Azure Storage Security

Azure Storage Security Overview

Azure Storage provides robust security capabilities that allow developers to build secure applications. Key areas include:

1. Encryption

  • At rest: All data is automatically encrypted using Storage Service Encryption (SSE) with 256-bit AES.

  • Customer-managed keys: You can optionally use Azure Key Vault to manage your own encryption keys for more control.

  • In transit: Use HTTPS, SMB 3.0, or client-side encryption to protect data moving between applications and Azure.

2. Authentication & Authorization

  • Azure Active Directory (Azure AD): Enables role-based access control (RBAC) for both resource management and data operations.

  • Shared Key: Uses storage account access keys to authorize requests.

  • Shared Access Signatures (SAS): Delegated, time-limited access to specific resources without exposing account keys.

  • Anonymous Access: Optional for public containers or blobs.


Shared Access Signatures (SAS)

A SAS is a URI that grants restricted access to Azure Storage resources.

Key Features

  • Granular permissions: Read, write, delete, or other operations.

  • Scope: Can be at account level (multiple services) or service level (single service/resource).

  • Time-bound: Specify start and expiry times.

  • Optional controls: Limit access by IP range and protocol (HTTPS).

URI Structure

A SAS URI includes:

  • Resource URI: Endpoint for blob, file, queue, or table.

  • Version (sv): Storage service version.

  • Services (ss) & Resource types (srt): Scope of SAS.

  • Permissions (sp): Operations allowed.

  • Start (st) & Expiry (se): Validity window of the token.

  • IP range (sip) & Protocol (spr): Optional restrictions on the client IP range and on the protocol (HTTPS only, or HTTPS and HTTP).

  • Signature (sig): HMAC-SHA256 over the other parameters, computed with the account key; the service recomputes it to authenticate the request, so any altered parameter invalidates the token.

Types of SAS

  1. Account SAS: Delegates access to multiple services.

  2. Service SAS: Delegates access to a single resource/service.

  3. Stored access policy: A server-side policy that a service SAS can reference; it adds server-side control and lets you change or revoke the granted permissions without regenerating account keys.


Best Practices for SAS

Security Risks

  • A leaked SAS grants whoever holds it the access it encodes until it expires or is revoked.

  • Expired SAS may disrupt client applications if not renewed.

Recommendations

  • Always use HTTPS to distribute SAS.

  • Use stored access policies where possible.

  • Use short-lived SAS for ad hoc access.

  • Automatically renew SAS before expiry for continuous access.

  • Be cautious with start times to account for clock skew: set the start time at least 15 minutes in the past, or omit it (15 min buffer recommended).

  • Grant minimum required permissions to reduce risk.

  • Monitor usage with Storage Analytics.

  • Validate data written through SAS.

  • Consider middle-tier services for critical operations instead of SAS.

  • Understand that usage with SAS is billed to your account.
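The following is an added example, not code from this page or from Azure: a standard-library Python model of how an account SAS token is built, signed and checked, with the issuing side applying the recommendations above (least privilege, short lifetime, a start time backdated for clock skew, IP and HTTPS restrictions). The account name and key are constructed, the string-to-sign field order is assumed from the documented account SAS format for service version 2019-12-12, and the validation function models the checks the storage service performs rather than being the service itself; mint real tokens with the Azure SDK or CLI.

```python
"""Model of account SAS construction, signing and validation (added example).
Standard library only; the string-to-sign layout is an assumption taken from the
documented account SAS format for sv=2019-12-12."""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials (not a real account or key).
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()

SAS_VERSION = "2019-12-12"
CLOCK_SKEW = timedelta(minutes=15)       # recommended buffer on the start time
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed issue time for the demo


def _string_to_sign(account: str, p: dict) -> str:
    # Assumed field order for an account SAS; sip is optional and signed as "" when absent.
    fields = [account, p["sp"], p["ss"], p["srt"], p["st"], p["se"],
              p.get("sip", ""), p["spr"], p["sv"]]
    return "\n".join(fields) + "\n"


def sign(account: str, key_b64: str, p: dict) -> str:
    # sig = Base64(HMAC-SHA256(Base64-decoded account key, string-to-sign))
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, _string_to_sign(account, p).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_account_sas(account, key_b64, *, permissions, services, resource_types,
                      start, expiry, protocol="https", ip_range=None):
    """Return the SAS query string (the part after '?' in a SAS URI)."""
    p = {"sv": SAS_VERSION, "ss": services, "srt": resource_types, "sp": permissions,
         "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT)}
    if ip_range:
        p["sip"] = ip_range                 # "a.b.c.d" or "a.b.c.d-e.f.g.h"
    p["spr"] = protocol
    p["sig"] = sign(account, key_b64, p)
    return urlencode(p)


def issue_short_lived(account, key_b64, *, permissions, services="b", resource_types="o",
                      ttl=timedelta(hours=1), issued_at=None, ip_range=None):
    """Least-privilege, short-lived token whose start is backdated by CLOCK_SKEW."""
    issued_at = issued_at or datetime.now(timezone.utc)
    return build_account_sas(account, key_b64, permissions=permissions, services=services,
                             resource_types=resource_types, start=issued_at - CLOCK_SKEW,
                             expiry=issued_at + ttl, ip_range=ip_range)


def _ip_allowed(client_ip: str, sip: str) -> bool:
    lo, _, hi = sip.partition("-")
    ip = int(ipaddress.ip_address(client_ip))
    return int(ipaddress.ip_address(lo)) <= ip <= int(ipaddress.ip_address(hi or lo))


def validate_account_sas(account, key_b64, query, *, now, permission, scheme, client_ip):
    """Model of the server-side checks; returns (accepted, reason)."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        expected = sign(account, key_b64, p)
    except KeyError:
        return False, "malformed token"
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return False, "bad signature"        # any tampered parameter lands here
    start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now < start:
        return False, "not yet valid"
    if now >= expiry:
        return False, "expired"
    if permission not in p["sp"]:
        return False, "permission not granted"
    if p["spr"] == "https" and scheme != "https":
        return False, "protocol not allowed"
    if "sip" in p and not _ip_allowed(client_ip, p["sip"]):
        return False, "client IP outside sip range"
    return True, "ok"


def demo():
    """Walk a read-only, one-hour token through the checks; returns {scenario: result}."""
    q = issue_short_lived(ACCOUNT_NAME, ACCOUNT_KEY, permissions="r", issued_at=T0,
                          ip_range="203.0.113.10-203.0.113.20")

    def check(query, now, permission="r", scheme="https", client_ip="203.0.113.15"):
        return validate_account_sas(ACCOUNT_NAME, ACCOUNT_KEY, query, now=now,
                                    permission=permission, scheme=scheme, client_ip=client_ip)

    return {
        "fresh": check(q, T0 + timedelta(minutes=30)),
        "within skew buffer": check(q, T0 - timedelta(minutes=10)),
        "before start": check(q, T0 - timedelta(minutes=20)),
        "expired": check(q, T0 + timedelta(hours=2)),
        "delete not granted": check(q, T0, permission="d"),
        "plain http": check(q, T0, scheme="http"),
        "wrong ip": check(q, T0, client_ip="198.51.100.1"),
        "tampered permissions": check(q.replace("sp=r&", "sp=rwd&"), T0),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:22s} -> {result}")
```

The issuing side is where the recommendations take effect: `issue_short_lived` grants only the requested permissions, defaults to a one-hour lifetime, and backdates the start by 15 minutes so a client whose clock runs slightly behind is not rejected with "not yet valid". The validator shows why the signature covers every parameter: widening `sp` after the fact changes the string-to-sign, so the recomputed HMAC no longer matches and the request fails before any other check runs.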


Demonstration: Creating SAS (Azure Portal)

Service-level SAS

  1. Go to storage account → blob container → select a file → Generate SAS.

  2. Configure:

    • Permissions: Read

    • Start & expiry: Today → 1 year

    • Protocol: HTTPS

    • Key: Key1

  3. Copy SAS URL → open in browser → verify access.

Account-level SAS

  1. Go to storage account → Shared access signature.

  2. Configure services, resource types, permissions.

  3. Generate SAS & connection string → review URL and token.
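An added example (not from this page or from Azure tooling) for the review step above: it parses the query parameters of a SAS URL, such as one copied from the portal, and reports anything that departs from the recommendations on this page (long lifetime, write-class permissions, no IP restriction, HTTP allowed, no stored access policy, account-wide scope). The sample URLs, the placeholder signature, the 24-hour lifetime ceiling and the reference time are constructed assumptions.

```python
"""Audit a SAS URL against the recommendations on this page (added example).
Standard library only; thresholds and sample URLs are assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=24)      # assumed ceiling for ad hoc tokens
WRITE_CLASS = set("wdac")               # write, delete, add, create

# Constructed samples; the signature values are placeholders, not real Azure signatures.
# Service SAS as produced by the "Service-level SAS" steps: read-only, one-year expiry.
SAMPLE_SERVICE_URL = ("https://examplestorage.blob.core.windows.net/demo/report.pdf"
                      "?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z"
                      "&se=2025-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER-SIGNATURE")
# Account SAS as produced by the "Account-level SAS" steps: all services, all resource types.
SAMPLE_ACCOUNT_URL = ("https://examplestorage.blob.core.windows.net/"
                      "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2024-01-02T00:00:00Z"
                      "&spr=https,http&sig=PLACEHOLDER-SIGNATURE")
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed "now" for the demo


def _parse_time(value: str) -> datetime:
    # The portal emits full timestamps; date-only and minute-precision forms are accepted too.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value}")


def audit_sas_url(url: str, now: datetime = None) -> list:
    """Return a list of findings; an empty list means nothing departed from the recommendations."""
    parts = urlsplit(url)
    p = {k: v[0] for k, v in parse_qs(parts.query).items()}
    now = now or datetime.now(timezone.utc)
    findings = []
    if parts.scheme != "https":
        findings.append("URL uses plain http: distribute SAS only over HTTPS")
    if p.get("spr") != "https":
        findings.append("spr does not restrict the token to HTTPS")
    if "se" not in p:
        findings.append("no expiry (se) in token: expiry must come from a stored access policy")
    else:
        remaining = _parse_time(p["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining > MAX_LIFETIME:
            findings.append(f"lifetime of {remaining.days} days exceeds {MAX_LIFETIME.days}-day ceiling")
    extra = set(p.get("sp", "")) & WRITE_CLASS
    if extra:
        findings.append("write-class permissions granted: " + "".join(sorted(extra)))
    if "sip" not in p:
        findings.append("no IP restriction (sip)")
    if "ss" in p:
        findings.append(f"account SAS spanning services '{p['ss']}' and resource types '{p.get('srt', '')}'")
    elif "si" not in p:
        findings.append("service SAS without stored access policy (si): revocation needs key regeneration")
    return findings


if __name__ == "__main__":
    for name, url in (("service", SAMPLE_SERVICE_URL), ("account", SAMPLE_ACCOUNT_URL)):
        print(name)
        for finding in audit_sas_url(url, now=T0):
            print("  -", finding)
```

Run against the one-year read-only service SAS from the demonstration, the auditor flags the lifetime, the missing IP restriction and the absence of a stored access policy; the account-level token additionally trips on its write-class permissions, its account-wide scope and the `https,http` protocol setting.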