Data Lake Security

Uploaded by kdravidamani

The consensus of industry experts is to apply to data lakes the best security practices for legacy database environments. These generally fall into six categories. Here is a checklist:

• Administration. Data administrators must be able to set policies for all users across all data resources.

• Authentication. End users must be able to prove who they are. Multifactor authentication is recommended.

• Authorization. Different users are given permission to access specific resources and perform different tasks, according to roles, privileges, profiles, and resource limitations.

• Auditing. Administrators must maintain a record of what was done by monitoring and recording user actions, and they must ensure that those without permission do not access data resources.

• Data protection. Sensitive data should be encrypted both in transit and at rest, wherever it is located, whether on premises or in the cloud. Encryption key management, including key generation, storage, and access, is essential.

• Backup. Ensuring that the data lake is securely backed up is particularly important to help guard against the potential cost and headache of ransomware attacks. Being able to restore data from backup removes the need to pay a cybercriminal to get it back.

Effective Hadoop security depends on a holistic approach that revolves around five pillars of security:
administration, authentication and perimeter security, authorization, auditing, and data protection.
Azure

Enterprise customers demand a data analytics cloud platform that is secure and
easy to use. Azure Data Lake Store is designed to help address these requirements
through identity management and authentication via Azure Active Directory
integration, ACL-based authorization, network isolation, data encryption in transit
and at rest (coming in the future), and auditing.

It is vital for an enterprise to make sure that critical business data is stored more securely, with the
correct level of access granted to individual users. Azure Data Lake Store is designed to help meet these
security requirements. In this article, learn about the security capabilities of Data Lake Store, including:

• Authentication
• Authorization
• Network isolation
• Data protection
• Auditing

Authentication and identity management

Authentication is the process by which a user's identity is verified when the user interacts with Data
Lake Store or with any service that connects to Data Lake Store. For identity management and
authentication, Data Lake Store uses Azure Active Directory, a comprehensive identity and access
management cloud solution that simplifies the management of users and groups.

Authorization and access control

After Azure Active Directory authenticates a user so that the user can access Azure Data Lake Store, authorization controls access permissions for Data Lake Store. Data Lake Store separates authorization for account-related and data-related activities in the following manner:

• Role-based access control (RBAC) provided by Azure for account management
• POSIX ACL for accessing data in the store

RBAC for account management

Four basic roles are defined for Data Lake Store by default. The roles permit
different operations on a Data Lake Store account via the Azure portal,
PowerShell cmdlets, and REST APIs. The Owner and Contributor roles can
perform a variety of administration functions on the account. You can assign
the Reader role to users who only interact with data.

Using ACLs for operations on file systems

Data Lake Store is a hierarchical file system like Hadoop Distributed File
System (HDFS), and it supports POSIX ACLs. It controls read (r), write (w),
and execute (x) permissions to resources for the Owner role, for the Owners
group, and for other users and groups. In Data Lake Store, ACLs can be
enabled on the root folder, on subfolders, and on individual files. For more
information on how ACLs work in context of Data Lake Store, see Access
control in Data Lake Store.

We recommend that you define ACLs for multiple users by using security
groups. Add users to a security group, and then assign the ACLs for a file or
folder to that security group.

Network isolation
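The two authorization paths described above (RBAC roles for account management, POSIX ACLs walked down the folder hierarchy for data access) can be modelled in a few dozen lines. The following is an added example, not Azure's implementation or code from this document; the user names, group names, role assignments and file tree are constructed, and the ACL resolution follows POSIX.1e semantics (owner, named user, union of matching group entries capped by the mask, other), with execute required on every ancestor folder.

```python
from dataclasses import dataclass, field

# Azure RBAC on the account: Owner and Contributor administer it; Reader does not.
ADMIN_ROLES = {"Owner", "Contributor"}
ROLE_ASSIGNMENTS = {"admin": "Owner", "bob": "Reader"}   # constructed sample

def can_manage_account(user):
    """Account-level operations (portal, cmdlets, REST) are decided by the RBAC role alone."""
    return ROLE_ASSIGNMENTS.get(user) in ADMIN_ROLES

@dataclass
class Node:
    owner: str
    group: str                                  # owning group
    acl: dict = field(default_factory=dict)     # keys: owner, group, user:NAME, group:NAME, mask, other

def effective_perms(node, user, groups):
    """POSIX.1e resolution order: owner, named user, matching group entries (union), other.
    Named-user and group entries are capped by the mask entry when one is present."""
    mask = node.acl.get("mask")

    def cap(perms):
        return perms if mask is None else "".join(c for c in perms if c in mask)

    if user == node.owner:
        return node.acl.get("owner", "")
    if f"user:{user}" in node.acl:
        return cap(node.acl[f"user:{user}"])
    matched, perms = False, set()
    for g in groups:
        key = "group" if g == node.group else f"group:{g}"
        if key in node.acl:
            matched = True
            perms |= set(node.acl[key])
    return cap("".join(perms)) if matched else node.acl.get("other", "")

def can_access(fs, path, user, groups, want):
    """Reaching a file needs 'x' on every ancestor folder, then each permission in `want` on the target."""
    parts = [p for p in path.split("/") if p]
    folders = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for folder in folders:
        if "x" not in effective_perms(fs[folder], user, groups):
            return False
    return all(c in effective_perms(fs[path], user, groups) for c in want)

# Constructed sample tree: the finance security group may read the ledger; the mask withholds write.
FS = {
    "/": Node("admin", "admins", {"owner": "rwx", "group": "rx", "other": "x"}),
    "/finance": Node("admin", "admins", {"owner": "rwx", "group": "rx", "group:finance": "rx", "mask": "rx", "other": ""}),
    "/finance/ledger.csv": Node("admin", "admins", {"owner": "rw", "group": "r", "group:finance": "rw", "mask": "r", "other": ""}),
}
```

Note that bob, holding only the Reader role, cannot administer the account, yet reads the ledger purely through his membership in the finance group, which is the pattern the text recommends.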

Use Data Lake Store to help control access to your data store at the network
level. You can establish firewalls and define an IP address range for your
trusted clients. With an IP address range, only clients that have an IP address
within the defined range can connect to Data Lake Store.

Data protection

Azure Data Lake Store protects your data throughout its life cycle. For data
in transit, Data Lake Store uses the industry-standard Transport Layer
Security (TLS) protocol to secure data over the network.

Data Lake Store also provides encryption for data that is stored in the account. You can choose to have your data encrypted or opt for no encryption. If you opt in to encryption, data stored in Data Lake Store is encrypted prior to storing on persistent media. In such a case, Data Lake Store automatically encrypts data prior to persisting and decrypts data prior to retrieval, so it is completely transparent to the client accessing the data. There is no code change required on the client side to encrypt or decrypt data.

Auditing and diagnostic logs

You can use auditing or diagnostic logs, depending on whether you are
looking for logs for management-related activities or data-related activities.
