Secure Azure App Service Backup

Question

What are the ways in which we can secure the Azure App Service Backup, like from ransomware attack .

Answer 1

Thanks for asking question and reaching here! The Backup and Restore feature in App Service lets you easily create app backups manually or on a schedule. You can configure the backups to be retained up to an indefinite amount of time. You can restore the app to a snapshot of a previous state by overwriting the existing app or restoring to another app.

You might be aware that App Service can back up the following information to an Azure storage account and container, which you have configured your app to use:
• App configuration
• File content
• Database connected to your app

For security ensure that regular and automated back-ups are occurring at a frequency as defined by your organizational policies.

• Understand Azure App Service backup capability
• Customer-managed keys for Azure Storage encryption

Check this link: https://learn.microsoft.com/en-us/security/benchmark/azure/security-control-data-recovery

Further to elaborate on this, Microsoft Defender for Cloud provides you the tools to detect and block ransomware, advanced malware and threats for your resources. Keeping your resources safe is a joint effort between your cloud provider, Azure, and you, the customer.

You have to make sure your workloads are secure as you move to the cloud, and at the same time, when you move to IaaS (infrastructure as a service) there is more customer responsibility than there was in PaaS (platform as a service), and SaaS (software as a service).

Check this document on Implement general PaaS security best practices recommendations

Best practices for securing PaaS web and mobile applications using Azure Storage

Ransomware details

Let us know if further query or issue remains.

Answer 2

Sure, As per your query on where it is stored: App Service back-up is stored on Azure Storage and you need an Azure storage account and container in the same subscription as the app that you want to back up.

For more information on Azure storage accounts, see Azure storage account overview.

Since it's on Azure Storage to great extent it's secured to elaborate on this:

Azure Storage provides encryption at rest -Use system-provided keys or your own, customer-managed keys. This is where your application data is stored when it is not running in a web app in Azure.

Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.

Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

Check this complete details mentioned as App service security baseline data-recovery

• Ensure regular automated back-ups
• Perform complete system backups and backup any customer-managed keys
• Validate all backups including customer-managed keys
• Ensure protection of backups and customer-managed keys

Also, for additional security maybe Firewall and private endpoint supported storage account - will help. But as mentioned here it's not supported at this time.

• Using a firewall enabled storage account as the destination for your backups is not supported.
• Using a private endpoint enabled storage account for backup and restore is not supported.

Further you may want to know that Recovery Services vaults is used to hold backup data for Azure services such as IaaS VMs (Linux or Windows) and Azure SQL databases.

Let us know if further query.