How to have a storage account with public data that complies with security practices?

Najam ul Saqib 160 Reputation points
2024-02-04T06:10:12.6233333+00:00

I have a storage account in Azure that holds public data, i.e. static images that are sent to customers in email. I am trying to get compliant with ISO 27001, but one check is failing, i.e. "Access to storage accounts with firewall and virtual network configurations should be restricted". This is also appearing in the recommendations of Defender for Cloud, that a VNet needs to be configured for the storage account, but that kills my use case. I want my storage account's data to be publicly available. How can I get through this check of ISO 27001 without disallowing access to my public data?


Accepted answer
  1. Timmy Malmgren 886 Reputation points
    2024-02-04T13:11:41.4966667+00:00

    Hello @Najam ul Saqib. For Defender for Cloud this recommendation is retired and will not grant or remove any of your secure posture score from the portal. I created a storage account just to visualize it for you in the picture below :) As you can see, this is not scored anymore in Defender; it's still available for reporting and information purposes.

    When it comes to ISO 27001, it's a very large policy with a lot of compliance settings, and meeting them all is not possible for many companies, as you now have first-hand experience of :)

    In my personal opinion, working with secure posture and policy compliance is all about awareness and making calculated decisions. That's why Microsoft have created the "exempt" feature: there are scenarios where you just can't possibly meet some of the requirements, BUT you should always be aware of them and make an informative decision, either to reconfigure/rebuild to meet them, or to acknowledge them as a calculated risk (an exemption).

    To make an exemption:

    Go to the policy assignment and click "Create exemption".

    In the exemption there are a few settings:

    Scope: select the specific subscription/resource group/resource.
    Exemption name: specify something logical so it's easy to understand what has been exempted.
    Exemption category: whether it's mitigated or waived (sometimes there can be third-party options that Azure can't see, for example).
    Expiration date: here I always recommend my customers to set an expiration date. Why? Because I believe that everything that does not follow the security baseline should be constantly evaluated. This helps to get a reminder that you have something that does not follow the security baseline, and to see if it's still an acceptable configuration in, for example, a year. If this is still something you can't reconfigure, just make a new exemption for another year.

    On the Policies tab, select the specific setting you would like to exempt (remember to remove the "policy definition reference" switch).

    Hope this is helpful. Best Regards, Timmy Malmgren

    --- If the answer is helpful, please click "Accept Answer" and upvote it, as it helps others to find what they are looking for faster!


1 additional answer

  1. Nehruji R 4,766 Reputation points Microsoft Vendor
    2024-02-05T10:44:55.2633333+00:00

    Hello Najam ul Saqib,

    Greetings! Welcome to Microsoft Q&A forum.

    I would like to provide you with some more ways to overcome this scenario. I understand that you want to provide public access to your storage account data and meanwhile you have to meet ISO 27001 compliance.

    For this, first segregate the data that should be publicly accessible into a separate container and configure anonymous read access for the containers and blobs that hold the specific data.

    Azure Blob storage has the option to allow anonymous public access to a container and its blobs, which allows read-only access without sharing the account key or requiring a shared access signature. However, it is advised to avoid granting anonymous access unless it is necessary.

    Refer to https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal for more information about the same.

    In order to meet ISO 27001 compliance, please configure the firewall and VNet for your storage account; refer to https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal.

    Hope this answer helps. Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
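Taken together, the two answers describe one configuration: keep only the public images in a dedicated container with blob-level anonymous read (so nothing else on the account is exposed), and record the storage firewall/VNet finding as a time-boxed policy exemption. The Azure PowerShell script below is an added example, not code from either answer or from Microsoft; the resource names, the ISO 27001 initiative assignment name and the policy definition reference ID are placeholders you must replace, and it assumes the Az.Storage and Az.Resources modules with an authenticated session.

```powershell
# Added example (not from the thread). Assumes Connect-AzAccount has already been run.
# All names below are placeholders for your own environment.
$ResourceGroup  = 'rg-public-assets'               # placeholder
$StorageAccount = 'stpublicassets'                 # placeholder
$Container      = 'email-images'                   # placeholder: only public data lives here
$AssignmentName = '<iso-27001-assignment-name>'    # placeholder: your ISO 27001 initiative assignment
$PolicyRefId    = '<policyDefinitionReferenceId>'  # placeholder: the storage firewall/VNet policy inside it

# 1. Allow anonymous access at account level, then grant it only on the dedicated container.
#    'Blob' permission lets clients read a blob by URL but not list the container's contents.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -AllowBlobPublicAccess $true | Out-Null
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context
if (-not (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Context $ctx -Permission Blob | Out-Null
} else {
    Set-AzStorageContainerAcl -Name $Container -Context $ctx -Permission Blob
}

# 2. Check that no other container on this account is anonymously readable.
$leaks = Get-AzStorageContainer -Context $ctx |
    Where-Object { $_.Name -ne $Container -and $_.PublicAccess -and $_.PublicAccess -ne 'Off' }
if ($leaks) { throw "Unexpected public containers: $($leaks.Name -join ', ')" }

# 3. Record the accepted risk as an exemption scoped to this single account, expiring in one year
#    so it is re-evaluated, as the accepted answer recommends.
$account    = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$assignment = Get-AzPolicyAssignment -Name $AssignmentName
New-AzPolicyExemption -Name "exempt-public-images-$StorageAccount" `
    -PolicyAssignment $assignment `
    -Scope $account.Id `
    -PolicyDefinitionReferenceId $PolicyRefId `
    -ExemptionCategory Waiver `
    -ExpiresOn (Get-Date).AddYears(1) `
    -DisplayName 'Public e-mail images: firewall/VNet restriction not applicable' `
    -Description 'Container holds only public static images; reassess at expiry.'
```

Scoping the exemption to the single storage account rather than the subscription keeps the firewall/VNet policy enforced on every other account.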