Recommendations to secure your data in a storage account on Azure

  1. Use Azure Storage firewall to restrict public access to the storage account. Enable access only to select networks using specific IP addresses or subnets, making it more difficult for unauthorized users to access your data.
  2. Use private endpoints to assign a private IP address from your Azure Virtual Network (VNet) to the storage account. This keeps all traffic between your VNet and the storage account on a private link.
  3. Use Azure Active Directory (AD) authentication to control access to your storage account by specifying which users and resources (via managed identities) have access. Use built-in Azure RBAC roles to provide more granular permissions to these identities.
  4. If you use shared access signatures (SAS) and stored access policies, grant limited access to specific resources within your storage account, and specify an expiration time, a start time and IP restrictions.
  5. Consider enabling Purge protection on the storage account to prevent data from being permanently deleted from a storage account, even if the data has been accidentally or intentionally deleted.
  6. Keep your storage account access keys safe in a secure location such as a Key Vault. Employ a process to rotate keys periodically either manually or through automation.
  7. Regularly monitor and audit your storage account to identify and address any security issues that may arise.
  8. In production environments, consider enabling Microsoft Defender for Storage, which provides an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. When a security alert is triggered, subscription administrators are notified with the details of the suspicious activity and recommendations on how to investigate and remediate the threat.
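Items 1 to 4 and 7 describe settings you can check mechanically. The script below is an added example, not code from the original article: it audits an account document and a SAS URL against the list. The field names follow the shape of `az storage account show -o json` output as assumed here, every value (account name, IP ranges, private endpoint id, SAS signature) is a constructed placeholder, and the checks go slightly beyond the list by also flagging anonymous blob access and a minimum TLS version below 1.2.

```python
"""Audit a storage account document and SAS URLs against the checklist above.

Added example, not from the original article. Field names follow the assumed shape of
`az storage account show -o json`; all values are constructed, "sig" values are placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an account (hypothetical name) with several weak settings.
WEAK_ACCOUNT = {
    "name": "examplestorage",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
    "privateEndpointConnections": [],
    "allowSharedKeyAccess": True,
    "allowBlobPublicAccess": True,
    "minimumTlsVersion": "TLS1_0",
}

# The same account after items 1-3 are applied (placeholder IDs and addresses).
HARDENED_ACCOUNT = {
    "name": "examplestorage",
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny",
                       "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                       "virtualNetworkRules": []},
    "privateEndpointConnections": [{"id": "<placeholder-private-endpoint-id>"}],
    "allowSharedKeyAccess": False,
    "allowBlobPublicAccess": False,
    "minimumTlsVersion": "TLS1_2",
}


def audit_account(acct: dict) -> list[str]:
    """Return findings for the account-level settings; an empty list means compliant."""
    findings = []
    rules = acct.get("networkRuleSet", {})
    if acct.get("publicNetworkAccess") != "Disabled" and rules.get("defaultAction") != "Deny":
        findings.append("firewall: open to all networks; set default action to Deny (item 1)")
    if not acct.get("privateEndpointConnections"):
        findings.append("network: no private endpoint; traffic is not confined to a private link (item 2)")
    if acct.get("allowSharedKeyAccess", True):
        findings.append("auth: shared-key access enabled; use Azure AD with RBAC and disable keys where possible (item 3)")
    if acct.get("allowBlobPublicAccess", True):
        findings.append("blob: anonymous public access allowed at the account level")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append("transport: minimum TLS version below 1.2")
    return findings


# Constructed sample SAS URLs for the same hypothetical account.
WEAK_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/reports/q1.csv"
    "?sv=2022-11-02&sr=b&sp=racwdl&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
)
SCOPED_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/reports/q1.csv"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-01-02T04:00:00Z&sip=203.0.113.10&spr=https&sig=PLACEHOLDER"
)
# Fixed "current time" so the lifetime check is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC ISO 8601; the date-only and no-seconds forms are also accepted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def audit_sas(url: str, now: datetime, max_lifetime: timedelta = timedelta(hours=8)) -> list[str]:
    """Check a SAS URL's query parameters against the item 4 policy (expiry, IP, scope)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL: no sig parameter"]
    findings = []
    if "si" in q:
        # Stored access policy: expiry and permissions live on the container and are revoked there.
        findings.append(f"info: stored access policy '{q['si']}'; verify its expiry on the container")
    elif "se" not in q:
        findings.append("expiry: no se parameter")
    elif parse_sas_time(q["se"]) - now > max_lifetime:
        findings.append(f"expiry: {q['se']} is more than {max_lifetime} away")
    if "sip" not in q:
        findings.append("ip: no sip restriction")
    if q.get("spr") != "https":
        findings.append("protocol: not restricted to HTTPS (spr)")
    if "ss" in q or "srt" in q:
        findings.append("scope: account SAS; prefer a service SAS scoped to one resource")
    if "d" in q.get("sp", ""):
        findings.append("permissions: delete granted; confirm it is required")
    return findings


if __name__ == "__main__":
    print("account:", *audit_account(WEAK_ACCOUNT), sep="\n  ")
    print("sas:", *audit_sas(WEAK_SAS_URL, SAMPLE_NOW), sep="\n  ")
```

Run it as-is to see the findings for the weak samples; feed `audit_account` the real `az storage account show -o json` output (parsed with `json.loads`) and `audit_sas` any SAS URLs harvested from configuration or logs to turn item 7 into a repeatable check. The eight-hour lifetime is a policy choice, not an Azure limit; adjust `max_lifetime` to your organisation's standard.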

It’s important to note that security is a continuous process, and these steps may not cover every possible scenario or may not be the right fit for your specific use case. Additionally, there may be other requirements that are specific to your organization’s security policy, and it’s always best to consult with Azure security experts and comply with industry standards and best practices.