Azure Storage security overview

Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities. You can:

  • Secure the storage account by using Role-Based Access Control (RBAC) and Azure Active Directory.
  • Secure data in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • Set data to be automatically encrypted when it's written to Azure Storage by using Storage Service Encryption.
  • Set OS and data disks used by virtual machines (VMs) to be encrypted by using Azure Disk Encryption.
  • Grant delegated access to the data objects in Azure Storage by using shared access signatures (SASs).
  • Use analytics to track the authentication method that someone is using when they access Storage.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage. These features include storage account keys, data encryption in transit and at rest, and storage analytics.

This article provides an overview of Azure security features that you can use with Azure Storage. Links to articles give details of each feature so you can learn more.

Role-Based Access Control

You can help secure your storage account by using Role-Based Access Control. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users.

Learn more:

Delegated access to storage objects

A shared access signature provides delegated access to resources in your storage account. The SAS means that you can grant a client limited permissions to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

The SAS is a URI that encompasses in its query parameters all the information necessary for authenticated access to a storage resource. To access storage resources with the SAS, the client only needs to provide the SAS to the appropriate constructor or method.

Learn more:

Encryption in transit

Encryption in transit is a mechanism of protecting data when it's transmitted across networks. With Azure Storage, you can secure data by using:

Learn more about client-side encryption:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that's at rest:

Learn more about Storage Service Encryption:

Azure Disk Encryption

Azure Disk Encryption for virtual machines helps you address organizational security and compliance requirements. It encrypts your VM disks (including boot and data disks) by using keys and policies that you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit use of your disk encryption keys. All the data in your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

Learn more

Firewalls and Virtual networks

Azure storage allows you to enable firewall rules for your storage accounts. Once enabled they will block incoming requests for data, including requests from other Azure services. You can configure exceptions to allow traffic. Firewall rules may be enabled on existing storage accounts or during creation time.

You should use this functionality to secure your storage accounts to a specific set of allowed networks.

For more information on Azure storage firewalls and virtual networks review the article Configure Azure Storage Firewalls and Virtual Networks

Azure Data Box

Data Box, Data Box Disk, and Data Box Heavy devices help you transfer large amounts of data to Azure when the network isn’t an option. These offline data transfer devices are shipped between your organization and the Azure data center. They use AES encryption to help protect your data in transit, and they undergo a thorough post-upload sanitization process to delete your data from the device.

Data Box Edge and Data Box Gateway are online data transfer products that act as network storage gateways to manage data between your site and Azure. Data Box Edge, an on-premises network device, transfers data to and from Azure and uses artificial intelligence (AI)-enabled edge compute to process data. Data Box Gateway is a virtual appliance with storage gateway capabilities.

Learn more:

Advanced Threat Protection

Azure Storage provides Advanced Threat Protection for an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage account. Advanced Threat Protection monitors Azure Storage diagnostic logs for suspicious read, write, or delete requests to Blob storage.

Advanced Threat Protection alerts can be viewed from Azure Security Center. Azure Security Center provides details on any suspicious activity detected and recommends actions to investigate and remediate the potential threat.

Learn more:

Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage disk encryption keys and secrets in your key vault subscription. It also ensures that all data in the virtual machine disks are encrypted at rest in Azure Storage. You should use Key Vault to audit keys and policy usage.

Learn more