
Secured data in the cloud: Microsoft Fabric & Nitrogen Control Center

Updated at: 27 August 2025

In today’s data-driven world, ensuring the security and privacy of information is not just a technical requirement; it’s a strategic imperative. Microsoft Fabric and InSpark’s Nitrogen Control Center (NCC) offer a powerful combination for organizations seeking to build a future-proof, secure, and compliant data platform. This post explores how these technologies implement robust data protection through encryption, governance, and privacy-by-design principles.

Data at Rest: Encryption by Default

All data stored in Microsoft Fabric, whether customer data, system data, or metadata, is encrypted at rest using Microsoft-managed keys by default. This foundational layer of protection ensures that even if physical storage is compromised, the data remains unreadable without the appropriate cryptographic keys.

For organisations with advanced compliance or sovereignty requirements, Fabric also supports Customer Managed Keys (CMK).

Data in Transit: Seamless Protection

Microsoft Fabric ensures that all data in transit is encrypted by default. This means that data moving between services, users, and storage is automatically protected without requiring manual configuration. This baseline protection is critical in preventing interception or tampering during data transmission.

Customer Managed Keys (CMK): Maximum Control, With Serious Responsibility

For organisations with advanced compliance or data sovereignty requirements, Microsoft Fabric offers support for Customer Managed Keys (CMK), a powerful feature that allows customers to take full control of the encryption keys used to protect their data at rest.

Why is this important?


Because with CMK, only you can decrypt your data; not even Microsoft has access. This is essential for organisations that must meet strict regulatory requirements or want to ensure that their sensitive data remains entirely under their own control.

But with great control comes great responsibility:
By choosing CMK, the customer becomes fully responsible for key management and rotation. This is not a light responsibility: losing access to your keys means losing access to your data. Organisations must ensure robust operational processes for key lifecycle management, access control, and auditing.

By integrating with Azure Key Vault, CMK enables organisations to use their own keys to secure data within Fabric workspaces. This adds an additional layer of protection beyond the default Microsoft-managed encryption and provides greater flexibility in:

  • Managing key rotation
  • Controlling access
  • Auditing key usage

Fabric uses envelope encryption to secure data:

  • The Data Encryption Key (DEK) encrypts the actual data.
  • The Key Encryption Key (KEK), managed by the customer in Azure Key Vault, encrypts the DEK.
  • The KEK never leaves Key Vault, ensuring that encryption keys remain under customer control.

This architecture helps organisations meet stringent data governance and encryption standards such as GDPR and HIPAA, while also enhancing their overall security posture.
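
The DEK/KEK envelope scheme listed above, as an added example that is not Fabric's or InSpark's code. `LocalVault` is a hypothetical in-process stand-in for Azure Key Vault, and AES-GCM with AES key wrap (from the `cryptography` package) are assumed algorithms; the point is that KEK rotation re-wraps only the DEK, and that a revoked or lost KEK leaves the data unreadable.

```python
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap


class LocalVault:
    """Hypothetical stand-in for Azure Key Vault: stores KEK versions and
    exposes only wrap/unwrap, so the KEK itself is never handed out."""

    def __init__(self):
        self._keks = {}      # version -> 256-bit KEK (assumed key size)
        self._counter = 0
        self.current = None

    def rotate(self):
        self._counter += 1
        self.current = f"v{self._counter}"
        self._keks[self.current] = os.urandom(32)
        return self.current

    def revoke(self, version):
        del self._keks[version]

    def wrap(self, dek):
        return self.current, aes_key_wrap(self._keks[self.current], dek)

    def unwrap(self, version, wrapped):
        if version not in self._keks:
            raise PermissionError(f"KEK {version} is gone; DEK unrecoverable")
        return aes_key_unwrap(self._keks[version], wrapped)


def encrypt_record(vault, plaintext):
    dek = AESGCM.generate_key(bit_length=256)    # fresh DEK per record
    nonce = os.urandom(12)
    version, wrapped = vault.wrap(dek)
    return {"kek": version, "wrapped_dek": wrapped, "nonce": nonce,
            "ct": AESGCM(dek).encrypt(nonce, plaintext, None)}


def decrypt_record(vault, rec):
    dek = vault.unwrap(rec["kek"], rec["wrapped_dek"])
    return AESGCM(dek).decrypt(rec["nonce"], rec["ct"], None)


def rewrap(vault, rec):
    """After KEK rotation: re-wrap the DEK only; the ciphertext is untouched."""
    dek = vault.unwrap(rec["kek"], rec["wrapped_dek"])
    version, wrapped = vault.wrap(dek)
    return {**rec, "kek": version, "wrapped_dek": wrapped}
```

Records still wrapped under an old KEK version must be re-wrapped before that version is revoked; afterwards they cannot be decrypted by anyone.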

Privacy by Design with the Nitrogen Control Center

Column-Level Encryption

The Nitrogen Control Center, built on top of Microsoft Fabric, takes data privacy a step further. It implements column-level encryption using the open-source framework Presidio in combination with Azure Key Vault. This approach ensures that sensitive data, such as personally identifiable information (PII), is encrypted at the most granular level and can only be decrypted by authorized users during operational processes.

Example: Encrypt / Decrypt PII
Text: "His name is Mr. Jones and his phone number is 212-555-5555"
Anonymized Text: "His name is M4lla0kBCzu6SwCONL6Y+ZqsPqhBp1Lhdc3t0FKnUwM= and his phone number is H74oS90kBC+ksJSwCON2Dj9SqhBppLhdc3t0FKnOx9="

Use case: Suitable for secure storage or transmission where data may need to be decrypted later.

Column-Level Anonymization and Pseudonymization

In addition to encryption, Nitrogen Control Center is introducing anonymization and pseudonymization capabilities. These features are designed to further enhance data privacy by masking or transforming sensitive data, making it unreadable or unlinkable to individuals unless explicitly required. This aligns with the principles of Privacy by Design, embedding privacy into the architecture of the platform from the outset.

Example: Replacing PII
Text: "His name is Mr. Jones and his phone number is 212-555-5555"
Anonymized Text: "His name is <PERSON> and his phone number is <PHONE-NUMBER>"

Use case: Ideal for structured data pipelines where PII needs to be removed but the data format must remain intact.

Example: Masking PII
Text: "His name is Mr. Jones and his phone number is 212-555-5555"
Anonymized Text: "His name is *******es and his phone number is **********55"

Use case: Masking is particularly useful when partial visibility of data is required, for example, during validation, debugging, or support scenarios, while still protecting sensitive information.

By masking only parts of the data, teams can perform their tasks without needing access to the full, highly sensitive content. This enables organizations to delegate data processing responsibilities to broader teams or external partners without compromising privacy. As a result, it becomes possible to achieve an exceptionally high level of privacy and compliance, even in complex operational environments.
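
The replace and mask transformations from the two examples above, as an added sketch that is not NCC's or Presidio's code. The regex recognizers and function names are assumptions made for illustration; a real deployment would detect entities with a proper analyzer rather than two patterns.

```python
import re

# Constructed pattern recognizers (assumptions, far simpler than an NER model).
RECOGNIZERS = {
    "PERSON": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\. [A-Z][a-z]+"),
    "PHONE-NUMBER": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def analyze(text):
    """Return non-overlapping (start, end, entity) spans, sorted by start."""
    spans = sorted((m.start(), m.end(), entity)
                   for entity, rx in RECOGNIZERS.items()
                   for m in rx.finditer(text))
    kept = []
    for span in spans:
        if not kept or span[0] >= kept[-1][1]:   # drop overlapping matches
            kept.append(span)
    return kept


def replace_op(value, entity):
    """Replace the whole value with its entity label."""
    return f"<{entity}>"


def mask_op(value, entity, keep_last=2, char="*"):
    """Mask all but the last keep_last characters; short values are masked
    entirely so the 'visible tail' never reveals the whole value."""
    keep = keep_last if len(value) > keep_last else 0
    return char * (len(value) - keep) + value[len(value) - keep:]


def anonymize(text, operator):
    # Apply right to left so earlier offsets stay valid as lengths change.
    for start, end, entity in reversed(analyze(text)):
        text = text[:start] + operator(text[start:end], entity) + text[end:]
    return text


# Sample sentence taken from the examples above.
SAMPLE = "His name is Mr. Jones and his phone number is 212-555-5555"
```

Masked output keeps each value's length and trailing characters, so it reduces exposure but can still be linkable; replacement removes the value entirely.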

Metadata-Driven Governance and Automation

Strong data governance is the foundation of any secure and compliant data platform. Without clearly defined access controls and automated enforcement, even the most advanced encryption and privacy tools can fall short, leaving data vulnerable to misuse or accidental exposure.

To address this, the Nitrogen Control Center leverages a metadata-driven governance framework that ensures consistent, automated policy enforcement across the entire data lifecycle, from ingestion to visualization. Every action is governed, logged, and auditable by design.

This approach not only simplifies compliance but also accelerates development by up to 80%, thanks to standardized pipelines and reusable notebooks that reduce manual overhead and promote best practices.

Nitrogen Control Center from InSpark integrates seamlessly with Microsoft Fabric workloads such as OneLake, Power BI, Data Factory, Data Science, and Data Engineering. This enables organizations to build secure, scalable, and AI-ready data platforms with minimal friction, ensuring privacy and performance go hand in hand.

Conclusion: A Secure Foundation for Innovation

With Microsoft Fabric delivering enterprise-grade encryption and InSpark’s Nitrogen Control Center offering fine-grained privacy controls, metadata-driven governance, and automation, organisations are empowered to manage their data assets with confidence.

Whether you're modernizing legacy systems or building a new data platform from the ground up, this combination provides a robust, scalable, and compliant foundation. It ensures that security and privacy are not afterthoughts, but integral to every layer of your data architecture.

Together, Fabric and NCC enable secure, privacy-conscious innovation, ready for the demands of AI, analytics, and tomorrow’s regulatory landscape.