Azure Synapse Security mindmap, kindly provided by DMARC-EXPERT.COM

- Secure networking
  - To Azure Synapse services
    - Dedicated SQL pool: published through PE
    - Serverless SQL pools: published through PE
    - Synapse studio: published through PE
    - Integrated ADF: Synapse studio, published through PE
    - Spark pools: Synapse studio, published through PE
    - Development endpoint (for devops to publish code, for example, or to run a Spark script): published through PE
      - A Spark script created in Synapse studio contacts this endpoint to run the script on the hosts
  - Access to external assets
    - From serverless SQL pools: access to external storage (network authentication)
      - Data lake: through MS trusted services (network authentication with the Synapse MSI)
    - From dedicated SQL pools: access to external storage (network authentication)
      - Data lake: through MS trusted services (network authentication with the Synapse MSI)
    - From Spark pools: managed VNET, managed private endpoint
      - Data lake and supported sources
      - Data exfiltration security
    - From integrated ADF: managed VNET, managed private endpoint
      - Data lake and supported sources
      - Data exfiltration security
  - VNet
    - Self-hosted IR VM to be privileged
- Availability
  - Dedicated SQL pool: backup
  - Save all Synapse workspace configurations in Azure DevOps
    - Azure DevOps security to consider
- Encryption
  - Synapse workspace encryption
  - Dedicated SQL pool encryption
    - Column-level encryption
    - Transparent data encryption
  - Serverless SQL pools: no data in the serverless SQL pool to encrypt (all data are in external storages)
- Secure authentication and authorization
  - Synapse RBAC: can be given at individual object level (more details here)
  - SQL pools
    - Authentication
      - Local SQL authentication
      - Azure AD authentication with external identities
    - Authorization
      - SQL role security
      - Row-level security
      - Data masking
    - Access to external storage from serverless SQL pools
      - Default is user passthrough authentication with AAD (no credential in code). Issue: the connection to the data lake is not done via Microsoft trusted services; it is done via Azure IPs, so all Azure IPs must be whitelisted: 0.0.0.0
        - Data lake
      - Use the managed system identity (MSI) of the Synapse workspace and create database tables scoped to some folders and only accessible by some SQL users. Issue: the connection to the data lake is done via Microsoft trusted services, which is great to secure the storage access from the internet, but by using the MSI of Synapse we are losing the ADLS audit trail. To see actions performed by users in the SQL pool, SQL audit must be activated
        - Data lake
  - Consideration for Spark pools to authenticate to external sources
    - Default is user passthrough authentication with AAD (no credential in code)
    - Can store the credential in KV and access it (be careful of losing user accountability)
      - Access the KV secret from the Spark pool: to do that, the user should have access to credentials (Synapse RBAC role scoped to the credentials)
    - Use the MSI of the Synapse workspace (be careful of losing user accountability; prefer connection with a managed private endpoint)
      - To do that, the user should have access to the credential, i.e. user access to the MSI (Synapse RBAC)
  - Consideration for integrated ADF to authenticate to external sources
    - Can store the credential in KV and access it: use the internal ADF to access the data source with the password in KV
    - Use the MSI of the Synapse workspace
- Logs
  - SQL pools: audit logs activated
  - Spark: no logs, so audit access to ADLS
  - Consideration for serverless SQL pool: audit access to ADLS

Created using MindMup.com