You're reading from Learn Azure Administration - Second Edition

Product type: Book
Published in: Dec 2023
Publisher: Packt
ISBN-13: 9781837636112
Edition: 2nd Edition
Kamil Mrzygłód

Kamil Mrzygłód is a technical lead and technology advisor, working with multiple companies on designing and implementing Azure-based systems and platforms. He's a former Microsoft Azure Most Valuable Professional (MVP) and certified trainer, who shares his knowledge via various channels, including conference speeches and open source projects and contributions. Kamil lives in Poland with his two cats and one dog, dedicating some of his time to video games, cooking, and traveling.

Azure Storage Security and Additional Tooling

In the previous two chapters, we talked about Azure Storage with a focus on Blob and File Storage Services. Those chapters were meant to give you a general overview of those services’ capabilities and configuration options. This chapter summarizes our findings and lessons learned and, additionally, gives you more insight into the security options for Azure Storage and into what can be implemented when you are faced with automation tasks and data import/export activities.

Topics covered in this chapter may be considered advanced, as they require prior knowledge of Blob Service configuration (described in Chapter 9), Azure AD concepts (Chapter 2), and managed identities (Chapter 2). Here is what will be covered:

  • Configuring soft delete in Blob Storage
  • Using Azure AD for authorization
  • Using managed identities
  • Considering various options for automation
  • Using the Azure...

Technical requirements

For the exercises in this chapter, you’ll need the following:

The Code in Action video for this book can be viewed at: https://packt.link/GTX9F

Configuring soft delete in Blob Storage

Soft delete as a concept has already been briefly described in Chapter 9 in the Configuring soft delete section. Let’s quickly remind ourselves what it means to have soft delete configured for a service. Under normal circumstances, any time you delete data from a service (storage or database), it’ll be permanently deleted unless it’s part of a backup or snapshot of your data. While backups could be described as a kind of soft delete solution, they’re rather meant for disaster recovery scenarios. Soft delete, on the other hand, is a simple feature that marks your data as deleted without it being deleted permanently. This allows you to restore data at any time without the need to recover a whole storage account or database.

Soft delete will work differently for different services, as it’s a feature that is tightly coupled with its functionalities and capabilities. For instance, in File Service, you’re...
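As an added example (not code from the book), the following Az PowerShell snippet enables blob soft delete, container soft delete, and blob versioning on an existing account and then reads the settings back to confirm they are in place. The resource group and storage account names are placeholders.

```powershell
# Added example, not from the book. Placeholder names: replace for your environment.
$rg      = 'rg-storage-demo'      # assumed resource group name
$account = 'stsoftdeletedemo'     # assumed storage account name

# Blob-level soft delete: deleted blobs, versions and snapshots are kept for 14 days
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $account -RetentionDays 14

# Container-level soft delete: a deleted container can be restored within 7 days
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $account -RetentionDays 7

# Versioning: an overwrite keeps the previous version instead of losing it
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account -IsVersioningEnabled $true

# Verify: fail loudly if any of the three protections is missing or weaker than expected
$props = Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account
if (-not $props.DeleteRetentionPolicy.Enabled -or $props.DeleteRetentionPolicy.Days -lt 14) {
    throw 'Blob soft delete is not enabled with the expected retention'
}
if (-not $props.ContainerDeleteRetentionPolicy.Enabled) {
    throw 'Container soft delete is not enabled'
}
if (-not $props.IsVersioningEnabled) {
    throw 'Blob versioning is not enabled'
}
"Blob soft delete: $($props.DeleteRetentionPolicy.Days) days; container soft delete: $($props.ContainerDeleteRetentionPolicy.Days) days; versioning: on"
```

The verification step is the part worth keeping in an automated pipeline: a storage account whose retention was silently reduced is exactly the case soft delete is meant to guard against.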

Using Azure AD for authorization

When interacting with Azure Storage, you may use three different options when it comes to authenticating and authorizing each request:

  • Access key
  • Shared access token
  • Azure AD token

While the first two are the native ways of connecting to Azure Storage and are the simplest options, Azure AD authentication and authorization is the feature that gives you the most flexibility and the best security. Let’s discuss it further to get a better understanding of its capabilities.

Azure AD authorization benefits

Both access keys and shared access tokens are simple mechanisms for securing access to Azure Storage. The access flow for them looks like this, starting with the access key:

  1. Obtain the access key from your Azure Storage account.
  2. Share the key with a client.

Now, each client we share a key with can use it to connect to our storage account. What’s more, it gives them full access to all services...
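As an added example (not from the book), this Az PowerShell snippet replaces key-based access with Azure AD authorization: it grants a group a data-plane role scoped to a single container, then disables shared key authorization on the account so that the access key, and any SAS signed with it, can no longer be used. The resource group, account, container, and group object ID are placeholders.

```powershell
# Added example, not from the book. Placeholder values: adjust for your tenant.
$rg            = 'rg-storage-demo'
$account       = 'staadauthdemo'
$container     = 'reports'
$groupObjectId = '00000000-0000-0000-0000-000000000000'   # object ID of an Azure AD group (placeholder)

$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account

# 1. Least privilege: a read-only data-plane role scoped to one container,
#    not to the whole account (use $sa.Id as the scope only when that is intended)
$containerScope = "$($sa.Id)/blobServices/default/containers/$container"
New-AzRoleAssignment -ObjectId $groupObjectId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $containerScope

# 2. Turn off shared key authorization: from now on every request must carry an Azure AD token,
#    so a leaked access key or SAS token is no longer usable against this account
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AllowSharedKeyAccess $false

# 3. Confirm the setting, then access the data with the signed-in identity instead of a key
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
if ($sa.AllowSharedKeyAccess -ne $false) { throw 'Shared key access is still allowed' }

$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
Get-AzStorageBlob -Container $container -Context $ctx | Select-Object Name, LastModified
```

Before disabling shared key access on a production account, inventory the clients that still authenticate with the key or with SAS tokens; they will start failing the moment the setting is applied.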

Using managed identities

When deploying services to Azure, you can utilize a variety of different resources that will eventually interact with each other. You can have a virtual machine hosting an application that connects to a database, data orchestrators interacting with storage services, and many, many other possibilities. When designing such solutions, one often has to think about the authentication and authorization mechanisms that will determine what one service can and cannot do when connecting to another. Most of the time, this can be solved by using concepts such as connection strings, access policies, or the built-in RBAC mechanism. This, however, is not always an ideal way of handling the challenge. In this section, we’ll talk more about using managed identities when connecting to Azure Storage to see how they make the whole setup simple.

Definition of managed identity

A managed identity in Azure is a concept for assigning an identity to a service that normally...
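As an added example (not from the book), the following Az PowerShell snippet gives a virtual machine a system-assigned managed identity, grants that identity a blob data role on one storage account, and then, from inside the VM, uses the identity to upload a file without any stored secret. Resource group, VM, account, and file names are placeholders.

```powershell
# Added example, not from the book. Placeholder names: replace for your environment.
$rg      = 'rg-storage-demo'
$vmName  = 'vm-worker-01'
$account = 'stmidemo'

# 1. Enable a system-assigned identity on the VM; Azure creates and rotates its credential
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId
if (-not $principalId) { throw 'Managed identity was not created' }

# 2. Grant the identity a data-plane role on this storage account only
#    (role assignments can take a few minutes to propagate before the first call succeeds)
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $sa.Id

# 3. Run on the VM itself: sign in as the managed identity (token comes from the
#    instance metadata endpoint) and use it as the storage context
Connect-AzAccount -Identity | Out-Null
$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount
Set-AzStorageBlobContent -File 'C:\temp\report.csv' -Container 'reports' -Blob 'report.csv' -Context $ctx
```

Steps 1 and 2 run from an administrator's session; step 3 runs on the VM, where the identity is available only to processes on that machine.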

Considering various options for automation

Azure Storage, as a general-purpose service for building solutions that need scalable and reliable storage, can be easily automated using either native or external tools. In this section, we’ll talk about scenarios that could be automated and how to approach them. Let’s start with managing data stored in Blob Service.

Automated cleanup of data

One of the biggest challenges when working with data-based infrastructure is providing a way to automatically clean up data that is no longer needed. This is often a requirement in systems that must follow legal requirements regarding how long users’ data is stored. In Azure Storage, if you choose Blob Storage as your storage service, you can leverage lifecycle management, which will help you move files between tiers (hot -> cool -> archive) and delete them after a certain period of inactivity.
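As an added example (not from the book), this Az PowerShell snippet defines a lifecycle management rule that moves block blobs under a prefix from hot to cool to archive based on the time since last modification, deletes them after a year, expires their snapshots, and then verifies that the rule was applied. Names are placeholders.

```powershell
# Added example, not from the book. Placeholder names: replace for your environment.
$rg      = 'rg-storage-demo'
$account = 'stlifecycledemo'

# Only block blobs under the logs/ prefix are affected by this rule
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'logs/' -BlobType blockBlob

# Tier transitions and final deletion, measured from the last modification:
#   hot -> cool after 30 days, cool -> archive after 90, delete after 365
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 90
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -BaseBlobAction Delete -DaysAfterModificationGreaterThan 365
# Snapshots are not covered by base blob actions, so expire them explicitly
$action = Add-AzStorageAccountManagementPolicyAction -InputObject $action -SnapshotAction Delete -DaysAfterCreationGreaterThan 90

$rule = New-AzStorageAccountManagementPolicyRule -Name 'expire-logs' -Action $action -Filter $filter

# Set-... replaces the account's whole policy: include every rule you want to keep
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account -Rule $rule

# Read the policy back and confirm the rule is present and enabled
$policy  = Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $account
$applied = $policy.Rules | Where-Object { $_.Name -eq 'expire-logs' }
if (-not $applied -or -not $applied.Enabled) { throw 'Lifecycle rule expire-logs was not applied' }
```

Blobs removed by the Delete action are still subject to the blob soft delete retention configured on the account, so the effective lifetime is the rule's deletion age plus the retention period.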

SAS token handling

If you decide to use SAS tokens as your...

Using the Azure Import/Export service

When deciding to migrate data to or from Azure, you always need to consider the volume of files you need to import or export. While incoming traffic (inbound) is free in Azure, outbound connectivity is not. This means that transferring large volumes of data from an Azure data center may be a costly operation unless it’s planned accordingly.

Important note

The price for each GB of data downloaded from an Azure data center depends on various factors. See the following documentation for a better understanding of the topic: https://azure.microsoft.com/en-us/pricing/details/bandwidth/.

Besides pricing, migrating large volumes of data gives us one more thing to consider – the time needed to complete an operation. If we’re talking about transferring hundreds of terabytes or even petabytes, you need to ensure that your network can handle the load in an acceptable time. As you’re not always in charge of the network infrastructure...

Summary

This chapter was focused on extending your knowledge regarding Azure Storage and refining it based on the topics we covered initially in Chapters 9 and 10. We talked about soft delete and versioning of blobs in Blob Storage and discussed in detail how different authorization methods for Azure Storage may work in various scenarios. We also looked at managed identities in the context of Azure Storage, so you can configure services to interact with tables, blobs, or queues using an identity defined in Azure AD. In the remaining parts, we revisited automation options for Azure Storage and importing/exporting data using physical disks that can be shipped to an Azure data center.

Lessons from this chapter will help you work with Azure Storage in advanced scenarios, which include improving the reliability of data stored in the service, improving security, and implementing automation. As Azure Storage is one of the most popular services in Azure, becoming proficient in it will help...

