Azure Storage Security Best Practices

Cloud Computing
Using the Azure Cloud for Backup and Disaster Recovery
April 15, 2020
Show all

Azure Storage Security Best Practices

The popularity of the cloud, while advantageous to many, also carries security risks like data loss and data leaks. Companies storing their data in cloud environments should follow security practices to protect their data. This article provides an overview of Microsoft Azure Storage security services and best practices to protect your data in Azure.

What Is Azure Storage?

Azure Storage is a Microsoft cloud storage offering. Azure provides storage for data objects, files, messages, and NoSQL databases. Some of the advantages of Azure Storage include:

  • High availability—you can replicate data across regions to ensure availability in the event of failure. 
  • Secure—Azure encrypts data at rest and in transit. The platform also provides Role-Based Access Control (RBAC) for protecting the access to your data. 
  • Scalable—you can easily add storage by adding more blob containers or Virtual Machines (VM). 
  • Flexible—the platform supports all major programming languages, such as Python, Ruby, .NET, Java, and Node. js. 

Azure Storage Types

Azure Storage offers four types of services. Each one of these services is designed for a different type of data.  

Blob storage

An object storage solution designed for storing unstructured data. You can use blob storage for serving images to a browser and streaming video. Blob storage is also useful for storing data for backup and restore

File Storage

You can use Azure File Storage (AFS) to set up network file shares accessible by the Server Message Block (SMB) protocol. This gives the user the advantage of having multiple VMs with reading and write access sharing the same file.

Unlike an on-premises file-share, AFS enables you to enjoy the accessibility of the cloud. You can access AFS files from anywhere via a URL. Regarding security, the service enables you to create a Shared Access Signature (SAS) token to control access to sensitive assets.

Queue Storage

Azure Queue Storage is a service for storing messages through HTTP or HTTPS. A queue message can have up to 64 KB in size, and a queue can store millions of messages. You can use Queue Storage to create a workload for storing and retrieving messages asynchronously. This enables you to store large numbers of messages via authenticated calls. 

Disk Storage

A Virtual Hard Disk (VHD) service. When using this type of storage you can choose between Solid State Drive (SSD) or Hard Disk Drive (HDD). Azure disk storage provides high availability by replicating the data three times. Disk storage provides scalability by enabling you to create up to 50,000 VM disks per region. 

Security in Azure Storage

Azure provides a number of security services. One of the offerings is the Azure Security Center—a built-in centralized security management system. It provides threat protection for cloud, hybrid, and on-premises workloads. The Security Center features a Security Advisor that provides recommendations for fixing security vulnerabilities. 

Azure provides key features for securing your data in storage. For example, Shared Access Signatures (SAS) enables you to control who can access the data in your storage account. Here are more security features you can take advantage of to secure data stored in Azure: 

  • Automated data encryption—Azure encrypts all data written into Azure Storage by using Storage Service Encryption (SSE). This includes metadata. 
  • Role-Based Access Control (RBAC)—for resource management and data operations. You can assign roles to a security principal, a resource group, a storage account, or individual containers. 
  • Data in transit security—the platform provides three options to encrypt data in transit: client-side encryption, HTTPS, or SMB 3.0. 

6 Security Best Practices

1. Multi-factor authentication for administrator accounts

Applying Multi-Factor authentication (MFA) in admin accounts ensures that only authorized users can access the admin account. Otherwise, if an admin account is compromised, an attacker can create or delete resources, and steal money or intellectual property. 

2. Enable “secure transfer required”

This option only allows requests to the storage account via a secure connection. For example, requiring a connection through HTTPS, instead of HTTP. 

3. Storage service encryption

You should enable data encryption at rest for blobs. This feature enables you to encrypt the data as it’s written in the data center. The storage then automatically decrypts it when you access it. 

4. SQL database security practices

When using Azure SQL database you should ensure to follow the best practices below:

  • Enable auditing—the auditing function tracks and logs database events. This helps you comply with regulations and strengthen your security posture. 
  • Enable threat detection—threat detection provides a layer of security by sending alerts when suspicious activities are detected. The user receives an alert when the system detects an anomaly. Early detection of vulnerabilities enables security officers to prevent threats, especially SQL injection attacks
  • Enable “transparent data encryption”—you should enable this option when configuring the database. This ensures the data gets encrypted in real-time. 

5. Minimize the number of admins

Since each additional person in the admin role increases the risk of internal threats and compromised credentials it is a good practice to keep admin roles to a minimum. 

6. Do not grant permissions to external accounts

External accounts can put your data at risk. These accounts may have different security standards than your company account. 

Wrap Up

Azure provides a good security base for protecting your data in storage. However, Azure’s shared responsibility model means users need to secure their side by following standard security practices and leveraging the security functions the platform provides. With the right practices, organizations can keep their data secure.

James Lee
James Lee
James Lee is a passionate software wizard working at one of the top Silicon Valley-based startups specializing in big data analysis. In the past, he has worked on big companies such as Google and Amazon In his day job, he works with big data technologies such as Cassandra and ElasticSearch, and he is an absolute Docker technology geek and IntelliJ IDEA lover with strong focus on efficiency and simplicity.

Leave a Reply

Your email address will not be published.

LEARN HOW TO GET STARTED WITH DEVOPS

get free access to this free guide, downloaded over 200,00 times !

You have Successfully Subscribed!

Level Up Big Data Pdf Book

LEARN HOW TO GET STARTED WITH BIG DATA

get free access to this free guide, downloaded over 200,00 times !

You have Successfully Subscribed!

Jenkins Level Up

Get started with Jenkins!!!

get free access to this free guide, downloaded over 200,00 times !

You have Successfully Subscribed!