Table of contents
1. Introduction
2. Azure Storage Security
2.1. Management plane security
2.2. Data Plane security
2.3. Encryption in transit
2.4. Encryption at rest
2.5. CORS (Cross-Origin Resource Sharing)
3. Frequently Asked Questions
3.1. What is Microsoft Azure?
3.2. What are the five major areas of Azure Storage Security?
3.3. What are the two implementation methods for encryption at rest?
3.4. What is management plane security in Azure Storage Security?
3.5. What is Data plane security? What are the ways to implement data plane security?
4. Conclusion
Last Updated: Mar 27, 2024

Azure Storage Security

Author Teesha Goyal

Introduction

Microsoft Azure is Microsoft's public cloud computing platform, formerly Windows Azure. It offers computation, analytics, storage, networking, and other cloud services.

This article discusses Azure Storage Security and walks through its five major areas.


Azure Storage Security

Data stored in Azure Storage is often confidential, so securing it is essential. Azure provides a number of security features that integrate with your storage account to keep that data protected. There are five significant areas of Azure Storage security:

  • Management plane security
  • Data Plane security
  • Encryption in transit
  • Encryption at rest
  • CORS (Cross-Origin Resource Sharing)

Management plane security

It is also referred to as the control plane. It covers the operations that control who can manage Azure Storage resources; it applies to the storage account itself and supports role-based access control (RBAC).

Every Azure subscription is associated with an Azure Active Directory tenant, which holds users, groups, and applications. Access is granted by assigning permissions to roles and roles to users (or groups and applications); the role assigned determines the level of access. In this way the administrator can ensure that data is secured and that every access is authorized.

Through the management plane we cannot control access to individual data objects; we can only control operations on the storage account itself. However, since the storage account keys grant access to every data object in the account, a user who is permitted to read the storage account keys effectively gains access to the data objects as well, so the right to list keys must be treated as a data-access permission.

Some default or in-built roles are available, for example, owner, contributor, reader, etc. Each of the in-built roles has specific permissions associated with it. You can create new customized roles by selecting the permissions or access rights you want to assign to that role. Further, these roles can be assigned to users, and the user gets all the permissions associated with the role assigned to it.
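The separation described above, control-plane roles on one side and data access on the other, with the list-keys right bridging the two, is easiest to see in a small evaluation model. The following is an added example, not Azure's own authorization code: the role definitions are simplified excerpts of the built-in Owner, Contributor, Reader and Storage Blob Data Reader roles (assumed to be representative for this purpose), and the evaluation follows the documented semantics, where an operation is allowed if some assigned role's Actions (control plane) or DataActions (data plane) match it and no NotActions/NotDataActions of that same role exclude it.

```python
"""Toy model of Azure RBAC evaluation for a storage account (added example)."""
from fnmatch import fnmatchcase

# Simplified built-in role definitions; assumed excerpts for illustration only.
ROLES = {
    "Owner": {
        "Actions": ["*"], "NotActions": [],
        "DataActions": [], "NotDataActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "DataActions": [], "NotDataActions": [],
    },
    "Reader": {
        "Actions": ["*/read"], "NotActions": [],
        "DataActions": [], "NotDataActions": [],
    },
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
    },
}

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"          # control plane
READ_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"  # data plane


def _matches(patterns, action):
    # Azure action strings are case-insensitive and '*' may span '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name, action, data_action=False):
    """A single role permits an action if its allow list matches and its deny list does not.
    Control-plane Actions never satisfy a data-plane operation, and vice versa."""
    role = ROLES[role_name]
    allow, deny = (("DataActions", "NotDataActions") if data_action
                   else ("Actions", "NotActions"))
    return _matches(role[allow], action) and not _matches(role[deny], action)


def is_allowed(assignments, action, data_action=False):
    """Azure RBAC is additive: any one assigned role granting the action is enough."""
    return any(role_permits(r, action, data_action) for r in assignments)


def can_read_blob_data(assignments):
    """Two routes to blob contents: an Azure AD data-plane role, or the control-plane
    right to list the account keys (which then authorize everything in the account)."""
    return {
        "via_azure_ad": is_allowed(assignments, READ_BLOB, data_action=True),
        "via_account_keys": is_allowed(assignments, LIST_KEYS),
    }


if __name__ == "__main__":
    for roles in (["Reader"], ["Contributor"], ["Storage Blob Data Reader"]):
        print(roles, can_read_blob_data(roles))
```

The point the model makes: a Reader sees account metadata but no data; a Contributor has no data-plane rights at all, yet reaches every blob through list-keys; and the Storage Blob Data Reader reaches blobs only through Azure AD, with no way to obtain the keys. Auditing who holds list-keys therefore matters as much as auditing data-plane roles.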

Data Plane security

Data Plane Security provides operations to secure the data objects. Data objects can be blobs, queues, tables, and files. There are three ways in which you can restrict who has access to the data objects in the storage account. They are: 

  • Azure Active Directory: It authorizes access to containers and queues. Compared with the other authorization methods, Azure Active Directory has the advantage that no secrets need to be stored in your code.
     
  • Storage account keys: They authorize access to all data objects in a storage account.
     
  • Shared Access Signatures: A SAS grants access to particular data objects for a specific period of time. It can also limit the access level, for example read-only, update, or delete. From these settings a SAS key is generated that can be shared with users to give them exactly the desired access. 
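To show what a SAS actually is, here is an added example that mints and verifies a service SAS for one blob using only the Python standard library. It is not the Azure SDK: the string-to-sign layout follows Microsoft's documented format for a service SAS of version 2020-12-06 (sixteen newline-separated fields, HMAC-SHA256 under the base64-decoded account key), and the account name, container, blob name and SAMPLE_KEY are constructed values. Because the signature is keyed with the account key, anyone who can read that key can mint any SAS, which is why the previous section treats list-keys as a data-access right.

```python
"""Service SAS for a single blob, standard library only (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
# Constructed sample key, not a real account key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")


def _sign(account_key_b64: str, string_to_sign: str) -> str:
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def _string_to_sign(account, container, blob, permissions, start, expiry):
    fields = [
        permissions,                            # signedPermissions, e.g. "r"
        start,                                  # signedStart (ISO 8601, UTC)
        expiry,                                 # signedExpiry
        f"/blob/{account}/{container}/{blob}",  # canonicalizedResource
        "",                                     # signedIdentifier (no stored access policy)
        "",                                     # signedIP (no IP restriction)
        "https",                                # signedProtocol
        SAS_VERSION,                            # signedVersion
        "b",                                    # signedResource: a single blob
        "",                                     # signedSnapshotTime
        "",                                     # signedEncryptionScope
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct overrides
    ]
    return "\n".join(fields)


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry) -> str:
    """Mint the SAS query string. Every claim the service enforces is covered by the
    signature, so a holder cannot widen the permissions or extend the expiry."""
    sig = _sign(key_b64, _string_to_sign(account, container, blob, permissions, start, expiry))
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": start,
                      "se": expiry, "spr": "https", "sig": sig})


def verify_blob_sas(account, key_b64, container, blob, sas_query) -> bool:
    """Recompute the signature from the token's own claims, as the service does,
    and compare in constant time."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    expected = _sign(key_b64, _string_to_sign(account, container, blob, q["sp"], q["st"], q["se"]))
    return hmac.compare_digest(expected, q["sig"])


if __name__ == "__main__":
    token = make_blob_sas("examplestore", SAMPLE_KEY, "reports", "q1.csv", "r",
                          "2024-03-27T00:00:00Z", "2024-03-27T01:00:00Z")
    print(token)
    print("valid:", verify_blob_sas("examplestore", SAMPLE_KEY, "reports", "q1.csv", token))
```

Keep the permissions string minimal (here read-only) and the expiry short; a SAS that is leaked stays valid until it expires or the signing key is rotated, and rotating the key invalidates every SAS minted with it.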

Encryption in transit

It is a mechanism for protecting data while it is being transferred from one layer or component to another. 

It is achieved by enabling Transport Layer Security (TLS), which prevents anyone on the network path from reading or tampering with messages while they are on the wire. As a result, it contributes to maintaining data integrity and ensures that the data is safe and protected in transit.

Data is encrypted when it leaves one layer and decrypted when it is received, so it is never exposed in plaintext between them; on the client side, it is decrypted on retrieval.

Encryption at rest

Encryption is the process of ciphering data to ensure its confidentiality. Encryption at rest ensures that stored data cannot be read even if malicious users gain access to the underlying storage. 

To keep stored data encrypted and secured, the majority of Azure designs use symmetric encryption, meaning the same key is used to encrypt and decrypt the data. Azure services handle key management transparently, and Azure also lets you manage the encryption keys yourself.

There are three main components of encryption at rest. They are:

  • Azure Key Vault: It is advised to store the keys securely in an Azure Key Vault so that only authorized users can access them.
     
  • Azure AD: Azure's identity and access management solution is Azure Active Directory. Azure Active Directory accounts may be granted access to keys kept in the Azure Key Vault, either to manage them or to perform the encryption and decryption used for encryption at rest.
     
  • Encryption keys: Storing the encryption keys in the Key Vault centralizes all of the keys in one place, and limiting access to them reduces the attack surface. Azure services can be given access to the Key Vault so that they read the key and encrypt the data automatically. Two kinds of keys are used: data encryption keys (DEKs), which encrypt the data, and key-encryption keys (KEKs), which encrypt the DEKs.


There are two implementation methods for encryption at rest. They are:

  • Server-Side Encryption Model
  • Client-Side Encryption Model
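The DEK/KEK split from the "Encryption keys" item and the client-side model listed just above come together in envelope encryption, shown here as an added example written with the `cryptography` package. It is not the Azure SDK's client-side encryption feature: FAKE_KEY_VAULT is a constructed stand-in for Key Vault (in Azure the KEK never leaves the vault and wrap/unwrap are vault operations), and the object names and contents are constructed. Each object gets its own DEK, the DEK is wrapped under the KEK with AES key wrap, and rotating the KEK only re-wraps the DEK, leaving the ciphertext untouched.

```python
"""Envelope encryption with a per-object DEK wrapped by a vault-held KEK (added example)."""
import base64
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# Constructed stand-in for Azure Key Vault: key id -> raw 256-bit KEK.
FAKE_KEY_VAULT = {
    "kek-2024-v1": bytes(range(32)),
    "kek-2024-v2": bytes(range(32, 64)),
}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def encrypt_object(name: str, plaintext: bytes, kek_id: str) -> dict:
    """Encrypt one object with a fresh DEK, then wrap the DEK under the named KEK.
    The object name is bound as associated data so a record cannot be renamed."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, name.encode("utf-8"))
    wrapped_dek = aes_key_wrap(FAKE_KEY_VAULT[kek_id], dek)
    return {"name": name, "kek_id": kek_id, "wrapped_dek": _b64(wrapped_dek),
            "nonce": _b64(nonce), "ciphertext": _b64(ciphertext)}


def decrypt_object(record: dict) -> bytes:
    """Unwrap the DEK with the KEK the record names, then decrypt the contents.
    Without access to that KEK (KeyError or InvalidUnwrap) the data is unreadable."""
    kek = FAKE_KEY_VAULT[record["kek_id"]]
    dek = aes_key_unwrap(kek, _unb64(record["wrapped_dek"]))
    return AESGCM(dek).decrypt(_unb64(record["nonce"]), _unb64(record["ciphertext"]),
                               record["name"].encode("utf-8"))


def rotate_kek(record: dict, new_kek_id: str) -> dict:
    """Re-wrap the DEK under a new KEK. The ciphertext is not touched, so rotating
    the vault key does not require re-reading or re-writing the stored data."""
    dek = aes_key_unwrap(FAKE_KEY_VAULT[record["kek_id"]], _unb64(record["wrapped_dek"]))
    return {**record, "kek_id": new_kek_id,
            "wrapped_dek": _b64(aes_key_wrap(FAKE_KEY_VAULT[new_kek_id], dek))}


def can_decrypt(record: dict) -> bool:
    """True if the record can be opened with the keys this process can reach."""
    try:
        decrypt_object(record)
        return True
    except Exception:  # KeyError (no such KEK) or InvalidUnwrap / InvalidTag
        return False


if __name__ == "__main__":
    rec = encrypt_object("report.csv", b"secret rows", "kek-2024-v1")
    rec = rotate_kek(rec, "kek-2024-v2")
    print(decrypt_object(rec))
```

The same structure applies to the server-side model; the difference is only where the wrapping happens (in the client process here, inside the storage service there). In both cases the stored blob carries only the wrapped DEK, so a copy of the storage media without vault access yields nothing.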

CORS (Cross-Origin Resource Sharing)

CORS is the mechanism by which a web browser running a page from one domain makes HTTP requests for resources located on another domain. Azure Storage lets us enable CORS. 

For each storage account we can specify the domains that are allowed to access its resources. CORS only relaxes the browser's same-origin restriction; it does not authenticate the request, so private storage resources still have to be accessed with SAS keys.

CORS is turned off by default for all services. Using the Azure portal or PowerShell, we can enable it and define the domains from which requests for the data in your storage account will originate.
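The rule evaluation described above, as an added example rather than the service's own code: it takes a list of CORS rules in the shape Azure Storage uses (AllowedOrigins, AllowedMethods, AllowedHeaders, ExposedHeaders, MaxAgeInSeconds) and answers a browser preflight. Whether the origin is echoed verbatim for a "*" rule is a simplification of the service's behaviour; the two rule sets and the origins are constructed. An empty rule list models the default, CORS disabled.

```python
"""Azure Storage style CORS rule evaluation for a preflight request (added example)."""
from fnmatch import fnmatchcase

# Constructed rule sets. The weak one allows any origin; the corrected one lists
# the single first-party origin that should be calling the storage account.
PERMISSIVE_RULES = [{
    "AllowedOrigins": ["*"],
    "AllowedMethods": ["GET", "PUT", "DELETE"],
    "AllowedHeaders": ["*"],
    "ExposedHeaders": ["*"],
    "MaxAgeInSeconds": 3600,
}]

RESTRICTED_RULES = [{
    "AllowedOrigins": ["https://app.example.com"],
    "AllowedMethods": ["GET", "PUT"],
    "AllowedHeaders": ["x-ms-*", "content-type"],  # trailing '*' is a prefix match
    "ExposedHeaders": ["x-ms-request-id"],
    "MaxAgeInSeconds": 300,
}]


def _header_allowed(allowed_patterns, header_name):
    name = header_name.lower()
    return any(fnmatchcase(name, p.lower()) for p in allowed_patterns)


def preflight(rules, origin, method, request_headers):
    """Return the CORS response headers for the first rule that matches the Origin,
    allows the requested method and covers every requested header; None means the
    browser will block the cross-origin call. Rules are evaluated in order."""
    for rule in rules:
        if origin not in rule["AllowedOrigins"] and "*" not in rule["AllowedOrigins"]:
            continue
        if method.upper() not in (m.upper() for m in rule["AllowedMethods"]):
            continue
        if not all(_header_allowed(rule["AllowedHeaders"], h) for h in request_headers):
            continue
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": method.upper(),
            "Access-Control-Allow-Headers": ", ".join(request_headers),
            "Access-Control-Expose-Headers": ", ".join(rule["ExposedHeaders"]),
            "Access-Control-Max-Age": str(rule["MaxAgeInSeconds"]),
        }
    return None


if __name__ == "__main__":
    print(preflight(RESTRICTED_RULES, "https://app.example.com", "PUT",
                    ["x-ms-blob-type", "content-type"]))
    print(preflight(RESTRICTED_RULES, "https://other.example", "GET", []))
```

A matching rule only tells the browser it may send the request; the request itself is still authorized by the storage service exactly as it would be from any other client, so a page on an allowed origin still needs a SAS (or an Azure AD token) for anything that is not public.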

Frequently Asked Questions

What is Microsoft Azure?

Microsoft Azure is a leading cloud platform that lets you access the cloud services and resources provided by Microsoft. It provides various services, including computation, storage, analytics, and networking. 

What are the five major areas of Azure Storage Security?

The five major areas of Azure Storage Security are:

  • Management plane security
  • Data Plane security
  • Encryption in transit
  • Encryption at rest
  • CORS (Cross-Origin Resource Sharing)

What are the two implementation methods for encryption at rest?

Encryption at rest means ensuring that the data stored is kept protected and the integrity of data is maintained. There are two implementation methods for encryption at rest. They are:

  • Server-Side Encryption Model
  • Client-Side Encryption Model

What is management plane security in Azure Storage Security?

It is also referred to as the control plane. It covers the operations that control who can manage Azure Storage resources; it applies to the storage account itself and supports role-based access control (RBAC).

What is Data plane security? What are the ways to implement data plane security?

Data Plane Security provides operations to secure the data objects. Data objects can be blobs, queues, tables, and files. You can restrict who has access to the data objects in a storage account in three ways: 

  • Azure active directory
  • Storage account keys
  • Shared Access Signatures

Conclusion

This article discussed Azure Storage Security and its five major areas. To learn more about Microsoft Azure, visit Microsoft Azure on Coding Ninjas Studio.

I hope you would have gained a better understanding of these topics now!


Thank You

Happy Coding!
