```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Azure Data Lake Storage Security - Documentation</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        :root {
            --primary:#0078d4;
            --bg:#f3f4f6;
            --text:#202124;
            --sidebar:#fff;
            --hover:#e5f1fb;
        }
        body{margin:0;font-family:Segoe UI,Arial,sans-serif;background:var(--bg);color:var(--text);}
        header{
            background:var(--primary);
            color:#fff;
            padding:1rem 2rem;
            display:flex;align-items:center;justify-content:space-between;
        }
        header h1{margin:0;font-size:1.5rem;}
        nav{
            width:260px;
            background:var(--sidebar);
            position:fixed;
            top:64px;bottom:0;
            overflow-y:auto;
            border-right:1px solid #e0e0e0;
        }
        nav ul{list-style:none;padding:0;margin:0;}
        nav li{border-bottom:1px solid #e0e0e0;}
        nav a{
            display:block;padding:0.75rem 1rem;
            text-decoration:none;color:var(--text);
        }
        nav a:hover{background:var(--hover);}
        main{
            margin-left:260px;
            padding:2rem;
        }
        h2{border-bottom:2px solid var(--primary);padding-bottom:0.3rem;}
        pre{background:#e8e8e8;padding:1rem;overflow:auto;}
        code{background:#e2e2e2;padding:2px 4px;border-radius:3px;}
        .toc{background:#fff;padding:1rem;margin-bottom:2rem;border:1px solid #ddd;}
        .toc ul{list-style:none;padding-left:0;}
        .toc li{margin:0.5rem 0;}
        .badge{display:inline-block;background:#0f6; color:#fff;padding:0.2rem 0.5rem;border-radius:3px;font-size:0.8rem;vertical-align:middle;}
        .copy-btn{
            background:none;border:none;color:var(--primary);cursor:pointer;margin-left:0.5rem;
        }
        .copy-btn:hover{text-decoration:underline;}
        footer{
            text-align:center;padding:1rem;margin-top:3rem;border-top:1px solid #ddd;color:#666;
        }
        @media(max-width:768px){
            nav{position:relative;width:auto;height:auto;border:none;}
            main{margin-left:0;}
        }
    </style>
</head>
<body>
<header>
    <h1>Azure Data Lake Storage Security</h1>
    <a href="../index.html" style="color:#fff;text-decoration:underline;">← Documentation Home</a>
</header>
<nav>
    <ul>
        <li><a href="../overview.html">Overview</a></li>
        <li><a href="../quickstart.html">Quickstart</a></li>
        <li><a href="../authentication.html">Authentication</a></li>
        <li><a href="security.html" style="font-weight:bold;">Security</a></li>
        <li><a href="../performance.html">Performance</a></li>
        <li><a href="../troubleshooting.html">Troubleshooting</a></li>
    </ul>
</nav>
<main>
    <section class="toc">
        <h2>Table of Contents</h2>
        <ul>
            <li><a href="#authentication">Authentication & Identity</a></li>
            <li><a href="#network-security">Network Security</a></li>
            <li><a href="#encryption">Encryption at Rest & In‑Transit</a></li>
            <li><a href="#access-control">Access Control (IAM & ACLs)</a></li>
            <li><a href="#best-practices">Security Best Practices</a></li>
        </ul>
    </section>

    <section id="authentication">
        <h2>Authentication &amp; Identity</h2>
        <p>Azure Data Lake Storage (ADLS) integrates with Azure Active Directory (Azure AD) to provide secure, token‑based authentication. Use Azure AD for:</p>
        <ul>
            <li>Managed identities for Azure resources</li>
            <li>Service principals and client secrets</li>
            <li>Conditional Access policies</li>
        </ul>
        <p>Example: Acquire a token with Azure CLI</p>
        <pre><code>az account get-access-token --resource https://storage.azure.com/</code></pre>
        <button class="copy-btn" data-copy="az account get-access-token --resource https://storage.azure.com/">Copy</button>
    </section>

    <section id="network-security">
        <h2>Network Security</h2>
        <p>Restrict connectivity using:</p>
        <ul>
            <li>Virtual Network Service Endpoints</li>
            <li>Private Endpoints (Azure Private Link)</li>
