Commit 1b0c261

Merge pull request #225688 from TerryLanfear/sec-01fresh
Freshness update
2 parents 96d87c7 + 4a7bbf0 commit 1b0c261

1 file changed

+14
-17
lines changed


articles/security/fundamentals/paas-applications-using-storage.md

Lines changed: 14 additions & 17 deletions
@@ -3,18 +3,17 @@ title: Securing PaaS applications using Azure Storage | Microsoft Docs
33
description: "Learn about Azure Storage security best practices for securing your PaaS web and mobile applications."
44
services: security
55
documentationcenter: na
6-
author: TomShinder
7-
manager: barbkess
8-
editor: ''
6+
author: terrylanfear
7+
manager: rkarlin
98

109
ms.assetid:
11-
ms.service: storage
12-
ms.subservice: blobs
10+
ms.service: security
11+
ms.subservice: security-fundamentals
1312
ms.topic: article
1413
ms.tgt_pltfrm: na
1514
ms.workload: na
16-
ms.date: 09/28/2018
17-
ms.author: tomsh
15+
ms.date: 01/23/2023
16+
ms.author: terrylan
1817

1918
---
2019
# Best practices for securing PaaS web and mobile applications using Azure Storage
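Review bot: `ms.assetid:` is left in the front matter with an empty value while `editor: ''` is removed in the same hunk; for consistency either drop the empty `ms.assetid:` line as well or give it a value, so the header does not keep one empty field after removing another. Moving `ms.service` to `security` and `ms.subservice` to `security-fundamentals` matches the file's location under articles/security/fundamentals, so that part of the metadata change is correct.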
@@ -24,8 +23,6 @@ Azure makes it possible to deploy and use storage in ways not easily achievable
2423

2524
Azure Storage provides the following four services: Blob storage, Table storage, Queue storage, and File storage. To learn more, see [Introduction to Microsoft Azure Storage](../../storage/common/storage-introduction.md).
2625

27-
The [Azure Storage security guide](../../storage/blobs/security-recommendations.md) is a great source for detailed information about Azure Storage and security. This best practices article addresses at a high level some of the concepts found in the security guide and links to the security guide, as well as other sources, for more information.
28-
2926
This article addresses the following best practices:
3027

3128
- Shared access signatures (SAS)
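Review bot: deleting the paragraph that pointed to `../../storage/blobs/security-recommendations.md` leaves the introduction with no reference to the detailed guidance until the link list at the end of the RBAC section; consider keeping a one-line pointer here, for example `For detailed guidance, see [Security recommendations for Blob storage](../../storage/blobs/security-recommendations.md).`, using the same title that the later link in this file is being renamed to, so the two references agree.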
@@ -37,9 +34,9 @@ This article addresses the following best practices:
3734
## Use a shared access signature instead of a storage account key
3835
Access control is critical. To help you control access to Azure Storage, Azure generates two 512-bit storage account keys (SAKs) when you create a storage account. The level of key redundancy makes it possible for you to avoid service interruptions during routine key rotation.
3936

40-
Storage access keys are high priority secrets and should only be accessible to those responsible for storage access control. If the wrong people get access to these keys, they will have complete control of storage and could replace, delete, or add files to storage. This includes malware and other types of content that can potentially compromise your organization or your customers.
37+
Storage access keys are high priority secrets and should only be accessible to people responsible for storage access control. If the wrong people get access to these keys, they'll have complete control of storage and could replace, delete, or add files to storage. This includes malware and other types of content that can potentially compromise your organization or your customers.
4138

42-
You still need a way to provide access to objects in storage. To provide more granular access you can take advantage of shared access signature (SAS). The SAS makes it possible for you to share specific objects in storage for a pre-defined time-interval and with specific permissions. A shared access signature allows you to define:
39+
You still need a way to provide access to objects in storage. To provide more granular access, you can take advantage of shared access signature (SAS). The SAS makes it possible for you to share specific objects in storage for a pre-defined time-interval and with specific permissions. A shared access signature allows you to define:
4340

4441
- The interval over which the SAS is valid, including the start time and the expiry time.
4542
- The permissions granted by the SAS. For example, a SAS on a blob might grant a user read and write permissions to that blob, but not delete permissions.
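Review bot: the rewritten sentence "To provide more granular access, you can take advantage of shared access signature (SAS)" is still missing an article, and "pre-defined time-interval" is oddly hyphenated; suggest `you can take advantage of a shared access signature (SAS)` and `for a predefined time interval`. Since this hunk already reworks the wording of this paragraph, "The SAS makes it possible for you to share specific objects" could be tightened to `A SAS lets you share specific objects` in the same change.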
@@ -48,23 +45,23 @@ You still need a way to provide access to objects in storage. To provide more gr
4845

4946
SAS allows you to share content the way you want to share it without giving away your storage account keys. Always using SAS in your application is a secure way to share your storage resources without compromising your storage account keys.
5047

51-
To learn more about shared access signature, see [Using shared access signatures](../../storage/common/storage-sas-overview.md).
48+
To learn more about shared access signature, see [Using shared access signatures](../../storage/common/storage-sas-overview.md).
5249

5350
## Use Azure role-based access control
54-
Another way to manage access is to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). With Azure RBAC, you focus on giving employees the exact permissions they need, based on the need to know and least privilege security principles. Too many permissions can expose an account to attackers. Too few permissions means that employees can't get their work done efficiently. Azure RBAC helps address this problem by offering fine-grained access management for Azure. This is imperative for organizations that want to enforce security policies for data access.
51+
Another way to manage access is to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md). With Azure RBAC, you focus on giving employees the exact permissions they need, based on the need to know and least privilege security principles. Too many permissions can expose an account to attackers. Too few permissions means that employees can't get their work done efficiently. Azure RBAC helps address this problem by offering fine-grained access management for Azure. Access control is imperative for organizations that want to enforce security policies for data access.
5552

56-
You can use Azure built-in roles in Azure to assign privileges to users. For example, use Storage Account Contributor for cloud operators that need to manage storage accounts and Classic Storage Account Contributor role to manage classic storage accounts. For cloud operators that need to manage VMs but not the virtual network or storage account to which they are connected, you can add them to the Virtual Machine Contributor role.
53+
You can use Azure built-in roles in Azure to assign privileges to users. For example, use Storage Account Contributor for cloud operators that need to manage storage accounts and Classic Storage Account Contributor role to manage classic storage accounts. For cloud operators that need to manage VMs but not the virtual network or storage account to which they're connected, you can add them to the Virtual Machine Contributor role.
5754

58-
Organizations that do not enforce data access control by using capabilities such as Azure RBAC may be giving more privileges than necessary for their users. This can lead to data compromise by allowing some users access to data they shouldnt have in the first place.
55+
Organizations that don't enforce data access control by using capabilities such as Azure RBAC may be giving more privileges than necessary for their users. More privileges than necessary can lead to data compromise by allowing some users access to data they shouldn't have in the first place.
5956

6057
To learn more about Azure RBAC see:
6158

6259
- [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md)
6360
- [Azure built-in roles](../../role-based-access-control/built-in-roles.md)
64-
- [Azure Storage security guide](../../storage/blobs/security-recommendations.md)
61+
- [Security recommendations for Blob storage](../../storage/blobs/security-recommendations.md)
6562

6663
## Use client-side encryption for high value data
67-
Client-side encryption enables you to programmatically encrypt data in transit before uploading to Azure Storage, and programmatically decrypt data when retrieving it. This provides encryption of data in transit but it also provides encryption of data at rest. Client-side encryption is the most secure method of encrypting your data but it does require you to make programmatic changes to your application and put key management processes in place.
64+
Client-side encryption enables you to programmatically encrypt data in transit before uploading to Azure Storage, and programmatically decrypt data when retrieving it. Client-side encryption provides encryption of data in transit but it also provides encryption of data at rest. Client-side encryption is the most secure method of encrypting your data but it does require you to make programmatic changes to your application and put key management processes in place.
6865

6966
Client-side encryption also enables you to have sole control over your encryption keys. You can generate and manage your own encryption keys. It uses an envelope technique where the Azure storage client library generates a content encryption key (CEK) that is then wrapped (encrypted) using the key encryption key (KEK). The KEK is identified by a key identifier and can be an asymmetric key pair or a symmetric key and can be managed locally or stored in [Azure Key Vault](../../key-vault/general/overview.md).
7067
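Review bot: replacing the vague "This" with an explicit subject is an improvement, but in the client-side encryption paragraph it makes "Client-side encryption" the subject of three consecutive sentences, and "programmatically encrypt data in transit before uploading" is imprecise because the data is encrypted before it leaves the client; suggest `Client-side encryption enables you to encrypt data programmatically before uploading it to Azure Storage, and to decrypt it when retrieving it. Because the data is encrypted before it leaves your application, it is protected both in transit and at rest.` Two smaller points in the same hunk: "Too few permissions means that employees" should read `Too few permissions mean that employees`, and "You can use Azure built-in roles in Azure" repeats "Azure" and can drop the second one.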
