Azure Storage Security Focuses On Five Key Areas

Management plane security

Operations that act on the storage account itself (creating or deleting it, changing its settings, regenerating or listing its keys) make up the management plane. Azure Active Directory is used to control who may perform these operations on the account.


Role-based access control

Every Azure subscription is associated with an Azure Active Directory tenant, which holds the users, groups and applications that can be granted management access to the subscription's resources. A storage account is one such resource, and the level of management access a principal has is set by the role assigned to it, for example the built-in Owner, Contributor or Reader roles. Note that these management-plane roles are not the same as data access: a principal holding Contributor cannot read blobs through Azure AD, but it can list the account keys, and with a key it can read everything, so treat Contributor on a storage account as full data access.

Data Plane security

This term refers to the techniques used to safeguard the data objects (blobs, queues, tables and files) held inside the storage account.


You can restrict who has access to the data in the storage account in three different ways.

Azure active directory

Azure Active Directory can authorize access to blob containers and queues directly, with data-plane roles such as Storage Blob Data Reader assigned to a user, group or managed identity. Compared with the other methods it has clear benefits: no secret has to be stored in the application code or configuration, access is granted per principal and can be revoked centrally, and every call is attributable to an identity.

Storage account keys

Storage account keys are two 512-bit keys generated with the account. Either key grants full access to every data object in the account (blobs, queues, tables and files), with no scoping to an operation, object or time window. Treat them like root credentials: keep them out of code, rotate them regularly (the two keys exist so one can be regenerated while clients move to the other), and prefer Azure AD or shared access signatures for day-to-day access.

Shared Access Signatures

A shared access signature (SAS) is used when access must be narrower than an account key allows: restricted to specific services (blobs, queues, or a combination), to specific operations (read-only, write, delete and so on), and to a limited validity period. A SAS is a URL query string signed with an account key, so the holder gets exactly the permissions encoded in it and nothing more, and once the expiry passes the signature is no longer accepted. Because a leaked SAS is usable until it expires (unless the signing key is rotated or a stored access policy is revoked), keep validity periods short: if a client needs long-lived access, issue a fresh SAS periodically rather than a single one that is valid for a year.


Encryption in transit

HTTPS-based transport-level encryption

  • Always use HTTPS when calling the REST APIs or accessing any storage object, so credentials, SAS tokens and data are not exposed on the wire.
  • A SAS can be restricted to HTTPS only (the signed protocol field), so a token presented over plain HTTP is rejected even if it is otherwise valid.
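To make the SAS section above and the HTTPS-only bullet concrete, here is an added example (not code from the original article or from Microsoft) that builds a service SAS for one blob and then verifies it the way the service does: the signature is an HMAC-SHA256 over the signed fields, keyed with the account key. The string-to-sign layout follows the documented service SAS format for service version 2020-12-06, which is an assumption to confirm against the current REST reference; the account name, key and object names are constructed sample data.

```python
"""Service SAS for one blob: build, then verify the way the service does.

Added example, not code from the original article or from Microsoft. The
string-to-sign layout is the documented service SAS format for service version
2020-12-06 (assumption: confirm against the current REST reference). Account
name, key and object names below are constructed sample data.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SERVICE_VERSION = "2020-12-06"
ACCOUNT_NAME = "examplestorage"
# Constructed throwaway key, base64 encoded like a real 64-byte account key.
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()


def _fmt(ts):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _string_to_sign(account, container, blob, f):
    # Every field the service signs, in order. The empty strings are optional
    # parts this example does not use: stored access policy, IP range,
    # snapshot time, encryption scope and the five response-header overrides.
    return "\n".join([
        f["sp"], f["st"], f["se"], f"/blob/{account}/{container}/{blob}",
        "", "", f["spr"], f["sv"], f["sr"], "", "", "", "", "", "", "",
    ])


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_blob_sas(account, key_b64, container, blob, permissions, start, expiry,
                   https_only=True):
    """Return the SAS query string for a single blob (sr=b)."""
    f = {
        "sv": SERVICE_VERSION,
        "sr": "b",
        "sp": permissions,                      # "r", "rw", "rd", ...
        "st": _fmt(start),
        "se": _fmt(expiry),
        "spr": "https" if https_only else "https,http",
    }
    f["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, f))
    return urlencode(f)


def verify_blob_sas(account, key_b64, container, blob, query, scheme, op, now):
    """Re-derive the signature from the account key and enforce the
    constraints the token carries. Returns (allowed, reason)."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    try:
        expected = _sign(key_b64, _string_to_sign(account, container, blob, f))
    except KeyError:
        return False, "malformed token"
    if not hmac.compare_digest(expected, f.get("sig", "")):
        return False, "bad signature"         # any edited field fails here
    if scheme not in f["spr"].split(","):
        return False, "protocol not allowed"  # spr=https rejects plain HTTP
    if not _parse(f["st"]) <= now < _parse(f["se"]):
        return False, "outside validity window"
    if op not in f["sp"]:
        return False, "permission not granted"
    return True, "ok"


def demo():
    """Exercise the checks; returns the reason string for each scenario."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    sas = build_blob_sas(ACCOUNT_NAME, ACCOUNT_KEY, "reports", "q1.pdf", "r",
                         now - timedelta(minutes=5), now + timedelta(hours=1))
    args = (ACCOUNT_NAME, ACCOUNT_KEY, "reports", "q1.pdf")
    return {
        "read_https": verify_blob_sas(*args, sas, "https", "r", now)[1],
        "read_http": verify_blob_sas(*args, sas, "http", "r", now)[1],
        "write": verify_blob_sas(*args, sas, "https", "w", now)[1],
        "expired": verify_blob_sas(*args, sas, "https", "r",
                                   now + timedelta(hours=2))[1],
        # Holder edits sp=r to sp=rw in the URL: the signature no longer matches.
        "escalated": verify_blob_sas(*args, sas.replace("sp=r&", "sp=rw&"),
                                     "https", "w", now)[1],
        # Same token presented for a different blob: the signed resource differs.
        "other_blob": verify_blob_sas(ACCOUNT_NAME, ACCOUNT_KEY, "reports",
                                      "q2.pdf", sas, "https", "r", now)[1],
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:10s} {reason}")
```

The point of the verifier half is what it implies for the holder of a SAS: every restriction (permissions, window, protocol, resource) is inside the signed string, so none of them can be loosened without the account key, while the key holder can mint any SAS at all. That is why the key itself is the credential to protect, and why rotating it invalidates every SAS signed with it.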

In-transit encryption for Azure Files (SMB)

  • SMB 2.1 does not support encryption, so SMB 2.1 connections are only allowed from within the same Azure region as the share.
  • SMB 3.0 supports encryption, which is why it is the version permitted for cross-region and on-premises access to a share.

Encryption on the client side

  • Encrypt data on the client before sending it to Azure Storage, so the service only ever holds ciphertext.
  • After retrieving the data from Azure, decrypt it on the client; the decryption keys never leave the client's control.


Cross-Origin Resource Sharing (CORS)

A cross-origin HTTP request is one a web browser makes from a page on one origin for a resource located on another domain. Browsers block such requests unless the target explicitly allows the calling origin.

Azure Storage supports CORS. For each storage account, and separately for each service (blob, queue, table, file), we can define rules listing the origins that may call it, together with the allowed HTTP methods, the request headers they may send, the response headers exposed to the page, and how long the browser may cache the preflight result. CORS only tells the browser whether to let the page make the call; the request itself must still be authorized with Azure AD, a SAS or a key, so a CORS rule is never a substitute for authorization, and an allowed-origin wildcard should be avoided because it lets any site on the internet script requests against the account.
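As an added example (not code from the original article), the following evaluates a browser preflight against a list of CORS rules so the difference between a permissive rule and a tight one is visible in working code. The rule fields mirror the CorsRule element of the storage service properties (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposedHeaders, MaxAgeInSeconds); the matching is a simplified model of the documented behaviour (first rule whose origin, method and request headers all match wins; "*" allows any origin; a header entry ending in "*" is a prefix match), and the origins and requests are constructed.

```python
"""Evaluate a browser preflight against Azure Storage style CORS rules.

Added example, not code from the original article. Field names follow the
CorsRule element of the service properties; matching is a simplified model
of the documented behaviour. All origins and requests are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CorsRule:
    allowed_origins: list                  # exact origins, or ["*"]
    allowed_methods: list                  # e.g. ["GET", "HEAD"]
    allowed_headers: list = field(default_factory=list)
    exposed_headers: list = field(default_factory=list)
    max_age_in_seconds: int = 0            # preflight cache lifetime


def _header_allowed(name, patterns):
    """A pattern is '*', an exact header name, or a prefix ending in '*'."""
    name = name.lower()
    for p in (p.lower() for p in patterns):
        if p == "*" or p == name or (p.endswith("*") and name.startswith(p[:-1])):
            return True
    return False


def match_preflight(rules, origin, method, request_headers=()):
    """Return the first rule that admits this preflight, or None, in which
    case the browser receives no CORS headers and blocks the call."""
    for r in rules:
        origin_ok = "*" in r.allowed_origins or origin in r.allowed_origins
        method_ok = method.upper() in {m.upper() for m in r.allowed_methods}
        headers_ok = all(_header_allowed(h, r.allowed_headers) for h in request_headers)
        if origin_ok and method_ok and headers_ok:
            return r
    return None


# Weak setting: any site may script reads, writes and deletes through a user's browser.
WEAK_RULES = [CorsRule(["*"], ["GET", "PUT", "DELETE"], ["*"], ["*"], 3600)]

# Corrected setting: one first-party origin, read-only, only the headers the app sends.
TIGHT_RULES = [CorsRule(["https://app.example.com"], ["GET", "HEAD"],
                        ["x-ms-blob-type", "x-ms-version"], ["x-ms-meta-*"], 300)]


def demo():
    """Returns, per scenario, whether the preflight would be admitted."""
    evil, app = "https://evil.example", "https://app.example.com"
    return {
        "weak_any_origin_put": match_preflight(WEAK_RULES, evil, "PUT") is not None,
        "tight_evil_get": match_preflight(TIGHT_RULES, evil, "GET") is not None,
        "tight_app_get": match_preflight(
            TIGHT_RULES, app, "GET", ["x-ms-version"]) is not None,
        "tight_app_put": match_preflight(TIGHT_RULES, app, "PUT") is not None,
        "tight_app_extra_header": match_preflight(
            TIGHT_RULES, app, "GET", ["x-ms-meta-secret"]) is not None,
    }


if __name__ == "__main__":
    for scenario, admitted in demo().items():
        print(f"{scenario:24s} {'admitted' if admitted else 'blocked'}")
```

Even the tight rule set does not grant access to any data; a page on app.example.com still needs a SAS or an Azure AD token in its requests. What the rule set changes is which pages the browser lets attempt the call at all.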


Summary

In this article, we learned that Azure storage security focuses on five key areas: the management plane, the data plane, encryption in transit, client-side encryption and CORS. In our next article, we will learn about the Azure File Storage service.


IFS R&D INTERNATIONAL (PRIVATE) LIMITED, Enterprise Software Company, Sweden