6 Secure
Azure Storage security features
- Encryption at rest
Azure Disk Encryption encrypts the OS and data virtual hard disks (VHDs) of Azure VMs; the encryption keys are held in Azure Key Vault.
- BitLocker for Windows
- dm-crypt for Linux
- Encryption in transit
HTTPS for REST calls; turn on "Secure transfer required" on the storage account so plain-HTTP requests are rejected (Azure Files then also requires SMB 3.0 with encryption).
CORS support
Contoso locks GET requests down to specific domains
Azure Storage supports cross-domain access through cross-origin resource sharing (CORS), an optional setting on the storage account: you define per-service (Blob, File, Queue, Table) rules listing the allowed origins, methods and headers, and the service adds the matching Access-Control-* headers to responses.
CORS only tells browsers which origins may read a response; it is not authentication, so each request is still authorized separately (key, SAS, Azure AD token, or anonymous public access on the container).
Role-based access control
Azure Active Directory identities (users, groups, service principals, managed identities) are assigned role-based access control (RBAC) roles such as Storage Blob Data Reader or Storage Blob Data Contributor, scoped to a subscription, resource group, storage account or container.
Auditing access
Storage Analytics logging records every request against the account (successful and failed, including the authentication method used) into a $logs container; accounts can also send resource logs to Azure Monitor.
- All data written to Azure Storage is automatically encrypted by Storage Service Encryption (SSE) before it is persisted and decrypted on retrieval; it is transparent to clients and cannot be disabled
- 256-bit Advanced Encryption Standard (AES) cipher; keys are Microsoft-managed by default, or customer-managed keys kept in Azure Key Vault
storage account keys
Each account has two 512-bit keys; either one grants full access to everything in the account (every service, every container), so treat them like root passwords.
shared key in the HTTP Authorization header of every request: the client signs each request with HMAC-SHA256 under the key, and the key itself is never sent.
Settings > Access keys.
regenerate keys periodically, one at a time: move applications to key2, regenerate key1, move them back, regenerate key2, so nothing loses access during rotation.
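How the shared-key scheme works in practice, as an added example that is not part of these notes or of any Azure SDK: it builds the Authorization header for a Blob service request from the documented string-to-sign (the 2015-02-21 and later layout), using a constructed account name and key. This is what a trusted server-side component does on a client's behalf; it must only run where the account key is safe to hold.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlparse

# Constructed sample values for illustration only: not a real account or key.
# Real account keys are 512-bit and are shown base64-encoded in the portal.
ACCOUNT_NAME = "contosostorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()


def canonicalized_headers(headers):
    """x-ms-* headers, lower-cased and sorted, each as 'name:value\\n'."""
    ms = {k.lower().strip(): " ".join(v.strip().split())
          for k, v in headers.items() if k.lower().startswith("x-ms-")}
    return "".join(f"{k}:{ms[k]}\n" for k in sorted(ms))


def canonicalized_resource(account, url):
    """'/account/path', then each query parameter (lower-cased, sorted) as '\\nname:value'."""
    u = urlparse(url)
    params = {}
    for name, value in parse_qsl(u.query, keep_blank_values=True):
        params.setdefault(name.lower(), []).append(value)
    out = f"/{account}{u.path}"
    for name in sorted(params):
        out += f"\n{name}:{','.join(sorted(params[name]))}"
    return out


def string_to_sign(method, url, headers, account=ACCOUNT_NAME):
    """Shared Key string-to-sign for the Blob service (2015-02-21+ layout)."""
    h = {k.lower(): v for k, v in headers.items()}
    length = h.get("content-length", "")
    if length == "0":
        length = ""          # zero length is signed as an empty string in this version
    # When x-ms-date is sent, the Date field of the string-to-sign is left empty.
    date = "" if "x-ms-date" in h else h.get("date", "")
    standard = [
        method.upper(),
        h.get("content-encoding", ""), h.get("content-language", ""), length,
        h.get("content-md5", ""), h.get("content-type", ""), date,
        h.get("if-modified-since", ""), h.get("if-match", ""),
        h.get("if-none-match", ""), h.get("if-unmodified-since", ""), h.get("range", ""),
    ]
    return "\n".join(standard) + "\n" + canonicalized_headers(headers) + canonicalized_resource(account, url)


def shared_key_authorization(method, url, headers, account=ACCOUNT_NAME, key=ACCOUNT_KEY):
    """Authorization header value: HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key),
                   string_to_sign(method, url, headers, account).encode("utf-8"),
                   hashlib.sha256)
    return f"SharedKey {account}:{base64.b64encode(mac.digest()).decode()}"


if __name__ == "__main__":
    hdrs = {"x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": "2020-10-02", "Content-Length": "0"}
    url = f"https://{ACCOUNT_NAME}.blob.core.windows.net/reports/q1.csv?timeout=30"
    print(string_to_sign("GET", url, hdrs))
    print(shared_key_authorization("GET", url, hdrs))
```

Every header that is signed is bound to the request, so a captured signature cannot be replayed against a different verb, path or query string, and x-ms-date limits how long a capture stays usable; the key itself never appears on the wire.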
shared access signatures
best practice
- you shouldn't share storage account keys with external third-party applications
- For untrusted clients, use a shared access signature (SAS)
- allow only the access that the application needs to do the task: narrowest permissions, shortest expiry, HTTPS only, and an IP range when the client's address is known
string that contains a security token that can be attached to a URI; the token carries the permissions, start and expiry times and constraints, plus an HMAC-SHA256 signature computed with an account key (or, for a user delegation SAS on Blob storage, with an Azure AD user delegation key).
A SAS signed with an account key stays valid until it expires or that key is regenerated; associate service-level SASs with a stored access policy if you need to revoke them without rotating the key.
types
- service-level
allow access to specific resources in a storage account (a single blob, container, queue, table or file share, on one service)
- account-level
allow access to anything that a service-level shared access signature can allow, plus additional resources and abilities (several services in one token, and service-level operations such as Get Service Properties)
designs
- Clients upload and download data through a front-end proxy service, which performs authentication and then calls Storage on the client's behalf with the account key; the key never leaves the proxy, but all data flows through it
- A lightweight service authenticates the client as needed. Then it generates a shared access signature scoped to that client's task and hands it back; the client talks to Storage directly with the SAS, so the service stays off the data path
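The second design (a SAS-issuing service) as an added example, not code from these notes or from an Azure SDK: it signs a service-level SAS for a single blob with a constructed account key, using the documented string-to-sign for API versions 2018-11-09 through 2020-10-02, and enforces an issuer policy before signing. The account name and key, the read/create/write allow-list, the 15-minute cap and the clock-skew back-date are assumptions of the example.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed sample values for illustration only: not a real account or key.
ACCOUNT_NAME = "contosostorage"
ACCOUNT_KEY = base64.b64encode(b"\x02" * 64).decode()
API_VERSION = "2020-10-02"             # last version that uses the 2018-11-09 string-to-sign layout
MAX_LIFETIME = timedelta(minutes=15)   # issuer policy (assumption): never hand out long-lived tokens
ALLOWED = {"r", "c", "w"}              # issuer policy (assumption): read, create, write; never delete
ORDER = "racwd"                        # permission letters must appear in this documented order


def canonical_permissions(requested):
    """Reject anything outside the allow-list and return the letters in canonical order."""
    extra = set(requested) - ALLOWED
    if extra:
        raise ValueError(f"issuer refuses to grant permissions {sorted(extra)}")
    return "".join(p for p in ORDER if p in requested)


def iso8601(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def blob_sas_string_to_sign(account, container, blob, sp, st, se, version=API_VERSION):
    """Service SAS string-to-sign for one blob (sr=b), HTTPS only, no stored access policy."""
    return "\n".join([
        sp,                                       # signedPermissions
        st,                                       # signedStart
        se,                                       # signedExpiry
        f"/blob/{account}/{container}/{blob}",    # canonicalizedResource
        "",                                       # signedIdentifier (stored access policy)
        "",                                       # signedIP
        "https",                                  # signedProtocol
        version,                                  # signedVersion
        "b",                                      # signedResource
        "",                                       # signedSnapshotTime
        "", "", "", "", "",                       # rscc, rscd, rsce, rscl, rsct response-header overrides
    ])


def issue_blob_sas(container, blob, permissions, lifetime=timedelta(minutes=10), now=None,
                   account=ACCOUNT_NAME, key=ACCOUNT_KEY):
    """Return the SAS query string for one blob. The account key is used here and never returned."""
    if lifetime > MAX_LIFETIME:
        raise ValueError("requested lifetime exceeds issuer policy")
    now = now or datetime.now(timezone.utc)
    sp = canonical_permissions(permissions)
    st = iso8601(now - timedelta(minutes=5))     # back-date slightly to tolerate clock skew
    se = iso8601(now + lifetime)
    sts = blob_sas_string_to_sign(account, container, blob, sp, st, se)
    sig = base64.b64encode(
        hmac.new(base64.b64decode(key), sts.encode("utf-8"), hashlib.sha256).digest()).decode()
    return urlencode({"sv": API_VERSION, "sr": "b", "sp": sp, "st": st, "se": se,
                      "spr": "https", "sig": sig})


def blob_url_with_sas(container, blob, permissions, **kwargs):
    """What the service hands back to an authenticated client: the blob URL plus the SAS token."""
    account = kwargs.get("account", ACCOUNT_NAME)
    return (f"https://{account}.blob.core.windows.net/{container}/{blob}?"
            + issue_blob_sas(container, blob, permissions, **kwargs))


if __name__ == "__main__":
    print(blob_url_with_sas("reports", "q1.csv", "r"))
```

The client never sees the account key, only a token whose permissions, resource, expiry and protocol are fixed in the signature; changing any of them in the URL invalidates the signature. Remember that nothing short of regenerating the key revokes such a token early, which is why the issuer keeps lifetimes short.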
Control network access
Firewalls and virtual networks: by default the account accepts traffic from all networks. Set the default action to Deny, then allow only selected virtual network subnets (service endpoints or private endpoints) and specific public IP ranges, plus the "trusted Microsoft services" exception where a platform service needs in.
Advanced Threat Protection (since renamed Microsoft Defender for Storage)
notified when suspicious activity is happening
anomalies in account activity, such as access from an unusual location or an unusual amount of data being extracted
integrated with Azure Security Center (now Microsoft Defender for Cloud), where the alerts surface
Settings page > Advanced security > Enable Advanced Threat Protection
Azure Data Lake
Azure Data Lake Storage Gen2: a hierarchical namespace built on Azure Blob storage, so everything above (SSE, HTTPS, firewalls, RBAC) still applies
- role-based access control (RBAC)
- access control lists (ACLs)
- POSIX-compliant: read, write and execute on each file and directory; execute on every parent directory is required to reach a file
- RBAC is evaluated first; ACLs are only consulted when no RBAC data role authorizes the operation
- restrict access to only authorized users, groups, or service principals
authenticates through Azure Active Directory OAuth 2.0 bearer tokens; ACLs apply to these Azure AD identities only, because a caller using the account key is a super-user that bypasses ACLs.