Specify security requirements for storage workloads


Azure Storage accounts suit workloads that require fast and consistent response times, or that perform a high number of input/output operations per second (IOPS). A storage account contains all your Azure Storage data objects, which include:

  • Blobs
  • File shares
  • Queues
  • Tables
  • Disks

Consider the following recommendations to optimize security when configuring your Azure Storage Account:

  • Turn on soft delete for blob data.
  • Use Azure AD to authorize access to blob data.
  • Apply the principle of least privilege when you assign permissions to an Azure AD security principal through Azure RBAC.
  • Use blob versioning or immutable blobs to store business-critical data.
  • Restrict default internet access for storage accounts.
  • Configure firewall rules to limit access to your storage account.
  • Limit network access to specific networks.
  • Allow trusted Microsoft services to access the storage account.
  • Enable the Secure transfer required option on all your storage accounts.
  • Limit shared access signature (SAS) tokens to HTTPS connections only.
  • Avoid Shared Key authorization, and disallow it on the account wherever workloads no longer need it.
  • Regenerate your account keys periodically.
  • Create a revocation plan for any SAS that you issue to clients, and have it in place before you issue the SAS.
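The list above is the checklist; what a practitioner wants next is a way to tell, for a given account, which items are still open. The script below is an added example (not code from this Microsoft Learn module) that evaluates the account-level recommendations offline. It consumes the JSON shapes that `az storage account show` and `az storage account blob-service-properties show` emit (the field names, such as `enableHttpsTrafficOnly` and `networkRuleSet.defaultAction`, are assumed from az CLI output), and for each unmet item it prints the `az` command that remediates it. The two sample accounts are constructed, and the seven-day soft-delete retention threshold is the example's own assumption; the module only says to turn soft delete on. Key rotation and SAS revocation are operational practices that cannot be read from account properties, so they are not checked here.

```python
"""Offline posture check of an Azure Storage account against the hardening list above.

Added example; it is not code from the Microsoft Learn module. It consumes the JSON that
`az storage account show` and `az storage account blob-service-properties show` emit
(field names are assumed from az CLI output) and reports each unmet recommendation with
the az command that remediates it. Both sample accounts below are constructed.
"""
import json

# Constructed sample 1: an account left at creation-time defaults.
WEAK_ACCOUNT = json.loads("""{
  "name": "stweakdemo", "resourceGroup": "rg-demo",
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "allowSharedKeyAccess": null,
  "allowBlobPublicAccess": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"bypass": "None", "defaultAction": "Allow",
                     "ipRules": [], "virtualNetworkRules": []}
}""")
WEAK_BLOB_PROPS = json.loads("""{
  "deleteRetentionPolicy": {"enabled": false, "days": null},
  "isVersioningEnabled": false
}""")

# Constructed sample 2: the same kind of account after hardening. The subnet id is a placeholder.
HARDENED_ACCOUNT = json.loads("""{
  "name": "sthardeneddemo", "resourceGroup": "rg-demo",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "allowSharedKeyAccess": false,
  "allowBlobPublicAccess": false,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny", "ipRules": [],
                     "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-app"}]}
}""")
HARDENED_BLOB_PROPS = json.loads("""{
  "deleteRetentionPolicy": {"enabled": true, "days": 14},
  "isVersioningEnabled": true
}""")

SOFT_DELETE_MIN_DAYS = 7  # assumed threshold; the module only says to turn soft delete on


def audit(account: dict, blob_props: dict) -> list[dict]:
    """Return one finding per unmet recommendation; an empty list means the account passes."""
    acct = f"--name {account['name']} --resource-group {account['resourceGroup']}"
    blob = f"--account-name {account['name']} --resource-group {account['resourceGroup']}"
    rules = account.get("networkRuleSet") or {}
    retention = blob_props.get("deleteRetentionPolicy") or {}
    tls = account.get("minimumTlsVersion")

    # (check id, passes?, remediation). A null allowSharedKeyAccess means the property was
    # never set, and the service default allows Shared Key, so only an explicit false passes.
    checks = [
        ("secure-transfer-required", account.get("enableHttpsTrafficOnly") is True,
         f"az storage account update {acct} --https-only true"),
        ("minimum-tls", tls is not None and tls not in ("TLS1_0", "TLS1_1"),
         f"az storage account update {acct} --min-tls-version TLS1_2"),
        ("shared-key-disabled", account.get("allowSharedKeyAccess") is False,
         f"az storage account update {acct} --allow-shared-key-access false"),
        ("anonymous-blob-access-disabled", account.get("allowBlobPublicAccess") is False,
         f"az storage account update {acct} --allow-blob-public-access false"),
        # Either a full public-network disable or a default Deny with explicit rules restricts
        # default internet access; after Deny, add IP or virtual-network rules for the callers.
        ("default-internet-access-denied",
         account.get("publicNetworkAccess") == "Disabled" or rules.get("defaultAction") == "Deny",
         f"az storage account update {acct} --default-action Deny"),
        ("trusted-services-bypass", "AzureServices" in str(rules.get("bypass", "")),
         f"az storage account update {acct} --bypass AzureServices"),
        ("blob-soft-delete",
         retention.get("enabled") is True and (retention.get("days") or 0) >= SOFT_DELETE_MIN_DAYS,
         f"az storage account blob-service-properties update {blob} "
         f"--enable-delete-retention true --delete-retention-days {SOFT_DELETE_MIN_DAYS}"),
        ("blob-versioning", blob_props.get("isVersioningEnabled") is True,
         f"az storage account blob-service-properties update {blob} --enable-versioning true"),
    ]
    return [{"account": account["name"], "check": cid, "remediation": fix}
            for cid, ok, fix in checks if not ok]


def failed_checks(account: dict, blob_props: dict) -> list[str]:
    """Only the ids of failed checks, in audit order."""
    return [f["check"] for f in audit(account, blob_props)]


if __name__ == "__main__":
    for acct, props in ((WEAK_ACCOUNT, WEAK_BLOB_PROPS), (HARDENED_ACCOUNT, HARDENED_BLOB_PROPS)):
        findings = audit(acct, props)
        print(f"{acct['name']}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['check']}] {f['remediation']}")
```

Against a real subscription, pipe the output of `az storage account show` and `az storage account blob-service-properties show` for each account into `audit` and treat any non-empty result as a posture finding. Disabling Shared Key access is the one remediation that can break callers, so inventory which workloads still present account keys before applying it.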

Security posture management for storage

Just like any other cloud workload, storage workloads need ongoing security assessment to improve their overall security posture. Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks.

You can enable Microsoft Defender for Storage at either the subscription level (recommended) or the resource level. Defender for Storage continually analyzes the telemetry stream generated by the Azure Blob Storage and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations. The diagram below shows the three major actions performed by Defender for Storage:

Diagram that shows security posture management for Storage.

  1. One-click enablement via the Defender for Cloud dashboard.
  2. Once enabled, Defender for Cloud monitors the storage account, generates security recommendations, and triggers an alert when it detects suspicious activity.
  3. The alert can be handled in the Defender for Cloud dashboard, or, if the organization uses Microsoft Sentinel, the investigation can be performed there.