Securing your Azure Storage accounts


This post was originally published here by Gregg Rodriguez.

Enterprise data is growing exponentially and becoming more complex, making it harder to manage and an even bigger challenge to store. That’s why more organizations are looking to public cloud storage options, such as Azure Storage, as a way to get the scalability, durability, maintenance and accessibility they need to stay competitive: benefits that are often difficult to get from on-premises data centers. While the benefits are significant, securing your Azure Storage accounts requires additional focus and responsibility.

The growing popularity is expected to send the cloud storage market soaring to over $112 billion by 2022, from a 2015 total of $18.9 billion, according to Stratistics MRC.

What is Azure Storage?

Azure Storage is part of Microsoft’s cloud solution for many modern data storage scenarios. It offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

Storage in Azure can be broadly classified into two categories based on the type of data that you are going to store, either relational or non-relational data storage.

Among its many beneficial features, Azure Storage can support both legacy application development using Azure SQL and modern application development using Azure No-SQL.

Azure Storage includes the following data services which are accessed through a storage account:

  • Azure Blobs: A massively scalable object store for text and binary data.
  • Azure Files: Managed file shares for cloud or on-premises deployments.
  • Azure Queues: A messaging store for reliable messaging between application components.
  • Azure Tables: A NoSQL store for schemaless storage of structured data.

What are the risks to misconfigured Azure Storage accounts?

  • Secure transfer: If the secure transfer option is not enabled, requests over unencrypted (non-HTTPS) connections are still accepted, so you cannot guarantee that data in transit is protected.
  • Data encryption: If storage service encryption is not enabled, your data will not be protected at rest.
  • Storage Account Access: If your storage account access keys are not regenerated periodically, any key that has been inadvertently exposed or accessed remains valid indefinitely.
  • File Service encryption: If storage service encryption is not enabled for File Service, your data will not be encrypted at rest.
  • Private access to Blob Containers: If the public access level of your blob containers is not set to Private, you risk exposing access to your account keys and blob containers.

Securing the cloud requires a new approach

Public cloud computing requires a new approach to security. In the Azure environment, Microsoft provides a secure foundation across physical, infrastructure, and operational security, while you maintain responsibility for protecting the security of your application workloads, data, identities, on-premises resources, and all the cloud components that you control. This is referred to as the “Shared Responsibility Model.”

To ensure the security of your cloud computing resources, it’s important you fulfill your end of the shared responsibility model by using and configuring services, such as Azure Storage accounts, correctly.

The good news: You can protect your cloud attack surface by applying best practices for securing your cloud services and by using a security solution that offers the most comprehensive security visibility coverage for Azure.

How Halo Cloud Secure can help

Halo Cloud Secure can help you ensure that:

  • Secure transfer required is set to ‘enabled’ to ensure data encryption in transit.
    • The secure transfer option enhances the security of your storage account by only allowing requests to the storage account from a secure connection.
  • Storage service encryption is set to ‘enabled’ to ensure data encryption at rest for blobs.
    • Azure Storage encrypts your data as it’s written in its data centers, and automatically decrypts it for you as you access it.
  • Storage account access keys are periodically regenerated.
    • Rotating these keys periodically limits the impact of any inadvertent access or exposure, because an exposed key stops working as soon as it is regenerated.
  • Storage service encryption is set to ‘enabled’ for File Service to protect your data at rest.
    • Azure Storage encrypts your data as it’s written in its data centers, and automatically decrypts it for you as you access it.
  • Public access level is set to Private for blob containers, which disables anonymous access to them.
    • Azure Blob storage lets you enable anonymous, public read access to a container and its blobs, granting read-only access to those resources without sharing your account key and without requiring a shared access signature. Setting the access level to Private turns that anonymous access off, so only authenticated requests succeed.
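The two lists above (the misconfiguration risks and the checks Halo Cloud Secure performs) boil down to a handful of properties on the storage account and its containers. The script below is an added example, not code from the original post or from Halo Cloud Secure: it audits those properties offline against the JSON shape that `az storage account show` and `az storage container list` return (`supportsHttpsTrafficOnly`, `encryption.services.blob/file.enabled`, `keyCreationTime`, `allowBlobPublicAccess`, and each container's `publicAccess`). The account and container records are constructed samples, the 90-day key age limit is an assumed policy value, and the fixed clock exists only so the output is reproducible.

```python
"""Audit an Azure Storage account for the misconfigurations listed in the post.

Added example, not from the original post or from Halo Cloud Secure. The input
follows the JSON returned by `az storage account show` / `az storage container
list`; the records below are constructed samples, not real accounts.
"""
import copy
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; set to what your policy requires

# Fixed clock so the sample findings are reproducible (constructed value).
SAMPLE_NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

# Constructed sample: one deliberately misconfigured account, trimmed to the
# fields this audit reads.
SAMPLE_ACCOUNT = {
    "name": "examplestorage001",
    "supportsHttpsTrafficOnly": False,          # secure transfer not required
    "allowBlobPublicAccess": True,              # containers may be made public
    "encryption": {
        "services": {
            "blob": {"enabled": True},          # blobs encrypted at rest
            "file": {"enabled": False},         # file shares are not
        }
    },
    "keyCreationTime": {
        "key1": "2019-01-15T00:00:00+00:00",    # never rotated in 137 days
        "key2": None,                           # no recorded creation time
    },
}

# Constructed sample containers; publicAccess is None, "blob" or "container".
SAMPLE_CONTAINERS = [
    {"name": "backups", "properties": {"publicAccess": None}},
    {"name": "website", "properties": {"publicAccess": "container"}},
    {"name": "images", "properties": {"publicAccess": "blob"}},
]


def _parse_time(value):
    """Parse the ISO-8601 timestamps the CLI emits; None when the field is absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_account(account, containers, now=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (check_id, message) findings; an empty list means compliant."""
    now = now or datetime.now(timezone.utc)
    findings = []

    # Secure transfer: plain HTTP is accepted unless this flag is true.
    if not account.get("supportsHttpsTrafficOnly", False):
        findings.append(("secure-transfer",
                         "Secure transfer required is disabled; unencrypted requests are accepted."))

    # Storage service encryption for blobs and file shares.
    services = account.get("encryption", {}).get("services", {})
    for svc in ("blob", "file"):
        if not services.get(svc, {}).get("enabled", False):
            findings.append((f"{svc}-encryption",
                             f"Storage service encryption is not enabled for the {svc} service."))

    # Access key rotation: flag keys older than the policy limit or with no recorded age.
    key_times = account.get("keyCreationTime") or {}
    for key_name in ("key1", "key2"):
        created = _parse_time(key_times.get(key_name))
        if created is None:
            findings.append((f"{key_name}-age-unknown",
                             f"{key_name} has no recorded creation time; regenerate it to start tracking its age."))
        elif now - created > timedelta(days=max_key_age_days):
            findings.append((f"{key_name}-stale",
                             f"{key_name} is {(now - created).days} days old (limit {max_key_age_days})."))

    # Account-level switch; older API versions omit it, so treat absent as allowed.
    if account.get("allowBlobPublicAccess", True):
        findings.append(("public-access-allowed",
                         "Account-level setting allows containers to be made public."))

    # Per-container public access level; anything other than Private is a finding.
    for c in containers:
        level = (c.get("properties", {}).get("publicAccess") or "").lower()
        if level in ("blob", "container"):
            findings.append(("public-container",
                             f"Container '{c['name']}' has public access level '{level}'; set it to Private."))

    return findings


def run_sample():
    """Audit the constructed misconfigured account at the fixed clock."""
    return audit_account(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS, now=SAMPLE_NOW)


def run_sample_fixed():
    """The same account after remediation: every finding above should disappear."""
    fixed = copy.deepcopy(SAMPLE_ACCOUNT)
    fixed["supportsHttpsTrafficOnly"] = True
    fixed["allowBlobPublicAccess"] = False
    fixed["encryption"]["services"]["file"]["enabled"] = True
    fixed["keyCreationTime"] = {"key1": "2019-05-20T00:00:00+00:00",
                                "key2": "2019-05-21T00:00:00+00:00"}
    containers = [dict(c, properties={"publicAccess": None}) for c in SAMPLE_CONTAINERS]
    return audit_account(fixed, containers, now=SAMPLE_NOW)


if __name__ == "__main__":
    for check, msg in run_sample():
        print(f"[{check}] {msg}")
    print("after remediation:", run_sample_fixed() or "no findings")
```

To run it against a real account, feed `audit_account` the parsed output of `az storage account show -n <account> -g <group>` and `az storage container list --account-name <account>` instead of the constructed samples; the checks map one-to-one onto the bullets above, so each finding tells you which setting to correct.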
