Explore Azure Storage security features

Data is protected at rest, in transit.
CORS is supported.
Can control access to data and audit this access

Encryption at rest

256 bit AES cipher.
VM drives are encrypted with AZ disk encryption which uses bit locker for Win and dm-crypt for linux Key Vault stores the encryption keys and secrets

Encryption in transit

ALWAYS use https.

CORS support

Web apps can only load content from authorized sources.

Role-based access control

Can be at the subscription, resource group, storage account or container level.

Auditing access

Storage Analytics logs every operation.

Understand storage account keys

Pass keys in the Authorization header in web requests

Storage account keys

2 kinds - primary and secondary. These are full control.

• regenerate periodically
• do not store in config files

Understand shared access signatures

SAS is a string w/ a security token that can be added to a URI

Types of shared access signatures

Service level - allow access to specific resources Account Level - service level + additional abilities

Control network access to your storage account

By default storage accounts accept connections from anyone/anywhere.

Manage default network access rules

Under Storage Account > Networking

Understand Advanced Threat Protection for Azure Storage

Azure Defender for Storage provides an extra layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit storage accounts. Works on blob storage, az files and data lake storage gen2.

Storage account > Settings > Advanced Security > Enable Azure Defender

Explore security anomalies

When problems happen you get an email

Explore Azure Data Lake Storage security features

Very flexible, and integrated into the analytics tools.