What exactly would you need from a compliant service like Storage Account? We have seen a number of data breaches in the cloud during 2019 in which storage accounts holding sensitive data were compromised. Those breaches drew serious attention from cloud infosec teams to the question of what a compliant and secure storage account looks like.
This article describes what a compliant Azure storage account is and gives you a sample template to deploy it.
Tl;dr: To deploy a compliant storage account with the characteristics described below, use the template here: https://github.com/azsec/scaf-azure-arm-templates/tree/master/StorageAccount
When it comes to a compliant storage account, there are several characteristics to consider:
- Storage Account Naming Convention
- Storage Account Tag
- Storage Account Type
- Storage Account SKU
- Advanced Threat Protection
- Storage Account Logging
- Encryption Setting
- Storage Account Service Endpoint
- Storage Account Alert
Storage Account Naming Convention
This may not be a high priority, but it is worth having a naming convention that specifies the purpose of the storage account you are going to create. The rule can be based on the access level of the data the storage account stores. For example, you may have a storage account that stores multimedia content that can be viewed publicly, and another that stores private and sensitive information. Take a look at some examples below:
Compliance Criteria: name must be generated uniquely
Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Your storage account name must be unique within Azure.
Storage Account Tag
Tagging resources is a very important task and should be treated as a compliance requirement. When your environment is small you don't have to worry, but when it grows without tagging it becomes a challenge to govern your resources, especially when an incident occurs and you need to know who owns a storage account, which department, which project, and so on.
Compliance Criteria: tag with at least the following information:
- Environment (e.g. dev, test, uat, staging, pre-prod, prod)
- Project Name (e.g. azsec)
- Cost Center (e.g. infosec)
For both naming convention and tagging, this link is very helpful.
Storage Account Type
Azure offers several types of storage accounts, each supporting different use cases and scenarios. For general purposes, Storage V2 is always recommended. If you check the capability table on this page you can see that General-purpose V2 offers the fullest feature support compared to the other types.
Compliance Criteria: Storage version 2
Storage Account SKU
To ensure durability and high availability, Azure copies data stored in a storage account to another location, depending on the SKU you select when creating the account. LRS (locally redundant storage) replicates only within a single data center, which would not meet your business continuity requirements, so you should choose a non-LRS SKU.
Compliance Criteria: select non-LRS SKU for wider replication.
Advanced Threat Protection
The Advanced Threat Protection feature in Azure Storage offers several capabilities: Microsoft adds an additional security detection layer to help detect unusual and suspicious activity on your storage account.
Compliance Criteria: enable Advanced Threat Protection for storage account.
Storage Account Logging
There are typically three types of logs:
- Operation Log
- Metric Log
- Storage Analytics log
The operation log does not help much; you can still check who created a storage account or made a change to it, but without detail.
With metric logs you can see how your storage account is being used. Unusually high ingress traffic to your storage account could be a sign of an attack intended to increase your storage charges. For all supported storage metrics, read this article.
Compliance Criteria: write storage metric to a central Log Analytics workspace for centralized operational monitoring and enable Storage Analytics logging.
Storage Analytics logs are similar to the diagnostic logs of other managed services: you can trace a specific log entry per API call (e.g. who sent a GetBlob and with which authentication method). Storage Analytics logging is not supported for Premium storage accounts as of this article.
As of this article, enabling Storage Analytics logging via an Azure ARM template is still not supported.
Encryption Setting
By default your storage account is encrypted with a Microsoft-managed key. You can go with Bring Your Own Key (BYOK) by selecting Key Vault. However, I'd recommend going with the built-in Microsoft service unless you need to use a corporate certificate to comply with a specific policy.
Compliance Criteria: encryption is enabled on both Blob and File service by default.
Storage Account Service Endpoint
Service endpoints allow you to control ingress traffic to your storage account from a virtual network or a specific IP range. For example, you may have a client application deployed in a virtual machine that interacts with your storage account.
For more information about storage service endpoints, read here.
Compliance Criteria: specify the virtual network that is allowed to access your storage account.
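The criteria above (naming, tags, account type, SKU, Advanced Threat Protection, encryption and service endpoint) can be checked mechanically against the resource definition before it is deployed. The following is an added example, not code from the original post or from the azsec template: it reads the JSON body of a Microsoft.Storage/storageAccounts resource as it would appear in an ARM template and lists which criteria fail. The tag key names (Environment, ProjectName, CostCenter) and the shape of the nested advancedThreatProtectionSettings resource are assumptions, and both sample resources are constructed for this example.

```python
"""Compliance check for an Azure storage account resource definition.

Added example, not code from the original post or from the azsec template.
It reads a Microsoft.Storage/storageAccounts resource body as it would
appear in an ARM template and reports which criteria from the article fail.
The tag key names and the nested advancedThreatProtectionSettings resource
shape are assumptions; both sample resources are constructed.
"""
import json
import re

# Azure's naming rule: 3 to 24 characters, lowercase letters and digits only.
NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Assumed tag keys carrying the environment, project and cost center.
REQUIRED_TAGS = ("Environment", "ProjectName", "CostCenter")

# Constructed sample that satisfies every criterion (placeholders in <...>).
COMPLIANT_RESOURCE = json.loads("""
{
  "type": "Microsoft.Storage/storageAccounts",
  "name": "azsecprivdata01",
  "kind": "StorageV2",
  "sku": { "name": "Standard_GRS" },
  "tags": { "Environment": "prod", "ProjectName": "azsec", "CostCenter": "infosec" },
  "properties": {
    "encryption": {
      "keySource": "Microsoft.Storage",
      "services": { "blob": { "enabled": true }, "file": { "enabled": true } }
    },
    "networkAcls": {
      "defaultAction": "Deny",
      "virtualNetworkRules": [ { "id": "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Network/virtualNetworks/<VNET>/subnets/<SUBNET>" } ],
      "ipRules": []
    }
  },
  "resources": [
    {
      "type": "providers/advancedThreatProtectionSettings",
      "name": "Microsoft.Security/current",
      "properties": { "isEnabled": true }
    }
  ]
}
""")

# Constructed sample with several criteria violated.
NONCOMPLIANT_RESOURCE = {
    "type": "Microsoft.Storage/storageAccounts",
    "name": "Azsec-Public-Media",
    "kind": "Storage",
    "sku": {"name": "Standard_LRS"},
    "tags": {"Environment": "dev"},
    "properties": {
        "encryption": {"services": {"blob": {"enabled": True}}},
        "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []},
    },
    "resources": [],
}


def check_storage_account(res):
    """Return the list of failed criteria; an empty list means compliant."""
    findings = []
    props = res.get("properties", {})

    if not NAME_RE.match(res.get("name", "")):
        findings.append("name: must be 3-24 lowercase letters and digits")

    missing = [t for t in REQUIRED_TAGS if t not in res.get("tags", {})]
    if missing:
        findings.append("tags: missing " + ", ".join(missing))

    if res.get("kind") != "StorageV2":
        findings.append("kind: must be StorageV2")

    if res.get("sku", {}).get("name", "").endswith("_LRS"):
        findings.append("sku: LRS replicates within one data center only; pick a non-LRS SKU")

    services = props.get("encryption", {}).get("services", {})
    for svc in ("blob", "file"):
        if not services.get(svc, {}).get("enabled", False):
            findings.append(f"encryption: {svc} service encryption is not enabled")

    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny" or not acls.get("virtualNetworkRules"):
        findings.append("networkAcls: defaultAction must be Deny with at least one virtual network rule")

    atp = [r for r in res.get("resources", [])
           if r.get("type", "").endswith("advancedThreatProtectionSettings")]
    if not atp or not atp[0].get("properties", {}).get("isEnabled", False):
        findings.append("advancedThreatProtection: not enabled")

    return findings


if __name__ == "__main__":
    for label, res in (("compliant", COMPLIANT_RESOURCE), ("noncompliant", NONCOMPLIANT_RESOURCE)):
        print(label, check_storage_account(res) or "OK")
```

Running it prints an empty finding list for the compliant sample and seven findings for the noncompliant one. Such a check fits naturally into a pipeline step that rejects a template before it reaches the subscription; Storage Analytics logging and the alert are not checked here because, as noted above, the former cannot be enabled from the ARM template and the latter is a separate resource.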
Storage Account Alert
There are several ways to monitor and detect signs of compromise on your storage account. In this article, I'd like to cover using an Azure Monitor alert to monitor and notify you when an anonymous authentication succeeds.
Compliance Criteria: create an alert associated with your storage account that fires when an anonymous authentication succeeds.
There are other characteristics like CORS and Private Link, but they should be deployed separately as they are specific to certain use cases.
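The Storage Analytics logs described earlier record the authentication method of every API call, so the same condition the alert above notifies on (an anonymous request that succeeded) can be verified or investigated directly from the log records. The following is an added example, not code from the original post: it parses Storage Analytics log records and summarizes successful anonymous requests by source IP and operation. It assumes the semicolon-delimited log format version 1.0, in which the third field is the operation type, the fourth the request status, the fifth the HTTP status code, the eighth the authentication type and the sixteenth the requester IP; the log lines are constructed and abbreviated for this example.

```python
"""Find successful anonymous requests in Azure Storage Analytics logs.

Added example, not code from the original post. It assumes the
semicolon-delimited Storage Analytics log format version 1.0 (field
positions below); the log lines are constructed and abbreviated.
"""
import csv
from collections import Counter

# 0-based positions of the fields used, per the version 1.0 log format.
F_VERSION, F_TIME, F_OPERATION, F_STATUS, F_HTTP, F_AUTH, F_REQUESTER_IP = 0, 1, 2, 3, 4, 7, 15

# Constructed sample: two successful anonymous reads from one IP, one
# authenticated write, and one anonymous request that failed with 404.
SAMPLE_LOG = """
1.0;2019-12-10T08:15:02.1234567Z;GetBlob;AnonymousSuccess;200;12;11;anonymous;;azsecprivdata01;blob;"https://azsecprivdata01.blob.core.windows.net/backups/customers.csv";"/azsecprivdata01/backups/customers.csv";11111111-0000-0000-0000-000000000001;0;203.0.113.7:51234;2019-02-02;0;0;0;0;0;;;;;;"curl/7.64";;
1.0;2019-12-10T08:16:40.7654321Z;PutBlob;Success;201;25;20;authenticated;azsecprivdata01;azsecprivdata01;blob;"https://azsecprivdata01.blob.core.windows.net/backups/2019-12-10.bak";"/azsecprivdata01/backups/2019-12-10.bak";11111111-0000-0000-0000-000000000002;0;10.0.1.5:41000;2019-02-02;0;0;0;0;0;;;;;;"Azure-Storage/11.0";;
1.0;2019-12-10T08:17:05.0000001Z;ListBlobs;AnonymousSuccess;200;8;7;anonymous;;azsecprivdata01;blob;"https://azsecprivdata01.blob.core.windows.net/backups?restype=container&comp=list";"/azsecprivdata01/backups";11111111-0000-0000-0000-000000000003;0;203.0.113.7:51300;2019-02-02;0;0;0;0;0;;;;;;"curl/7.64";;
1.0;2019-12-10T08:18:30.0000002Z;GetBlob;ClientOtherError;404;5;4;anonymous;;azsecprivdata01;blob;"https://azsecprivdata01.blob.core.windows.net/backups/secret.txt";"/azsecprivdata01/backups/secret.txt";11111111-0000-0000-0000-000000000004;0;198.51.100.20:60000;2019-02-02;0;0;0;0;0;;;;;;"python-requests/2.22";;
"""


def parse_log(text):
    """Parse raw log text into lists of fields, skipping blank lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [row for row in csv.reader(lines, delimiter=";", quotechar='"')
            if row and row[F_VERSION] == "1.0"]


def anonymous_successes(records):
    """Records where an anonymous request completed with a 2xx status."""
    return [r for r in records
            if r[F_AUTH] == "anonymous" and r[F_HTTP].startswith("2")]


def summarize(records):
    """What an analyst wants at a glance: hit count, source IPs, operations."""
    hits = anonymous_successes(records)
    ips = Counter(r[F_REQUESTER_IP].rsplit(":", 1)[0] for r in hits)
    return {
        "anonymous_success_count": len(hits),
        "requester_ips": dict(ips),
        "operations": sorted({r[F_OPERATION] for r in hits}),
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

On the sample the summary reports two successful anonymous requests, both from 203.0.113.7, covering GetBlob and ListBlobs; the failed 404 request is excluded because the alert condition is a successful authentication. Grouping by source IP and operation is what turns a single alert into something actionable: it tells you which container was listed and which blobs were read anonymously.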
Follow the series below for better monitoring and detection for your storage account in Azure:
- Security Monitoring and Detection Tips for your Storage Account – Part 1
- Security Monitoring and Detection Tips for your Storage Account – Part 2
If you want to deploy the storage account as a blueprint using Azure Blueprints, read this article (https://azsec.azurewebsites.net/2019/12/11/walkthrough-deploy-a-compliance-storage-account-blueprint/).