            <li>Firewall rules & IP allow lists</li>
        </ul>
        <p>Sample firewall rule to allow a single IP:</p>
        <pre><code>az storage account network-rule add \
    --resource-group MyResourceGroup \
    --account-name mystorageaccount \
    --ip-address 203.0.113.5</code></pre>
        <button class="copy-btn" data-copy="az storage account network-rule add --resource-group MyResourceGroup --account-name mystorageaccount --ip-address 203.0.113.5">Copy</button>
    </section>

    <section id="encryption">
        <h2>Encryption at Rest &amp; In‑Transit</h2>
        <p>Data is encrypted using Microsoft-managed keys by default (CMK). For compliance, you can use customer‑managed keys (CMK) stored in Azure Key Vault.</p>
        <p>Enable customer‑managed keys:</p>
        <pre><code>az storage account update \
    --name mystorageaccount \
    --resource-group MyResourceGroup \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault myKeyVault \
    --encryption-key-name myKey</code></pre>
        <button class="copy-btn" data-copy="az storage account update --name mystorageaccount --resource-group MyResourceGroup --encryption-key-source Microsoft.Keyvault --encryption-key-vault myKeyVault --encryption-key-name myKey">Copy</button>
        <p>All data transfers use HTTPS (TLS 1.2+). Enforce HTTPS‑only requests:</p>
        <pre><code>az storage account update \
    --name mystorageaccount \
    --resource-group MyResourceGroup \
    --allow-blob-public-access false \
    --https-only true</code></pre>
        <button class="copy-btn" data-copy="az storage account update --name mystorageaccount --resource-group MyResourceGroup --allow-blob-public-access false --https-only true">Copy</button>
    </section>

    <section id="access-control">
        <h2>Access Control (IAM &amp; ACLs)</h2>
        <p>Control access at two levels:</p>
        <ul>
            <li><strong>IAM role assignments</strong> – grant permissions on the storage account or container.</li>
            <li><strong>POSIX‑style ACLs</strong> – fine‑grained file‑and‑directory permissions.</li>
        </ul>
        <p>Assign the built‑in <code>Storage Blob Data Owner</code> role:</p>
        <pre><code>az role assignment create \
    --assignee <span class="badge">user@example.com</span> \
    --role "Storage Blob Data Owner" \
    --scope /subscriptions/<span class="badge">xxxx-xxxx</span>/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount</code></pre>
        <button class="copy-btn" data-copy="az role assignment create --assignee user@example.com --role \"Storage Blob Data Owner\" --scope /subscriptions/xxxx-xxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount">Copy</button>
        <p>Set an ACL on a directory via Azure CLI:</p>
        <pre><code>az storage fs access set \
    --account-name mystorageaccount \
    --file-system myfilesystem \
    --path /data/finance \
    --acl "user::rwx,group::r-x,other::---"</code></pre>
        <button class="copy-btn" data-copy="az storage fs access set --account-name mystorageaccount --file-system myfilesystem --path /data/finance --acl \"user::rwx,group::r-x,other::---\"">Copy</button>
    </section>

    <section id="best-practices">
        <h2>Security Best Practices</h2>
        <ol>
            <li>Enable <strong>Azure Defender for Storage</strong> for threat detection.</li>
            <li>Use <strong>Private Endpoints</strong> to eliminate exposure to the public internet.</li>
            <li>Rotate <strong>customer‑managed keys</strong> regularly via Azure Key Vault policies.</li>
            <li>Audit access with <strong>Azure Monitor</strong> and enable diagnostic logs.</li>
            <li>Apply <strong>least‑privilege IAM</strong> – assign only the needed roles.</li>
        </ol>
    </section>
</main>
<footer>
    © 2025 Microsoft Azure Documentation
</footer>
<script>
    document.querySelectorAll('.copy-btn').forEach(btn=>{
        btn.addEventListener('click',()=>{
            const text=btn.getAttribute('data-copy');
            navigator.clipboard.writeText(text).then(()=>{
                btn.textContent='Copied!';
                setTimeout(()=>{btn.textContent='Copy';},1500);
            });
        });
    });
</script>
</body>
</html>
```