Join us to master Microsoft Fabric for enterprise-level challenges. Learn how to integrate private networking, manage resilience and disaster recovery, ensure seamless access control and configure vigilant monitoring to safeguard your data architecture. We’ll use Workspace Identity, Private Endpoints, and go through all the different ways to provide or restrict access to your data. By the end of this talk, you’ll be ready to build a robust and secure data platform on Microsoft Fabric.
In these slides
Context & Concepts
Security (concepts)
More security (networking)
Even more security (auth)
Monitoring
Resiliency
Fabric Fortresses
Who am I?
Sam Debruyn
📍 Heist-op-den-Berg, BE
💼 Consultant / Cloud & Data Platform Architect
5⃣ years in data
🔟 years in software / architecture / cloud
🫶 Fabric, Azure, modern data platform
Enterprise context
Problems at scale
🚀 Automation is key
Risks increase:
More (sensitive) data
More ways to access that data
More weak links
Ageing: solutions must be maintained
Less “playground” mentality, proper processes in place
⏳ Things take more time
💰 Less focus on lowest possible cost as a decision maker
Security common practices
Defense in depth
Authentication / authorization
Networking primer: public vs. private networking
The DNS (Domain Name System) translates every domain into an IP address.
3 private IP ranges:
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Every other IP address is deemed to be publicly accessible.
E.g. the address 10.1.2.3 will only be accessible within our own network. The address 11.1.2.3 will be globally accessible.
Private services can be exposed through NAT (Network Address Translation) and port forwarding.
Networking primer
➡ Outgoing traffic / egress: connections made from inside the network to the internet. E.g. when you load data from a public CSV file, your Fabric instance makes an outgoing connection. Protecting this is a safeguard to avoid data exfiltration.
➡ Incoming traffic / ingress: everything reaching a certain service from outside. E.g. users connecting to a Power BI dashboard is incoming traffic from the perspective of Power BI. Protecting this is a safeguard against failures on the authentication side.
Data Exfiltration Protection (DEP)
Data exfiltration is the unauthorized transfer of (sensitive) data from your environment to an unapproved entity. When a malicious user has gained access to your data, they usually want to copy/move your data to their own systems or make it publicly available. DEP detects and monitors egress traffic to block any unauthorized movement of data.
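To make the egress side of the networking primer and the DEP slide concrete, here is an added example (not part of the talk or of any Microsoft product) that classifies destinations in a constructed egress log against the three private ranges listed above and a hypothetical allowlist of approved public hosts; anything else is flagged as a possible exfiltration path. The log format, the workspace names and the allowlisted address are all assumptions.

```python
import ipaddress

# The three private ranges from the networking primer (RFC 1918);
# every other address is treated as publicly reachable.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Hypothetical allowlist of approved public egress targets (constructed value).
APPROVED_PUBLIC = {"20.50.60.70"}

def is_private(ip: str) -> bool:
    """True when ip lies in one of the three private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)

def parse_line(line: str) -> dict:
    """Parse a constructed egress record: '<ts> ws=<name> dst=<ip> bytes=<n>'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    event["bytes"] = int(event["bytes"])
    return event

def classify(dst_ip: str) -> str:
    """private: stays inside our network; approved: allow-listed public host;
    flagged: unapproved public destination, i.e. a possible exfiltration path."""
    if is_private(dst_ip):
        return "private"
    if dst_ip in APPROVED_PUBLIC:
        return "approved"
    return "flagged"

def find_unapproved_egress(lines, min_bytes: int = 0) -> list:
    """Return (workspace, dst, bytes) for flagged events moving >= min_bytes."""
    hits = []
    for event in map(parse_line, lines):
        if classify(event["dst"]) == "flagged" and event["bytes"] >= min_bytes:
            hits.append((event["ws"], event["dst"], event["bytes"]))
    return hits

# Constructed sample egress log; not real Fabric or firewall output.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z ws=finance dst=10.1.2.3 bytes=1048576",
    "2024-05-01T10:00:05Z ws=finance dst=20.50.60.70 bytes=2048",
    "2024-05-01T10:00:09Z ws=finance dst=11.1.2.3 bytes=734003200",
    "2024-05-01T10:00:12Z ws=hr dst=192.168.5.9 bytes=512",
]
```

Only the 700 MB transfer to 11.1.2.3 is flagged; the 10.1.2.3 and 192.168.5.9 destinations stay private and 20.50.60.70 is allowlisted.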
Private networking in Fabric: incoming traffic
Enabling private networking in Fabric
Private networking in Microsoft Fabric: outgoing traffic
Authentication & authorization
Microsoft Entra ID Conditional Access
Multiple layers working together
Just-in-time access
Instead of providing access 24/7, only provide access when needed
💡 Could be a good way to protect sensitive data
Access limited in time
Users can be asked to provide a justification
Optionally let another user approve the access
Workspace Identity & Trusted Access
Avoid linking access to resources (e.g. Azure Storage Accounts used in Shortcuts) to individual users
❓ What if a user leaves / an account is compromised / …
Service principals are a common solution but still have certain risks:
⚠ Client secret could be leaked
♻ Rotation of client secrets is often overlooked / prone to secret leakage
In the Entra ID world, Managed Identities are the solution. In Fabric: Workspace Identity
Fabric access controls
Tenant-level: who can use any Fabric feature
Workspace-level: admin / member / contributor / viewer
Shared items: a single item without Workspace access (read / edit / share / read all with SQL / read all with Spark / build / execute)
Row-level security (RLS) / column-level security (CLS) / object-level security (OLS)
Data source: SSO vs. fixed credential
Fabric endpoints
Fabric UI
Power BI reports
SQL queries through SQL Analytics Endpoint / Data Warehouse via external tools (SSMS, Azure Data Studio, dbt, Python, …)
OneLake APIs
Fabric APIs & connectors (e.g. Excel)
…
Monitoring
Power BI audit log
Azure Firewall / 3rd party firewall
Azure PIM access requests (with justifications and/or approvals)
Microsoft Purview
Disaster recovery & resiliency
Multiple aspects
Compute access: less critical
E.g. when disaster strikes, maybe a delay on intensive data pipelines is acceptable
Lakehouses, Data Warehouses, Reports: no “state” in this layer, so in the worst case no data can be processed/accessed
Data access: OneLake access
Storage layer is critical, as the worst case is data loss
OneLake is the ZRS version of ADLS; you might want to check your Shortcut sources as well
Disaster recovery & resiliency: Availability Zones
Recap
Startup requirements <> enterprise requirements
↗ Security controls are easily manageable when starting small but can become a challenge at scale
Build security in isolated layers
↗ Defense in Depth, Least Privilege, Zero Trust, …
Starting points / recommendations
👉 Assign permissions in Fabric to Entra ID Groups
👉 Private networking
👉 Privileged Identity Management
👉 Entra ID Conditional Access
👉 Monitoring through Microsoft Purview
Slides
Slides available at https://debruyn.dev/fabsectechorama
Questions? sam@debruyn.dev https://debruyn.dev