Microsoft Fabric Data Security

MS Fabric Logo

It seems like a trusim that as you “Democratize your data”, and spread the power of accurate decision making to more and more of your people, the risk of data breaches must increase?  Microsoft have worked hard to make your data more secure even while broadening access to it.  Some of this s just the way that Fabric has been built, but there’s also tools to manage access to sensitive data in your reports and control to whom your reports are distributed.  

Comset’s Analysts will work through this with you as a key part of your data project, but here are some of the tools at an analysts disposal.

Security built into Fabric and Azure

It is worth highlighting that strong organizational security is built into every aspect of these products.  Most importantly Microsoft “Active Directory”, now called “Entra” manages each log-in account in most organizations and ensures that access to the correct assets can be granted and removed as required. 

Entra also works with third party products so you can control access to all your tools with a single login.  And this is right at the heart of Azure and Fabric security.

How Microsoft manage their Azure data centres, physical and digital access, encryption, firewalls and so on is an essential contributor to the security if your data, but beyond the scope of this article.

Security built into your data

As your data is going to be shared widely and used to help reporting and decision making, it makes sense to control access rules as far upstream as possible.  Sensitive data can be marked as close to the source as possible in Microsoft OneLake.  For example if your organizational salaries list is only available to your HR department and directors, then this can be defined for those groups in One Lake.  When your data is fed out into data sets, reports and potentially exported to other file formats, it won’t be included except to those groups.  This is known as “Column” level security, where a whole column of data (in this case Salary), is controlled wherever it goes in the organization.

Microsoft also build another level of data security with their OneLake technology.  Each piece of data, table, column or file once written to OneLake as a Parquet file is never altered or removed.  Instead over time other Parquet files are added to record changes, additions or deletions.  This means that at any point in time the entire history of your data can be reassembled, including every alteration that has been carried out.  Clearly this gives you a high level of visibility over the history of your data, and what has been done by whom and when.   

Security built into your reports

Some elements of security need to be built into the report itself.
For example you have a report listing the status of properties under management by a number of different agents, but you want each agent to see only their own data.

“Row level security” attaches the logged in user (in this case let’s say Julie at landonproperties.com) to the Landon Properties organization, which in turn is linked to all the properties under management by that company.

When Julie logs in she can only ever see her own data, while Tony Thompson from Maytree Estates sees all his own properties on the same report.  This prevents you from having to create a separate report for each of your 120 property agents.

There are also a set of permissions built into Power BI to control what can be done by the end user. Read-only access is available to those you don’t want editing reports.

Security based on Report Distribution Method

Different distribution methods imply different levels of access control. 

  • A report sent to a user as a PBIX file can be viewed, edited or administered depending on that user’s permissions within Microsoft Fabric.
  • A report published in a “Power BI App” can’t be edited but its data remains dynamic. 
  • The same report exported as a Tabular report or a PDF is read only and non-interactive.
  • A report embedded on a web page can be viewed by anyone with access to that web page, its data will be interactive, but the viewer will be unable to make changes.

Security Accreditations in Microsoft Fabric

In A blog post on 1st February 2024, Microsoft Announced a number of important security accreditations for Microsoft Fabric. These are: HIPAA and ISO 27017, ISO 27018, ISO 27001, ISO 27701. A very short summary of each:

  • HIPAA – a US Act relating to the management of sensitive health data. [HIPAA]
  • ISO 27017 – Security controls for Cloud Services [BSI] [ISO 27017]
  • ISO 27018 – Standards for the protection of PII in Public Clouds [BSI] [ISO 27018]
  • ISO 27001 – Risk Management Framework for Information Security [BSI] [ISO 27001]
  • ISO 27701 – Security Techniques for Privacy Information Management [BSI] [ISO 27701]

Related data security tools

Microsoft Purview is an important tool that helps you manage data security and access throughout your organization.  Without going into too much detail, it interrogates all your data, makes its own decisions as to how sensitive that data is, and has a system for marking up data to make its consumers aware.  So a set of data containing PII (Personally identifiable information) will be marked with a note, both in reports or if exported to another file format, warning the user of the sensitivity level of the data.  Purview also tracks user actions and flags up any suspicious use of data to Admins.  And it is deeply integrated throughout Fabric, so that all your data benefits from the additional level of audit and security that it provides. [Microsoft Purview]

Additional security in a Power BI Premium Capacity

If you purchase a premium Fabric capacity there are some additional security enhancements.  While all data at-rest anywhere in OneLake is encrypted, this is taken to another level in a Premium capacity as you can bring your own encryption key (BYOK).  With BYOK you have the additional compliance advantage of being in control of your own security key, and should there be a serious data breach you can

Security Summary

We’ve seen that there are many levels to security within Microsoft Fabric and Power BI, as is essential for what will be a flagship product in the world of Data Management and Analytics. While the aspiration is to make data more accessible and usable by those that need it in an organization, the access controls have had to keep pace with that, making data quality and access more controllable and more easy to control.

Despite the range of security features already available, expect further development in this area as Fabric is still early in its life.