Implement User Authentication and Authorization

Secure Azure Storage

Ways to Secure Azure Storage

3 dimensions to securing storage - management plane (manage users and permissions), data plane (who can access data), encryption

Management: RBAC

Security principal - someone or something (user or application). Groups can also be principals. Service Principal is a "headless" user. Managed Identity - a service principal whose credentials Azure manages for you.

Role Definition - what permissions does a role have, what actions can they do.

Scope - set of resources you want to apply permissions to (mgmt group, subscriptions, resource group, resource)

Role assignment - attaches a role definition to a security principal on a scope. Ex: Joe (principal) is assigned "Storage Account Contributor" (role definition) on "my-storage-account" (scope).

Multiple roles are additive

Deny assignments take precedence.

Data Plane

Keys (long strings) (admin)

  • storage account gets 2 keys
  • root level access
  • protect these
  • rotate frequently
  • recommended to use key vault to rotate keys

Shared Access Signature - least privilege. Much more flexible.

Azure AD - standard OpenID Connect.

RBAC In Azure Storage

Portal: Access Control (IAM) blade. CLI: `az role definition list --query "[?roleName == 'Storage Account Owner']"`

Shared Access Signatures

Secure delegated access without sharing the key.
Control what clients access, for how long, etc.

3 kinds

  • user delegation
  • service SAS
  • account SAS

Looks like a long URL; the parameters are built into the query string.

Kinds of tokens

  • ad-hoc (everything is in the URI)
  • service SAS with stored access policy - the policy can be shared across tokens.

Stored Access Policy gives a shorter URI - the `si` param carries the policy name.

Manage SAS Based Security for Azure Storage

Portal - Shared Access Signatures is a GUI to pick and choose services, resource types and permissions, start and end times, and IP addresses.

Stored Access Policy - better way of managing the ad-hoc rules above (permissions and expiry live on the container, so they can be changed or revoked without reissuing tokens).
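Added example (not from the original notes): a small audit of the SAS query parameters described above, distinguishing ad-hoc from stored-access-policy tokens and flagging settings that are not least privilege. The sample URLs, account name and `sig` values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample SAS URLs (fake account, placeholder signatures).
ADHOC_SAS = ("https://example.blob.core.windows.net/backups?"
             "sv=2022-11-02&ss=bqtf&srt=sco&sp=rwdlacup&se=2030-01-01T00:00:00Z"
             "&spr=https,http&sig=PLACEHOLDER")
POLICY_SAS = ("https://example.blob.core.windows.net/backups?"
              "sv=2022-11-02&sr=c&si=readonly-policy&sip=203.0.113.10"
              "&spr=https&sig=PLACEHOLDER")


def classify(params):
    """Account SAS carries ss/srt, service SAS carries sr, user delegation adds skoid."""
    if "skoid" in params:
        return "user delegation"
    if "ss" in params or "srt" in params:
        return "account"
    return "service"


def audit_sas(url):
    """Return (kind, findings) for a SAS URL; each finding is a risk worth reviewing."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    kind = classify(q)
    findings = []
    if kind == "account":
        findings.append("account SAS: spans services and resource types, not least privilege")
    if "si" in q:
        findings.append(f"stored access policy '{q['si']}': limits are server-side, revocable")
    else:
        findings.append("ad-hoc SAS: cannot be revoked without rotating the account key")
    sp = q.get("sp", "")
    if any(c in sp for c in "wdc"):  # write / delete / create
        findings.append(f"write-capable permissions '{sp}'")
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry - datetime.now(timezone.utc) > timedelta(days=7):
            findings.append(f"expiry {q['se']} is more than 7 days out")
    if "sip" not in q:
        findings.append("no sip IP range restriction")
    if "http" in q.get("spr", "https").split(","):
        findings.append("spr permits plain http")
    return kind, findings
```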

Authenticate using Azure AD

The Microsoft Identity Platform

Authentication service, open source libraries and app management tools.

Auth Service

  • Azure AD
    • Azure AD Connect
    • ADFS
    • and more
  • OSS Libraries
    • MSAL (MS auth library - families of libs for different languages)
    • Microsoft.Identity.Web
    • OpenID Connect (no MSAL for Rails, but OIDC can be used directly)
  • App Management
    • gallery apps (dropbox, etc)
    • single / multitenant apps - ex. your email client gets email from multiple places (Google, work, Yahoo, etc.)
    • Authorization
    • Consent - app wants to read mail - do you allow it? Does the admin allow it?
    • Logs - who used this, when, etc.

Modern Authentication

Legacy - basic auth / NTLM / Kerberos. Would grant a ticket. Good for on-prem, doesn't scale to cloud.

Modern

  • WS* and SAML - designed for browsers but can work with other apps
  • OAuth - "I am allowing X application to do something on my behalf"
  • OpenID Connect - most popular and flexible currently (OIDC)

OIDC: user wants to log in to an app. The app knows who you are. The app wants to call an API, and might use its own identity or the user's identity to call it, depending on what it needs to do. The API might in turn call another API with the app's identity or the original user's identity.

There are different flows, by app type:

  • SPA - implicit (legacy) or auth code with PKCE
  • Native apps - auth code without a secret
  • Web - auth code with a secret
  • Daemon - client credentials flow
  • Limited UI - device code flow (use your phone to authenticate your TV when logging in to YouTube)

All flows send the token in the Authorization header. The API validates the token against Azure AD's signing certificates.

Register an App in Azure AD

Authenticate Using Azure AD

Additional Resources

Written with StackEdit.
