will also be able to execute code on that cluster. This does not apply to clusters that enforce user isolation: SQL Warehouses, high concurrency with table ACLs clusters, and high concurrency with credential passthrough clusters. 
Customers who use Unity Catalog can also enable single-user clusters to enforce isolation clusters.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "11cc57b4-a4b1-4410-b43a-58a9c2289b3d", + "id": "O01.06", + "severity": "Medium" + }, + { + "category": " ", + "subcategory": " ", + "text": "Restrict workspace admins", + "description": "Account admins can configure a workspace setting called RestrictWorkspaceAdmins to restrict workspace admins to only change a job owner to themselves and the job run as setting to a service principal that they have the Service Principal User role on.", + "guid": "6b57dfc6-5546-41e1-a3e3-453a3c863964", + "id": "P01.01", + "severity": "High", + "link": "https://learn.microsoft.com/azure/databricks/admin/workspace-settings/restrict-workspace-admins" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Store passwords, secrets in Azure Key Vault", + "description": "It�s important to note that even if customers use Azure Key Vault to store their secrets, access controls still need to be defined within Azure Databricks. This is because the same service identity is used to retrieve the secret for all users of an Azure Databricks workspace.", + "waf": "Security", + "service": "Azure Databricks", + "guid": "8b662d6c-15f5-4129-9539-8e6ded237dd1", + "id": "Q01.01", + "severity": "High" + }, + { + "category": " ", + "subcategory": " ", + "text": "Regenerate/rotate keys if using them periodically", + "guid": "42b16c21-d799-49a6-96f4-389a8f42c78e", + "id": "R01.01", + "severity": "High" + }, + { + "category": "Identity and Access Management", + "subcategory": " ", + "text": "Use clusters that support user isolation.", + "description": "Clusters with user isolation include enforcement such that each user runs as a different non-privileged user account on the cluster host. 
Languages are also limited to those that can be implemented in an isolated manner (SQL and Python), and Spark APIs must be on an allowlist of those we believe to be isolation-safe.",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "78c06a73-a22a-4495-9e7a-8dc4a20e27c3",
+ "id": "S01.01",
+ "severity": "Medium"
+ },
+ {
+ "category": "Identity and Access Management",
+ "subcategory": " ",
+ "text": "Use service principals to run production jobs. Use proper access control for workspace level (ACLs), account level (RBACs) and data level (Unity catalog) security controls",
+ "description": "It is against security best practices to tie production workloads to individual user accounts, and so we recommend configuring Service Principals within Databricks. Service Principles separate administrator and user actions from the workload and prevent workloads from being impacted if a user leaves an organization. With Databricks, you can configure jobs to run as service principals and generate Personal Access Tokens for Service Principals.",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "e29711b1-352b-4eee-879b-588defc5972c",
+ "id": "S01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/auth/access-control/"
+ },
+ {
+ "category": "Data Protection",
+ "subcategory": " ",
+ "text": "Avoid storing production data in DBFS.",
+ "description": "By default, DBFS is a filesystem that is accessible to all users of the given workspace and can be accessed via API. This is not necessarily a major data exfiltration concern as you can limit access to accessing data via the DBFS API or Databricks cli using IP access lists or private network access. However, as use of Azure Databricks grows and more users join a workspace, those users would have access to any data stored in DBFS, creating the potential for undesired information sharing. 
Databricks recommends that our customers do not store production data in DBFS.",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "d4cd21b0-7703-46e5-b6b4-bfd3d503547c",
+ "id": "T01.01",
+ "severity": "High"
+ },
+ {
+ "category": "Data Protection",
+ "subcategory": " ",
+ "text": "Encrypt storage and restrict access.",
+ "description": "For the storage accounts that you manage, it is your responsibility to ensure that the storage accounts are protected according to your requirements. Examples might include: Encryption with your customer-managed key, Restrict access to trusted networks with a storage firewall, Anonymous public access is not allowed",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "1447dc56-028a-471f-bf1c-e15dd3f0d5e8",
+ "id": "T01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys"
+ },
+ {
+ "category": "Data Protection",
+ "subcategory": " ",
+ "text": "Add a customer-managed key for managed services and workspace storage",
+ "description": "Add a customer-managed key for select data stored within the Azure Databricks control plane, such as notebooks, secrets, Databricks SQL queries, and Databricks SQL query history and for the root storage account used for DBFS. Azure Databricks requires access to this key for ongoing operations. You can revoke access to the key to prevent Azure Databricks from accessing encrypted data within the control plane (or in our backups). This is like a �nuclear option� where the workspace ceases to function, but it provides an emergency control for extreme situations. 
This feature requires the Premium pricing tier.",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "72d42e36-11cc-457b-9a4b-1410e43a58a9",
+ "id": "T01.03",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/keys/customer-managed-keys"
+ },
+ {
+ "category": "Networking",
+ "subcategory": " ",
+ "text": "Enable IP access lists to restrict access to certain IP addresses.",
+ "description": "Configure IP access lists that restrict the IP addresses that can authenticate to Databricks at account console and workspace level by checking if the user or API client is coming from a known good IP address range such as a VPN or office network. Established user sessions do not work if the user moves to a bad IP address, such as when disconnecting from the VPN. ",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "277de183-b1ac-4252-a9a9-b64608489a8f",
+ "id": "U01.01",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/front-end/ip-access-list"
+ },
+ {
+ "category": "Networking",
+ "subcategory": " ",
+ "text": "Configure and use Azure Private Link to access Azure resources.",
+ "description": "Azure Private Link provides a private network route from one Azure environment to another. Private Link can be configured both between Azure Databricks users and the control plane, and also between the control plane and the data plane. Between Databricks users and the control plane, Private Link provides strong controls that limit the source for inbound requests. If a company already routes traffic through an Azure environment, they can use Private Link so that the communication between users and the Azure Databricks control plane does not traverse public IP addresses. This feature requires the Premium pricing tier. Use Azure Private Link to connect from Azure Databricks to your Azure resources. 
Not only does Private Link ensure",
+ "waf": "Security",
+ "service": "Azure Databricks",
+ "guid": "82db8eb9-d1ba-473b-86a5-a57eba8dd4b3",
+ "id": "U01.02",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/databricks/security/network/classic/private-link"
+ }
+ ],
+ "categories": [
+ ],
+ "waf": [
+ {
+ "name": "Reliability"
+ },
+ {
+ "name": "Security"
+ },
+ {
+ "name": "Cost"
+ },
+ {
+ "name": "Operations"
+ },
+ {
+ "name": "Performance"
+ }
+ ],
+ "yesno": [
+ {
+ "name": "Yes"
+ },
+ {
+ "name": "No"
+ }
+ ],
+ "status": [
+ {
+ "name": "Not verified",
+ "description": "This check has not been looked at yet"
+ },
+ {
+ "name": "Open",
+ "description": "There is an action item associated to this check"
+ },
+ {
+ "name": "Fulfilled",
+ "description": "This check has been verified, and there are no further action items associated to it"
+ },
+ {
+ "name": "Not required",
+ "description": "Recommendation understood, but not needed by current requirements"
+ },
+ {
+ "name": "N/A",
+ "description": "Not applicable for current design"
+ }
+ ],
+ "severities": [
+ {
+ "name": "High"
+ },
+ {
+ "name": "Medium"
+ },
+ {
+ "name": "Low"
+ }
+ ],
+ "metadata": {
+ "name": "Use the 'Import latest checklist' button to get the latest version of a review checklist",
+ "state": "Preview",
+ "waf": "Security",
+ "timestamp": "10/17/2024 09:16:59"
+ }
+}
+