How To Secure Azure Storage Account


Azure Storage accounts give an abundance of security options that ensure your cloud-based informational data. Azure services like Blob storage, Files share, Table storage, and Data Lake Store all expand on Azure Storage. Because of this establishment, the services profit by the fine-grained security controls in Azure Storage.
How To Secure Azure Storage Account
From here you can know more about azure storage, click on the below link,

Explore Azure Storage security features

It depends intensely on huge measures of data in Azure Storage. The numerous applications by them depend on,
  1. blobs,
  2. unstructured table storage,
  3. Azure Data Lake, and
  4. Server Message Block (SMB)- based document shares.
As Data consultant, you guarantee the network administrator that Azure Storage accounts give a few significant level security benefits for the information in the cloud:
  • Protect the information very still
  • Protect the information on the way
  • Support program cross-domain access
  • Control who can get information
  • Audit storage access
Role-based access control
To access data in a storage account, the customer makes a request over HTTP or HTTPS. Every request to an authorized resource ensuring the client gets the permissions required to access the data. The most viable option is role-based access.
Azure Active Directory and role-based access control (RBAC) are supported by Azure Storage for resource management and data operations. RBAC are assigned roles for securing principals and configuration. Active Directory is supported for data operations on Blob and Queue storage. 
CORS support
Cross-origin resource sharing (CORS) supports the cross-domain access for Azure Storage. CORS uses HTTP headers allowing web applications at one domain to access information from a server of different domains allowing apps to load authorized data from the authorized domain. 
Encryption at rest
Storage Service Encryption (SSE) consequently encodes all the data written to Azure Storage with a 256-bit Advanced Encryption Standard (AES) cipher, and is FIPS 140-2 agreeable. SSE consequently encodes information when composing it to Azure Storage. At the point when someone reads the data from Azure Storage, Azure Storage unscrambles and decryptes the data prior to bringing it back. This procedure brings about no extra charges and doesn't debase the performance. It can't be disabled.
For virtual machines (VMs), Azure allows to scramble and encrypt virtual hard disks (VHDs) by utilizing Azure Disk Encryption. This encryption utilizes BitLocker for Windows pictures, and it utilizes dm-sepulcher for Linux.
Azure Key Vault stores the keys naturally to help control and deal with the disk encryption keys and privileged insights. So regardless of whether somebody gains admittance to the VHD picture and downloads it, they can't get to the information on the VHD.
Encryption in transit
Data can be kept secure by empowering transport-level security among Azure and the customer. Always use HTTPS to secure correspondence over the public web. At the point when someone call the REST APIs to access objects in storage accounts, implement the use of HTTPS by requiring secure transfer for the storage account. After empowering secure transfer, connections that use HTTP will be denied. This flag will also authorize secure transfer over SMB by requiring SMB 3.0 for all record file share mounts.
CORS support is an optional flag you can enable on Storage accounts.
Auditing access
Auditing is another piece of examining and controlling access. You can review and audit Azure Storage access by utilizing the underlying Storage Analytics service.
Storage Analytics logs each operation progressively, and you can look through the Storage Analytics logs for explicit solicitations. Filter dependent on the confirmation instrument i.e, authentication mechanism, the achievement of the activity, or the asset that was gotten to.

Understand storage account keys

Azure Storage accounts can make approved authorized apps in Active Directory to control access to the data in blobs and queues. This verification approach is the best.
One can use a shared key, or shared secret for different storage models. This authentication alternative is one of the easiest to use, and it supports blobs, files, queues, and tables. The shared key in the HTTP Authorization is embedded on header of each request, and the Storage account validates the key.
Storage account keys
In Azure Storage accounts, shared keys are called storage account keys.
Two Keys that are created by Azure for storage account are,
  • Primary
  • Secondary
The keys give access to everything in the account.
You'll find the storage account keys in the Azure portal view of the storage account. Just select Settings > Access keys.
How To Secure Azure Storage Account
Protect shared keys
The keys of the storage account gives full access to the account. Use these keys should be done with trusted in-house applications that can be controlled totally.
On the off chance that the keys are compromised, change the key values in the Azure portal.
How to recover your storage account keys?
  • Recover keys occasionally.
  • If someone hacks into an application, gets the key that was hard-coded or saved in a setup record, recover the key.
  • If your group is using a Storage Explorer application that keeps the storage account key, and one of the colleagues leaves, recover the key.
How to refresh keys?
  • Change each trusted application to use the secondary key.
  • Refresh the primary key in the Azure portal. It is worthy as the new secondary key.

