Rajnish, MCT

Rajnish Kumar Jha, MCT: DevOps, Azure, Microsoft Certified Trainer

DevOps, Cloud, Azure resources & blog

You are here :► Rajnish Kumar Jha, MCT: DevOps, Azure, Microsoft Certified TrainerBlogAzure StorageLearn about best practices in Azure Storage security

Learn about best practices in Azure Storage security

Written by

Rajnish Kumar Jha

/

Under the topic

/

Dated:

Table Of Content

To enhance the security of your Azure Storage, follow these best practices for configuration and management:

Secure Access to Azure Storage

Enforce HTTPS

Enable Secure Transfer Required to enforce HTTPS for all data in transit.

Azure Portal

Navigate to the Configuration blade of your storage account and ensure Secure transfer required is set to Enabled.

CLI Command

Use Private Endpoints

  • Integrate the storage account with Azure Private Link to restrict access to your virtual network.

  • Disable public network access to reduce the risk of unauthorized access.

Steps

  1. Go to your storage account.

  2. Under Networking, choose Private Endpoint and create a private link.

  3. Disable public network access in the Firewall and Virtual Networks tab.

Configure Firewall and Network Rules

  • Allow access only from trusted IP ranges or subnets.

  • Restrict access to specific services within your network.

  • Enable Azure Virtual Network integration for secure connectivity.

Manage Authentication and Authorization

Use Azure AD Authentication

  • Replace Shared Key authentication with Azure Active Directory (Azure AD) to enforce identity-based access.

  • Use RBAC (Role-Based Access Control) to grant fine-grained permissions.

    • Assign built-in roles like Storage Blob Data Reader or Storage Blob Data Contributor.

Avoid Using Account Keys

  • Use SAS (Shared Access Signatures) or Azure AD for granular access.

  • Rotate account keys periodically if they are used.

  • Rotate Account Keys in the Azure Portal under Access Keys.

Use Shared Access Signatures (SAS) Wisely

  • Define a short validity period for SAS tokens.

  • Restrict SAS token permissions to the minimum required (e.g., Read-only for downloads).

  • Use IP restrictions and HTTPS enforcement for SAS tokens.

Data Encryption

Encryption at Rest

  • Use Customer-Managed Keys (CMK) in Azure Key Vault for additional control over encryption.

  • Rotate encryption keys regularly.

Encryption in Transit

  • Use TLS (Transport Layer Security) for all communications with Azure Storage.

  • Enforce HTTPS-only connections.

Client-Side Encryption

  • Encrypt sensitive data before uploading to Azure Storage using Azure SDKs or tools.

Monitoring and Auditing

Enable Logging and Metrics

  • Use Azure Monitor to track storage account access and operations.

  • Enable Storage Analytics to monitor request-level activity.

Enable Diagnostic Settings

  • Route logs and metrics to Log Analytics, Event Hub, or a storage account.

  • Example: Audit read/write/delete operations on blobs or files.

Configure Alerts

  • Set up alerts for suspicious activities (e.g., access from untrusted IPs, large volume deletions).

Use Microsoft Defender for Storage

  • Enable Microsoft Defender for Storage to detect anomalies, threats, and suspicious activities.

Data Redundancy and Backup

Enable Geo-Redundant Storage (GRS)

  • Use Read-Access Geo-Redundant Storage (RA-GRS) for disaster recovery.

  • Regularly test failover for storage accounts with replication enabled.

Set Up Backup Solutions

  • Use Azure Backup or third-party tools to create snapshots and backups for critical data.

Automate Security with Azure Policies

Define Azure Policies to enforce storage account security configurations, such as:

  • Requiring HTTPS-only access.

  • Disabling public network access.

  • Enforcing the use of customer-managed keys.

Regularly Review Access and Configurations

Periodic Access Review

  • Review RBAC assignments and permissions.

  • Remove unnecessary users, roles, and access rights.

Audit Configuration

Use Azure Security Center recommendations to identify misconfigurations and vulnerabilities.

Secure Data Deletion

  • Use Soft Delete for blobs, containers, and file shares to recover accidentally deleted data.

  • Enable versioning to protect against accidental overwrites.

Use Tags and Resource Naming Standards

  • Apply consistent tags to storage accounts for easier identification and governance.

  • Use naming conventions to group and classify resources securely.

Stay Updated

Regularly update your security practices based on Azure's new features or changes in security recommendations.

Summary

By applying these best practices, you can significantly enhance the security of your Azure Storage environment while ensuring compliance with organizational and regulatory requirements.

Related Articles

Learn how to delegate access to Azure Storage using Stored access policies

Learn how to delegate access to Azure Storage u…

Stored access policies in Azure Storage allow you to cr…

Learn how to use Azure Storage Explorer

Learn how to use Azure Storage Explorer

Azure Storage Explorer is a free, standalone desktop ap…

Explore the different Replication Strategies in Azure Storage

Explore the different Replication Strategies in…

Azure Storage offers several replication strategies to …

How to add Blob Lifecycle Management rules in Azure

How to add Blob Lifecycle Management rules in A…

Azure Blob Storage offers Lifecycle Management to autom…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.

Featured Courses

Learn Azure DevOps from Scratch for Free

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.

My MCT card (Microsoft)

My Certifications

Rajnish, MCT

Popular Posts

Popular TAGS

AZ-104 (41) Azure (41) Azure Administration (41) Azure ARM Template (2) Azure Bicep (2) Azure Policy (2) Azure RBAC (4) Azure Solution Expert (41) Cloud (41) Cloud Administration (41) Microsoft Azure (41) Microsoft Entra (11)

Popular Category

Azure Backup (29) Azure Compute (63) Azure DevOps (351) Azure Fundamentals (14) Azure Governance (12) Azure Identity (14) Azure Monitoring (40) Azure Storage (51) Azure Virtual Networks (48)

Table Of Content

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Unlock the full potential of Azure Cloud with me
– Your trusted guide to Azure mastery!

SUBSCRIBE

My newsletter for exclusive content and offers. Type email and hit Enter.

No spam ever. Unsubscribe anytime.
Read the Privacy Policy.

Follow me on social media

Stay ahead of the curve
with the latest Azure tips, trends, and updates.

LinkedIn -|- GitHub -|- YouTube -|- Facebook -|- Twitter-|- Pinterest -|- Instagram