I'm not sure how secure environment settings are in Azure Batch. Do I need to use certificates?

I am running tasks in Azure Batch, currently passing a storage token with EnvironmentSetting. I cannot find any details in the documentation on how secure that is. After reading about security with certificates I feel like this is the way to go ("You typically need to use certificates when you encrypt or decrypt sensitive information for tasks, like the key for an Azure Storage account."), yet I'm not 100% convinced.

So, are environment settings secure or not?

cpt-planet

1 Answer

If you are just talking about security itself, it's too broad a question. In addition, you have many ways to add to its security.

First, the environment variables are visible only in the context of the task user, the user account on the node under which a task is executed. And you cannot see them if you connect remotely. It's a secure setting. Then you can set the certificate as you provided; it's also a secure setting. They are the settings of Azure Batch itself.

For more, you can also control the permission to access your batch account. It's also a secure setting. So relatively speaking, it's secure. Hope my opinion will help you understand the security of the batch environment variables.

Charles Xu
  • You're right, my question was not precise enough. By "secure" I meant whether there is no way for any unauthorized person to obtain the values of those environment variables. This could be the case if someone can sniff the network traffic and the environment variables are not encrypted while being transferred. I haven't found any info on how EnvironmentSetting is handled internally and whether I should be concerned about ANY possibility of leaking the data transferred with EnvironmentSetting. So this question is not about permissions/access control - I'm OK if my (authorized) users have access to those values. – cpt-planet Apr 04 '19 at 11:11
  • @cpt-planet Of course, it's secure. When you use the Azure Python SDK to interact with Azure, you need to get permission through credentials. And the SDK needs the Azure API support; all the APIs will need your authentication. For example, you can see the [Azure Batch REST API](https://learn.microsoft.com/en-us/rest/api/batchservice/task/add). The requests are encrypted with the authentication. So don't worry, it's secure. – Charles Xu Apr 05 '19 at 02:56
  • I was more concerned about internal Azure communication (Azure - Batch pools) rather than Python SDK - Azure API. Do you know if internal communication with compute nodes is encrypted by default? If yes, then what is the use of [certificates in Batch](https://learn.microsoft.com/en-us/azure/batch/batch-api-basics#security-with-certificates)? – cpt-planet Apr 05 '19 at 06:44
  • @cpt-planet If you mean communication between the nodes in the pool, there is no encryption. They communicate inside the Azure private network; nobody can get the request from the internet. The certificate in Batch is used for other services to communicate with Batch. And Azure Batch uses HTTPS. So why do you question the security? – Charles Xu Apr 08 '19 at 09:06
  • I wasn't concerned about communication between the nodes in the pool. I was concerned about how the Azure Batch service (the resource which receives start task requests, starts tasks and passes env variables to nodes) communicates with the node on which the task is started. – cpt-planet Apr 11 '19 at 06:55
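
An added example, not part of the original question or answers, of the certificate approach the question quotes from the documentation: the token is encrypted on the client to the certificate's public key, so the environment setting carries only ciphertext and the task decrypts it on the node with the private key. It assumes the third-party `cryptography` package and makes no Azure SDK calls; the RSA key pair generated inline stands in for a Batch certificate, and `STORAGE_TOKEN_ENC` and the token value are constructed.

```python
import base64
import os
import subprocess
import sys

from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
ENV_NAME = "STORAGE_TOKEN_ENC"  # hypothetical environment setting name


def seal(token: str, public_key) -> str:
    """Client side: encrypt the token with a fresh data key, wrap that key with RSA-OAEP."""
    data_key = Fernet.generate_key()
    wrapped = public_key.encrypt(data_key, OAEP)
    body = Fernet(data_key).encrypt(token.encode())
    return base64.urlsafe_b64encode(wrapped).decode() + "." + body.decode()


def unseal(value: str, private_key) -> str:
    """Node side: unwrap the data key with the private key, then decrypt the token."""
    wrapped_b64, body = value.split(".", 1)
    data_key = private_key.decrypt(base64.urlsafe_b64decode(wrapped_b64), OAEP)
    return Fernet(data_key).decrypt(body.encode()).decode()


def demo() -> dict:
    # Constructed stand-ins: a throwaway key pair instead of a real certificate,
    # and a fake token instead of a real storage credential.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    token = "CONSTRUCTED-EXAMPLE-TOKEN-not-a-real-storage-credential"
    sealed = seal(token, private_key.public_key())
    # A child process plays the task: it reads exactly what the environment holds.
    child = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ['{ENV_NAME}'])"],
        env={**os.environ, ENV_NAME: sealed},
        capture_output=True, text=True, check=True,
    )
    seen = child.stdout.strip()
    return {"token": token, "seen_in_env": seen, "recovered": unseal(seen, private_key)}


if __name__ == "__main__":
    result = demo()
    print("environment holds:", result["seen_in_env"][:40] + "...")
    print("task recovers    :", result["recovered"])
```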