In the days before cell phones and even before video games, there was only one toy that stood at the top of every child’s wish list. It stood head and shoulders above all other possessions a child could have: a bicycle. So, why was it so special? Because it offered a promise that no other toy did back then, freedom. In those days of yore, ye olden days when life had neither hue nor saturation, a bicycle meant that you could get further and faster than any Chuck Taylors could carry you. Even as video games made inroads into the hearts and minds of children everywhere, the bicycle stood in proud defiance against the paths that the electron and microprocessor forged. Many a kid rode his bicycle to ogle the new Atari or Nintendo in the front window of his local toy shop.

Blog_Security(1)

But, with the freedom it offered, bicycle ownership came at a cost. Enter responsibility.

One day, after many months of enjoying my awesome ride, I made a rash decision. Rather than securing my bicycle in our suburban garage or even towing it into our backyard, I carelessly tossed my bike outside in the front yard. The next day, I awoke and found that my bike was gone. After days of wailing and gnashing my teeth, I learned the harsh truth. If you’ve got stuff, you need to make sure your stuff is secured from the hands of nefarious ne’er-do-wells.

With the internet reaching every corner of the earth now-a-days, the information superhighway gives far greater exposure to the world than a relatively isolated suburban street. Don’t tell my ten-year-old self this, but a company’s treasure trove of data is worth far more than a kid’s bicycle. If left unsecured, it will appeal greatly to hackers and other digital ne’er-do-wells. It should be no surprise, then, that the security standards of today’s cloud solutions need to be more intense than the relative isolation of on-premises networks. IT groups need to be continuously vigilant in policing their security and continuously exploring new ways to secure their data.

So, what’s your privacy strategy for 2022? How are you going to improve the security of your Azure data solution or Power BI workspace this year? There are many options with varying degrees of impact. Some are nearly trivial, while others may set up roadblocks that hamper innovation. The trick is to find that sweet spot in-between satisfying your security requirements and minimizing hassle and opportunity cost. Here are some thoughts you might contemplate, or consider old hat.

Have you implemented multi-factor authentication (MFA)? It has exploded in popularity the last few years. MFA supplements passwords by adding out-of-band authentication to the old username and password standard. It includes text messaging codes, hardware tokens, and smartphone-based authentication applications. Azure Active Directory (AAD) includes MFA authentication options by default. They can be used for all authentication or specific actions, like changing your password. In November 2021, Microsoft showed its confidence in its Authenticator app by allowing it to function as a complete replacement for passwords. AAD administrators can now allow users to forego a password entirely if they use the Microsoft Authenticator app. Times have certainly changed from yesterday’s username and password authentication.

Are your Azure solutions using managed identities where possible? Continuing the rebellion from usernames and passwords, managed identities might be considered the service and application equivalent to Microsoft’s Authenticator move. Managed identities allow those services to authenticate to other services and be given permissions to assets without having to worry about credentials. Rather than create service principals and dealing with storing and retrieving passwords, managed identities handle all that authentication in the background. They’re used extensively by services like Azure Synapse or Data Factory, and even things like Azure Functions or Logic Apps.

When managed identities are not available, are you using Key Vault for your credentials? Azure Key Vault securely stores secrets and certificates, so that applications and solutions never need to store them in code or config files. It also integrates with other Azure products, including Synapse, Data Factory, and Databricks. Your Function Apps and other custom code can use Key Vault libraries as well.

How are you going to fortify your networking? Are you applying firewalls to your Azure services? Are you going to invest in an Azure private network and isolate your Azure resources from the internet at large? Are you going to route your traffic to Microsoft through a VPN or ExpressRoute circuit? Networking can be tricky, but when used properly, it can be an effective tool to prevent security risks.

Security, though, is not just authentication and networking. It needs to be a central part of system planning and architecture. Are you using the least privilege model for permissions? Are you using ACLs in your data lake and row-based security in your Power BI models and SQL databases? Are you auditing personally identifiable information (PII)? Do you really need names, phone numbers, or Social Security Numbers for your analytics? Are you tightly controlling who can access the PII? Are you planning to implement AI-based threat detection?

What ended up on your security checklist this year? Let’s make this year not only a year of data and insights, but a year of security as well. At BlueGranite, we have experience discovering and implementing best practice security features for ultimate safety within your organization. If you need advice and guidance on the current standing or future enhancements of your security setup, let BlueGranite offer some words of wisdom, contact us today!