Azure Storage security overview

Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities. You can:

  • Secure the storage account by using Role-Based Access Control (RBAC) and Azure Active Directory.
  • Secure data in transit between an application and Azure by using client-side encryption, HTTPS, or SMB 3.0.
  • Set data to be automatically encrypted when it's written to Azure Storage by using Storage Service Encryption.
  • Set OS and data disks used by virtual machines (VMs) to be encrypted by using Azure Disk Encryption.
  • Grant delegated access to the data objects in Azure Storage by using shared access signatures (SASs).
  • Use Storage Analytics logging to record which authentication method (shared key, SAS, or anonymous access) each request to Storage used.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage. These features include storage account keys, data encryption in transit and at rest, and storage analytics.

This article provides an overview of Azure security features that you can use with Azure Storage. Links to articles give details of each feature so you can learn more.

Role-Based Access Control

You can help secure your storage account by using Role-Based Access Control. Restricting access according to need-to-know and least-privilege principles is imperative for organizations that want to enforce security policies for data access. You grant these access rights by assigning the appropriate RBAC role to groups and applications at a particular scope (a subscription, a resource group, or an individual storage account); an assignment at a scope applies to everything beneath it. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users. Keep in mind that Storage Account Contributor is a management-plane role that includes the right to list the account keys, and whoever holds a key has full access to the account's data, so assign it only to principals that must manage the account.
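
The scope inheritance and wildcard matching described above, as an added example that is not part of this article or of Azure itself. It is a small evaluator over constructed role assignments: the role definitions are abbreviated subsets of the real Reader and Storage Account Contributor roles, and the subscription, resource group, account names and principals are made up. It shows why Storage Account Contributor at resource-group scope reaches the `listKeys` action on every account in that group.

```python
from fnmatch import fnmatchcase

# Abbreviated subsets of two built-in role definitions (constructed for this example;
# the real definitions list more actions). Note that Storage Account Contributor
# covers Microsoft.Storage/storageAccounts/* and therefore listKeys/action.
ROLE_DEFINITIONS = {
    "Reader": {
        "actions": ["*/read"],
        "notActions": [],
    },
    "Storage Account Contributor": {
        "actions": [
            "Microsoft.Storage/storageAccounts/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
    },
}

# Constructed scope hierarchy: subscription > resource group > storage account.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stapp01"
OTHER_ACCOUNT = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother"

# Constructed role assignments: who holds which role at which scope.
ASSIGNMENTS = [
    {"principal": "auditor@example.com", "role": "Reader", "scope": SUB},
    {"principal": "app-team", "role": "Storage Account Contributor", "scope": RG},
]


def action_matches(pattern, action):
    # ARM action names are case-insensitive and '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role_name, action):
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def scope_contains(assignment_scope, resource_id):
    # An assignment applies to its own scope and to every resource beneath it.
    s = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def is_authorized(principal, action, resource_id, assignments=ASSIGNMENTS):
    """True if some assignment for the principal, at a scope containing the resource, permits the action."""
    return any(
        a["principal"] == principal
        and scope_contains(a["scope"], resource_id)
        and role_permits(a["role"], action)
        for a in assignments
    )


def who_can(action, resource_id, assignments=ASSIGNMENTS):
    """Principals that can perform the action on the resource; handy for an access review."""
    return sorted({a["principal"] for a in assignments
                   if is_authorized(a["principal"], action, resource_id, assignments)})


if __name__ == "__main__":
    READ = "Microsoft.Storage/storageAccounts/read"
    LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
    print("can list keys on stapp01:", who_can(LIST_KEYS, ACCOUNT))   # ['app-team']
    print("can read stother:", who_can(READ, OTHER_ACCOUNT))          # ['auditor@example.com']
```

The auditor's Reader assignment at subscription scope reaches both accounts but never `listKeys`; the app team's Storage Account Contributor assignment stops at the resource-group boundary, but inside it the `*` wildcard hands out key listing, which is the point of the caveat above.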

Learn more:

Delegated access to storage objects

A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant a client a limited set of permissions to objects in your storage account for a specified period, without having to share your account access keys.

The SAS is a URI that carries in its query parameters all the information necessary for authenticated access to a storage resource: the permissions, the validity period, the resource, and a signature computed over those parameters (typically with an account key). To access storage resources with the SAS, the client only needs to provide the SAS to the appropriate constructor or method. Treat the SAS URI as a credential: anyone who obtains it can use it until it expires, and a SAS signed directly with an account key can be revoked only by regenerating that key (unless it references a stored access policy, which you can modify or delete).
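
How the query parameters are bound by the signature, as an added example that is not part of this article or of the Azure SDK. It builds an account SAS with Python's standard library, verifies one the way the service does (recomputing the HMAC from the token's own parameters), and reviews a token against a least-privilege baseline. The account name and key are constructed, not real, and the string-to-sign layout assumed here is the account SAS layout for service version 2018-11-09 (account name, sp, ss, srt, st, se, sip, spr, sv, each newline-terminated).

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials; the key is NOT a real account key.
ACCOUNT_NAME = "stexample"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2018-11-09"  # assumed service version; it fixes the string-to-sign layout
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run


def account_sas_string_to_sign(account, permissions, services, resource_types,
                               start, expiry, ip_range, protocol, version):
    # Account SAS string-to-sign: these fields, in this order, each newline-terminated.
    return "\n".join([account, permissions, services, resource_types,
                      start, expiry, ip_range, protocol, version]) + "\n"


def sign_hmac_sha256(account_key_b64, string_to_sign):
    # The signature is HMAC-SHA256 keyed with the raw (base64-decoded) account key.
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_account_sas(account, key_b64, permissions, services, resource_types,
                     start, expiry, protocol="https", ip_range=""):
    """Build the query string of an account SAS; every parameter is bound by the signature."""
    fields = {"sv": SAS_VERSION, "ss": services, "srt": resource_types, "sp": permissions,
              "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT), "spr": protocol}
    if ip_range:
        fields["sip"] = ip_range
    sts = account_sas_string_to_sign(account, permissions, services, resource_types,
                                     fields["st"], fields["se"], ip_range, protocol, SAS_VERSION)
    fields["sig"] = sign_hmac_sha256(key_b64, sts)
    return urlencode(fields)


def _params(token):
    return {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}


def verify_account_sas(account, key_b64, token):
    """Recompute the signature from the token's own parameters, as the service does.
    Any change to a signed parameter (for example widening sp) invalidates the token."""
    q = _params(token)
    try:
        sts = account_sas_string_to_sign(account, q["sp"], q["ss"], q["srt"], q.get("st", ""),
                                         q["se"], q.get("sip", ""), q.get("spr", ""), q["sv"])
    except KeyError:
        return False
    return hmac.compare_digest(sign_hmac_sha256(key_b64, sts), q.get("sig", ""))


def review_sas(token, now, max_lifetime=timedelta(hours=1)):
    """Flag a SAS that grants more than a short-lived, read-only, HTTPS-only, IP-bound delegation."""
    q = _params(token)
    findings = []
    if "se" not in q:
        findings.append("no expiry")
    else:
        expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("expired")
        elif expiry - now > max_lifetime:
            findings.append("lifetime exceeds %s" % max_lifetime)
    # If spr is absent, the service accepts both HTTPS and HTTP.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("allows plain HTTP")
    extra = set(q.get("sp", "")) - {"r"}
    if extra:
        findings.append("grants non-read permissions: " + "".join(sorted(extra)))
    if "sip" not in q:
        findings.append("no IP restriction")
    return findings


def demo_tokens(now=DEMO_NOW):
    """A tightly scoped token and an over-broad one, built from the constructed key."""
    scoped = make_account_sas(ACCOUNT_NAME, ACCOUNT_KEY_B64, "r", "b", "o",
                              now, now + timedelta(minutes=30), ip_range="203.0.113.0/24")
    broad = make_account_sas(ACCOUNT_NAME, ACCOUNT_KEY_B64, "rwdlac", "bfqt", "sco",
                             now, now + timedelta(days=365), protocol="https,http")
    return scoped, broad


if __name__ == "__main__":
    scoped, broad = demo_tokens()
    print("scoped valid:", verify_account_sas(ACCOUNT_NAME, ACCOUNT_KEY_B64, scoped))  # True
    print("scoped findings:", review_sas(scoped, DEMO_NOW))  # []
    print("broad findings:", review_sas(broad, DEMO_NOW))    # four findings
    tampered = scoped.replace("&sp=r&", "&sp=rw&")
    print("tampered valid:", verify_account_sas(ACCOUNT_NAME, ACCOUNT_KEY_B64, tampered))  # False
```

Widening `sp` in the URI without the key fails verification, which is what makes the delegation safe to hand out; what the signature does not protect against is the URI itself leaking, hence the short lifetime, HTTPS-only and IP restriction that `review_sas` insists on.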

Learn more:

Encryption in transit

Encryption in transit is a mechanism of protecting data when it's transmitted across networks. With Azure Storage, you can secure data by using:

  • Transport-level encryption, such as HTTPS, when you transfer data into or out of Azure Storage.
  • Wire encryption, such as SMB 3.0 encryption, for Azure file shares.
  • Client-side encryption, to encrypt the data before it's transferred into storage and to decrypt it after it's transferred out of storage.

Learn more about client-side encryption:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty. Three Azure features provide encryption of data that's at rest:

  • Storage Service Encryption, which automatically encrypts data when it's written to Azure Storage.
  • Client-side encryption, which encrypts the data before it leaves the client, so it is also stored encrypted.
  • Azure Disk Encryption, which encrypts the OS and data disks used by virtual machines.

Learn more about Storage Service Encryption:
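
Both the transit and the at-rest settings above are properties of the storage account resource, so one check covers them. The following is an added example, not part of this article or of any Microsoft tool: it runs a baseline over two constructed `Microsoft.Storage/storageAccounts` property sets, one weak and one hardened, using the real ARM property names `supportsHttpsTrafficOnly` (the secure transfer required setting, which also rejects unencrypted SMB), `minimumTlsVersion`, `encryption.services`, `encryption.keySource` and `encryption.requireInfrastructureEncryption`. The baseline itself (TLS 1.2, customer-managed keys, double encryption) is this example's choice, not a requirement stated by the article.

```python
import json

# Constructed samples of a Microsoft.Storage/storageAccounts resource as returned by
# Azure Resource Manager, trimmed to the properties the checks below look at.
WEAK_ACCOUNT = json.loads("""{
  "name": "stlegacy",
  "properties": {
    "supportsHttpsTrafficOnly": false,
    "minimumTlsVersion": "TLS1_0",
    "encryption": {
      "keySource": "Microsoft.Storage",
      "requireInfrastructureEncryption": false,
      "services": {"blob": {"enabled": true}, "file": {"enabled": true}}
    }
  }
}""")

HARDENED_ACCOUNT = json.loads("""{
  "name": "sthardened",
  "properties": {
    "supportsHttpsTrafficOnly": true,
    "minimumTlsVersion": "TLS1_2",
    "encryption": {
      "keySource": "Microsoft.Keyvault",
      "requireInfrastructureEncryption": true,
      "services": {"blob": {"enabled": true}, "file": {"enabled": true}}
    }
  }
}""")

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def check_storage_account(account, require_customer_managed_key=False):
    """Return findings where the account's transit or at-rest settings fall below the baseline."""
    props = account.get("properties", {})
    enc = props.get("encryption", {})
    findings = []

    # Encryption in transit: reject plain HTTP (and unencrypted SMB) and old TLS versions.
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer not required: HTTP and unencrypted SMB are accepted")
    min_tls = props.get("minimumTlsVersion", "TLS1_0")  # older accounts default to TLS1_0
    if TLS_RANK.get(min_tls, -1) < TLS_RANK["TLS1_2"]:
        findings.append(f"minimum TLS version is {min_tls}; require TLS1_2")

    # Encryption at rest: Storage Service Encryption per service, key source, double encryption.
    for service in ("blob", "file"):
        if not enc.get("services", {}).get(service, {}).get("enabled", False):
            findings.append(f"Storage Service Encryption not enabled for the {service} service")
    if require_customer_managed_key and enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("data encrypted with Microsoft-managed keys; customer-managed key in Key Vault required")
    if not enc.get("requireInfrastructureEncryption", False):
        findings.append("infrastructure (double) encryption not enabled")
    return findings


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], check_storage_account(acct, require_customer_managed_key=True))
```

Run against the property output of `az storage account show` or the equivalent REST call, the same function turns the prose above into something an access review or a pipeline gate can enforce.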

Azure Disk Encryption

Azure Disk Encryption for virtual machines helps you address organizational security and compliance requirements. It encrypts your VM disks (including boot and data disks) by using keys and policies that you control in Azure Key Vault.

Disk Encryption for VMs works for Linux and Windows operating systems. It also uses Key Vault to help you safeguard, manage, and audit use of your disk encryption keys. All the data in your VM disks is encrypted at rest by using industry-standard encryption technology in your Azure storage accounts. The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

Learn more:

Azure Key Vault

Azure Disk Encryption uses Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault. It also ensures that all data on the virtual machine disks is encrypted at rest in Azure Storage. Enable Key Vault logging so that you can audit use of the keys and of the key vault's access policies.

Learn more: