Unlocking the 90-9-1 Rule for Security of your Azure Data Platform
Over the years I’ve had the great privilege of working with some brilliant folks inside of Microsoft. One of their engineers, who became a mentor to me when I first started working within Microsoft Azure, gave me some advice that I took to heart and have followed ever since. What he told me was this: When it comes to the security of your Azure Data Platform, you need to adhere to the 90-9-1 rule.
Here’s how the 90-9-1 rule breaks down.
Let’s start with 90%.
My mentor's point was that, as the data engineer, I am personally responsible for 90% of the security design and implementation of that Azure data platform. It's up to me to ensure that the system is appropriately hardened.
Now, 90% sounds like a lot. It is a lot. But what he meant by that is that I'm responsible for making sure every checkbox gets checked. If I'm not an expert in one area, I need to find an expert and make sure that what needs to be done is done. I then run a threat-modeling exercise over the design to confirm there are no gaps.
It also means I have to account for security, compliance, and privacy being baked into everything I design and build. This includes encrypting data in transit as well as data at rest. I have to make sure that the right people get the appropriate level of access to data and that everyone else is restricted. It also means building certain capabilities into the platform, such as time-bound, just-in-time access for occasional users like consultants, so that their access expires on its own instead of lingering.
Next, we move to the 9%.
This 9% represents the security capabilities that Microsoft provides within the Azure platform itself: the investments Microsoft has made in security and compliance across Azure, including the AI and machine-learning-based threat detection that runs across the platform.
Here's an example of what's covered in this 9%. Say a CEO signs in to his company's system at 2:00 pm, and the sign-in is geolocated from the client IP address to the Toronto area. At 2:03 pm, the same account signs in from Taipei. Since there is physically no way to get from Toronto to Taipei in three minutes, Azure's risk-based sign-in detection (the "atypical travel" detection in Azure AD Identity Protection) flags the second sign-in as risky, and a conditional access policy keyed to sign-in risk can then block it or force multi-factor authentication before any data is touched.
Microsoft's security suite also lets you define your own conditions, so that anomalies like this one are caught even when nobody planned for them in advance, reducing the risk of data exposure.
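To make the detection concrete, here is an added example (my own code, not Microsoft's implementation, which is proprietary) of the logic behind an impossible-travel alert. It reads constructed sign-in records of the form `timestamp,user,ip`, maps each IP to a location through a small constructed lookup table standing in for a geolocation service (real Azure AD sign-in logs already carry a location field), and flags any two consecutive sign-ins by the same account that would require travelling faster than a commercial jet. It generalizes the Toronto/Taipei story to any pair of locations via a speed threshold, and it handles two edge cases the story skips: sign-ins with no resolvable location, and two sign-ins with the same timestamp.

```python
"""Impossible-travel detector over constructed sign-in records.

Added example, not code from the original post or from Microsoft.
The log format, IP ranges and geolocation table are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import math

# Constructed geolocation table: IP prefix -> (city, latitude, longitude).
# Uses documentation-only address ranges; a real deployment would use a
# geolocation service or the location field already in the sign-in log.
GEO_TABLE = {
    "203.0.113.": ("Toronto", 43.65, -79.38),
    "198.51.100.": ("Taipei", 25.03, 121.56),
    "192.0.2.": ("Montreal", 45.50, -73.57),
}

# Fastest plausible legitimate travel, with headroom over a commercial jet.
MAX_SPEED_KMH = 1000.0
# Moves shorter than this are ignored so that neighbouring cities and
# coarse IP geolocation do not generate noise.
MIN_DISTANCE_KM = 100.0


@dataclass
class SignIn:
    when: datetime
    user: str
    ip: str
    city: str
    lat: float
    lon: float


@dataclass
class Alert:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    elapsed_min: float
    speed_kmh: float  # math.inf when both sign-ins share a timestamp


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def geolocate(ip):
    """Return (city, lat, lon) for an IP, or None if it is unknown."""
    for prefix, loc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return loc
    return None


def parse_log(text):
    """Parse `timestamp,user,ip` lines; drop records with no location."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip = [f.strip() for f in line.split(",")]
        loc = geolocate(ip)
        if loc is None:
            continue  # nothing to compare against without a location
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append(SignIn(when, user, ip, *loc))
    return events


def detect_impossible_travel(text):
    """Flag consecutive sign-ins per user that imply impossible speed."""
    alerts = []
    by_user = {}
    for ev in parse_log(text):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # log order is not guaranteed
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Same timestamp from two distant places is still impossible.
            speed = dist / hours if hours > 0 else math.inf
            if speed > MAX_SPEED_KMH:
                alerts.append(Alert(user, prev.city, cur.city, dist, hours * 60, speed))
    return alerts


# Constructed sample log: the CEO story from the text, plus an analyst who
# drives Toronto -> Montreal over six hours and then appears from an
# address with no known location.
SAMPLE_LOG = """\
2024-05-06T14:00:00Z,ceo@example.com,203.0.113.10
2024-05-06T14:03:00Z,ceo@example.com,198.51.100.7
2024-05-06T09:00:00Z,analyst@example.com,203.0.113.22
2024-05-06T15:00:00Z,analyst@example.com,192.0.2.9
2024-05-06T15:30:00Z,analyst@example.com,10.0.0.5
"""

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_LOG):
        print(f"{a.user}: {a.from_city} -> {a.to_city}, "
              f"{a.distance_km:.0f} km in {a.elapsed_min:.0f} min "
              f"({a.speed_kmh:.0f} km/h)")
```

Run as-is it reports only the CEO's Toronto-to-Taipei pair (roughly 12,000 km in three minutes); the analyst's 500 km over six hours stays quiet, and the sign-in from the unmapped address is skipped rather than miscounted as travel. The thresholds are the tuning knobs: raise `MIN_DISTANCE_KM` if your geolocation data is coarse, and treat `MAX_SPEED_KMH` as the line between "fast flight" and "two different people".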
Now, for the 1%.
The 1% in this equation represents the data security professionals who work within an organization. These are the professionals who understand and manage critical data that has high business impact, such as personally identifiable information, healthcare information, and financial information, and the regulations that govern it.
While 1% might seem minuscule in the equation, these professionals carry the bulk of the day-to-day security work going on within an organization. Their role is vital to making sure the organization is protected and secure.
In fact, in my opinion it is critical that organizations bring these security professionals in early and often in discussions on moving to the cloud. These individuals are often afterthoughts in the planning process, but their importance shouldn't be underestimated. The data platform I build and deploy depends on these security and infrastructure teams, and the earlier they're involved in what I'm doing, the smoother the migration will be.
Understanding the 90-9-1 rule for your own Azure Data Platform is important before you begin migration. Who’s responsible for what pieces, where might there be gaps, and how can you best avoid a breach?
In today's ever-evolving environment, with increasingly sophisticated methods of gaining illegal access to data, breaches are happening with more frequency. Make sure that when it comes to security your company is covered the full 100%.