Developing Solutions for Azure (AZ-204)

Last Updated: 7/8/2024

Security features

  • All data (including metadata) written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
  • Microsoft Entra ID and Role-Based Access Control (RBAC) are supported for Azure Storage for both resource management operations and data operations, as follows:
    • You can assign RBAC roles scoped to the storage account to security principals and use Microsoft Entra ID to authorize resource management operations such as key management.
    • You can assign RBAC roles scoped to a subscription, resource group, storage account, or an individual container or queue to a security principal or a managed identity for Azure resources.
  • Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.
  • OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.
  • Delegated access to the data objects in Azure Storage can be granted using a shared access signature.

Azure Storage encryption for data at rest

  • Encryption protects your data and helps you meet your organizational security and compliance commitments.
  • Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.
  • Azure Storage encryption is enabled for all new and existing storage accounts and can't be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.
  • Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic).
  • All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted.
  • All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.
  • Encryption doesn't affect Azure Storage performance.
  • There's no extra cost for Azure Storage encryption.

Encryption key management

  • You can rely on Microsoft-managed keys for the encryption of your storage account, or you can manage encryption with your own keys.
  • If you choose to manage encryption with your own keys, you have two options:
    • You can specify a customer-managed key to use for encrypting and decrypting all data in the storage account.
    • You can specify a customer-provided key on Blob storage operations. A client making a read or write request against Blob storage can include an encryption key on the request for granular control over how blob data is encrypted and decrypted.

Microsoft-managed keys

  • Azure Storage services supported: All
  • Key storage: Microsoft key store
  • Key rotation responsibility: Microsoft
  • Key usage: Microsoft
  • Key access: Microsoft only

Customer-managed keys

  • Azure Storage services supported: Blob storage, Azure Files
  • Key storage: Azure Key Vault
  • Key rotation responsibility: Customer
  • Key usage: Azure portal, Storage Resource Provider REST API, Azure Storage management libraries, PowerShell, CLI
  • Key access: Microsoft, Customer

Customer-provided keys

  • Azure Storage services supported: Blob storage
  • Key storage: Azure Key Vault or any other key store
  • Key rotation responsibility: Customer
  • Key usage: Azure Storage REST API (Blob storage), Azure Storage client libraries
  • Key access: Customer only
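The customer-provided key option described under "Encryption key management" and in the table above works by sending the key with each Blob storage request, so the client, not the service, is responsible for keeping that key safe in transit and out of logs. The following Python is an added example, not code from these course notes or from Microsoft: it builds the three documented Blob REST API headers (x-ms-encryption-key, x-ms-encryption-key-sha256, x-ms-encryption-algorithm with value AES256) for one request, refuses to do so unless the key is 256 bits and the request goes over HTTPS, reproduces the hash consistency check the service performs on receipt, and redacts the key before logging. The function names and the sample key are this example's own assumptions; the sample key is a constructed, non-secret value.

```python
"""Build and check customer-provided key (CPK) headers for an Azure Blob REST request.

Added example; not from the course notes or from Microsoft. The header names and the
"AES256" algorithm value are the documented Blob REST API ones. The function names and
the sample key below are this example's own; the key is a constructed test value.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

KEY_BYTES = 32  # a customer-provided key is a raw AES-256 key

# Constructed sample key for demonstration only; a real key would come from
# Azure Key Vault or another key store the customer controls.
SAMPLE_KEY = bytes(range(KEY_BYTES))


def check_cpk_request(key: bytes, request_url: str) -> list:
    """Return the reasons this request must not be sent with this key (empty list if OK)."""
    problems = []
    if len(key) != KEY_BYTES:
        problems.append("key-length")   # the service expects exactly 256 bits
    if urlparse(request_url).scheme.lower() != "https":
        problems.append("not-https")    # the raw key travels in a header, so TLS is mandatory
    return problems


def cpk_headers(key: bytes, request_url: str) -> dict:
    """Produce the headers a client adds to a read or write against a single blob."""
    problems = check_cpk_request(key, request_url)
    if problems:
        raise ValueError("refusing to build CPK headers: " + ", ".join(problems))
    key_sha256 = hashlib.sha256(key).digest()
    return {
        "x-ms-encryption-key": base64.b64encode(key).decode("ascii"),
        "x-ms-encryption-key-sha256": base64.b64encode(key_sha256).decode("ascii"),
        "x-ms-encryption-algorithm": "AES256",
    }


def key_hash_matches(headers: dict) -> bool:
    """Consistency check the service performs: the SHA-256 header must hash the key header.

    Only this hash is kept with the blob; a later request that presents a different
    key is detected by comparing hashes, so the service never has to store the key.
    """
    try:
        key = base64.b64decode(headers["x-ms-encryption-key"], validate=True)
        claimed = base64.b64decode(headers["x-ms-encryption-key-sha256"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(hashlib.sha256(key).digest(), claimed)


def redact_for_log(headers: dict) -> dict:
    """Copy of the headers that is safe to write to an application log.

    The key hash is harmless to log and useful for correlating which key a request
    used; the key itself must never reach a log.
    """
    safe = dict(headers)
    if "x-ms-encryption-key" in safe:
        safe["x-ms-encryption-key"] = "<redacted>"
    return safe


if __name__ == "__main__":
    url = "https://example.blob.core.windows.net/container/blob"
    hdrs = cpk_headers(SAMPLE_KEY, url)
    print("headers as logged:", redact_for_log(hdrs))
    print("hash consistent:", key_hash_matches(hdrs))
    print("problems for a 128-bit key over http:",
          check_cpk_request(SAMPLE_KEY[:16], url.replace("https", "http", 1)))
```

Because the client supplies the key on every call, the two checks in check_cpk_request are the ones worth enforcing in a wrapper around the storage client: a key of the wrong length is rejected by the service anyway, but a key sent over plain HTTP would already have been exposed before the service could refuse it.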