Studies suggest that 83% of enterprise workloads will be in the cloud by 2020. While AWS has dominated the cloud market with a 67% adoption rate, its competitors are gaining ground. In 2018, Microsoft Azure reported a 58% adoption rate. According to the 2019 State of the Cloud Survey, Azure gained a further 2%, reaching 60% adoption in 2019.
The popularity of the cloud, while advantageous to many, also carries security risks such as data loss and data leaks. Companies that store data in a cloud environment should follow security practices to protect it. This article provides an overview of Microsoft Azure Storage security features and best practices for protecting your data in Azure.
What Is Azure Storage?
Azure Storage is Microsoft's cloud storage offering. It provides storage for data objects (blobs), files, messages, and NoSQL key-value data (Table storage). Some of the advantages of Azure Storage include:
- High availability—data is replicated within a region, and optionally to a paired region, so it remains available if hardware or a datacenter fails.
- Secure—Azure encrypts data at rest and in transit, and Role-Based Access Control (RBAC) lets you control who can manage and who can read or write your data.
- Scalable—capacity grows on demand; you add storage accounts, containers, or disks without provisioning hardware.
- Flexible—Microsoft provides client libraries for the major programming languages, including Python, Ruby, .NET, Java, and Node.js, on top of a REST API.
Azure Storage Types
Azure Storage offers four types of services, each designed for a different kind of data.
Blob Storage
An object storage solution designed for unstructured data. You can use Blob storage to serve images to a browser, to stream video, and to hold data for backup and restore.
File Storage
Azure File Storage (AFS) lets you set up network file shares accessible over the Server Message Block (SMB) protocol, so multiple VMs can mount the same share with read and write access.
Unlike an on-premises file share, AFS is reachable from anywhere via a URL (SMB clients need outbound port 445, which many ISPs block). For REST access, a Shared Access Signature (SAS) token grants time-limited, scoped access to sensitive assets without exposing the storage account key.
Queue Storage
Azure Queue Storage stores messages that are written and read through authenticated HTTP or HTTPS calls. A single message can be up to 64 KB, and a queue can hold millions of messages. Queue Storage is typically used to decouple application components: producers enqueue work items and consumers retrieve them asynchronously.
Disk Storage
Azure Disk Storage is a Virtual Hard Disk (VHD) service for VMs. You can choose between Solid State Drive (SSD) and Hard Disk Drive (HDD) backed disks. Disk Storage provides high availability by keeping three replicas of every disk, and it scales to 50,000 VM disks per subscription per region.
Security in Azure Storage
Azure provides a number of security services. One of them is Azure Security Center (since renamed Microsoft Defender for Cloud), a built-in, centralized security management system. It provides threat protection for cloud, hybrid, and on-premises workloads, and it surfaces security recommendations (also shown in Azure Advisor) for remediating insecure configurations, such as storage accounts that still accept unencrypted connections.
Azure provides key features for securing your data in storage. For example, a Shared Access Signature (SAS) is a signed query string appended to a storage URL that grants limited access to specific resources, with specific permissions, for a specific time window, without sharing the account key. Here are more security features you can take advantage of to secure data stored in Azure:
- Automated data encryption—Azure encrypts all data written to Azure Storage, including metadata, using Storage Service Encryption (SSE) with 256-bit AES. It is on by default and cannot be disabled.
- Role-Based Access Control (RBAC)—separate roles for resource management (the control plane) and data operations (the data plane). You assign a role to a security principal (user, group, or service principal) at a scope: a subscription, a resource group, a storage account, or an individual container or queue.
- Data in transit security—three options: HTTPS for REST calls, SMB 3.0 encryption for Azure Files shares, and client-side encryption, where data is encrypted before it leaves your application so the transport never carries plaintext.
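To make the SAS mechanism concrete, here is an added example (not code from the original article or from Microsoft's SDK) that mints a service SAS for one blob by hand, following the documented string-to-sign layout for storage service version 2018-11-09, and then reviews the token against a least-privilege policy. The account name, container, blob and key are constructed for the example; the signing helper mirrors what the SDK's generate_blob_sas does but keeps every signed field visible. The point it shows: a SAS is an HMAC over the permissions, expiry, protocol and IP range, so anyone holding the account key can mint any token, and a leaked long-lived write token is as bad as a leaked key.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Service SAS for a blob, signed with the string-to-sign layout of storage
# service version 2018-11-09 (fields in REST-documentation order, joined by
# newlines). Hand-written for illustration, not the SDK's generate_blob_sas().
SAS_VERSION = "2018-11-09"

# Constructed account key for the example only (real keys are 64 random
# bytes, shown base64-encoded in the portal). Never hard-code a real key.
DEMO_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_blob_sas(account, key_b64, container, blob, permissions, expiry,
                   start=None, protocol="https", ip_range=""):
    """Return the SAS query parameters for a single blob."""
    start_s = _iso(start) if start else ""
    expiry_s = _iso(expiry)
    fields = [
        permissions,                             # sp: r, w, d, l, ...
        start_s,                                 # st
        expiry_s,                                # se
        f"/blob/{account}/{container}/{blob}",   # canonicalized resource
        "",                                      # si: stored access policy id
        ip_range,                                # sip
        protocol,                                # spr: "https" or "https,http"
        SAS_VERSION,                             # sv
        "b",                                     # sr: b = blob
        "",                                      # snapshot time
        "", "", "", "", "",                      # rscc, rscd, rsce, rscl, rsct
    ]
    string_to_sign = "\n".join(fields)
    mac = hmac.new(base64.b64decode(key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256)
    params = {"sv": SAS_VERSION, "sr": "b", "sp": permissions,
              "se": expiry_s, "spr": protocol,
              "sig": base64.b64encode(mac.digest()).decode()}
    if start_s:
        params["st"] = start_s
    if ip_range:
        params["sip"] = ip_range
    return params


def sas_url(account, container, blob, params):
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?" + urlencode(params)


def review_sas(params, now, max_lifetime=timedelta(hours=1)):
    """Flag SAS parameters that violate a least-privilege policy.

    Returns a list of finding strings; an empty list means the token passes.
    """
    findings = []
    expiry = datetime.strptime(params["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expiry - now > max_lifetime:
        findings.append(f"lifetime {expiry - now} exceeds {max_lifetime}")
    if "http" in params.get("spr", "https").split(","):
        findings.append("plain HTTP allowed (spr should be https)")
    risky = set(params["sp"]) & set("wdac")   # write, delete, add, create
    if risky:
        findings.append("token grants mutating permissions: " + "".join(sorted(risky)))
    if "sip" not in params:
        findings.append("no IP range restriction (sip)")
    return findings


def demo(now=None):
    """Mint a least-privilege token and a sloppy one, and review both."""
    now = now or datetime.now(timezone.utc)
    good = build_blob_sas("contosostore", DEMO_KEY_B64, "reports", "q1.pdf", "r",
                          expiry=now + timedelta(minutes=15), ip_range="203.0.113.10")
    bad = build_blob_sas("contosostore", DEMO_KEY_B64, "reports", "q1.pdf", "rwd",
                         expiry=now + timedelta(days=365), protocol="https,http")
    return {"good": good, "bad": bad,
            "good_findings": review_sas(good, now), "bad_findings": review_sas(bad, now)}


if __name__ == "__main__":
    result = demo()
    print(sas_url("contosostore", "reports", "q1.pdf", result["good"]))
    print("good:", result["good_findings"] or "no findings")
    print("bad:", result["bad_findings"])
```

The review step is what a practitioner would wire into a code review or a log scanner: the "bad" token in the demo trips all four checks (one-year lifetime, HTTP permitted, write and delete rights, no source IP restriction), while the "good" one is read-only, expires in fifteen minutes, and is pinned to a single address.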
6 Security Best Practices
- Multi-factor authentication for administrator accounts
Applying Multi-Factor Authentication (MFA) to admin accounts ensures that a stolen password alone is not enough to take over the account. Without it, an attacker who compromises an admin account can create or delete resources, run up charges, and exfiltrate data or intellectual property.
- Enable “secure transfer required”
This setting rejects any request to the storage account that does not use an encrypted connection: REST calls over plain HTTP are refused, and SMB connections to Azure Files must use SMB 3.0 with encryption. It is a per-account setting, so audit every existing account rather than only new ones.
- Storage service encryption
Storage Service Encryption (SSE) encrypts data as it is written to the datacenter and transparently decrypts it when you read it back. It is enabled by default on every storage account and cannot be turned off, so the decision you actually make is key management: Microsoft-managed keys (the default) or customer-managed keys held in Azure Key Vault, which give you control over rotation and let you revoke access to the data by revoking the key.
- SQL database security practices
When using Azure SQL Database, follow these practices:
- Enable auditing—auditing tracks database events and writes them to an audit log in a storage account, a Log Analytics workspace, or an Event Hub. This helps you comply with regulations and gives you a record to investigate after an incident.
- Enable threat detection—threat detection raises alerts on anomalous activity such as potential SQL injection, access from unusual locations, or brute-force login attempts, so security staff can respond before an attacker escalates.
- Enable Transparent Data Encryption (TDE)—TDE encrypts the database files, transaction logs, and backups at rest and decrypts pages in memory on access. It is enabled by default for new Azure SQL databases; verify that it is on for databases created or migrated earlier.
- Minimize the number of admins
Each additional person in an admin role increases the exposure to insider threats and compromised credentials, so keep the number of admins to the minimum needed and prefer narrowly scoped roles (for example, a data-plane role on one storage account) over Owner at subscription scope.
- Do not grant permissions to external accounts
External (guest) accounts from other tenants may not be subject to your organization's password, MFA, and device policies, so granting them permissions on storage resources puts your data at risk. Review role assignments for guest principals periodically and remove any that are no longer needed.
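As an added example (not from the original article), the following Python script checks the settings behind several of the practices above: secure transfer required, minimum TLS version, anonymous blob access, SSE key management, the storage firewall default, and the admin-count and guest-account rules. The input is constructed JSON in the shape that `az storage account show` and `az role assignment list` return; the field names follow the Azure CLI output, while the account names, principals and subscription id are invented. In practice you would feed it the real CLI output.

```python
import json

# Constructed samples shaped like the JSON returned by `az storage account show`
# and `az role assignment list`; names and values are invented for this example.
STORAGE_ACCOUNTS_JSON = """[
  {"name": "contosoprod",
   "enableHttpsTrafficOnly": true,
   "minimumTlsVersion": "TLS1_2",
   "allowBlobPublicAccess": false,
   "encryption": {"keySource": "Microsoft.Keyvault"},
   "networkRuleSet": {"defaultAction": "Deny"}},
  {"name": "contosolegacy",
   "enableHttpsTrafficOnly": false,
   "minimumTlsVersion": "TLS1_0",
   "allowBlobPublicAccess": true,
   "encryption": {"keySource": "Microsoft.Storage"},
   "networkRuleSet": {"defaultAction": "Allow"}}
]"""

ROLE_ASSIGNMENTS_JSON = """[
  {"principalName": "alice@contoso.com", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/0000"},
  {"principalName": "bob@contoso.com", "principalType": "User",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/0000"},
  {"principalName": "carol@contoso.com", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/0000"},
  {"principalName": "dave_partner.example#EXT#@contoso.onmicrosoft.com",
   "principalType": "User", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/0000/resourceGroups/rg-storage"},
  {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/0000/resourceGroups/rg-storage/providers/Microsoft.Storage/storageAccounts/contosoprod"}
]"""

# Control-plane roles that can change resources or grant access.
ADMIN_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def audit_storage_account(acct):
    """Return findings for one storage account (empty list = passes)."""
    findings = []
    name = acct["name"]
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(f"{name}: secure transfer required is off (plain HTTP accepted)")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimum TLS version is {acct.get('minimumTlsVersion')}, want TLS1_2")
    if acct.get("allowBlobPublicAccess", True):
        findings.append(f"{name}: anonymous blob access is allowed at the account level")
    if acct.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append(f"{name}: SSE uses Microsoft-managed keys (consider customer-managed keys in Key Vault)")
    if acct.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        findings.append(f"{name}: firewall default action is Allow (open to all networks)")
    return findings


def audit_admins(assignments, max_admins=2):
    """Flag too many admin principals and any guest (#EXT#) principal in an admin role."""
    findings = []
    admins = {a["principalName"] for a in assignments if a["roleDefinitionName"] in ADMIN_ROLES}
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} principals hold admin roles (limit {max_admins}): "
                        + ", ".join(sorted(admins)))
    for a in assignments:
        # Azure AD guest users carry #EXT# in their user principal name.
        if a["roleDefinitionName"] in ADMIN_ROLES and "#EXT#" in a["principalName"]:
            findings.append(f"guest account {a['principalName']} holds {a['roleDefinitionName']} at {a['scope']}")
    return findings


def run_audit(accounts_json=STORAGE_ACCOUNTS_JSON, assignments_json=ROLE_ASSIGNMENTS_JSON):
    """Audit every account and the role assignments; return all findings."""
    findings = []
    for acct in json.loads(accounts_json):
        findings.extend(audit_storage_account(acct))
    findings.extend(audit_admins(json.loads(assignments_json)))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed input the hardened account produces no findings, the legacy account trips all five checks, and the role assignments yield two more: four distinct principals hold admin roles against a limit of two, and a guest account holds Contributor on the storage resource group. The service principal with the narrow Storage Blob Data Reader role is the shape of assignment you want to see.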
Azure provides a good security base for protecting your data in storage. However, Azure’s shared responsibility model means users need to secure their side by following standard security practices and leveraging the security functions the platform provides. With the right practices, organizations can keep their data secure.