Blog Post


Azure Storage Security

Author varunsngh, 3 years ago | 6 min read | 45

Azure Storage security is broken down into five main areas.

Management plane security

The management plane covers the operations that act on the storage account itself (creating it, changing its settings, reading its keys). Access to these operations is controlled through Azure Active Directory.

Access control based on role

Every Azure subscription is associated with an Azure Active Directory tenant, which holds the users, groups, and applications to which we grant access to resources in that subscription. A storage account is such a resource, and access to it is managed by assigning the appropriate role (Owner, Reader, or Contributor, for example) to the user.

Important Points to Remember:

  • Assigning a role on a storage account restricts which management operations the user may perform on the account; it does not by itself grant access to the data objects inside the account.
  • A role can still lead to data access if it allows the user to read the storage account keys, because the account keys grant access to every data object in the account.
  • Every role comes with a list of actions it permits.
  • Several built-in roles are available, e.g. Owner, Reader, and Contributor.
  • You can create a custom role by choosing actions from the list of available actions.

Data Plane security

This refers to the techniques used to protect the data objects (blobs, queues, tables, and files) in a storage account.

There are three ways to restrict access to the data within a storage account.

  • Azure Active Directory can grant access to containers and queues. It has advantages over the other authorization methods, for example it removes the need to keep secrets in your code.
  • The storage account keys give access to every data object in the account.
  • Shared Access Signatures (SAS) are used when we need to grant access to specific services only (for example only blobs, only queues, or a combination), to limit the kind of access (read-only, update, delete), and to bound the access in time. For example, we may grant access for a period of one year; when the year is up, we generate a new SAS and hand it to the consumer. In this case we use shared access signatures rather than the account keys.

We can also grant public access to blobs by setting the access level of the container that holds the blob accordingly.

Encryption in transit

Transport-level encryption using HTTPS

  • Always use HTTPS when calling the REST APIs or when accessing an object in storage.
  • When using a SAS, we can also stipulate that only HTTPS may be used with it.
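The SAS bullets above (scoped permissions, a time limit, HTTPS only) and the point that SAS tokens are renewed rather than left open-ended can be exercised in code. This is an added example, not code from the original post: it builds a container SAS (field order follows the published service SAS string-to-sign as I understand it; production code should use the SDK) and then audits a token against a simple policy. The account key, account and container names are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample account key (not a real Azure key), base64 like real keys.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-account-key-0000").decode()
API_VERSION = "2020-12-06"


def build_container_sas(account, container, permissions, expiry,
                        protocol="https", key=SAMPLE_KEY):
    """Build a container service SAS (sr=c); assumed string-to-sign field order."""
    exp = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    canonical = f"/blob/{account}/{container}"
    # sp, st, se, resource, identifier, sip, spr, sv, sr, snapshot,
    # encryption scope, then the five response-header overrides (all empty)
    fields = [permissions, "", exp, canonical, "", "", protocol, API_VERSION,
              "c", "", ""] + [""] * 5
    digest = hmac.new(base64.b64decode(key), "\n".join(fields).encode("utf-8"),
                      hashlib.sha256).digest()
    return urlencode({"sv": API_VERSION, "sr": "c", "sp": permissions, "se": exp,
                      "spr": protocol, "sig": base64.b64encode(digest).decode()})


def audit_sas(token, now, max_lifetime=timedelta(days=365)):
    """Return policy violations for a SAS token; an empty list means it passes."""
    q = {k: v[0] for k, v in parse_qs(token).items()}
    problems = []
    if q.get("spr") != "https":          # page: stipulate HTTPS only
        problems.append("allows HTTP")
    exp = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if exp <= now:
        problems.append("expired")
    elif exp - now > max_lifetime:       # page: at most one year, then renew
        problems.append("lifetime over policy")
    if set(q.get("sp", "")) & {"w", "d"}:  # read-only was expected
        problems.append("grants write/delete")
    return problems


def demo():
    """Constructed scenario: a read-only 30-day SAS beside an over-broad one."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = build_container_sas("mystorage", "docs", "r", now + timedelta(days=30))
    bad = build_container_sas("mystorage", "docs", "rwd", now + timedelta(days=400),
                              protocol="https,http")
    return audit_sas(good, now), audit_sas(bad, now)
```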

Encrypting data in transit to Azure file shares

  • SMB 2.1 does not support encryption, so connections are only allowed from within the same region.
  • SMB 3.0 supports encryption, so cross-region access is permitted.

Client-side encryption

  • Encrypt the data before it is transferred to Azure Storage.
  • When retrieving data from Azure, it is decrypted once it has been received on the client side.

Encryption at rest

Client-side encryption

  • Encrypt the data before transferring it to Azure Storage.
  • When retrieving data from Azure, it is decrypted once it has been received on the client side.

Storage Service Encryption (SSE)

This is the method typically used to protect data at rest in Azure Storage.

  • It is enabled for all storage accounts and cannot be turned off.
  • It automatically encrypts data in both performance tiers (Standard and Premium), both deployment models (Azure Resource Manager and Classic), and all Azure Storage services (Blob, Queue, Table, and File). It is therefore a universal protection across all of Azure Storage.
  • Data can be encrypted with Microsoft-managed keys or with your own (customer-managed) keys.

Azure Disk Encryption

This is Microsoft's recommended method for encrypting disks, in particular Azure disks.

  • Encrypts the OS and data disks used by IaaS virtual machines.
  • Encryption can be enabled on existing IaaS VMs.
  • Customer-managed keys are also supported.

CORS (Cross-Origin Resource Sharing)

  • When a web browser sends an HTTP request for a resource from another domain, it is known as a cross-origin HTTP request.
  • Azure Storage allows CORS to be enabled per storage account, and for each account we can select which domains may access its resources. For example, enable CORS on the mystorage.blob.core.windows.net storage account and configure it to allow access from mywebsite.com.
  • CORS grants browser access but does not provide security, so we must still use SAS tokens (or another credential) to reach private storage resources.
  • CORS is disabled by default for the services. It can be enabled via PowerShell or the Azure portal, where we select the domains from which requests may originate to access the data in the storage account.
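The CORS points above can be made concrete with a rule set for the page's own scenario (mystorage allowing mywebsite.com). This is an added example, not code from the original post: it renders the CorsRule fragment of a Set Blob Service Properties body, approximates the service's origin/method match, and shows that a permitted origin still needs a SAS. The weak and corrected rule sets are constructed, and the matching logic is a simplified assumption.

```python
import xml.etree.ElementTree as ET

# Weak setting (constructed): every origin on the Internet, every verb
WEAK_RULES = [{"origins": ["*"], "methods": ["GET", "PUT", "DELETE"]}]
# Corrected setting for the page's scenario: only mywebsite.com, only GET
STRICT_RULES = [{"origins": ["https://mywebsite.com"], "methods": ["GET"]}]


def cors_properties_xml(rules):
    """Render the <Cors> section of a Set Blob Service Properties request body."""
    root = ET.Element("StorageServiceProperties")
    cors = ET.SubElement(root, "Cors")
    for r in rules:
        rule = ET.SubElement(cors, "CorsRule")
        ET.SubElement(rule, "AllowedOrigins").text = ",".join(r["origins"])
        ET.SubElement(rule, "AllowedMethods").text = ",".join(r["methods"])
        ET.SubElement(rule, "MaxAgeInSeconds").text = str(r.get("max_age", 300))
        ET.SubElement(rule, "ExposedHeaders").text = ",".join(r.get("exposed", []))
        ET.SubElement(rule, "AllowedHeaders").text = ",".join(r.get("headers", []))
    return ET.tostring(root, encoding="unicode")


def preflight_allowed(rules, origin, method):
    """Simplified match (assumption): the first rule whose AllowedOrigins is '*'
    or contains the exact Origin header, and whose AllowedMethods has the verb."""
    for r in rules:
        if ("*" in r["origins"] or origin in r["origins"]) and method in r["methods"]:
            return True
    return False


def browser_read_permitted(rules, origin, has_valid_sas):
    """CORS only decides whether the browser may make the cross-origin call;
    private data still needs a SAS (or other credential) on the request itself."""
    return preflight_allowed(rules, origin, "GET") and has_valid_sas
```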