Security & Compliance Interview Q&A
25 interview questions on Azure data security, compliance, and access control
Question 1: What is the difference between Microsoft-managed and Customer-managed keys?
Answer: Microsoft-managed keys (the default): Azure generates, stores and rotates the key, and the customer never handles it. Customer-managed keys (CMK): the key lives in the customer's Key Vault or Managed HSM; the customer controls rotation and access, can revoke the service's access (which makes the data unreadable), and gets every key operation in the Key Vault audit log. The data is encrypted with the same cipher either way; choose CMK where regulation requires demonstrable control of the key lifecycle.
Question 2: How do you implement zero-trust security?
Answer: Zero trust means verifying every request explicitly, granting least privilege, and assuming breach. For Azure data services that translates to: 1) Private Endpoints with public network access disabled, 2) Managed Identities instead of keys and connection strings, 3) RBAC with least privilege at the narrowest scope, 4) network segmentation with NSGs and dedicated subnets, 5) encryption at rest and in transit, 6) continuous monitoring through diagnostic logs and Defender alerts.
Question 3: What is the benefit of Managed Identities?
Answer: Nothing to store or distribute: Azure issues and rotates the identity's credential automatically, authentication goes through Azure AD, and permissions are granted with granular RBAC. Prefer managed identities over storage account keys and connection strings, and disable shared key access on storage accounts where possible so identity-based access is enforced rather than merely available.
Question 4: How do you implement data encryption at rest?
Answer: Azure Storage (storage service encryption) and Azure SQL/Synapse (transparent data encryption) encrypt data at rest by default with Microsoft-managed keys, and this cannot be switched off. The decision is whether to bring customer-managed keys (CMK) from Key Vault for the accounts and databases that hold regulated data, and whether to add infrastructure (double) encryption where policy demands it.
Question 5: What is the purpose of Key Vault?
Answer: Centralized storage for secrets, keys and certificates, with access controlled through Azure AD and RBAC, an audit trail of every operation via diagnostic logs, soft delete and purge protection against accidental or malicious deletion, and integration with Azure services (CMK for storage and SQL, Key Vault references from App Service, Data Factory and Synapse linked services) so applications never hold credentials themselves.
Question 6: How do you implement RBAC for data services?
Answer: Assign roles at the narrowest scope that works (resource, then resource group, then subscription, then management group), to Azure AD groups rather than individual users, and prefer data-plane roles (for example Storage Blob Data Reader) over control-plane roles such as Contributor, which do not grant data access directly but can list storage account keys. Use built-in roles first and custom roles only when none fits. For Key Vault, prefer the Azure RBAC permission model over the legacy vault access policies.
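Worked example for this answer (added here, not part of the original Q&A): a small review that flags the three problems the answer warns about, privileged roles at broad scope, roles assigned directly to users, and Contributor/Owner on a storage account where a data-plane role would do. The records mirror the fields of `az role assignment list --all --output json`; the assignments, names and subscription id are constructed for illustration.

```python
"""Least-privilege review of Azure RBAC role assignments.

Added example, not code from the original page. Each record mirrors the fields of
`az role assignment list --all --output json` (principalName, principalType,
roleDefinitionName, scope); the assignments below are constructed for illustration.
"""
import re

# Control-plane roles that reach data indirectly: Owner and Contributor include
# Microsoft.Storage/storageAccounts/listKeys/action, so they can fetch account keys.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"management_group", "subscription"}

SCOPE_PATTERNS = [
    ("management_group", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource_group", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+", re.I)),
]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
STORAGE = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdatalake"

ASSIGNMENTS = [  # constructed sample, shaped like az role assignment list output
    {"principalName": "grp-data-engineers", "principalType": "Group",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "adf-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": STORAGE},
    {"principalName": "grp-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-data"},
]


def scope_level(scope):
    """Classify an ARM scope string into the RBAC hierarchy level it targets."""
    for level, pattern in SCOPE_PATTERNS:
        if pattern.match(scope):
            return level
    return "unknown"


def review(assignments):
    """Return (severity, principal, message) findings for assignments that break least privilege."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        who = f'{a["principalType"]} {a["principalName"]}'
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            findings.append(("HIGH", who, f"{role} at {level} scope; narrow it to a resource group "
                                          "or resource, or make it a PIM-eligible assignment"))
        if a["principalType"] == "User":
            findings.append(("MEDIUM", who, f"{role} granted directly to a user; assign roles to an Azure AD group"))
        if role in PRIVILEGED_ROLES and "/providers/microsoft.storage/" in a["scope"].lower():
            findings.append(("MEDIUM", who, f"{role} on a storage account can list the account keys; "
                                            "use Storage Blob Data Reader/Contributor instead"))
    return findings


def by_severity(findings):
    """Count findings per severity, for a quick summary line."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, who, message in review(ASSIGNMENTS):
        print(f"[{severity}] {who}: {message}")
```

Feed it the real output of `az role assignment list --all --output json` and the group-only rule alone usually finds most of the drift on a long-lived subscription.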
Question 7: What is the benefit of Private Endpoints?
Answer: The service gets a private IP address in your VNet, so traffic stays on the Microsoft backbone and public network access on the resource can be disabled; NSGs and route tables apply to the private endpoint once network policies are enabled on its subnet; name resolution goes through Private DNS Zones (for example privatelink.blob.core.windows.net) so clients keep using the public hostname. Essential for enterprise data platforms because it removes the storage account or database from the internet-facing attack surface entirely.
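Worked example covering Questions 1, 3, 4 and 7 together (added here, not part of the original Q&A): a posture check that reads a storage account description in the shape of `az storage account show --output json` and reports every setting that is still at its weak value, with the `az storage account update` flag that fixes it. The two accounts are constructed, one deliberately weak and one hardened; the vault and subnet placeholders in the remediation strings are assumptions to be filled in.

```python
"""Posture check for an Azure Storage account.

Added example, not code from the original page. The input dictionary mirrors the
shape of `az storage account show --name <acct> --output json` (keys such as
encryption.keySource, minimumTlsVersion, enableHttpsTrafficOnly); the two accounts
below are constructed for illustration, not real resources.
"""

TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed

WEAK = {  # constructed: every control at its default or weakest value
    "id": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdatalakeweak",
    "name": "stdatalakeweak", "resourceGroup": "rg-data",
    "encryption": {"keySource": "Microsoft.Storage"},
    "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": None, "allowBlobPublicAccess": True,
    "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"},
    "privateEndpointConnections": [],
}

HARDENED = {  # constructed: CMK, identity-only access, private endpoint only
    "id": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdatalake",
    "name": "stdatalake", "resourceGroup": "rg-data",
    "encryption": {"keySource": "Microsoft.Keyvault"},
    "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": False, "allowBlobPublicAccess": False,
    "publicNetworkAccess": "Disabled", "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [{"name": "pe-blob",
                                    "privateLinkServiceConnectionState": {"status": "Approved"}}],
}


def check_storage_account(acct, require_cmk=True):
    """Return (control, detail, remediation) tuples; an empty list means hardened."""
    name, rg = acct["name"], acct["resourceGroup"]
    fix = f"az storage account update -n {name} -g {rg}"
    findings = []

    # Q1/Q4: key ownership. Encryption is always on; what varies is who holds the key.
    if require_cmk and acct["encryption"]["keySource"] != "Microsoft.Keyvault":
        findings.append(("customer-managed key", "data encrypted with Microsoft-managed keys",
                         f"{fix} --encryption-key-source Microsoft.Keyvault "
                         "--encryption-key-vault <vault-uri> --encryption-key-name <key-name>"))

    # Q11-style transit controls: reject plaintext HTTP and legacy TLS.
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("https only", "HTTP is accepted", f"{fix} --https-only true"))
    min_tls = acct.get("minimumTlsVersion") or "TLS1_0"
    if TLS_ORDER.index(min_tls) < TLS_ORDER.index("TLS1_2"):
        findings.append(("minimum TLS", f"minimum TLS is {min_tls}", f"{fix} --min-tls-version TLS1_2"))

    # Q3: force Azure AD (managed identity) access; account keys and account SAS are then rejected.
    if acct.get("allowSharedKeyAccess") is not False:  # None means shared key is still allowed
        findings.append(("shared key access", "account keys and account SAS are accepted",
                         f"{fix} --allow-shared-key-access false"))
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("anonymous blob access", "containers may be made public",
                         f"{fix} --allow-blob-public-access false"))

    # Q7: network exposure. Target state is private endpoint plus public access disabled.
    if acct.get("publicNetworkAccess") != "Disabled":
        default_action = acct.get("networkRuleSet", {}).get("defaultAction", "Allow")
        detail = "reachable through firewall allow-list" if default_action == "Deny" else "open to the internet"
        findings.append(("public network access", detail, f"{fix} --public-network-access Disabled"))
    if not acct.get("privateEndpointConnections"):
        findings.append(("private endpoint", "no private endpoint connection",
                         f"az network private-endpoint create -n {name}-pe -g {rg} --vnet-name <vnet> "
                         f"--subnet <subnet> --private-connection-resource-id {acct['id']} "
                         f"--group-id blob --connection-name {name}-pe-conn"))
    return findings


if __name__ == "__main__":
    for acct in (WEAK, HARDENED):
        print(acct["name"], "findings:", len(check_storage_account(acct)))
        for control, detail, remediation in check_storage_account(acct):
            print(f"  {control}: {detail}\n    {remediation}")
```

Run it over `az storage account list --output json` to get the same report for every account in a subscription; `require_cmk=False` is appropriate for accounts that hold nothing regulated.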
Question 8: How do you handle GDPR compliance?
Answer: Classify PII with Purview so you know where it lives, implement a DSAR (Data Subject Access Request) process that can find every record for a person, support the right to erasure including in derived data sets and backups, track consent alongside the data, and maintain audit logs that show who accessed personal data and why.
Question 9: What is the benefit of sensitivity labels?
Answer: Classify data by sensitivity (Public, Internal, Confidential, Highly Confidential) and attach the protection (encryption, access restrictions, DLP rules) to the label rather than to each file or column, so the policy follows the data. Purview can apply labels automatically based on the classifications it finds when scanning.
Question 10: How do you audit data access?
Answer: Enable diagnostic settings on each service (storage, SQL, Synapse, Key Vault) and send them to a Log Analytics workspace; write KQL queries that answer who accessed what, from which address and with which credential type; turn the important ones into alert rules; and keep the logs for the retention period your regulation requires, archiving to a storage account if workspace retention is too short.
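Worked example for this answer (added here, not part of the original Q&A): the kind of detection logic you would put behind an alert rule, run here over constructed records shaped like rows of the StorageBlobLogs table that storage diagnostic settings write to Log Analytics. It flags access that did not use Azure AD (OAuth), callers outside the expected network ranges, and bursts of authorization failures from one address. The allowed ranges, account name and sample rows are assumptions for the example; the KQL constant is the Log Analytics form of the first rule.

```python
"""Detection logic over StorageBlobLogs-style diagnostic records.

Added example, not from the original page. The records below are constructed to
resemble rows that storage diagnostic settings write to the StorageBlobLogs table
in Log Analytics (TimeGenerated, OperationName, AuthenticationType,
CallerIpAddress, StatusCode); the allowed network ranges are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ranges from which access is expected: the data platform VNet and an office egress (assumed).
ALLOWED_CIDRS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Equivalent KQL for the first rule, kept with the code so the alert rule matches it.
KQL_NON_OAUTH = """
StorageBlobLogs
| where TimeGenerated > ago(1h)
| where AuthenticationType != "OAuth"
| summarize count() by AccountName, AuthenticationType, CallerIpAddress
"""

URI = "https://stdatalake.blob.core.windows.net/raw/orders.parquet"  # constructed
LOG = [  # constructed sample rows
    {"TimeGenerated": "2024-06-01T10:00:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "10.0.1.4:52314", "RequesterObjectId": "adf-prod-mi", "StatusCode": 200, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:02:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "SAS",
     "CallerIpAddress": "203.0.113.7:44010", "RequesterObjectId": "", "StatusCode": 200, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:03:00+00:00", "OperationName": "PutBlob", "AuthenticationType": "AccountKey",
     "CallerIpAddress": "10.0.1.5:60122", "RequesterObjectId": "", "StatusCode": 201, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:05:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "198.51.100.9:40001", "RequesterObjectId": "user-7f1c", "StatusCode": 403, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:06:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "198.51.100.9:40002", "RequesterObjectId": "user-7f1c", "StatusCode": 403, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:07:00+00:00", "OperationName": "ListBlobs", "AuthenticationType": "OAuth",
     "CallerIpAddress": "198.51.100.9:40003", "RequesterObjectId": "user-7f1c", "StatusCode": 403, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:30:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "192.0.2.10:50100", "RequesterObjectId": "user-a3d9", "StatusCode": 200, "Uri": URI},
    {"TimeGenerated": "2024-06-01T10:31:00+00:00", "OperationName": "GetBlob", "AuthenticationType": "OAuth",
     "CallerIpAddress": "10.0.1.4:52399", "RequesterObjectId": "adf-prod-mi", "StatusCode": 403, "Uri": URI},
]


def caller_ip(value):
    """StorageBlobLogs records IPv4 callers as 'address:port'; strip the port."""
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def in_allowed_range(ip, cidrs=ALLOWED_CIDRS):
    addr = ipaddress.ip_address(ip)
    return any(addr in cidr for cidr in cidrs)


def detect(records, cidrs=ALLOWED_CIDRS, fail_threshold=3, window=timedelta(minutes=5)):
    """Return {rule: set of caller addresses} for the three rules described above."""
    findings = {"non_oauth": set(), "unexpected_ip": set(), "auth_failure_burst": set()}
    failures = defaultdict(list)
    for r in records:
        ip = caller_ip(r["CallerIpAddress"])
        if r["AuthenticationType"] != "OAuth":        # key or SAS access bypasses identity controls
            findings["non_oauth"].add(ip)
        if not in_allowed_range(ip, cidrs):
            findings["unexpected_ip"].add(ip)
        if r["StatusCode"] in (401, 403):
            failures[ip].append(datetime.fromisoformat(r["TimeGenerated"]))
    for ip, times in failures.items():
        times.sort()
        # sliding window: fail_threshold or more denials within `window` of any start point
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= fail_threshold:
                findings["auth_failure_burst"].add(ip)
                break
    return findings


if __name__ == "__main__":
    for rule, callers in detect(LOG).items():
        print(f"{rule}: {sorted(callers)}")
```

The same three rules translate directly into scheduled KQL alert rules; the burst rule is a `summarize count() by CallerIpAddress, bin(TimeGenerated, 5m)` with a threshold on the count.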
Question 11: What is the difference between encryption at rest and in transit?
Answer: At rest: data is encrypted when written to disk (AES-256), which protects against stolen media and direct access to the storage layer. In transit: data is encrypted on the network (TLS 1.2 or later; enforce HTTPS only and a minimum TLS version on the storage account), which protects against interception. Both are required for compliance; neither protects data from a caller who is authorized to read it, which is what RBAC and row-level controls are for.
Question 12: How do you implement HIPAA compliance?
Answer: Encrypt PHI with CMK, implement access controls (RBAC plus row- and column-level security), enable audit logging of every access, sign a Business Associate Agreement (BAA) with Microsoft and use only services in scope of it, and implement data retention and disposal policies.
Question 13: What is the benefit of Azure Defender for Storage?
Answer: Azure Defender for Storage (now Microsoft Defender for Storage) detects anomalous access patterns (unusual locations, unusually large downloads, use of a SAS token that may have leaked), malware in uploaded blobs, and exposure of sensitive data. It raises alerts with the context needed to triage them and recommendations for the weak configurations it finds.
Question 14: How do you handle data retention policies?
Answer: Use lifecycle management rules on storage to tier and delete data by age, configure retention periods in databases, apply Purview retention labels so the policy follows the record, use immutability (WORM) policies where records must not be deleted before the period ends, and automate cleanup so retention is enforced rather than aspirational.
Question 15: What is the difference between authentication and authorization?
Answer: Authentication verifies who the caller is (Azure AD issues a token after checking credentials and MFA). Authorization decides what the verified identity may do (RBAC role assignments, plus data-level controls such as row-level security). Both are required: a valid token with no role assignment gets nothing.
Question 16: How do you implement MFA for data engineering?
Answer: Enforce Azure AD MFA through Conditional Access policies (for example, require MFA for the Azure portal and management APIs and for any access to Synapse or storage from outside trusted locations), and use Privileged Identity Management for just-in-time, approved admin access instead of standing privileges. Pipelines and services use managed identities, which are not subject to MFA, so interactive user credentials should never be embedded in them.
Question 17: What is the benefit of network security groups?
Answer: Filter traffic at the subnet or NIC level with priority-ordered allow/deny rules, using service tags (Storage, AzureActiveDirectory) for required outbound traffic, and implement micro-segmentation between data engineering workloads so a compromised compute node cannot reach every data store. Enable network policies on private endpoint subnets so NSG rules apply there too.
Question 18: How do you handle secret rotation?
Answer: Give every secret an expiry date in Key Vault, then subscribe to the Key Vault SecretNearExpiry Event Grid event (or use a timer-triggered Azure Function) to generate a new credential at the source system and store it as a new secret version. Have consumers (linked services, apps, connection strings) read by Key Vault reference so they pick up the new version without a redeploy, and keep the previous credential valid for a short overlap window so in-flight consumers are not broken.
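Worked example for this answer (added here, not part of the original Q&A): the decision logic of a rotation job, modelled on Key Vault secret versions without calling the service. It finds secrets that have no expiry or are about to expire, creates a successor version, and only disables the superseded version once the new one has been available for an overlap window. The `rotation-days` tag is an assumed naming convention and the secrets are constructed; in a real Function the same `plan()` runs on the SecretNearExpiry event and `rotate()` would end with `SecretClient.set_secret(name, value, expires_on=..., tags=...)` from azure-keyvault-secrets.

```python
"""Secret rotation planning with version overlap.

Added example, not from the original page. Key Vault secret versions are modelled
with a dataclass instead of calling the service; the `rotation-days` tag is an
assumed convention and the secrets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class SecretVersion:
    name: str
    version: str
    value: str
    enabled: bool
    created_on: datetime
    expires_on: Optional[datetime]
    tags: dict = field(default_factory=dict)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

VERSIONS = [  # constructed: what a listing of all versions across the vault might return
    SecretVersion("sql-etl-password", "v1", "Old-Etl-P@ss", True,
                  datetime(2024, 5, 5, tzinfo=timezone.utc), datetime(2024, 6, 4, tzinfo=timezone.utc),
                  {"rotation-days": "30", "source": "sql"}),
    SecretVersion("adls-sas-token", "v1", "sv=2023-old", True,
                  datetime(2024, 5, 20, tzinfo=timezone.utc), datetime(2024, 8, 18, tzinfo=timezone.utc),
                  {"rotation-days": "90"}),
    SecretVersion("adls-sas-token", "v2", "sv=2023-new", True,
                  datetime(2024, 5, 25, tzinfo=timezone.utc), datetime(2024, 8, 23, tzinfo=timezone.utc),
                  {"rotation-days": "90"}),
    SecretVersion("api-key-legacy", "v1", "k-legacy", True,
                  datetime(2024, 1, 10, tzinfo=timezone.utc), None, {}),
]


def rotation_interval(sv):
    """How long a version should live; 90 days when the tag is missing."""
    return timedelta(days=int(sv.tags.get("rotation-days", "90")))


def plan(versions, now, lead=timedelta(days=7), overlap=timedelta(days=2)):
    """Decide what to do with each secret.

    Returns (to_rotate, to_disable): the current version of every secret that has no
    expiry or expires within `lead`, and superseded versions that are still enabled
    although the newer version has been available for at least `overlap`.
    """
    by_name = {}
    for v in versions:
        by_name.setdefault(v.name, []).append(v)
    to_rotate, to_disable = [], []
    for vs in by_name.values():
        vs.sort(key=lambda v: v.created_on)
        current, older = vs[-1], vs[:-1]
        if current.expires_on is None or current.expires_on - now <= lead:
            to_rotate.append(current)
        to_disable.extend(v for v in older if v.enabled and now - current.created_on >= overlap)
    return to_rotate, to_disable


def rotate(current, now, new_value=None):
    """Create the successor version. The previous version stays enabled so consumers
    that cached it keep working until plan() disables it after the overlap window."""
    return SecretVersion(
        name=current.name,
        version=secrets.token_hex(16),                  # Key Vault version ids are 32 hex chars
        value=new_value if new_value is not None else secrets.token_urlsafe(32),
        enabled=True,
        created_on=now,
        expires_on=now + rotation_interval(current),   # expiry is what drives the next rotation
        tags=dict(current.tags),
    )


if __name__ == "__main__":
    to_rotate, to_disable = plan(VERSIONS, NOW)
    for v in to_rotate:
        successor = rotate(v, NOW)
        print(f"rotate {v.name}: new version {successor.version} expires {successor.expires_on.date()}")
    for v in to_disable:
        print(f"disable {v.name} version {v.version}")
```

The value passed to `rotate()` must come from the source system (a new SQL login password, a freshly issued SAS); the random default is only for secrets the vault itself is the source of, such as API keys you hand out.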
Question 19: What is the benefit of Purview for compliance?
Answer: Automated data discovery and classification across sources, lineage that shows where sensitive data flows, and compliance reporting mapped to frameworks such as GDPR, HIPAA, SOC 2 and FedRAMP, so evidence for an audit comes from the catalog rather than from spreadsheets.
Question 20: How do you implement row-level security?
Answer: Use row-level security in Synapse SQL or Azure SQL (a security policy that applies a predicate function to every query against the table, typically comparing a column to the caller's identity or SESSION_CONTEXT), Cosmos DB resource tokens scoped to a partition key, or application-level filtering based on the user's identity and claims. Prefer enforcement in the database, because application-level filtering is bypassed by any client that connects directly.
Question 21: What is the difference between soft delete and purge protection?
Answer: Soft delete: deleted secrets, keys, certificates and whole vaults are retained for a configurable period (7 to 90 days) and can be recovered. Purge protection: prevents anyone, including Owners, from permanently deleting (purging) a soft-deleted item before that period ends, and once enabled it cannot be turned off. Soft delete is on by default for new vaults; enable purge protection as well, especially for vaults holding CMK keys, because losing the key makes the encrypted data unreadable.
Question 22: How do you handle cross-tenant security?
Answer: Use Azure AD B2B guest accounts for external users, restrict which tenants may collaborate with Azure AD cross-tenant access settings, apply Conditional Access policies to guests (MFA, device and location requirements), and grant them least-privilege, time-bound roles at the narrowest scope.
Question 23: What is the benefit of Azure Sentinel for data security?
Answer: Azure Sentinel (now Microsoft Sentinel) is the cloud SIEM/SOAR: it ingests the diagnostic and audit logs from storage, SQL, Key Vault and Azure AD, correlates them with analytics rules and threat intelligence, groups alerts into incidents, and runs playbooks for response, so data-access anomalies are investigated alongside identity and network signals instead of in isolation.
Question 24: How do you implement data masking?
Answer: Use dynamic data masking in Synapse SQL or Azure SQL to hide column values from non-privileged users at query time, column-level security (DENY SELECT on the column) where users should not see the column at all, and Purview sensitivity labels to find the columns that need either. Dynamic masking is not a substitute for access control: users can still filter on the masked column and infer its values, and anyone with the UNMASK permission sees plaintext.
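Worked example covering Questions 20 and 24 together (added here, not part of the original Q&A): the "application-level filtering" option from Question 20 and the masking behaviour from Question 24, reproduced in Python so they can be run without a database. The row predicate and the mask functions mirror what a SQL security policy and the dynamic data masking functions email(), partial() and default() do, including the inference caveat: the WHERE clause is evaluated on plaintext, so a masked user can still confirm a value by filtering on it. The table rows, the region claim and the role names (analyst, compliance, unmask) are constructed for illustration.

```python
"""Application-level row-level security and dynamic masking.

Added example, not from the original page. It reproduces in Python what a
Synapse/Azure SQL security policy (row predicate) and dynamic data masking do;
the rows, the region claim and the role names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    region: str          # claim the row predicate compares against


ROWS = [  # constructed sample table
    {"id": 1, "region": "east", "email": "alice@contoso.com", "ssn": "123-45-6789", "phone": "555-0100"},
    {"id": 2, "region": "east", "email": "bob@contoso.com",   "ssn": "987-65-4321", "phone": "555-0101"},
    {"id": 3, "region": "west", "email": "carol@contoso.com", "ssn": "555-12-3456", "phone": "555-0102"},
]


# Masking functions mirroring SQL dynamic data masking: email(), partial(), default().
def mask_email(v):
    """email(): keep the first character, replace the rest with XXX@XXXX.com."""
    return v[0] + "XXX@XXXX.com"


def mask_partial(v, prefix, padding, suffix):
    """partial(prefix, padding, suffix): expose `prefix` leading and `suffix` trailing chars."""
    return v[:prefix] + padding + (v[len(v) - suffix:] if suffix else "")


def mask_default(v):
    """default(): XXXX for strings (fewer if shorter), 0 for numbers."""
    return "X" * min(4, len(v)) if isinstance(v, str) else 0


MASKS = {
    "email": mask_email,
    "ssn": lambda v: mask_partial(v, 0, "XXX-XX-", 4),
    "phone": mask_default,
}


def row_predicate(principal, row):
    """Equivalent of the inline table-valued function in a SQL security policy:
    a row is visible if its region matches the caller's claim or the caller is compliance."""
    return "compliance" in principal.roles or row["region"] == principal.region


def apply_masks(principal, rows):
    if "unmask" in principal.roles:           # like holding the UNMASK permission
        return [dict(r) for r in rows]
    return [{k: MASKS[k](v) if k in MASKS else v for k, v in r.items()} for r in rows]


def query(principal, rows=ROWS, where=None):
    """Filter rows by the security predicate, apply the WHERE clause, then mask.

    The WHERE clause runs on plaintext, exactly as in SQL: masking changes what a
    result set shows, not what a predicate can test, so it is not an access control.
    """
    visible = [r for r in rows if row_predicate(principal, r)]
    if where is not None:
        visible = [r for r in visible if where(r)]
    return apply_masks(principal, visible)


if __name__ == "__main__":
    analyst = Principal("analyst@contoso.com", frozenset({"analyst"}), "east")
    for row in query(analyst):
        print(row)
    # Inference through the predicate: the masked analyst still learns that SSN 123-45-6789 exists.
    print("ssn confirmed:", len(query(analyst, where=lambda r: r["ssn"] == "123-45-6789")) == 1)
```

The last line is the reason dynamic masking is described as a presentation control: if a column must be secret from a user, deny the column (column-level security) or keep the user out of the rows (RLS) rather than relying on the mask.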
Question 25: What is the future of data security?
Answer: Confidential computing, AI-powered threat detection, zero-trust architectures, and enhanced compliance automation.