Security improvements

[arthurclares]

📝 Scenario

This feature request outlines a set of security enhancements that can be implemented by the FinOps Toolkit team, along with actionable recommendations for customers to strengthen the security of their deployments.

📋 Tasks

FinOps Hubs security improvements

Network

Beta Give feedback

1. 1. Implement end-to-end support for private endpoint connections:
2. 1.1 Azure Data Explorer
3. 1.2 Azure Data Factory
4. 1.3 Key Vault
5. 1.4 Power BI
6. 1.5 Storage Account

Key Vault

Beta Give feedback

1. 1. Enable Key Vault Firewall (either Trusted Services Only or vNET):
2. 1.1 Learn more about Key Vault network security
3. 2. Use role-based access control (RBAC) to manage access to Key Vault instead of Vault Access Policies:
4. 2.1 Best practices for controlling access to your vault

Storage Account

Beta Give feedback

1. 4. Adopt client-side encryption for Storage

General

Beta Give feedback

1. 1. Review the list of suggested permissions on the deployment page and ensure these follow the least privilege principle. Recommend customers adopt the "just enough administration" approach.
2. TBD: Create a custom role to deploy FinOps Hubs ?

Actions to be documented for customers

Storage

Beta Give feedback

1. Enable Microsoft Defender for Storage to monitor anomalies and threats.

Key Vault

Beta Give feedback

1. Configure Private Link at the Power BI tenant level to restrict data access to private networks.
2. Enable Microsoft Defender for Key Vault to enhance threat protection.

Power BI

Beta Give feedback

1. Review the Power BI Security White Paper for best practices: Power BI Security White Paper.

General

Beta Give feedback

1. Recommend customers adopt the "just enough administration" (least privilege) principle.
2. Use diagnostic settings to send logs to another location, such as Log Analytics or a Storage Account, to retain logs for more than 90 days.
3. Enable Microsoft Defender for Cloud advanced threat protections, such as threat protection for Azure Network: Learn more about threat protections.

ℹ️ Additional Context

This threat model review is based on the publicly available version 0.6 of FinOps Hubs, with the inclusion of Azure Data Explorer as part of the deployment.

🙋‍♀️ Ask for the community

We could use your help:

1. Please vote this issue up (👍) to prioritize it.
2. Leave comments to help us solidify the vision.