microsoft / finops-toolkit

Tools and resources to help you adopt and implement FinOps capabilities that automate and extend the Microsoft Cloud.
https://aka.ms/finops/toolkit
MIT License

Security improvements #1156

Open arthurclares opened 6 days ago

arthurclares commented 6 days ago

📝 Scenario

This feature request outlines a set of security enhancements that can be implemented by the FinOps Toolkit team, along with actionable recommendations for customers to strengthen the security of their deployments.

📋 Tasks

FinOps Hubs security improvements

#### Network
- [ ] 1. Implement end-to-end support for private endpoint connections:
  - [ ] 1.1 Azure Data Explorer
  - [ ] 1.2 Azure Data Factory
  - [ ] 1.3 Key Vault
  - [ ] 1.4 Power BI
  - [ ] 1.5 Storage Account

#### Key Vault
- [ ] 1. Enable Key Vault Firewall (either Trusted Services Only or vNET):
  - [ ] 1.1 [Learn more about Key Vault network security](https://learn.microsoft.com/azure/key-vault/general/network-security)
- [ ] 2. Use role-based access control (RBAC) to manage access to Key Vault instead of Vault Access Policies:
  - [ ] 2.1 [Best practices for controlling access to your vault](https://learn.microsoft.com/azure/key-vault/general/best-practices#control-access-to-your-vault)

#### Storage Account
- [ ] 1. Adopt client-side encryption for Storage

#### General
- [ ] 1. Review the list of suggested permissions on the deployment page and ensure these follow the least privilege principle. Recommend customers adopt the "just enough administration" approach.
- [ ] TBD: Create a custom role to deploy FinOps Hubs?

Actions to be documented for customers

#### Storage
- [ ] Enable Microsoft Defender for Storage to monitor anomalies and threats.

#### Key Vault
- [ ] Configure Private Link at the Power BI tenant level to restrict data access to private networks.
- [ ] Enable Microsoft Defender for Key Vault to enhance threat protection.

#### Power BI
- [ ] Review the Power BI Security White Paper for best practices: [Power BI Security White Paper](https://learn.microsoft.com/power-bi/guidance/whitepaper-powerbi-security).

#### General
- [ ] Recommend customers adopt the "just enough administration" (least privilege) principle.
- [ ] Use diagnostic settings to send logs to another location, such as Log Analytics or a Storage Account, to retain logs for more than 90 days.
- [ ] Enable Microsoft Defender for Cloud advanced threat protections, such as threat protection for Azure Network: [Learn more about threat protections](https://learn.microsoft.com/en-us/azure/defender-for-cloud/other-threat-protections).

ℹī¸ Additional Context

This threat model review is based on the publicly available version 0.6 of FinOps Hubs, with the inclusion of Azure Data Explorer as part of the deployment.

🙋‍♀ī¸ Ask for the community

We could use your help:

  1. Please vote this issue up (👍) to prioritize it.
  2. Leave comments to help us solidify the vision.
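The Key Vault items above (firewall with trusted services or vNET, RBAC instead of access policies) and the diagnostic-settings item can be expressed together in Bicep. This is an added illustration, not code from the FinOps Toolkit; the vault name, subnet id, workspace id and principal id are placeholders you would replace with your own values.

```bicep
// Added example, not part of the FinOps Toolkit deployment templates.
param location string = resourceGroup().location
param keyVaultName string = 'kv-finops-hub-example'   // placeholder name
param allowedSubnetId string = ''                     // optional vNET subnet allowed through the firewall
param logAnalyticsWorkspaceId string                  // placeholder: workspace that keeps logs beyond 90 days
param secretsReaderPrincipalId string                 // placeholder: e.g. Data Factory managed identity object id

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true      // Task 2: Azure RBAC, no vault access policies
    enableSoftDelete: true
    enablePurgeProtection: true
    networkAcls: {
      defaultAction: 'Deny'            // Task 1: firewall on; public access denied by default
      bypass: 'AzureServices'          // "Trusted Services Only" mode
      ipRules: []
      virtualNetworkRules: empty(allowedSubnetId) ? [] : [
        {
          id: allowedSubnetId          // optional vNET rule when a subnet is supplied
        }
      ]
    }
  }
}

// With RBAC enabled, access is granted per principal and scoped to the vault.
// 4633458b-17de-408a-b874-0445c86b69e6 is the built-in "Key Vault Secrets User" role.
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, secretsReaderPrincipalId, 'Key Vault Secrets User')
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
    principalId: secretsReaderPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// Diagnostic settings item: forward audit events to Log Analytics for long-term retention.
resource keyVaultDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'send-audit-to-log-analytics'
  scope: keyVault
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
```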
arthurclares commented 2 days ago

@allcontributors please add claudiazambella for security

allcontributors[bot] commented 2 days ago

@arthurclares

I've put up a pull request to add @claudiazambella! :tada: