How to Configure Azure Storage Security

Last updated on Dec 10 2021
Keethi Reddy

Azure Storage Security

Azure Storage security can be divided into five areas: management plane security, data plane security, encryption in transit, encryption at rest, and CORS.

Management plane security

The management plane covers operations on the storage account itself: creating or deleting it, changing its settings, and listing or regenerating its access keys. Access to these operations is controlled with Azure Active Directory and role-based access control (RBAC).

Role-based access control

  • Every Azure subscription is associated with an Azure Active Directory tenant, which holds users, groups, and applications (service principals). These identities can be granted access to manage resources in the subscription, including storage accounts, and the level of access is set by assigning a role (for example Owner, Contributor, or Reader) at a scope such as the subscription, a resource group, or the storage account itself.

Key Points to remember:

  • A role assignment with the built-in management roles (Owner, Contributor, Reader) controls the operations used to manage the storage account, not access to the data objects in it.
  • Access to data objects can nevertheless follow from a management role: any role that includes the Microsoft.Storage/storageAccounts/listKeys/action permission (Owner and Contributor both do) lets the principal read the storage account keys, and the keys grant full access to all data in the account. Reader does not include it.
  • Azure also provides data-plane roles (for example Storage Blob Data Reader, Storage Blob Data Contributor, and Storage Queue Data Contributor) that grant access to blobs and queues directly through Azure AD, without exposing the keys.
  • Each role has a list of actions it allows (Actions) and, optionally, actions it excludes (NotActions).
  • There are built-in roles, e.g., Owner, Reader, Contributor, Storage Account Contributor.
  • We can define a custom role by selecting a set of actions from the list of available actions, for example a role that manages the account but excludes listKeys.
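The point that matters in practice is the second one above: a principal never has to be granted a data role to read your data if its management role lets it list the keys. The following Python is an added example, not code from the original article, that answers "who can reach the data through the keys?" for a set of role assignments. It models Azure RBAC evaluation (an action is allowed when some Actions entry matches it and no NotActions entry does, with `*` as a wildcard and case-insensitive comparison); the role definitions are abbreviated copies of the built-in roles, which you should confirm with `az role definition list --name <role>`, plus one constructed custom role, and the assignments are constructed as well.

```python
"""Which principals can reach the data through the account keys?

Added example, not code from the original article. Azure RBAC permits a
control-plane operation when some entry in the role's Actions matches it and no
entry in NotActions does; "*" matches any run of characters and matching is
case-insensitive. The role definitions below are abbreviated copies of the
built-in roles (check them with `az role definition list --name <role>`) plus
one constructed custom role; the assignments are constructed too.
"""
import re

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
REGEN_KEY = "Microsoft.Storage/storageAccounts/regenerateKey/action"

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Storage Account Key Operator Service Role": {
        "Actions": ["Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/regeneratekey/action"],
        "NotActions": [],
    },
    # Data-plane role: its Actions are control-plane reads only; the blob access lives in DataActions.
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    },
    # Constructed custom role: manage the account fully, but never touch the keys.
    "Storage Admin (No Keys)": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"],
        "NotActions": [LIST_KEYS, REGEN_KEY],
    },
}


def action_matches(pattern, action):
    """Azure-style wildcard match: '*' matches any characters, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """A control-plane action is allowed if some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


# Constructed role assignments scoped to one storage account.
ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Reader"},
    {"principal": "build-pipeline-sp", "role": "Contributor"},
    {"principal": "bob@example.com", "role": "Storage Blob Data Reader"},
    {"principal": "ops-team", "role": "Storage Admin (No Keys)"},
    {"principal": "key-rotation-automation", "role": "Storage Account Key Operator Service Role"},
]


def principals_with_key_access(assignments, roles=ROLES):
    """Principals whose role lets them list the account keys, and so read every object in the account."""
    return sorted({a["principal"] for a in assignments if role_allows(roles[a["role"]], LIST_KEYS)})


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(f"{name:45} listKeys={role_allows(role, LIST_KEYS)}")
    print("effective data access via keys:", principals_with_key_access(ASSIGNMENTS))
```

Run against real assignments (`az role assignment list --scope <storage account id>`) the same check turns a list of management roles into the list of identities that can read everything; Reader and the data roles stay off that list, Contributor and the key operator role land on it.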

Data Plane security

Data plane security refers to the methods used to secure the data objects themselves (blobs, queues, tables, and files) within the storage account.

There are three ways to authorize access to the data within a storage account:

  • Azure Active Directory can authorize access to blob containers and queues by assigning data roles (such as Storage Blob Data Reader) to users, groups, or managed identities. This is the preferred approach: no secret has to be stored in code or configuration, access is scoped per identity, and it is revoked by removing the role assignment.
  • Storage account keys (two 512-bit keys per account) provide blanket access to all data objects within the storage account. Anyone holding a key can read, write, and delete everything, and can mint SAS tokens with any permissions, so the keys belong in Azure Key Vault, should be rotated regularly (there are two keys so that one can be rotated while the other stays in use), and must never be embedded in client code.
  • Shared Access Signatures (SAS) delegate limited access: a SAS can be scoped to particular services (only blobs, only queues, or a combination), to particular permissions (read, write, delete, list, and so on), to a time window, optionally to a source IP range, and to HTTPS only. When the window expires a new SAS is issued. Keep the window short; a SAS valid for a year is, in practice, almost as powerful as the key that signed it. A SAS signed with the account key can only be revoked early by rotating that key or, if the SAS references a stored access policy, by deleting the policy, so prefer stored access policies or user delegation SAS (signed with Azure AD credentials) where possible. Note that disabling shared key access on the account also disables SAS tokens signed with the account keys.
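To make the SAS points concrete, here is an added Python example (not code from the original article, standard library only) that mints a service SAS for one blob with an account key, verifies it the way the service would, and audits a token for the weaknesses just discussed: plain HTTP allowed, a long lifetime, write permissions, no IP restriction, no stored access policy. The string-to-sign layout is the one the Azure Storage REST documentation gives for service SAS versions 2018-11-09 through 2020-10-02, as read by the author of this example; confirm the field order against the current documentation before relying on it against a real account. The account key, account name, container and blob are constructed.

```python
"""Service SAS for one blob: minting, verifying and auditing a token.

Added example, not code from the original article; standard library only.
The string-to-sign layout follows the Azure Storage REST docs for service SAS
versions 2018-11-09 through 2020-10-02 as read by the author of this example;
confirm the field order against current docs before relying on it. The
account key below is constructed, not real.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2019-12-12"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FAKE_ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()  # constructed 512-bit key, base64 like Azure's


def _signature(account, container, blob, account_key, sp, st, se, spr, sip):
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key."""
    fields = [
        sp, st, se,
        f"/blob/{account}/{container}/{blob}",  # canonicalized resource
        "",                                     # signed identifier (stored access policy), unused here
        sip, spr, SAS_VERSION,
        "b",                                    # signed resource: a single blob
        "",                                     # snapshot time
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    mac = hmac.new(base64.b64decode(account_key), "\n".join(fields).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def mint_blob_sas(account, container, blob, account_key, sp, start, expiry, spr="https", sip=""):
    """Return the SAS query string. Whoever holds the account key can mint a token with any settings."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    params = {"sv": SAS_VERSION, "sr": "b", "sp": sp, "st": st, "se": se, "spr": spr}
    if sip:
        params["sip"] = sip
    params["sig"] = _signature(account, container, blob, account_key, sp, st, se, spr, sip)
    return urlencode(params)


def _parse(query):
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def verify_blob_sas(account, container, blob, account_key, query):
    """Recompute the signature the service would compute and compare in constant time."""
    q = _parse(query)
    expected = _signature(account, container, blob, account_key, q.get("sp", ""), q.get("st", ""),
                          q.get("se", ""), q.get("spr", ""), q.get("sip", ""))
    return hmac.compare_digest(expected, q.get("sig", ""))


def audit_sas(query, now, max_lifetime=timedelta(hours=1)):
    """Flag settings a reviewer would push back on. Returns a list of findings; empty means clean."""
    q = _parse(query)
    findings = []
    if q.get("spr", "https,http") != "https":  # an omitted spr means both protocols are accepted
        findings.append("plain HTTP allowed (spr missing or 'https,http')")
    if "se" not in q:
        findings.append("no expiry (se)")
    else:
        expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry - now > max_lifetime:
            findings.append(f"lifetime {expiry - now} exceeds {max_lifetime}")
    if set(q.get("sp", "")) & set("wdac"):
        findings.append("grants write/delete/add/create; issue read-only tokens where possible")
    if not q.get("sip"):
        findings.append("no source IP restriction (sip)")
    if not q.get("si"):
        findings.append("not tied to a stored access policy, so revocable only by rotating the account key")
    return findings


NOW = datetime(2021, 12, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible
GOOD_SAS = mint_blob_sas("mystorage", "reports", "q4.pdf", FAKE_ACCOUNT_KEY, "r",
                         NOW, NOW + timedelta(minutes=30), sip="203.0.113.7")
BAD_SAS = mint_blob_sas("mystorage", "reports", "q4.pdf", FAKE_ACCOUNT_KEY, "rwd",
                        NOW, NOW + timedelta(days=365), spr="https,http")

if __name__ == "__main__":
    print("good:", audit_sas(GOOD_SAS, NOW))
    print("bad: ", audit_sas(BAD_SAS, NOW))
```

Two things fall out of the code. Changing a single query parameter (say `sp=r` to `sp=rwd`) invalidates the signature, so a leaked token cannot be upgraded without the key; but the key itself can mint any token at all, which is why the key, not the SAS, is the credential to protect. The one finding the "good" token still gets, that it is not tied to a stored access policy, is the revocation problem described above.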

We can also allow anonymous public access to blobs by setting the public access level on the container that holds them (anonymous read access to blobs only, or to the container and its blobs). Because this bypasses all of the authorization methods above, leave it off unless a container is deliberately public, and disable it for the whole account with the allowBlobPublicAccess setting so that no container can be made public by mistake.

Encryption in transit

Transport-level encryption using HTTPS

  • Always use HTTPS when calling the REST APIs or accessing objects in storage, and turn on the account's "Secure transfer required" setting (supportsHttpsTrafficOnly) so that the service rejects plain-HTTP requests. Set the minimum TLS version to 1.2 as well.
  • If we are using SAS, we can specify that the token is valid over HTTPS only (the signed protocol field, spr=https); without it the SAS is accepted over both HTTP and HTTPS.

Using encryption in transit for Azure file shares

  • SMB 2.1 does not support encryption, so unencrypted SMB connections are only allowed from within the same Azure region (for example, from a VM in that region).
  • SMB 3.0 supports encryption, so with SMB 3.0 and encryption enabled the share can be mounted across regions and from on-premises clients.

Client-side encryption

  • Encrypt the data on the client before it is transferred to Azure Storage.
  • When retrieving the data from Azure, it is decrypted after it is received on the client side. The client keeps control of the keys (typically stored in Azure Key Vault), so the data is protected in transit independently of the transport.

Encryption at rest

Client-side encryption

  • The same client-side encryption also protects data at rest: what Azure stores is the ciphertext produced by the client, so the service never holds the plaintext or the key.
  • When retrieving the data from Azure, it is decrypted after it is received on the client side.

Storage Service Encryption (SSE)

Storage Service Encryption is what is generally used to encrypt data at rest in Azure Storage.

  • It is enabled for all storage accounts and cannot be disabled.
  • It automatically encrypts data in all performance tiers (Standard and Premium), all deployment models (Azure Resource Manager and Classic), and all Azure Storage services (Blob, Queue, Table, and File), using 256-bit AES. So it is blanket encryption across all Azure storage, transparent to applications.
  • Data is encrypted with Microsoft-managed keys by default; alternatively, customer-managed keys held in Azure Key Vault can be configured, which gives control over key rotation and revocation.
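The account-level settings mentioned so far (anonymous blob access, secure transfer, minimum TLS version, shared-key access, the SSE key source, and the network default action) are all visible in one place: the storage account's properties. The following Python is an added example, not code from the original article, that reads the JSON printed by `az storage account show -n <name> -g <rg>` (or the ARM resource with its `properties` wrapper) and reports which settings are weaker than the recommendations above. Property names follow the Microsoft.Storage/storageAccounts ARM schema, with one wrinkle handled in the code: ARM calls the secure-transfer flag supportsHttpsTrafficOnly while `az` output names it enableHttpsTrafficOnly. Both sample accounts are constructed, not real, and treating Microsoft-managed SSE keys as a finding is a policy choice you may not share.

```python
"""Posture check over a storage account's properties.

Added example, not code from the original article. Reads the JSON from
`az storage account show` (flattened) or the ARM resource (settings under
"properties") and flags the settings this article covers. Both sample
accounts are constructed.
"""
import json

WEAK_ACCOUNT = json.loads("""{
  "name": "weakstorage01",
  "kind": "StorageV2",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": true,
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "encryption": {"keySource": "Microsoft.Storage"},
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
}""")

HARDENED_ACCOUNT = json.loads("""{
  "name": "hardenedstorage01",
  "kind": "StorageV2",
  "allowBlobPublicAccess": false,
  "allowSharedKeyAccess": false,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyVaultUri": "https://kv-example.vault.azure.net/",
                                        "keyName": "sse-key"}},
  "networkRuleSet": {"defaultAction": "Deny",
                     "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
                     "virtualNetworkRules": []}
}""")


def check_account(account):
    """Return a list of (setting, observed, recommended) tuples; an empty list means no findings."""
    p = account.get("properties", account)  # ARM nests settings under "properties"; az flattens them
    findings = []

    # Secure transfer: ARM says supportsHttpsTrafficOnly, az output says enableHttpsTrafficOnly.
    https_only = p.get("supportsHttpsTrafficOnly", p.get("enableHttpsTrafficOnly"))
    if https_only is not True:
        findings.append(("secure transfer required", https_only, True))

    tls = p.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(("minimum TLS version", tls, "TLS1_2"))

    # An unset value historically meant "allowed", so anything but an explicit false is a finding.
    public = p.get("allowBlobPublicAccess")
    if public is not False:
        findings.append(("anonymous blob access", public, False))

    shared_key = p.get("allowSharedKeyAccess")
    if shared_key is not False:
        findings.append(("shared key (account key) authorization", shared_key,
                         "False once every client authenticates with Azure AD"))

    key_source = (p.get("encryption") or {}).get("keySource")
    if key_source != "Microsoft.Keyvault":
        findings.append(("SSE key source", key_source,
                         "Microsoft.Keyvault where policy requires customer-managed keys"))

    default_action = (p.get("networkRuleSet") or {}).get("defaultAction")
    if default_action != "Deny":
        findings.append(("network default action", default_action, "Deny, then allow specific networks"))

    return findings


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"])
        for setting, observed, recommended in check_account(acct) or []:
            print(f"  {setting}: observed {observed!r}, recommended {recommended!r}")
```

Pipe the output of `az storage account list` through the same function to get a per-account report; every finding maps to a single `az storage account update` flag or portal setting.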

Azure Disk Encryption

This is Microsoft's recommended approach for encrypting the virtual hard disks of Azure virtual machines. It works inside the VM (BitLocker on Windows, DM-Crypt on Linux) and keeps the disk encryption keys in Azure Key Vault.

  • Encrypts the OS and data disks used by IaaS virtual machines
  • Can be enabled on existing IaaS VMs
  • Supports customer-controlled keys in Azure Key Vault, optionally wrapped with a key encryption key

CORS (Cross-Origin Resource Sharing)

  • When a web browser makes an HTTP request for a resource from a different domain than the page it is running on, this is called a cross-origin HTTP request, and the browser blocks it unless the server opts in through CORS headers.
  • Azure Storage allows us to enable CORS per service (Blob, Queue, Table, File). For each storage account, we can specify the origins that may access the resources, along with the methods and headers they may use. For example, enable CORS on the Blob service of mystorage.blob.core.windows.net and allow requests from https://mywebsite.com.
  • CORS lets the browser make the request but does not authenticate it, which means requests to non-public storage resources still need a SAS token or another form of authorization.
  • CORS is disabled on all services by default. We can enable it using the Azure portal, PowerShell, or the Azure CLI, and specify the origins from which requests may come. Prefer listing the exact origins over a wildcard (*), and allow only the methods the site actually needs.
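The following Python is an added example, not code from the original article, that evaluates a cross-origin request against a list of storage CORS rules and lints the rules for the over-broad settings warned about above. It models rule evaluation the way the author of this example reads the Azure Storage documentation: rules are tried in order, the first rule whose AllowedOrigins and AllowedMethods both match the request is used, and every request header must then be covered by that rule's AllowedHeaders (a literal header name, a prefix wildcard such as x-ms-meta-*, or *). Both rule sets are constructed; the scoped one uses the article's mywebsite.com example. Notice that a permitted request is still an unauthenticated request: the code decides only whether the browser is allowed to send it.

```python
"""CORS rules on a storage account: evaluate a request and lint the rule set.

Added example, not code from the original article. Models Azure Storage CORS
evaluation as the author of this example reads the docs: rules are tried in
order, the first whose AllowedOrigins and AllowedMethods match is used, and
the request headers must then be covered by its AllowedHeaders. Rule sets are
constructed. CORS only lets the browser send the request; authorization (SAS,
account key, Azure AD) is a separate question.
"""

# Constructed: what a quick "make it work" portal edit tends to produce.
LOOSE_RULES = [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT", "DELETE"],
     "AllowedHeaders": ["*"], "ExposedHeaders": ["*"], "MaxAgeInSeconds": 86400},
]

# Constructed: scoped to the article's example site, read-only, short preflight cache.
SCOPED_RULES = [
    {"AllowedOrigins": ["https://mywebsite.com"], "AllowedMethods": ["GET", "HEAD"],
     "AllowedHeaders": ["x-ms-blob-type", "x-ms-meta-*"], "ExposedHeaders": ["x-ms-meta-*"],
     "MaxAgeInSeconds": 300},
]

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _header_allowed(header, patterns):
    """Literal match, prefix wildcard (x-ms-meta-*) or bare '*'; header names are case-insensitive."""
    h = header.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat == "*" or h == pat or (pat.endswith("*") and h.startswith(pat[:-1])):
            return True
    return False


def cors_allows(rules, origin, method, request_headers=()):
    """Return (allowed, index_of_rule_used); the index is None when no rule matches origin+method."""
    for i, rule in enumerate(rules):
        origin_ok = "*" in rule["AllowedOrigins"] or origin in rule["AllowedOrigins"]
        method_ok = method.upper() in {m.upper() for m in rule["AllowedMethods"]}
        if origin_ok and method_ok:
            headers_ok = all(_header_allowed(h, rule["AllowedHeaders"]) for h in request_headers)
            return headers_ok, i
    return False, None


def lint_cors(rules, max_age_limit=3600):
    """Findings a reviewer would raise about the rule set; empty list means nothing to flag."""
    findings = []
    for i, rule in enumerate(rules):
        if "*" in rule["AllowedOrigins"]:
            findings.append(f"rule {i}: wildcard origin")
            writes = sorted({m.upper() for m in rule["AllowedMethods"]} - SAFE_METHODS)
            if writes:
                findings.append(f"rule {i}: wildcard origin combined with write methods {writes}")
        if "*" in rule["AllowedHeaders"]:
            findings.append(f"rule {i}: wildcard AllowedHeaders")
        for origin in rule["AllowedOrigins"]:
            if origin.startswith("http://"):
                findings.append(f"rule {i}: plain-http origin {origin}")
        if rule.get("MaxAgeInSeconds", 0) > max_age_limit:
            findings.append(f"rule {i}: preflight result cached for {rule['MaxAgeInSeconds']}s")
    return findings


if __name__ == "__main__":
    print(cors_allows(SCOPED_RULES, "https://mywebsite.com", "GET", ["x-ms-meta-author"]))
    print(cors_allows(SCOPED_RULES, "https://evil.example", "GET"))
    print(cors_allows(LOOSE_RULES, "https://evil.example", "DELETE", ["authorization"]))
    print(lint_cors(LOOSE_RULES))
```

The loose rule set lets any site send a DELETE from a visitor's browser; whether that DELETE succeeds then depends entirely on what credential the page can attach, which is exactly why CORS must be paired with SAS or Azure AD rather than treated as a gate of its own.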

This brings us to the end of this Tecklearn 'How to Configure Azure Storage Security' blog.

Got a question for us? Please mention it in the comments section and we will get back to you.
