Organizations work with large amounts of data every day, both to provide services to their clients and to support internal functions. Legacy applications often stored binary data such as images and documents directly in the database. Modern architecture patterns advise against storing binary data, especially large files, in a database: it degrades database performance and increases cost because of the space it consumes. Instead, documents, images, and video files uploaded as application data should be stored in storage accounts, outside the database.

Managing and securing large amounts of data is a challenge for any organization, because every data store is a target for attackers and every weakness in how it is configured widens the attack surface. To address both the security and the management problem, Azure offers Azure Storage: a scalable object store for a range of data objects and services that is designed to be secure, scalable, accessible, and durable.

Lesson 6.1: Setting Up Azure Storage

Let’s learn how to set up an Azure storage account.

Go to https://portal.azure.com/ and log in as an administrator.

Search for "storage account" and click Storage accounts in the search results to go to the storage account page (see Figure 6-1).

Figure 6-1. Searching storage

Click on the create button to start the storage account creation process. You will be able to see the first step of the storage creation process (see Figure 6-2).

Figure 6-2. Storage account

  1. Select the relevant subscription if there are multiple subscriptions. Select the resource group in which to create the storage account, or create a new resource group.

  2. Add the storage account name.

  3. Select the region for the storage account.

  4. Select the type of storage account, premium or standard, according to requirements. For latency-critical workloads, premium (SSD-backed) is recommended.

  5. Select the redundancy option. Redundancy is an important feature of Azure Storage that ensures the availability of the data: it keeps multiple copies so the data survives network and power failures, natural disasters, and other unintended or intended events. The options range from locally redundant storage (LRS), which keeps copies within a single data center, to zone- and geo-redundant options that spread copies across availability zones or regions.

Once all mandatory fields have been selected and filled, move to the Advanced section (see Figure 6-3).

Figure 6-3. Storage account advanced

You can configure security settings in the Advanced tab.

Require secure transfer for REST API operations : This restricts REST API operations on the storage account to HTTPS. Once the feature is enabled, any request arriving over an insecure connection is rejected. Unencrypted SMB connections to Azure Files also fail, so clients must support SMB encryption.

Enable infrastructure encryption : By default, the storage service encrypts all data at rest once. If you need an additional layer, this feature adds a second encryption pass at the infrastructure level, with a separate key, so the data is double encrypted. It can only be turned on when the account is created.

Enable blob public access : This feature allows containers in the account to be configured for anonymous (unauthenticated) read access to blobs. Disabling it at the account level blocks anonymous access for every container, regardless of the container's own access level, and is the safer default.

Enable storage account key access : If this feature is disabled, any request authorized with a shared key is denied. This includes requests that use the account keys directly and account or service SAS tokens, which are signed with those keys; only Azure Active Directory authorization (and user delegation SAS, which is signed with Azure AD credentials) continues to work.

Default to Azure Active Directory authorization in the Azure portal : With this feature enabled, the portal uses your Azure Active Directory identity rather than the account key when you browse blobs, queues, and tables, so portal access is subject to RBAC and is attributed to a named user.

Minimum TLS version : TLS secures the communication between clients and the storage service. Outdated TLS versions (1.0 and 1.1) have known weaknesses that expose data in transit, so choosing the right minimum version matters. This feature sets the minimum TLS version the storage account will accept from applications; TLS 1.2 is the recommended minimum, and clients that negotiate a lower version are rejected.

Advanced settings can also be set as shown in Figure 6-4.

Figure 6-4. Advanced security

Data Lake Storage Gen2 : To use the account with Azure Data Lake Storage Gen2, you need to enable the hierarchical namespace. This organizes blobs into real directories, lets the account scale to multiple petabytes of analytics data, and, importantly for security, enables POSIX-style access control lists on directories and files in addition to RBAC.

Enable network file system v3 : Enabling NFS 3.0 provides Linux file system compatibility, allowing the storage to be mounted from a Linux VM or on-premises computer. Note that NFS 3.0 access is secured at the network layer (virtual network rules or a private endpoint) rather than with account keys or Azure AD, so it should only be enabled on accounts whose public endpoint is restricted.

Access tier : The access tier lets you store data in the most cost-effective way for your application's access pattern. Use the hot tier for frequently accessed data and the cool tier for infrequently accessed data.

Enable large file shares : You can enable this feature on standard accounts with LRS (locally redundant storage) or ZRS (zone-redundant storage) to use file shares larger than the default limit.

Enable support for customer-managed keys : To use customer-managed keys with tables and queues as well as blobs and files, you must enable this setting when the storage account is created; it cannot be changed afterwards.

You have learned the advanced settings available with storage. Let’s move to the networking tab for network configurations (see Figure 6-5).

Figure 6-5. Storage networking

By default, incoming traffic reaches the storage account through its public endpoint from any network. You can restrict this by choosing the public endpoint with selected networks, which turns on the storage firewall so that only the listed Azure virtual networks and IP address ranges are allowed. To strengthen security further, choose the private endpoint option and configure a private endpoint, which gives the account a private IP address inside your virtual network so traffic never leaves the Azure backbone.

You can also select the preferred routing. Microsoft network routing, the default, carries traffic to the storage public endpoint over the Microsoft global network for as long as possible. Internet routing hands traffic to the public internet at the point of presence (POP) closest to the storage account, which may lower networking costs.

Azure Storage keeps your data secure, but data can still be deleted unintentionally. For such situations, Azure Storage has recovery features that protect the data (see Figure 6-6).

Figure 6-6. Data protection

Enable point-in-time restore for containers : This feature allows you to restore block blobs in your containers to their state at an earlier point in time, which helps recover from corrupted data. It depends on blob soft delete, blob versioning, and the blob change feed, all of which must be enabled, and the restore window must be shorter than the soft-delete retention period.

Enable soft delete for blobs : Soft deletion allows deleted blob data to be recovered/restored within the specified soft deletion period.

Enable soft delete for containers : Soft deletion allows deleted container data to be recovered/restored within the specified soft deletion period.

Enable soft delete for file shares : Soft deletion allows deleted file share data to be recovered/restored within the specified soft deletion period.

Soft delete allows recovery of data removed by faulty application logic, accidental deletions by users, or deliberate malicious activity, which makes the data store more resilient.

Organizations manage huge amounts of data that are continuously modified and updated, and keeping track of the changes made to files is important but difficult. Azure Storage provides features that record changes made to blobs so that users can follow the history of a blob (see Figure 6-7).

Figure 6-7. Storage tracking

Enable versioning for blobs : Each overwrite or delete of a blob automatically keeps the previous version, so it is possible to view the history and revert to an earlier version of the data.

Enable blob change feed : This records every change to blobs and blob metadata in an ordered, durable log that applications can read, which is useful both for auditing and for replaying changes.

Once all required fields are filled and selected, you can create a new storage account.
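Before relying on an account created through the portal, it is worth checking that the Advanced, Networking, and Data protection settings described above actually ended up as intended. The following Python script is an added example and is not code from the book. It audits the JSON that the Azure CLI commands `az storage account show` and `az storage account blob-service-properties show` return (the property names used are the real ARM property names) and lists every setting that is weaker than the value recommended in this lesson. The two sample accounts at the bottom are constructed for illustration, and the seven-day soft-delete floor is this example's own assumption, not an Azure requirement.

```python
"""Offline audit of the storage-account settings covered in Lesson 6.1.

Added example, not code from the book. Feed it the JSON from
`az storage account show` and `az storage account blob-service-properties show`.
"""
from typing import Optional

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
MIN_SOFT_DELETE_DAYS = 7  # assumption: this example's own floor, not an Azure rule


def audit_account(acct: dict, blob_props: Optional[dict] = None) -> list:
    """Return a list of findings; an empty list means nothing is weaker than recommended."""
    findings = []

    # Advanced tab: transport security
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer is off: plaintext HTTP and unencrypted SMB are accepted")
    tls = acct.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.get(tls, 0) < TLS_ORDER["TLS1_2"]:
        findings.append(f"minimum TLS version is {tls}; set TLS1_2 or higher")

    # Advanced tab: authorization. A missing value means "allowed", so only an
    # explicit False counts as hardened.
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous (public) blob access is allowed")
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorization is allowed (account keys and key-signed SAS work)")
    if not acct.get("defaultToOAuthAuthentication", False):
        findings.append("portal does not default to Azure AD authorization")

    # Advanced tab: encryption (can only be set when the account is created)
    if not acct.get("encryption", {}).get("requireInfrastructureEncryption", False):
        findings.append("infrastructure (double) encryption is off")

    # Networking tab
    if acct.get("networkRuleSet", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("public endpoint accepts traffic from all networks")
    if (acct.get("publicNetworkAccess", "Enabled") == "Enabled"
            and not acct.get("privateEndpointConnections")):
        findings.append("public network access enabled and no private endpoint")

    # Data protection tab (blob service properties)
    if blob_props is not None:
        for key, label in (("deleteRetentionPolicy", "blob"),
                           ("containerDeleteRetentionPolicy", "container")):
            policy = blob_props.get(key, {})
            if not policy.get("enabled", False):
                findings.append(f"{label} soft delete is disabled")
            elif policy.get("days", 0) < MIN_SOFT_DELETE_DAYS:
                findings.append(f"{label} soft delete keeps data only {policy.get('days')} days")
        if not blob_props.get("isVersioningEnabled", False):
            findings.append("blob versioning is disabled")
        if not blob_props.get("changeFeed", {}).get("enabled", False):
            findings.append("blob change feed is disabled")
    return findings


# Constructed sample: an account left at the permissive legacy defaults.
LEGACY_ACCOUNT = {
    "name": "legacystorage01",
    "supportsHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True,
    "allowSharedKeyAccess": None,  # unset in the API means shared key is allowed
    "defaultToOAuthAuthentication": False,
    "encryption": {"requireInfrastructureEncryption": False},
    "networkRuleSet": {"defaultAction": "Allow"},
    "publicNetworkAccess": "Enabled",
    "privateEndpointConnections": [],
}
LEGACY_BLOB_PROPS = {
    "deleteRetentionPolicy": {"enabled": False},
    "containerDeleteRetentionPolicy": {"enabled": False},
    "isVersioningEnabled": False,
    "changeFeed": {"enabled": False},
}

# Constructed sample: an account created with every hardening option in this lesson.
HARDENED_ACCOUNT = {
    "name": "hardenedstorage01",
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "allowSharedKeyAccess": False,
    "defaultToOAuthAuthentication": True,
    "encryption": {"requireInfrastructureEncryption": True},
    "networkRuleSet": {"defaultAction": "Deny",
                       "virtualNetworkRules": [{"id": "<application subnet resource id>"}]},
    "publicNetworkAccess": "Disabled",
    "privateEndpointConnections": [{"id": "<private endpoint connection id>"}],
}
HARDENED_BLOB_PROPS = {
    "deleteRetentionPolicy": {"enabled": True, "days": 14},
    "containerDeleteRetentionPolicy": {"enabled": True, "days": 14},
    "isVersioningEnabled": True,
    "changeFeed": {"enabled": True},
}

if __name__ == "__main__":
    for acct, props in ((LEGACY_ACCOUNT, LEGACY_BLOB_PROPS), (HARDENED_ACCOUNT, HARDENED_BLOB_PROPS)):
        result = audit_account(acct, props)
        print(f"{acct['name']}: {len(result)} finding(s)")
        for line in result:
            print(f"  - {line}")
```

Run it against real output with `az storage account show -n <name> -g <rg> -o json` and `az storage account blob-service-properties show -n <name> -g <rg> -o json` piped into `json.load`. The hardened sample produces no findings; the legacy sample produces twelve, one for each setting the lesson recommends changing.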

We have discussed how to create an Azure storage account and which security features can be used to protect the data inside it. Let's consider how Azure Storage is used in application development to improve the data security of an application.

Shopping cart sites and video streaming services such as Netflix hold many files: image files, PDF or text files, video files, and more. As the number of files grows, developers need to store them securely without affecting the performance of the system. Azure Storage meets this need: image, video, and other files are held in storage that unauthorized users cannot reach, and the application becomes the only path to them. Storage accounts can limit access to the virtual network in which your application resides, so you can place all application file and media data in the account and open a dedicated, private channel (a service endpoint or a private endpoint) for the application to reach it. Anyone outside that network cannot access the storage data, which leaves the application as the only way in. Another use of a storage account is to mount an Azure file share on a virtual machine to increase its storage capacity.

In this lesson, we have looked at the options available when creating a storage account and the features that can be enabled for enhanced security.

Lesson 6.2: Azure Storage Encryption

Encryption at rest is enabled by default for every Azure storage account and is transparent to users: data is encrypted with 256-bit AES before it is written and decrypted when it is read, in much the same way that BitLocker protects a Windows disk. You cannot disable this encryption, which guarantees that stored data is never kept in plaintext, and it works the same way regardless of the performance tier or access tier of the storage account.

Additionally, infrastructure-level encryption can be enabled, which applies a second, independent encryption layer to the stored data. You can assign an Azure Policy (the built-in definition "Storage accounts should have infrastructure encryption" does this) so that every storage account created in a subscription, or in a set of subscriptions, is required to have this extra layer. Remember, however, that infrastructure encryption can only be enabled when the storage account is created, as described in the previous lesson.

Let’s go to Azure storage to learn a bit about the encryption settings. You will be able to find encryption settings in the side settings blade of the storage account (see Figure 6-8).

Figure 6-8. Encryption settings

This page shows the details of the encryption mechanism used in the storage account. If you need to use a customer-managed key held in Azure Key Vault instead of a Microsoft-managed key, you can select it here. You can also define encryption scopes, which apply a separate key to an individual container or blob; when creating a scope you choose its key source and whether infrastructure encryption applies to that scope (see Figure 6-9).

Figure 6-9. Encryption scope

We have discussed encryption mechanisms available with Azure storage in this lesson.

Lesson 6.3: Azure Defender for Azure Storage

Layered security is the well-established approach followed by the major cloud providers, combining physical and virtual security mechanisms. Security mechanisms that also support compliance add value to your organization's reputation. Azure Storage offers security features at several of these layers.

New security threats appear daily, and attackers keep finding new ways to gain unauthorized access and steal data. Azure Storage users need to take these threats into account and take the necessary steps to prevent attacks and enhance security. Azure Defender for Storage is a security service that detects unusual and potentially harmful attempts to access or exploit storage accounts. It is a threat detection system built on machine learning and Microsoft threat intelligence that raises security alerts and recommendations. Azure Defender also e-mails the details of a detected threat to the administrators, together with guidance on how to investigate it.

Azure Defender treats several kinds of activity as threats and raises alerts for them. Unusual changes to access permissions, access from an unexpected location or an anonymous source, and unusual data extraction are detected and reported. When files uploaded to the storage account are known malware or phishing content (identified by hash reputation analysis), it alerts the relevant users and administrators as well.

You can enable this feature from Azure Security Center. Go to Azure Security Center, select Pricing & settings from the side blade, open the Azure Defender plans for the subscription, and enable Azure Defender for Storage (see Figure 6-10). Security Center and Azure Defender have since been renamed Microsoft Defender for Cloud and Microsoft Defender for Storage, but the setting is the same.

Figure 6-10. Defender

In this lesson we have discussed using Azure Defender for Storage.

Summary

In this chapter we have discussed how to create an Azure storage account and how it can be used to store data securely. In the next chapter, you will learn about virtual networks.