6

Securing Azure Storage

In the previous chapter, we covered recipes for securing Azure databases.

We introduced the concept of the shared responsibility model for public cloud platform service providers. The same approach and model applies to this chapter; the customer is responsible for the security of storage held in Azure and enabling and configuring the appropriate level of protection and security controls for the customer’s needs.

This chapter concludes Part 1 of this cookbook, in which we have been looking at Azure’s security features and capabilities.

In this final chapter of this part, the recipes we look at will cover the security settings that can be configured and data protection through encryption.

By the end of this chapter, you will have learned the skills to carry out the following recipes to secure Azure Storage:

  • Implementing security settings on storage accounts
  • Implementing network security
  • Implementing encryption

Technical requirements

For this chapter, it is already assumed that you have an Azure AD tenancy and an Azure subscription from completing the recipes in previous chapters of this cookbook. If you skipped straight to this section, the information to create a new Azure AD tenancy and an Azure subscription for these recipes is included in the following list of requirements.

For this chapter, the following are required:

Implementing security settings on storage accounts

Azure Storage accounts, by default, have an internet-accessible public endpoint, the same as we learned about with Azure SQL databases from the last chapter. Therefore, we must provide security and access control layers for our defense-in-depth strategy.

This recipe will teach you to secure and control access to your Azure storage accounts.

We will look at the security settings that can be configured when creating storage accounts, network security, and encryption.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • Access to an Azure subscription, where you have access to the Owner role for the Azure subscription

How to do it…

This recipe consists of the following tasks:

  • Reviewing the security settings when creating a storage account

Task – reviewing the security settings when creating a storage account

Perform the following steps:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. In the search bar, type storage accounts; click on Storage accounts from the list of services shown:
Figure 6.1 – Searching for Storage accounts

  3. On the Storage accounts blade, click on the + Create option from the top menu, or use the Create storage account button at the bottom of the blade.
Figure 6.2 – Create a storage account

  4. Set the Project and Instance details settings as required on the Basics tab:
Figure 6.3 – Setting the project details

  5. Under Instance details, set the Storage account name and Region details as required:
Figure 6.4 – Setting the instance details

  6. Leave the Performance and Redundancy settings at their defaults for this recipe.
  7. Click on Next : Advanced.
  8. On the Advanced tab, in the Security section, we can now review the security settings configured at creation time:
Figure 6.5 – Security settings for the storage account

  9. Minimum TLS version: This setting specifies the lowest TLS version a client may negotiate when connecting to the account. At the default of Version 1.2, requests made over TLS 1.0 or TLS 1.1 are rejected. The setting is a floor enforced by the storage endpoint; it does not upgrade clients, so any legacy client that cannot speak TLS 1.2 will start failing once it is applied.

Learn more here:

https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version

  10. Permitted scope for copy operations: This setting restricts where server-side copy operations into this account may read from: any storage account (the default), only storage accounts in the same Azure AD tenant, or only storage accounts that have a private endpoint to the same virtual network. Narrowing the scope limits an attacker who has obtained write access to this account from using the copy operation to move data between accounts they control and yours.
  11. No further configuration is required for this recipe.
  12. Click Review.
  13. On the Review tab, click Create. You will receive a notification that the deployment succeeded.
  14. Click on Go to resource ready for the next task for this recipe.

This task of reviewing the security settings that can be implemented when creating a storage account is complete. In the next task, we will clean up the resources created in this recipe.

Task – cleaning up resources

Perform the following steps:

  1. In the search box in the Azure portal, type resource groups and select Resource Groups from the listed Services results.
  2. On the Resource groups page, select the resource group we created for this recipe, and click Delete resource group; this will delete all the resources created as part of this recipe.
Figure 6.6 – Delete resource group


This task of cleaning up the resources created in this recipe is complete.

How it works…

For this recipe, we looked at reviewing the security setting options available when creating a storage account. We saw the default security settings that are applied and the optional security settings that can be applied.

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing network security

We must secure not only the storage account itself but also the network we use for access; this enforces our defense-in-depth strategy.

This recipe will teach you to secure network access to your storage accounts.

We will look at the network access settings that can be configured when creating storage accounts, virtual network access, and implementing a storage IP firewall.

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal at https://portal.azure.com.
  • Access to an Azure subscription, where you have access to the Owner role for the Azure subscription.

How to do it…

This recipe consists of the following tasks:

  • Implementing network access settings when creating a storage account
  • Implementing virtual network access
  • Implementing a storage IP firewall

Task – implementing network access settings when creating a storage account

Perform the following steps:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. In the search bar, type storage accounts; click on Storage accounts from the list of services shown.
Figure 6.7 – Searching for storage accounts

  3. On the Storage accounts blade, click on the + Create option from the top menu, or use the Create storage account button at the bottom of the blade.
Figure 6.8 – Create a storage account

  4. Set the Project and Instance details settings as required on the Basics tab.
Figure 6.9 – Setting the project details

  5. Under Instance details, set the Storage account name and Region details as required.
Figure 6.10 – Set instance details

  6. Click Next : Advanced and then Next : Networking.
  7. On the Networking tab, under the Network connectivity section, we can now review the following Network access settings that can be configured at the time of creation.
Figure 6.11 – Network connectivity settings for the storage account

  • Enable public access from all networks: This is the default; the storage account’s public endpoint accepts traffic from any network, including the internet. Anyone holding a valid credential (an account key, a SAS token, or an Azure AD identity with a data-plane role) can then reach the data from anywhere, so consider carefully whether this “any network” public access is acceptable.
  • Enable public access from selected virtual networks and IP addresses: The public endpoint stays up, but the storage firewall’s default action becomes Deny; requests are accepted only from the virtual network subnets you add (via the Microsoft.Storage service endpoint), from the public IP addresses or ranges you list, and from any trusted Azure services you exempt.
  • Disable public access and use private access: The public endpoint is switched off entirely. The account can then only be reached through a private endpoint, which must be created for it.

For this recipe, we will leave the setting as the default of Enable public access from all networks.

  8. In the Network routing section, you can determine the Routing preference setting; there are two options:
    • Microsoft network routing: Traffic enters the Microsoft global network at the point of presence closest to the client and stays on that private backbone all the way to the storage endpoint; this is the default
    • Internet routing: Traffic travels over the public internet and only enters the Microsoft network at the point of presence closest to the storage endpoint, so more of the path runs over networks you do not control

For this recipe, we will leave the Routing preference at its default of Microsoft network routing.

  9. Click Review.
  10. On the Review tab, click Create.
  11. You will receive a notification that the deployment succeeded.
  12. Click on Go to resource ready for the next task for this recipe.
Figure 6.12 – Resource deployment complete

This task of reviewing the network access settings that can be implemented when creating a storage account is complete. In the next task, we will look at implementing virtual network access options.

Task – implementing virtual network access

Perform the following steps:

  1. On the created storage account page, click on Networking under the Security + networking section from the left toolbar.
Figure 6.13 – Storage account page

  2. On the Firewalls and virtual networks tab on the Networking page, select the Enabled from selected virtual networks and IP addresses option in the Public network access section.
Figure 6.14 – Public network settings

  3. In the Virtual networks section, you can select Add existing virtual network, then choose the virtual network and the subnets that should be allowed to reach the account. Access from a subnet relies on the Microsoft.Storage service endpoint being enabled on that subnet; the portal offers to enable it when you add the subnet here.
Figure 6.15 – Add existing virtual network

  4. Alternatively, you can select Add new virtual network to create a virtual network and subnet at the same time.
Figure 6.16 – Add new virtual network

  5. Click Save from the top toolbar of the Firewalls and virtual networks tab; until you save, the default action is still Allow and the selection has no effect.

This task is complete. In the next task, we will implement a storage IP firewall.

Task – implementing a storage IP firewall

Perform the following steps:

  1. On the created storage account page, click Networking in the Security + networking section from the left toolbar.
Figure 6.17 – Storage account page

  2. On the Firewalls and virtual networks tab on the Networking page, select the Enabled from selected virtual networks and IP addresses option in the Public network access section:
Figure 6.18 – Public network settings

  3. In the Firewall section, check the Add your client IP address (‘Your-IP’) checkbox. The address shown is the public IP address the portal sees for your browser session; if you are behind a corporate proxy or NAT, that is the proxy’s address, and the rule will admit every other user behind the same proxy too.
Figure 6.19 – Storage firewall settings

  4. In Address range, add any further public IP address or CIDR block that you wish to allow to access the storage account. Only public addresses are accepted; RFC 1918 private ranges are rejected. Note also that IP rules have no effect on requests originating inside the same Azure region as the storage account, because those requests arrive from private Azure addresses rather than the caller’s public IP; use virtual network rules for such callers.
  5. Click Save from the top toolbar of the Firewalls and virtual networks tab.

This task of setting a storage firewall rule is complete. In the next task, we will clean up the resources created in this recipe.

Task – cleaning up resources

Perform the following steps:

  1. In the search box in the Azure portal, type resource groups and select Resource Groups from the listed Services results.
  2. On the Resource groups page, select the resource group we created for this recipe, and click Delete resource group; this will delete all the resources created as part of this recipe.
Figure 6.20 – Delete resource group


This task of cleaning up the resources created in this recipe is complete.

How it works…

For this recipe, we looked at implementing the available network security capabilities for a storage account. We saw the security settings that can be set when creating a storage account. We looked at the options to restrict access to the storage account from selected virtual networks. We concluded with how to implement a storage IP firewall to restrict access by IP address or CIDR address block.

There’s more…

This recipe covered tasks including controlling network access through virtual networks and a storage IP firewall. In addition, you can also create private endpoints. A private endpoint assigns the storage account a network interface with a private IP address from your virtual network’s address space, so clients in that network (and in networks peered or connected to it) reach the account over Private Link without touching the public endpoint. Note that creating a private endpoint does not by itself close the public endpoint: to make access via the internet impossible, also set Public network access to Disabled; otherwise the account remains reachable over both paths.
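The portal blades above show these settings one account at a time. The following Python script is an added example, not code from the cookbook, that reads the same settings (the minimum TLS version and permitted copy scope from the previous recipe, and the public network access, firewall and private endpoint state from this one) out of the JSON that `az storage account show` returns, reports findings, and answers the question the firewall task leaves implicit: given the rules you saved, would a request from a particular public address still reach the account. Both sample accounts are constructed for this example, the property names follow the CLI’s output (networkRuleSet, ipAddressOrRange, virtualNetworkResourceId) with the ARM template spellings accepted as a fallback, and the finding codes are this example’s own.

```python
"""Audit the network exposure of an Azure Storage account (added example).

Input is the JSON that `az storage account show -n <account> -g <rg> -o json`
returns. The CLI calls the firewall block "networkRuleSet" and an IP rule's
address "ipAddressOrRange"; ARM templates call them "networkAcls" and "value".
Both spellings are accepted. Both sample accounts are constructed.
"""
import ipaddress
import json

# Constructed sample: the portal defaults from the recipes above.
DEFAULT_ACCOUNT = json.loads("""{
  "name": "stdefault", "minimumTlsVersion": "TLS1_2", "allowedCopyScope": null,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": []
}""")

# Constructed sample: firewall in Deny mode with a client address, an office
# range, a mistaken RFC 1918 range, a subnet rule and an approved private
# endpoint, while public network access was left enabled.
RESTRICTED_ACCOUNT = json.loads("""{
  "name": "strestricted", "minimumTlsVersion": "TLS1_2", "allowedCopyScope": "AAD",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.7"},
                {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"},
                {"action": "Allow", "ipAddressOrRange": "10.0.0.0/8"}],
    "virtualNetworkRules": [{"action": "Allow", "virtualNetworkResourceId":
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app"}]},
  "privateEndpointConnections": [{"privateLinkServiceConnectionState": {"status": "Approved"}}]
}""")

# Address space the storage firewall refuses in IP rules (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def firewall(account):
    """The firewall block under either the CLI or the ARM property name."""
    return account.get("networkRuleSet") or account.get("networkAcls") or {}


def rule_address(rule):
    return rule.get("ipAddressOrRange") or rule.get("value")


def public_access_enabled(account):
    # Accounts created before the switch existed report null, which acts as Enabled.
    return account.get("publicNetworkAccess") != "Disabled"


def allows_public_ip(account, client_ip):
    """Would a request from this public client address pass the network layer?

    Same order as the storage firewall: the account-wide public access switch,
    then the default action, then the IP rules. Virtual network rules and the
    trusted-services bypass match on source subnet or service, not on a public
    address, so they are not consulted for this question.
    """
    if not public_access_enabled(account):
        return False
    rules = firewall(account)
    if rules.get("defaultAction", "Allow") == "Allow":
        return True
    ip = ipaddress.ip_address(client_ip)
    for rule in rules.get("ipRules") or []:
        # A bare address is stored without a prefix length; treat it as /32.
        if rule.get("action", "Allow") == "Allow" and \
                ip in ipaddress.ip_network(rule_address(rule), strict=False):
            return True
    return False


def audit(account):
    """(code, detail) findings for the settings the two recipes above configure."""
    findings = []
    if account.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("TLS_BELOW_1_2", "TLS 1.0/1.1 clients are still accepted"))
    if account.get("allowedCopyScope") not in ("AAD", "PrivateLink"):
        findings.append(("COPY_SCOPE_ANY", "server-side copies accepted from any storage account"))
    if not public_access_enabled(account):
        return findings  # private endpoints only; the firewall is never consulted
    rules = firewall(account)
    if rules.get("defaultAction", "Allow") == "Allow":
        findings.append(("PUBLIC_ALL_NETWORKS", "public endpoint reachable from all networks"))
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule_address(rule), strict=False)
        if any(net.overlaps(private) for private in RFC1918):
            findings.append(("IP_RULE_PRIVATE_RANGE",
                             f"{rule_address(rule)} is RFC 1918 space, which IP rules do not accept"))
    approved = [c for c in account.get("privateEndpointConnections") or []
                if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
    if approved:
        findings.append(("PRIVATE_ENDPOINT_WITH_PUBLIC_ACCESS",
                         "a private endpoint exists but the public endpoint is still open"))
    return findings


if __name__ == "__main__":
    for acct in (DEFAULT_ACCOUNT, RESTRICTED_ACCOUNT):
        print(acct["name"], allows_public_ip(acct, "203.0.113.7"), audit(acct))
```

Run it as is to see both samples, or point it at a real account by saving `az storage account show -n <account> -g <rg> -o json` to a file and loading that dictionary. Two of the findings are the caveats worth remembering from this recipe: an IP rule in RFC 1918 space will never match because the firewall only accepts public addresses, and an approved private endpoint does nothing to close the public endpoint while Public network access remains enabled. Requests that arrive over a service endpoint or a private endpoint are matched on the source subnet rather than a public address, so `allows_public_ip` deliberately does not model them.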

The Private endpoint connections page for a storage account is represented in the following figure.

Figure 6.21 – Storage private endpoint connections


See also

Should you require further information, you can refer to the following Microsoft Learn articles:

Implementing encryption

When implementing a Zero Trust approach to cloud resource security, we must adopt the stance of Assume Breach. This means assuming that bad actors have already compromised our perimeter defenses, and that we are at risk of data integrity breaches and data exfiltration. Therefore, we must provide mechanisms that preserve our data’s integrity and that render exfiltrated data unreadable and unusable to whoever takes it.

This recipe will teach you to secure your storage account data at rest through encryption using Azure Storage Service Encryption.

In this recipe, we will look at the customer-managed keys encryption type; by default, storage accounts are encrypted with Microsoft-managed keys with no configuration required, and that default encryption cannot be turned off. Customer-managed keys do not replace it; they place the key that wraps the account’s data encryption key under your control in Azure Key Vault, so that you, not the platform, decide when the data can no longer be decrypted.

We will look at how encryption can be set for existing storage accounts.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal at https://portal.azure.com
  • Access to an Azure subscription, where you have access to the Owner role for the Azure subscription
  • Access to an Azure storage account; we will step through this process in the following Getting ready tasks

Continue with the following Getting ready tasks for this recipe:

  • Creating an Azure storage account

Getting ready task – creating an Azure storage account

Perform the following steps:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. In the search bar, type storage accounts; click on Storage accounts from the list of services shown.
Figure 6.22 – Searching for Storage accounts

  3. On the Storage accounts blade, click on the + Create option from the top menu, or use the Create storage account button at the bottom of the blade.
Figure 6.23 – Create storage account

  4. Set the Project and Instance details settings as required on the Basics tab.
Figure 6.24 – Setting the project details

  5. Under Instance details, set the Storage account name and Region details as required.
Figure 6.25 – Setting the instance details

  6. No further configuration is required for this recipe.
  7. Click Review.
  8. On the Review tab, click Create.
  9. You will receive a notification that the deployment succeeded.
  10. Click on Go to resource ready for the main task for this recipe.

This Getting ready task is complete. You are now ready to continue the main tasks for this recipe of setting encryption for an existing storage account.

How to do it…

This recipe consists of the following tasks:

  • Implementing encryption for an existing storage account

Task – implementing encryption for an existing storage account

Perform the following steps:

  1. On the created Azure storage account page, click on Encryption in the Security + networking section.
Figure 6.26 – Storage account page

  2. On the Encryption page, select Customer-managed keys in the Encryption selection section of the Encryption tab.
Figure 6.27 – Encryption page

  3. In the Key selection section, click Select a key vault and key.
Figure 6.28 – Customer-managed keys

  4. On the Select a key page, select Key vault for the Key store type option:
Figure 6.29 – Key store type

  5. For the Key vault selection, click on Create new key vault.
Figure 6.30 – Key vault selection

  6. On the Create a key vault page, enter the following:
    • For Project details, select the same Subscription and Resource group details used to create the storage account in the Getting ready task for this recipe
    • For Instance details, enter the Key vault name details as required, and select the same Region option used to create the storage account in the Getting ready task for this recipe
Figure 6.31 – Key vault creation

No further configuration is required for this recipe, but check that soft delete and purge protection are enabled on the vault before you create it: a key vault without both cannot be used for customer-managed keys, and purge protection cannot be switched off again once enabled.

  7. Click Review + create.
  8. On the Review + create tab, click Create.
  9. You will receive a notification that the deployment succeeded; wait to be returned to the Select a key page.
  10. Once you have returned to the Select a key page, click Create a new key for the Key selection.
Figure 6.32 – Key selection

  11. On the Create a key page, enter a Name value as required, and then click Create.
Figure 6.33 – Creating a new key

  12. Once you have returned to the Select a key page, click Select.
Figure 6.34 – Select a key

  13. Once you have returned to the main Encryption settings page, click Save.
Figure 6.35 – Save the settings

  14. You will receive a notification that the encryption of the storage account was successful.
Figure 6.36 – Encryption successful

  15. You can now close the Encryption page.
  16. Click on Go to resource or navigate to your storage account.
Figure 6.37 – Encryption complete

  17. From your storage account, click on Encryption in the Security + networking section and review your customer-managed key information (the key vault, the key name and the key version). When no specific key version is pinned, Azure Storage follows the latest version of the key, so rotating it in Key Vault takes effect without further changes here; a pinned version must be updated on the storage account after every rotation.
Figure 6.38 – Encryption settings

This task is complete. In the next task, we will clean up the resources created in this recipe.

Task – cleaning up resources

Perform the following steps:

  1. In the search box in the Azure portal, type resource groups and select Resource Groups from the listed Services results.
  2. On the Resource groups page, select the resource group we created for this recipe, and click Delete resource group; this will delete all the resources created as part of this recipe.
Figure 6.39 – Delete resource group


The task of cleaning up the resources created in this recipe is complete.

How it works…

In this final recipe of this chapter, we looked at implementing encryption for the storage account.

As a Getting ready task, we created an Azure storage account for the recipe task to illustrate setting encryption on an existing storage account.

We used Azure Storage Service Encryption with the customer-managed keys option; by default, storage accounts are encrypted with Microsoft-managed keys with no configuration required. With customer-managed keys, the data is still encrypted with AES-256 by the storage service, but the account’s encryption key is wrapped by the key you hold in Key Vault, and the storage account’s managed identity must be permitted to unwrap it. This is what delivers the Assume Breach property from the introduction: disable or revoke that key and the storage service can no longer decrypt the account’s data. The same property cuts both ways, which is why the key vault must have soft delete and purge protection enabled: losing the key is an availability incident, not only a security control.
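To verify the outcome of this recipe without clicking through the Encryption page, and to catch two things that page does not make obvious, here is an added Python example (not code from the cookbook) that audits the encryption block of `az storage account show` output. Both sample accounts are constructed; the property names (keySource, keyVaultProperties, encryptionIdentity, services.*.keyType) are those the CLI prints, and the finding codes are this example’s own.

```python
"""Audit the encryption-at-rest key configuration of an Azure Storage account
(added example). Input is the JSON that
`az storage account show -n <account> -g <rg> -o json` returns; only the
"identity" and "encryption" blocks are read. Both samples are constructed.
"""
import json

# Constructed sample: a freshly created account, Microsoft-managed keys.
PLATFORM_KEYS = json.loads("""{
  "name": "stdefault", "identity": null,
  "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null,
                 "encryptionIdentity": null,
                 "services": {"blob": {"enabled": true, "keyType": "Account"},
                              "file": {"enabled": true, "keyType": "Account"},
                              "queue": null, "table": null}}
}""")

# Constructed sample: the outcome of the recipe above: key in Key Vault, no
# key version pinned, the account's system-assigned identity used for access.
CUSTOMER_KEYS = json.loads("""{
  "name": "stcmk",
  "identity": {"type": "SystemAssigned", "principalId": "11111111-2222-3333-4444-555555555555"},
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyVaultUri": "https://kv-demo.vault.azure.net/",
                                        "keyName": "storage-cmk", "keyVersion": ""},
                 "encryptionIdentity": null,
                 "services": {"blob": {"enabled": true, "keyType": "Account"},
                              "file": {"enabled": true, "keyType": "Account"},
                              "queue": {"enabled": true, "keyType": "Service"},
                              "table": {"enabled": true, "keyType": "Service"}}}
}""")


def key_identifier(account):
    """Key Vault URL of the wrapping key, or None when platform keys are in use."""
    enc = account["encryption"]
    if enc.get("keySource") != "Microsoft.Keyvault":
        return None
    kv = enc["keyVaultProperties"]
    url = kv["keyVaultUri"].rstrip("/") + "/keys/" + kv["keyName"]
    if kv.get("keyVersion"):
        url += "/" + kv["keyVersion"]
    return url


def audit_encryption(account):
    """(severity, code, detail) findings about who controls the key and what it covers."""
    enc = account["encryption"]
    findings = []
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(("info", "PLATFORM_MANAGED_KEYS",
                         "default Microsoft-managed keys; revocation is not in your hands"))
        return findings
    kv = enc.get("keyVaultProperties") or {}
    if not (kv.get("keyVaultUri") and kv.get("keyName")):
        findings.append(("error", "CMK_KEY_MISSING", "keySource is Key Vault but no vault/key is set"))
    # The identity that unwraps the key: a user-assigned one if configured,
    # otherwise the account's own system-assigned identity.
    user_assigned = (enc.get("encryptionIdentity") or {}).get("encryptionUserAssignedIdentity")
    identity_type = (account.get("identity") or {}).get("type") or "None"
    if not user_assigned and "SystemAssigned" not in identity_type:
        findings.append(("error", "NO_KEY_VAULT_IDENTITY", "no managed identity can unwrap the key"))
    if kv.get("keyVersion"):
        findings.append(("warn", "KEY_VERSION_PINNED",
                         "rotating the key in Key Vault takes no effect until keyVersion is updated here"))
    else:
        findings.append(("info", "KEY_VERSION_AUTO", "no version pinned; storage follows the latest key version"))
    # Blob and file data follow the account key. Queue and table data only do
    # so if account-scoped keys were chosen when the account was created.
    services = enc.get("services") or {}
    for svc in ("queue", "table"):
        if ((services.get(svc) or {}).get("keyType") or "Service") != "Account":
            findings.append(("warn", f"{svc.upper()}_PLATFORM_KEY",
                             f"{svc} data is still under Microsoft-managed keys"))
    return findings


if __name__ == "__main__":
    for acct in (PLATFORM_KEYS, CUSTOMER_KEYS):
        print(acct["name"], key_identifier(acct), audit_encryption(acct))
```

The two warnings on the customer-managed sample are the ones to act on. Queue and table data stay under Microsoft-managed keys unless account-scoped keys were chosen for them when the account was created; the Encryption page of an existing account cannot change that, so an account that must put every service under your key has to be recreated. A blank key version means Azure Storage follows the newest version of the key and rotation in Key Vault simply works, whereas a pinned version has to be updated on the storage account after every rotation or the old version stays in use.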

See also

Should you require further information, you can refer to the following Microsoft Learn articles:
