What are the ways in which we can secure the Azure App Service backup, for example from a ransomware attack?
Thanks for asking the question and reaching out here! The Backup and Restore feature in App Service lets you easily create app backups manually or on a schedule. You can configure the backups to be retained up to an indefinite amount of time. You can restore the app to a snapshot of a previous state by overwriting the existing app or restoring to another app.
You might be aware that App Service can back up the following information to an Azure storage account and container, which you have configured your app to use:
• App configuration
• File content
• Database connected to your app
For security, ensure that regular and automated backups are occurring at a frequency as defined by your organizational policies.
• Understand Azure App Service backup capability
• Customer-managed keys for Azure Storage encryption
Check this link: https://docs.microsoft.com/en-us/security/benchmark/azure/security-control-data-recovery
To elaborate further on this, Microsoft Defender for Cloud provides you with the tools to detect and block ransomware, advanced malware and threats for your resources. Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer.
You have to make sure your workloads are secure as you move to the cloud, and at the same time, when you move to IaaS (infrastructure as a service) there is more customer responsibility than there was in PaaS (platform as a service), and SaaS (software as a service).
Check this document on Implement general PaaS security best practices recommendations
Best practices for securing PaaS web and mobile applications using Azure Storage
Let us know if any further query or issue remains.
Thanks for the reply! Azure App Service is a fully managed platform for building and hosting your web apps and APIs. Since the platform is fully managed, you don't have to worry about the infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements. For more information, see Azure App Service.
Microsoft Defender for App Service uses the scale of the cloud to identify attacks targeting applications running over App Service.
Check this: Alerts for Azure App Service
Further, check this link on How to create App Service Backup Alerts for Failed Backups.
For more details: Protect your web apps and APIs
Let us know if any further query or issue remains.
1) Are Azure backups for App Service stored in a Recovery vault or Azure Storage?
2) Can we configure it to be stored in Azure Recovery Vault?
3) How can we secure the Azure App Service backup? I am not asking how to perform backup, but how to secure App Service backup.
Please help
Sure. As per your query on where it is stored: App Service backup is stored on Azure Storage, and you need an Azure storage account and container in the same subscription as the app that you want to back up.
For more information on Azure storage accounts, see Azure storage account overview.
Since it's on Azure Storage, it's secured to a great extent. To elaborate on this:
Azure Storage provides encryption at rest: use system-provided keys or your own customer-managed keys. This is where your application data is stored when it is not running in a web app in Azure.
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.
Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.
Check the complete details mentioned in the App Service security baseline: data recovery
Also, for additional security, maybe a firewall and private endpoint supported storage account will help. But as mentioned here, it's not supported at this time.
• Using a firewall enabled storage account as the destination for your backups is not supported.
• Using a private endpoint enabled storage account for backup and restore is not supported.
Further, you may want to know that Recovery Services vaults are used to hold backup data for Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.
Let us know if you have any further query.
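The constraints stated in the answers above (same subscription, no storage firewall, no private endpoint, choice of encryption key source) can be checked before a storage account is used as a backup destination. The following is an added example, not part of the original thread or of any Microsoft tooling; it assumes JSON in the shape returned by `az storage account show`, and the function names, resource names and subscription IDs are placeholders constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `az storage account show` output (placeholder values).
APP_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo"
          "/providers/Microsoft.Web/sites/app-demo")
SAMPLE_ACCOUNT = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stbackupdemo",
  "encryption": {"keySource": "Microsoft.Storage"},
  "networkRuleSet": {"defaultAction": "Deny"},
  "privateEndpointConnections": []
}
""")

def subscription_of(resource_id):
    """Return the subscription GUID from an ARM resource ID, lower-cased."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("not an ARM resource ID: " + resource_id)
    return parts[1].lower()

def check_backup_destination(app_id, account):
    """Return (severity, message) findings; an empty list means no issue was found."""
    findings = []
    # The thread states the account must be in the same subscription as the app.
    if subscription_of(app_id) != subscription_of(account["id"]):
        findings.append(("blocker", "storage account is in a different subscription than the app"))
    # A default action other than Allow means the storage firewall is on.
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow").lower() != "allow":
        findings.append(("blocker", "storage firewall enabled: unsupported as backup destination"))
    if account.get("privateEndpointConnections"):
        findings.append(("blocker", "private endpoint configured: unsupported for backup and restore"))
    # Encryption at rest is always on; this only reports which key source is in use.
    key_source = (account.get("encryption") or {}).get("keySource", "")
    if key_source.lower() != "microsoft.keyvault":
        findings.append(("info", "encrypted with system-provided keys, not customer-managed keys"))
    return findings

if __name__ == "__main__":
    for severity, message in check_backup_destination(APP_ID, SAMPLE_ACCOUNT):
        print(f"[{severity}] {message}")
```
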