articles/data-lake-store/data-lake-store-security-overview.md
15 additions & 6 deletions
@@ -2,20 +2,16 @@
2
2
title: Overview of security in Azure Data Lake Storage Gen1 | Microsoft Docs
3
3
description: Understand how Azure Data Lake Storage Gen1 is a more secure big data store
4
4
services: data-lake-store
5
-
documentationcenter: ''
6
5
author: twooley
7
-
manager: mtillman
8
-
editor: cgronlun
9
6
10
-
ms.assetid: ebd5b2ac-c5cc-46d4-9cfd-1a1ee70024c2
11
7
ms.service: data-lake-store
12
-
ms.devlang: na
13
8
ms.topic: conceptual
14
-
ms.date: 03/26/2018
9
+
ms.date: 03/11/2020
15
10
ms.author: twooley
16
11
17
12
---
18
13
# Security in Azure Data Lake Storage Gen1
14
+
19
15
Many enterprises are taking advantage of big data analytics for business insights to help them make smart decisions. An organization might have a complex and regulated environment, with an increasing number of diverse users. It is vital for an enterprise to make sure that critical business data is stored more securely, with the correct level of access granted to individual users. Azure Data Lake Storage Gen1 is designed to help meet these security requirements. In this article, learn about the security capabilities of Data Lake Storage Gen1, including:
20
16
21
17
* Authentication
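Review bot: the front-matter removals in this hunk (`documentationcenter`, `manager`, `editor`, `ms.assetid`, `ms.devlang`) are metadata cleanup unrelated to the service-tag content this commit adds further down the same file; they would be easier to review and revert as a separate change, and the commit message should at least mention them alongside the `ms.date: 03/11/2020` bump.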
@@ -25,6 +21,7 @@ Many enterprises are taking advantage of big data analytics for business insight
25
21
* Auditing
26
22
27
23
## Authentication and identity management
24
+
28
25
Authentication is the process by which a user's identity is verified when the user interacts with Data Lake Storage Gen1 or with any service that connects to Data Lake Storage Gen1. For identity management and authentication, Data Lake Storage Gen1 uses [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md), a comprehensive identity and access management cloud solution that simplifies the management of users and groups.
29
26
30
27
Each Azure subscription can be associated with an instance of Azure Active Directory. Only users and service identities that are defined in your Azure Active Directory service can access your Data Lake Storage Gen1 account, by using the Azure portal, command-line tools, or through client applications your organization builds by using the Data Lake Storage Gen1 SDK. Key advantages of using Azure Active Directory as a centralized access control mechanism are:
@@ -35,12 +32,14 @@ Each Azure subscription can be associated with an instance of Azure Active Direc
35
32
* Federation with enterprise directory services and cloud identity providers.
36
33
37
34
## Authorization and access control
35
+
38
36
After Azure Active Directory authenticates a user so that the user can access Data Lake Storage Gen1, authorization controls access permissions for Data Lake Storage Gen1. Data Lake Storage Gen1 separates authorization for account-related and data-related activities in the following manner:
39
37
40
38
*[Role-based access control](../role-based-access-control/overview.md) (RBAC) provided by Azure for account management
41
39
* POSIX ACL for accessing data in the store
42
40
43
41
### RBAC for account management
42
+
44
43
Four basic roles are defined for Data Lake Storage Gen1 by default. The roles permit different operations on a Data Lake Storage Gen1 account via the Azure portal, PowerShell cmdlets, and REST APIs. The Owner and Contributor roles can perform a variety of administration functions on the account. You can assign the Reader role to users who only view account management data.
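Review bot: the context line `*[Role-based access control](../role-based-access-control/overview.md) (RBAC) provided by Azure for account management` has no space between the asterisk and the link, so it will not render as a bullet next to `* POSIX ACL for accessing data in the store`; since this hunk already touches the section (blank lines after the headings), fix it to `* [Role-based access control](...)` at the same time.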
@@ -58,18 +57,23 @@ Note that although roles are assigned for account management, some roles affect
58
57
For instructions, see [Assign users or security groups to Data Lake Storage Gen1 accounts](data-lake-store-secure-data.md#assign-users-or-security-groups-to-data-lake-storage-gen1-accounts).
59
58
60
59
### Using ACLs for operations on file systems
60
+
61
61
Data Lake Storage Gen1 is a hierarchical file system like Hadoop Distributed File System (HDFS), and it supports [POSIX ACLs](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists). It controls read (r), write (w), and execute (x) permissions to resources for the Owner role, for the Owners group, and for other users and groups. In Data Lake Storage Gen1, ACLs can be enabled on the root folder, on subfolders, and on individual files. For more information on how ACLs work in context of Data Lake Storage Gen1, see [Access control in Data Lake Storage Gen1](data-lake-store-access-control.md).
62
62
63
63
We recommend that you define ACLs for multiple users by using [security groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). Add users to a security group, and then assign the ACLs for a file or folder to that security group. This is useful when you want to provide assigned permissions, because you are limited to a maximum of 28 entries for assigned permissions. For more information about how to better secure data stored in Data Lake Storage Gen1 by using Azure Active Directory security groups, see [Assign users or security group as ACLs to the Data Lake Storage Gen1 file system](data-lake-store-secure-data.md#filepermissions).
Use Data Lake Storage Gen1 to help control access to your data store at the network level. You can establish firewalls and define an IP address range for your trusted clients. With an IP address range, only clients that have an IP address within the defined range can connect to Data Lake Storage Gen1.
69
70
70
71

71
72
73
+
Azure virtual networks (VNet) support service tags for Data Lake Gen 1. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. For more information, see [Azure service tags overview](../virtual-network/service-tags-overview.md).
74
+
72
75
## Data protection
76
+
73
77
Data Lake Storage Gen1 protects your data throughout its life cycle. For data in transit, Data Lake Storage Gen1 uses the industry-standard Transport Layer Security (TLS 1.2) protocol to secure data over the network.
74
78
75
79

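Review bot: the added paragraph names the product `Data Lake Gen 1` while every other line in the file uses `Data Lake Storage Gen1`; use the latter. The paragraph also follows the firewall text (`only clients that have an IP address within the defined range can connect to Data Lake Storage Gen1`) without saying how the two relate: a service tag is, per the paragraph itself, a group of prefixes for a whole Azure service rather than a trusted-client range, so say where the tag is consumed (for example in network security group rules on the client VNet, as the blob recommendations row in this same commit describes for outbound rules) so readers do not take it as an input to the Data Lake Storage Gen1 firewall allow list.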
@@ -79,12 +83,14 @@ Data Lake Storage Gen1 also provides encryption for data that is stored in the a
79
83
For key management, Data Lake Storage Gen1 provides two modes for managing your master encryption keys (MEKs), which are required for decrypting any data that is stored in Data Lake Storage Gen1. You can either let Data Lake Storage Gen1 manage the MEKs for you, or choose to retain ownership of the MEKs using your Azure Key Vault account. You specify the mode of key management while creating a Data Lake Storage Gen1 account. For more information on how to provide encryption-related configuration, see [Get started with Azure Data Lake Storage Gen1 using the Azure Portal](data-lake-store-get-started-portal.md).
80
84
81
85
## Activity and diagnostic logs
86
+
82
87
You can use activity or diagnostic logs, depending on whether you are looking for logs for account management-related activities or data-related activities.
83
88
84
89
* Account management-related activities use Azure Resource Manager APIs and are surfaced in the Azure portal via activity logs.
85
90
* Data-related activities use WebHDFS REST APIs and are surfaced in the Azure portal via diagnostic logs.
86
91
87
92
### Activity log
93
+
88
94
To comply with regulations, an organization might require adequate audit trails of account management activities if it needs to dig into specific incidents. Data Lake Storage Gen1 has built-in monitoring and it logs all account management activities.
89
95
90
96
For account management audit trails, view and choose the columns that you want to log. You also can export activity logs to Azure Storage.
@@ -94,18 +100,21 @@ For account management audit trails, view and choose the columns that you want t
94
100
For more information on working with activity logs, see [View activity logs to audit actions on resources](../azure-resource-manager/management/view-activity-logs.md).
95
101
96
102
### Diagnostics logs
103
+
97
104
You can enable data access audit and diagnostic logging in the Azure portal and send the logs to an Azure Blob storage account, an event hub, or Azure Monitor logs.
For more information on working with diagnostic logs with Data Lake Storage Gen1, see [Accessing diagnostic logs for Data Lake Storage Gen1](data-lake-store-diagnostic-logs.md).
102
109
103
110
## Summary
111
+
104
112
Enterprise customers demand a data analytics cloud platform that is secure and easy to use. Data Lake Storage Gen1 is designed to help address these requirements through identity management and authentication via Azure Active Directory integration, ACL-based authorization, network isolation, data encryption in transit and at rest, and auditing.
105
113
106
114
If you want to see new features in Data Lake Storage Gen1, send us your feedback in the [Data Lake Storage Gen1 UserVoice forum](https://feedback.azure.com/forums/327234-data-lake).
107
115
108
116
## See also
117
+
109
118
*[Overview of Azure Data Lake Storage Gen1](data-lake-store-overview.md)
110
119
*[Get started with Data Lake Storage Gen1](data-lake-store-get-started-portal.md)
111
120
*[Secure data in Data Lake Storage Gen1](data-lake-store-secure-data.md)
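Review bot: the `### Diagnostics logs` heading (context line) disagrees with `## Activity and diagnostic logs` and with `working with diagnostic logs` in the same hunk; rename it to `### Diagnostic logs`. The `## See also` items `*[Overview of Azure Data Lake Storage Gen1](...)`, `*[Get started with Data Lake Storage Gen1](...)` and `*[Secure data in Data Lake Storage Gen1](...)` also lack the space after `*` needed to render as a list.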
articles/storage/blobs/security-recommendations.md
2 additions & 1 deletion
@@ -8,7 +8,7 @@ author: tamram
8
8
ms.service: storage
9
9
ms.subservice: blobs
10
10
ms.topic: conceptual
11
-
ms.date: 12/18/2019
11
+
ms.date: 03/11/2020
12
12
ms.author: tamram
13
13
ms.custom: security-recommendations
14
14
---
@@ -53,6 +53,7 @@ Azure Security Center periodically analyzes the security state of your Azure res
53
53
| Enable firewall rules | Configure firewall rules to limit access to your storage account to requests that originate from specified IP addresses or ranges, or from a list of subnets in an Azure Virtual Network (VNet). For more information about configuring firewall rules, see [Azure File Sync proxy and firewall settings](../files/storage-sync-files-firewall-and-proxy.md). | - |
54
54
| Allow trusted Microsoft services to access the storage account | Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. You can permit requests from other Azure services by adding an exception to allow trusted Microsoft services to access the storage account. For more information about adding an exception for trusted Microsoft services, see [Azure File Sync proxy and firewall settings](../files/storage-sync-files-firewall-and-proxy.md).| - |
55
55
| Use private endpoints | A private endpoint assigns a private IP address from your Azure Virtual Network (VNet) to the storage account. It secures all traffic between your VNet and the storage account over a private link. For more information about private endpoints, see [Connect privately to a storage account using Azure Private Endpoint](../../private-link/create-private-endpoint-storage-portal.md). | - |
56
+
| Use VNet service tags | A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. For more information about service tags supported by Azure Storage, see [Azure service tags overview](../../virtual-network/service-tags-overview.md). For a tutorial that shows how to use service tags to create outbound network rules, see [Restrict access to PaaS resources](../../virtual-network/tutorial-restrict-network-access-to-resources.md). | - |
56
57
| Limit network access to specific networks | Limiting network access to networks hosting clients requiring access reduces the exposure of your resources to network attacks. |[Yes](../../security-center/security-center-sql-service-recommendations.md)|
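Review bot: the new `Use VNet service tags` row points to an outbound-rule tutorial (`Restrict access to PaaS resources`) but sits between `Use private endpoints` and `Limit network access to specific networks`, which are about inbound access to the storage account; state in the row that tags are consumed by network security group or firewall rules on the client side, not by the storage account firewall, so the recommendation is actionable. Also confirm that `-` in the third column (no Security Center check) is intended, given the neighbouring `Limit network access to specific networks` row links to a Security Center recommendation.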
@@ -33,8 +33,9 @@ This article documents the security controls built into Azure Storage.
33
33
| Security control | Yes/No | Notes |
34
34
|---|---|--|
35
35
| Service endpoint support| Yes ||
36
+
| Service tags support| Yes | See [Azure service tags overview](../../virtual-network/service-tags-overview.md) for more information about service tags supported by Azure Storage. |
36
37
| VNet injection support| N/A ||
37
-
| Network isolation and firewalling support| Yes ||
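Review bot: within the visible lines the removed `| Network isolation and firewalling support| Yes ||` row has no replacement, and the added `| Service tags support| Yes | ... |` row does not cover the same control; if the network isolation row is being dropped rather than reordered below the cut, the reason belongs in the commit message. Note also that this hunk (`This article documents the security controls built into Azure Storage`) appears to belong to the security-controls article rather than to `security-recommendations.md`, whose `+2-1` count does not account for it.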
articles/storage/queues/security-recommendations.md
2 additions & 1 deletion
@@ -8,7 +8,7 @@ author: tamram
8
8
ms.service: storage
9
9
ms.subservice: queues
10
10
ms.topic: conceptual
11
-
ms.date: 12/12/2019
11
+
ms.date: 03/11/2020
12
12
ms.author: tamram
13
13
ms.custom: security-recommendations
14
14
---
@@ -49,6 +49,7 @@ Azure Security Center periodically analyzes the security state of your Azure res
49
49
| Enable firewall rules | Configure firewall rules to limit access to your storage account to requests that originate from specified IP addresses or ranges, or from a list of subnets in an Azure Virtual Network (VNet). For more information about configuring firewall rules, see [Azure File Sync proxy and firewall settings](../files/storage-sync-files-firewall-and-proxy.md). | - |
50
50
| Allow trusted Microsoft services to access the storage account | Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. You can permit requests from other Azure services by adding an exception to allow trusted Microsoft services to access the storage account. For more information about adding an exception for trusted Microsoft services, see [Azure File Sync proxy and firewall settings](../files/storage-sync-files-firewall-and-proxy.md).| - |
51
51
| Use private endpoints | A private endpoint assigns a private IP address from your Azure Virtual Network (VNet) to the storage account. It secures all traffic between your VNet and the storage account over a private link. For more information about private endpoints, see [Connect privately to a storage account using Azure Private Endpoint](../../private-link/create-private-endpoint-storage-portal.md). | - |
52
+
| Use VNet service tags | A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. For more information about service tags supported by Azure Storage, see [Azure service tags overview](../../virtual-network/service-tags-overview.md). For a tutorial that shows how to use service tags to create outbound network rules, see [Restrict access to PaaS resources](../../virtual-network/tutorial-restrict-network-access-to-resources.md). | - |
52
53
| Limit network access to specific networks | Limiting network access to networks hosting clients requiring access reduces the exposure of your resources to network attacks. |[Yes](../../security-center/security-center-sql-service-recommendations.md)|
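Review bot: this `Use VNet service tags` row is byte-for-byte identical to the one added to `articles/storage/blobs/security-recommendations.md` in the same commit, and the neighbouring rows (including the `Azure File Sync proxy and firewall settings` links) are duplicated as well; consider an include file for the shared network-recommendation rows so the two tables do not drift.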
0 commit comments