Understand shared access signatures

Shared access signature (SAS) is used for non-trustworthy clients. A SAS is a string that contains a security token that can be appended to a URI. Using SAS to assign access to storage objects and specify constraints.
For instance, a SAS token can be given to the customer, for uploading pictures to a document system in Blob storage. A web application permission can be permitted to peruse those pictures. This will permit just the access that the application needs to do the task.
Types of shared access signatures
Service-level SAS is used to permit access to specific resources in a storage account. This used for instance, to permit an application to recover a list of files in a document system. Use of account-level SAS permits access to service-level SAS allows and extra resources-abilities. Accounts that store user data have two commonplace designs,
  • In any case, if the service must deal with a lot of data or high-volume transactions, you may think that its convoluted or expensive to scale this service to coordinate with the request. Clients transfer and download data through a front-end intermediary service, which performs confirmation. This front-end intermediary service has the benefit of permitting approval of business rules.

  • A lightweight service authenticates the customer, as required. Then, it generates a SAS. In the wake of getting the SAS, the customer can access storage account resources straightforwardly.

Control network access to your storage account

Naturally, storage accounts acknowledge connections from clients on any network. To restrict access to selected networks, change the default activity.
Changing network rules can affect your application's ability to connect to Azure Storage. If you set the default network rule to deny, you'll block all access to the data unless specific network rules grant access. Before you change the default rule to deny access, be sure to use network rules to grant access to any allowed networks.
Manage default network access rules
Default network access rules for storage accounts across Azure portal, PowerShell, or the Azure CLI.
Steps to change default network access,
  • Go to the storage account you need to secure.
  • Select Networking.
  • Select Selected networks for restricting traffic from selected networks and select All networks for permitting traffic from all networks.
  • Select Save.

    How To Secure Azure Storage Account

Understand advanced threat protection for Azure Storage

An additional layer of security knowledge is provided for Azure Defender Storage that detects unusual and conceivably unsafe attempts to access or endeavor storage accounts. This layer permits addressing problems without being a security master or overseeing security monitoring systems.
Anomalies in activity trigger security alerts. Integrated with Azure Security Center security alerts are also sent via email to subscription administrators, with details of suspicious activity and recommendations on how to investigate and commence threats.
Azure Defender for Storage is presently accessible for Blob storage, Azure Files, and Azure Data Lake Storage Gen2. Accounts supporting Azure Defender incorporate general-purpose v2, block blob, and Blob storage accounts. Azure Defender for Storage is accessible in all public clouds and US government clouds, however not in other sovereign or Azure Government cloud regions.
Using both the Azure Blob storage APIs and the Data Lake Storage APIs with accounts with progressive namespaces empowered for Data Lake Storage support transactions. Transactions over SMB are supported by Azure File Shares.
Turn on Azure Defender for Storage in the Azure portal by the configuration page of the Azure Storage account. Steps for the following are,
  1. Launch the Azure portal.
  2. Navigate to your storage account. Under Settings, select Advanced security.
  3. Select Enable Azure Defender for Storage.

    How To Secure Azure Storage Account
Explore security anomalies
You will receive an email about the suspicious security event in case of any storage activities anomalies happen. These events can be,
  • Nature of the anomaly
  • Storage account name
  • Event time
  • Storage type
  • Potential causes
  • Investigation steps
  • Remediation steps
Azure Security Center's Security alerts tile helps you review and manage your current security alerts. Selecting a specific alert provides details and actions for investigating the current threat and addressing future threats.

Explore Azure Data Lake Storage security features

Azure Data Lake Storage Gen2 allows enterprises to combine their data, based on Azure Blob storage, it inherits the entirety of the security features.
Access control lists (ACLs) which is POSIX-consistent are enabled alongside role-based access control (RBAC), Azure Data Lake Storage Gen2 restricting access to just approved users, groups, or service principals. Azure Data Lake Storage Gen2 authenticates through Azure Active Directory OAuth 2.0 breaker tokens allowing flexible authentication schemes.
All the more significantly, these verification schemes are incorporated into the primary analytics services that use the data. These services incorporate Azure Databricks, HDInsight, and Azure Synapse Analytics. The board tools, such as Azure Storage Explorer, are also included. After verification finishes, permissions are applied.
The Azure Storage end-to-end encryption of data and transport layer protections complete the security shield for an enterprise data lake. The complete security of your analytics pipelines is the result of the same set of analytics engines and tools exploiting these extra layers of insurance.


Azure Storage provides a layered security model. Use this model to secure your storage accounts to a specific set of supported networks. When you set up network rules, only applications that request data over the specified networks can access your storage account.
Authorization is supported by a public preview of Azure Active Directory credentials (for blobs and queues), a valid account access key, or a shared access signature (SAS) token. Data encryption is enabled by default, and you can proactively monitor systems by using Advanced Threat Protection.
Here you can read these articles too,