Agenda

  1. Intro to Fabric as a SaaS platform
  2. Network and Identity security
  3. Workplace and Item security
  4. Secure and compliant by default
  5. Data security and governance

There is more data in the world. How do we translate data into competitive advantage?

  • There are more tools to handle this data, but that creates its own problems. An integrated solution is needed.

Intro to Fabric as a SaaS platform

  • Complete analytics platform: unified product, architecture, and experience.
  • Lake-centric and open: a common SaaS data lake shared by all compute engines. OneLake: one copy, always in sync.
  • Empower every Office user: familiar experience, built into Office.
  • Pervasive security and governance: built-in security and governance, end-to-end visibility, always governed, secure by default.
  • Purview, OneLake, AI (copilot), Data factory, Analytics (data engineering, data warehouse, data science), Databases, Real-time intelligence, and Power BI.

Modern data challenges

  • Bring data to the masses, everyone in the organization should be able to use data to make decisions.
  • Instant access to the latest data, no more waiting for data to be moved/copied or transformed.
  • Modern workforce, anywhere, any device.
  • At the same time, you need to secure, govern, and audit your data to protect customers and the company.
  • SaaS platforms are designed with these challenges in mind.
  • Shift from siloed PaaS to integrated SaaS.

Common network security requirements

  • Need to be able to connect to data inside a firewall/private link from Fabric (outbound).
  • Inbound protection (restrict inbound by network location)
  • Secure access to the backend services.
  • More stringent customers (FSI/HLS):
    • Traffic needs to be private (not via a public internet)
    • End points should not be open to the public internet

Existing PaaS world

  • PaaS services are disconnected from the public internet.
  • All communications between the services are configured to go through the private endpoint.
  • Developers connect to a VPN and connect to the backend services.
  • Data sources are connected through the self-hosted runtime inside a firewall.
  • When you access data in a Power BI report, the data is either imported into Power BI or queried through the gateway with DirectQuery.

Microsoft fabric - SaaS world

  • Users connect to the SaaS platform from the global network.
  • Endpoints and access are protected using Entra ID.
  • All internal communication between the experiences happens over the Microsoft backbone network.
  • When you access data in a Power BI report, the data is fetched directly from OneLake, instantly and securely, without copying or moving it.

Security layers in Microsoft Fabric

  • Network security: All traffic is encrypted and private. No public internet access.
  • Workspace & item security: All workspaces and items are secured by default. No public access.
  • Data security: All data is encrypted at rest and in transit. No public access.
  • Governance: All data is governed by default.
    • Regulations & certification
    • Data encryption
    • HA and DR
    • E2E auditability with Microsoft Purview
    • Information protection labels with Microsoft Purview
    • Additional advanced tools in Microsoft Purview
    • 3rd party and in-house governance & security solutions.

Network security

  • Users connect to the front-end services; Entra ID is used to authenticate and trust every request.
  • All the clusters are protected behind the back-end services and VNets.
  • Traffic between experiences goes over the Microsoft backbone network.
  • Traffic to Fabric uses TLS 1.2 or higher.

Authentication

  • Microsoft Entra ID is used to authenticate all requests to the Fabric services.
  • Inbound protection options:
    • Perimeter network security (from a limited set of known locations)
      • Private link for Fabric (to connect to the service from a private network). For on-prem: Express Route/ VPN. For Azure VNet: Peering.
        • Fabric is disconnected from the public internet.
        • Every user needs to connect to the private network, on every device, to get access.
        • No longer able to load resources locally (slower reports).
        • Increases ExpressRoute bandwidth needs and adds cost for private links.
      • Workspace-level private link for Fabric
        • For example: Workspace_1 contains OneLake, lakehouse, warehouse, notebook and Spark jobs. It is accessed through a private link; public access is disabled through Entra conditional access policies.
        • Workspace_2 contains Power BI reports, pipelines, semantic models, KQL databases etc. It is accessed through a public link; public access is enabled through Entra conditional access policies.
        • Workspace_2 can access Workspace_1 through private data access.
        • Selected workspaces can be connected to private links and closed off from the public internet.
        • Create a secure connection between public and private workspaces using private data access.
        • Public workspaces are secured through Entra policies, for example for Power BI use.
    • Zero trust approach (to unknown locations)
      • Verify explicitly (all requests are authenticated and authorized)
      • Least privilege access (only the minimum permissions are granted to the user)
      • Assume breach (all requests are treated as untrusted until proven otherwise)
  • Outbound protection options: covered under Data Exfiltration below.
  • MFA and passwordless authentication (to verify the identity of the user)
  • Conditional access policies (to restrict access to the service based on the location, device, and user)
    • Common decisions: Block, Grant, Require MFA.
    • Based on users and groups, network location, applications, devices.
  • Identity protection (to detect and respond to suspicious activity in the service)

Getting data into Fabric

How to connect/load data in the VNET from Fabric?

  • Fabric pipelines (COPY) - on-prem data gateway
  • Dataflows Gen2 - on-prem data gateway and VNET data gateway
  • OneLake shortcuts - On-prem data gateway.
  • Trusted workspace access: shortcut to ADLS gen2, Fabric pipelines (COPY), COPY INTO DW

Data Exfiltration

  • Workspace-level control to restrict outbound access to public networks.
  • Restrict outbound connections to permitted destinations only.
    • For example: you will not be able to use non-allowlisted external storage or the internet, but you can use allowlisted external storage.
  • Currently (Q2 2025) it is only available for the Data Engineering experience. In future, it will be available for Data Factory, Power BI and RTA.
  • Fabric allows tracking user activities for connection creation and use in the usage logs and the Purview audit log.

Workspace and Item security

Multiple layers of security and access control.

  • Platform level access
    • Entra ID (authentication and authorization)
    • Inbound through private link or conditional access policies
  • Domain specific configuration by domain admin
  • Workspace level access.
    • Boundary for managing artifacts. E.g., admin, contributor and viewer roles.
  • Compute security
    • e.g., Warehouse access through GRANT/DENY, or semantic model and Warehouse RLS/OLS.
  • Item level access
    • e.g., read-all access only via OneLake, or read access to only a subset of the data. More granular roles for files and folders.
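As an added example (not part of the course notes), here is what the compute-security layer above looks like in a Fabric Warehouse in T-SQL: object-level GRANT/DENY, column-level DENY, and a row-level security policy keyed on USER_NAME(). The schema, table, column and user principal names are assumed placeholders.

```sql
-- Object-level security: the analyst may read the orders table only.
-- [analyst@contoso.com] is a placeholder Entra user already granted access to the warehouse.
GRANT SELECT ON OBJECT::sales.Orders TO [analyst@contoso.com];

-- Column-level security: deny the sensitive column even though the table is readable.
-- A SELECT * from this principal now fails; SELECT of the other columns still works.
DENY SELECT ON OBJECT::sales.Orders (CardNumber) TO [analyst@contoso.com];
GO

-- Row-level security: a schema-bound predicate function that returns a row
-- only when the row's SalesRep matches the caller, or the caller is the manager.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_salesrep_predicate (@SalesRep AS nvarchar(256))
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_salesrep_predicate_result
    WHERE @SalesRep = USER_NAME()          -- USER_NAME() is the caller's UPN in Fabric
       OR USER_NAME() = 'manager@contoso.com';  -- placeholder manager principal sees all rows
GO

-- Bind the predicate to the table as a filter: every engine that reads sales.Orders
-- through the SQL endpoint gets the filtered view, not just one report.
CREATE SECURITY POLICY Security.SalesRepFilter
    ADD FILTER PREDICATE Security.fn_salesrep_predicate(SalesRep) ON sales.Orders
    WITH (STATE = ON);
GO

-- Verification from the analyst's session: only rows where SalesRep = USER_NAME()
-- come back, and CardNumber cannot be selected.
SELECT OrderId, SalesRep, Amount FROM sales.Orders;
```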

OneLake security (coming soon) spanning compute level, item level and OneLake

  • Define security once at the file and folder level in OneLake.
  • Security is defined once and propagated to OneLake and every compute engine, for access control and OLS/RLS.

Fabric encryption and multi-geo: data residency

  • All data at rest is encrypted by default by Fabric. CMK for OneLake is coming soon in 2025 Q2.
  • Fabric multi-geo capacities allow control over the content storage location, in one of 54 data centers world-wide.
  • OneLake logically spans the world: workspaces can reside in different regions around the world while still being part of the same data lake.

Compliance with Fabric

  • GDPR, EUDB, ISO 27001, SOC 1, SOC 2, SOX compliant, HIPAA, HITRUST, FedRAMP, and more.

Data security and governance

  1. Information protection - Once the data is classified, the data protection labels are applied everywhere. Even if you export the data as an Excel file, you will see the data label. All the data lineage will carry the data label.
  2. Data loss prevention - automatically identify sensitive data and apply protection policies to prevent data loss. For example, credit card numbers, social security numbers, and other sensitive information.
  3. Insider risk management
    • Discover and auto-classify data and prevent it from unauthorized use across apps, services, and devices.
    • Understand the user intent and context around sensitive data to identify the most critical risks.
    • Enable adaptive protection to assign appropriate DLP policies to high-risk users.

Metadata & lineage

  • Fabric lineage
  • Onelake catalog
  • Purview Unified catalog

Auditing

  • Admin monitoring and auditing
  • Purview audit

Source: Fabric security course