Data Security: Key Vault, Encryption & Managed Identity
Enterprise data security with Key Vault, encryption, Managed Identities, and network isolation
Security Architecture
DATA SECURITY ARCHITECTURE

LAYER 1: IDENTITY
  • Azure AD (Entra ID) authentication
  • Managed Identities (System + User-assigned)
  • Service Principals with certificate auth
  • Conditional Access Policies
  • MFA for privileged access

LAYER 2: NETWORK
  • Private Endpoints (no public exposure)
  • VNet Integration
  • NSG Rules
  • Azure Firewall
  • DDoS Protection

LAYER 3: DATA PROTECTION
  • Encryption at rest (Microsoft-managed / Customer-managed)
  • Encryption in transit (TLS 1.2)
  • Key Vault for key management
  • Azure Confidential Computing

LAYER 4: MONITORING & AUDIT
  • Azure Monitor + Log Analytics
  • Microsoft Defender for Storage
  • Key Vault logging
  • Diagnostic settings
Key Vault Integration
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential resolves to the Managed Identity at runtime (and to a
# developer login locally), so no credential is stored in code or config.
credential = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://kv-dataengineering.vault.azure.net/",
    credential=credential,
)

# Store secret
client.set_secret("adls-storage-key", "your-storage-key")

# Retrieve secret
secret = client.get_secret("adls-storage-key")
# Pass secret.value to the client that needs it; never print or log the value itself
print(f"Retrieved secret '{secret.name}' (version {secret.properties.version})")

# Store connection string
client.set_secret(
    "synapse-connection",
    "Server=tcp:syn-prod.sql.azuresynapse.net,1433;...",
)
```
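The SecretSet and SecretGet calls above are exactly what Key Vault audit logging (Layer 4 of the architecture) records once diagnostic settings are enabled. The following is an added example, not code from the page, that runs a few detection rules over constructed AuditEvent records: a successful secret read by an identity outside an allow-list, a caller outside the VNet ranges that front the private endpoint, a burst of Forbidden responses from one caller, and vault configuration changes. The field names, operation names, object IDs and the 10.1.0.0/16 range are assumptions made for the example.

```python
"""Detection over Key Vault AuditEvent records (added example, not from the page).

Field names (operationName, resultSignature, callerIpAddress, identity.claim.oid,
properties.id) approximate the AuditEvent schema exported by Key Vault diagnostic
settings; treat them, and the operation names below, as assumptions.
"""
import ipaddress
import json
from collections import Counter

# Operations that read or use secret/key material, and control-plane changes.
MATERIAL_READS = {"SecretGet", "SecretList", "KeyUnwrap", "KeyDecrypt", "KeySign"}
CONFIG_CHANGES = {"VaultPut", "VaultPatch", "VaultDelete", "KeyDelete",
                  "SecretDelete", "KeyPurge", "SecretPurge"}

# Hypothetical allow-list of managed identities expected to read from the vault
# (object IDs are made-up placeholders) and the VNet ranges behind its private endpoint.
EXPECTED_READERS = {
    "11111111-1111-1111-1111-111111111111": "mi-synapse-prod",
    "22222222-2222-2222-2222-222222222222": "mi-adf-prod",
}
ALLOWED_NETWORKS = ["10.1.0.0/16"]

# Constructed sample log: one JSON record per line, as exported to a storage account.
SAMPLE_LOG = r"""
{"time":"2024-05-01T08:00:01Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.1.0.4","identity":{"claim":{"oid":"11111111-1111-1111-1111-111111111111"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/secrets/adls-storage-key"}}
{"time":"2024-05-01T08:00:02Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"99999999-9999-9999-9999-999999999999"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/secrets/adls-storage-key"}}
{"time":"2024-05-01T08:00:03Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"99999999-9999-9999-9999-999999999999"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/secrets/synapse-connection"}}
{"time":"2024-05-01T08:00:04Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"99999999-9999-9999-9999-999999999999"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/secrets/synapse-connection"}}
{"time":"2024-05-01T08:00:05Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"oid":"99999999-9999-9999-9999-999999999999"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/secrets/synapse-connection"}}
{"time":"2024-05-01T08:00:06Z","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"10.1.0.9","identity":{"claim":{"oid":"33333333-3333-3333-3333-333333333333"}},"properties":{"id":"https://kv-dataengineering.vault.azure.net/"}}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyze(events, expected_readers, allowed_networks, forbidden_threshold=3):
    """Return a list of findings; each is a dict with a 'rule' key plus context."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings, forbidden_by_ip, flagged_ips = [], Counter(), set()
    for ev in events:
        op = ev.get("operationName", "")
        result = ev.get("resultSignature", "")
        ip = ev.get("callerIpAddress", "")
        oid = ev.get("identity", {}).get("claim", {}).get("oid", "")
        target = ev.get("properties", {}).get("id", "")
        ctx = {"oid": oid, "ip": ip, "target": target, "time": ev.get("time", "")}
        # Rule 1: a material read succeeded for an identity outside the allow-list.
        if op in MATERIAL_READS and result == "OK" and oid not in expected_readers:
            findings.append({"rule": "unexpected_identity", **ctx})
        # Rule 2: caller address is outside the VNet ranges (reported once per IP).
        if ip and ip not in flagged_ips and not any(ipaddress.ip_address(ip) in n for n in nets):
            flagged_ips.add(ip)
            findings.append({"rule": "caller_outside_vnet", **ctx})
        # Rule 3: accumulate denied requests per caller for the burst rule below.
        if result == "Forbidden":
            forbidden_by_ip[ip] += 1
        # Rule 4: any vault configuration change or deletion is worth a ticket.
        if op in CONFIG_CHANGES:
            findings.append({"rule": "config_change", "operation": op, **ctx})
    for ip, count in forbidden_by_ip.items():
        if count >= forbidden_threshold:
            findings.append({"rule": "forbidden_burst", "ip": ip, "count": count})
    return findings


def run_sample():
    """Run the rules over the constructed log above."""
    return analyze(parse_events(SAMPLE_LOG), EXPECTED_READERS, ALLOWED_NETWORKS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample this reports four findings: the successful read by the unknown object ID, that caller's address being outside the VNet, its three consecutive Forbidden responses, and the VaultPatch. In production the same rules are usually written as a Log Analytics query over the AzureDiagnostics table, but keeping a Python copy lets you unit-test the logic against captured records before wiring it to an alert.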
Customer-Managed Keys (CMK)
```json
{
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2023-02-01",
      "name": "cmk-adls",
      "properties": {
        "kty": "RSA-HSM",
        "keySize": 2048,
        "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
      }
    }
  ]
}
```
Encryption Configuration
```bicep
// Declared here so the fragment deploys on its own; the original referenced `location` undeclared.
param location string = resourceGroup().location
// Resource ID of a user-assigned managed identity that already holds get/wrapKey/unwrapKey
// on the CMK. A new storage account cannot use a customer-managed key without an identity
// that can reach the key in Key Vault.
param cmkIdentityId string

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stdatalake001'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${cmkIdentityId}': {} }
  }
  properties: {
    encryption: {
      identity: { userAssignedIdentity: cmkIdentityId }
      services: {
        blob: { enabled: true, keyType: 'Account' }
        file: { enabled: true, keyType: 'Account' }
      }
      keySource: 'Microsoft.Keyvault'
      keyVaultProperties: {
        keyName: 'cmk-adls'
        keyVaultUri: 'https://kv-dataengineering.vault.azure.net/'
      }
    }
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
  }
}
```
⚠️ Security Critical: Always use Customer-Managed Keys (CMK) for production workloads. Store keys in Key Vault with automatic rotation. Never hardcode credentials in code or configuration files.
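To make the baseline above checkable rather than tribal knowledge, here is an added example (not code from the page or from Azure) of a policy-as-code check in Python over ARM-style resource JSON, the shape `bicep build` emits. It encodes the settings of the CMK key and storage account shown above and goes a step further by also checking the Key Vault hardening points listed in the interview answers at the end of the page (soft delete, purge protection, RBAC, no public network access). The constructed templates, the names kv-dev and stdevdata, and the vault properties are assumptions; property names are compared case-insensitively because ARM treats them that way.

```python
"""Policy-as-code check of CMK key, storage account and vault settings (added example)."""

ALLOWED_KEY_OPS = {"encrypt", "decrypt", "wrapKey", "unwrapKey"}
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}
ACCEPTABLE_TLS = {"TLS1_2", "TLS1_3"}  # TLS1_3 exists only in newer storage API versions

def lower_keys(obj):
    """ARM/Bicep property names are case-insensitive (the REST API spells the page's
    keyVaultProperties as keyvaultproperties), so normalise dict keys before checking."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [lower_keys(v) for v in obj]
    return obj

def check_key(p):
    """vaults/keys: HSM-backed, RSA of at least 2048 bits, only encrypt/decrypt/wrapKey/unwrapKey."""
    out = []
    kty = str(p.get("kty", ""))
    if kty not in HSM_KEY_TYPES:
        out.append(f"key is not HSM-backed (kty={kty or 'unset'})")
    if kty.startswith("RSA") and int(p.get("keysize", 0)) < 2048:
        out.append(f"RSA key size {p.get('keysize')} is below 2048")
    extra = set(p.get("keyops", [])) - ALLOWED_KEY_OPS
    if extra:
        out.append("key permits operations beyond encrypt/decrypt/wrapKey/unwrapKey: " + ", ".join(sorted(extra)))
    return out

def check_storage(p):
    """storageAccounts: CMK from Key Vault, services encrypted, TLS 1.2+, HTTPS only, no public blobs."""
    out = []
    enc = p.get("encryption", {})
    kv = enc.get("keyvaultproperties", {})
    if str(enc.get("keysource", "")).lower() != "microsoft.keyvault":
        out.append(f"encryption does not use a customer-managed key (keySource={enc.get('keysource', 'unset')})")
    elif not (kv.get("keyname") and kv.get("keyvaulturi")):
        out.append("CMK selected but keyName and keyVaultUri are not both set")
    for svc in ("blob", "file"):
        if enc.get("services", {}).get(svc, {}).get("enabled") is not True:
            out.append(f"{svc} service encryption is not enabled")
    if p.get("minimumtlsversion") not in ACCEPTABLE_TLS:
        out.append(f"minimum TLS version is {p.get('minimumtlsversion', 'unset')}, expected TLS1_2")
    if p.get("supportshttpstrafficonly") is not True:
        out.append("plain HTTP is allowed (supportsHttpsTrafficOnly is not true)")
    if p.get("allowblobpublicaccess") is not False:
        out.append("anonymous blob access is not explicitly disabled (allowBlobPublicAccess is not false)")
    return out

def check_vault(p):
    """vaults: soft delete, purge protection, RBAC authorization, public network access disabled."""
    out = [f"{label} is not enabled" for prop, label in (
        ("enablesoftdelete", "soft delete"), ("enablepurgeprotection", "purge protection"),
        ("enablerbacauthorization", "RBAC authorization")) if p.get(prop) is not True]
    if str(p.get("publicnetworkaccess", "")).lower() != "disabled":
        out.append("public network access is not disabled (front the vault with a private endpoint)")
    return out

CHECKS = {"microsoft.keyvault/vaults/keys": check_key,
          "microsoft.storage/storageaccounts": check_storage,
          "microsoft.keyvault/vaults": check_vault}

def evaluate(template):
    """Return 'resource: finding' strings for every resource type we know; empty means compliant."""
    findings = []
    for res in lower_keys(template).get("resources", []):
        check = CHECKS.get(str(res.get("type", "")).lower())
        if check:
            findings.extend(f"{res.get('name')}: {m}" for m in check(res.get("properties", {})))
    return findings

# Constructed templates: the page's key and storage settings plus a hardened vault
# (COMPLIANT), and a deliberately weakened copy to show what the checks report (WEAK).
KV_URI = "https://kv-dataengineering.vault.azure.net/"
COMPLIANT_TEMPLATE = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-dataengineering", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": True,
        "enableRbacAuthorization": True, "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.KeyVault/vaults/keys", "name": "kv-dataengineering/cmk-adls", "properties": {
        "kty": "RSA-HSM", "keySize": 2048, "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdatalake001", "properties": {
        "encryption": {"services": {"blob": {"enabled": True, "keyType": "Account"},
                                    "file": {"enabled": True, "keyType": "Account"}},
                       "keySource": "Microsoft.Keyvault",
                       "keyVaultProperties": {"keyName": "cmk-adls", "keyVaultUri": KV_URI}},
        "minimumTlsVersion": "TLS1_2", "supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False}},
]}
WEAK_TEMPLATE = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-dev", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": False,
        "enableRbacAuthorization": False, "publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.KeyVault/vaults/keys", "name": "kv-dev/cmk-dev", "properties": {
        "kty": "RSA", "keySize": 2048, "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey", "sign"]}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdevdata", "properties": {
        "encryption": {"services": {"blob": {"enabled": True}, "file": {"enabled": True}},
                       "keySource": "Microsoft.Storage"},
        "minimumTlsVersion": "TLS1_0", "supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True}},
]}
```

`evaluate(COMPLIANT_TEMPLATE)` returns an empty list, while the weakened template yields nine findings (software-backed key with an extra `sign` operation, Microsoft-managed storage encryption, TLS 1.0, HTTP allowed, public blob access, and a vault without purge protection, RBAC or network isolation). Run it in CI against the compiled ARM output and fail the pipeline on any finding; that turns the "Security Critical" note above into an enforced gate rather than a reminder.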
Interview Questions
Q1: Explain the difference between Microsoft-managed keys and Customer-managed keys.
A: Microsoft-managed keys are fully managed by Azure (simpler). Customer-managed keys are stored in Key Vault and managed by the customer (more control, compliance). Use CMK for regulated industries.

Q2: How do you implement zero-trust security for data engineering?
A: 1) Private Endpoints for all services, 2) Managed Identities (no secrets), 3) RBAC with least privilege, 4) Network segmentation, 5) Encryption at rest and in transit, 6) Continuous monitoring and alerting.

Q3: What are the best practices for Key Vault security?
A: 1) Enable purge protection, 2) Use soft delete, 3) Restrict access with RBAC, 4) Enable logging, 5) Use private endpoints, 6) Rotate keys regularly, 7) Use HSM-backed keys for high security.