
Security

Several forms of security protect the data that is used for processing, including the credentials that grant access to your cloud provider account and the data that you hold with the cloud provider.

Security principals

Security principals are required to create an elastic cluster and to perform cluster operations in an Azure environment.
The following security principals are required:
A managed identity to create the cluster.
The Secure Agent uses a managed identity to log in to Azure and to create an elastic cluster. You create the managed identity with a minimal set of permissions to your Azure account and assign the managed identity to the Secure Agent machine.
The managed identity must be able to access the key vault that stores the credentials for the service principal for cluster operations. If you run the list-clusters.sh and delete-clusters.sh commands, the Secure Agent also uses the managed identity to authenticate to the Azure CLI.
A service principal to perform cluster operations.
An elastic cluster requires a service principal to perform cluster operations. You specify the service principal in the elastic configuration.
For more information about the cluster operations that the service principal performs, refer to the Microsoft Azure documentation.

Data encryption

Encryption protects the data that is used to process elastic jobs. You can use encryption to protect data at rest, temporary data, and data in transit.
Encryption is available for the following types of data:
Data at rest
By default, Microsoft Azure Blob Storage encrypts staging data and log files. For more information, refer to the Microsoft Azure documentation.
For information about encrypting source and target data, see the help for the appropriate connector in the Data Integration help.
Temporary data
Temporary data includes cache data and shuffle data that the Serverless Spark engine generates on cluster nodes.
To encrypt temporary data, enable encryption in the elastic configuration. If you enable encryption, temporary data is encrypted using the HMAC-SHA1 algorithm by default. To use a different algorithm, contact Informatica Global Customer Support.
Data in transit
By default, Microsoft Azure Blob Storage uses the Transport Layer Security (TLS) protocol to encrypt data in transit to and from Blob Storage, including staging data and log files.
When encryption is enabled on Blob Storage, you can specify the WASBS protocol when you configure the staging and log locations in an elastic configuration. If encryption is not enabled, you must use the WASB protocol.
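As an added example (not Informatica's code), the following Python check parses the staging and log locations of an elastic configuration and flags a plain wasb:// location whenever encryption is enabled on Blob Storage. The wasb[s]://container@account.blob.core.windows.net/path layout, the configuration key names and the sample values are assumptions.

```python
"""Check that elastic staging and log locations use WASBS when TLS is required."""
import re
from dataclasses import dataclass

# Assumed Hadoop-style Azure Blob Storage URI layout:
#   wasb[s]://<container>@<account>.blob.core.windows.net/<path>
_WASB_RE = re.compile(
    r"^(?P<scheme>wasbs?)://(?P<container>[a-z0-9-]{3,63})"
    r"@(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net(?P<path>/.*)?$"
)


@dataclass(frozen=True)
class BlobLocation:
    scheme: str
    container: str
    account: str
    path: str


def parse_location(uri: str) -> BlobLocation:
    """Parse a wasb:// or wasbs:// URI; raise ValueError for anything else."""
    m = _WASB_RE.match(uri.strip())
    if not m:
        raise ValueError(f"not a WASB/WASBS Blob Storage URI: {uri!r}")
    return BlobLocation(m["scheme"], m["container"], m["account"], m["path"] or "/")


def check_locations(config: dict, require_tls: bool = True) -> list:
    """Return findings for the staging and log locations (assumed key names).

    With require_tls=True (encryption enabled on Blob Storage), a plain wasb://
    location is reported because staging data and log files would move without TLS.
    """
    findings = []
    for key in ("staging_location", "log_location"):
        uri = config.get(key)
        if not uri:
            findings.append(f"{key}: missing")
            continue
        try:
            loc = parse_location(uri)
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
            continue
        if require_tls and loc.scheme != "wasbs":
            fixed = f"wasbs://{loc.container}@{loc.account}.blob.core.windows.net{loc.path}"
            findings.append(f"{key}: uses wasb:// (no TLS); use {fixed}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration: a TLS staging location and a plain log location.
    sample = {
        "staging_location": "wasbs://staging@examplestorage.blob.core.windows.net/elastic/staging",
        "log_location": "wasb://logs@examplestorage.blob.core.windows.net/elastic/logs",
    }
    for finding in check_locations(sample):
        print(finding)
```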