Framework/Configurations/SVT/Services/DataFactory.json

{
  "FeatureName": "DataFactory",
  "Reference": "aka.ms/azsdkosstcp/adf",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_DataFactory_DP_LinkSvc_Encrypt_In_Transit",
      "Description": "Linked Service must use encryption in transit",
      "Id": "DataFactory110",
                         "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDataFactoryLinkedService",
      "Recommendation": "A Linked Service acts as the channel used to transfer data between a data source and ADF, so that channel must be encrypted throughout the transit of the data (e.g. Linked Services of type Azure Storage account must have an HTTPS endpoint in the service JSON; similarly, the service JSON config of a SQL Server Linked Service must have Encrypt=True in its connection string, etc.).",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_AuthZ_Grant_Min_Access",
      "Description": "User accounts/roles connecting to data source must have minimum required permissions",
      "Id": "DataFactory120",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "All user accounts/roles involved in Azure Data Factory must have only the minimum required access rights to the data source (e.g. if ADF only fetches data from a data source, the user role must have read-only access).",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Config_Lockdown_DMG_Server",
      "Description": "Data Management Gateway (if used) must be installed on a locked down machine",
      "Id": "DataFactory130",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Locking down the machine isolates the DMG tool and prevents malfunctioning programs from damaging or snooping on the data source machine.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Config"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Deploy_Register_DMG_Securely",
      "Description": "Data Management Gateway (if used) must be registered in secure way",
      "Id": "DataFactory140",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "The gateway key must be exchanged between the Azure Portal and the DMG tool for registration. Manual handling of this key may introduce operational risk, so registration of the DMG tool must be done via PowerShell. For more information, visit https://docs.microsoft.com/en-us/azure/data-factory/data-factory-data-management-gateway#powershell-cmdlets",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Deploy"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_DP_Rotate_Gateway_Key",
      "Description": "Data Gateway (on Azure Portal) key must be rotated at regular interval",
      "Id": "DataFactory150",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Key rotation is widely regarded as a security measure to defend against potential brute force attacks, so the Data Gateway key must be rotated every six months or whenever the DMG service account password is renewed.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_AuthZ_Use_Svc_Acct_for_DMG",
      "Description": "Linked Service must be configured using a Service account when Data Management Gateway is used",
      "Id": "DataFactory160",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Configuring a Linked Service involves credentials (username, password, etc.) for the data source. To avoid handling these credentials directly, a service account should be used when DMG is used to access the data source.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "AuthZ"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_DP_Encrypt_Sensistive_Fields",
      "Description": "Sensitive data which is not part of computation must be encrypted",
      "Id": "DataFactory170",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "Sensitive data such as email addresses, phone numbers, credit card numbers and passwords must be encrypted with a strong encryption mechanism throughout the ADF life cycle.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "DP"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_DataFactory_Audit_Enable_Logging_and_Monitoring",
      "Description": "Monitoring must be enabled in Azure Data Factory",
      "Id": "DataFactory180",
                         "ControlSeverity": "Medium",
      "Automated": "No",
      "MethodName": "",
      "Recommendation": "For more information visit: https://docs.microsoft.com/en-us/azure/data-factory/data-factory-monitor-manage-app",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "Audit"
      ],
      "Enabled": true
    }
  ]
}