Blob storage
Network access
Azure Blob storage is a managed service that lives outside the customer's Virtual Network (VNet), so by default a storage account is reachable through a public endpoint. It is therefore important to restrict network access to the Azure Blob storage service.
Best practices
Keep all Azure Blob storage (that is, every access tier) private: disable anonymous public access to blobs and containers at the storage account level.
To secure access from your VNet to Azure Blob storage, use an Azure private endpoint, which gives the storage account a private IP address inside your VNet so that traffic between the VNet and the service stays on the Microsoft backbone network instead of crossing the public internet.
Enforce transport encryption (HTTPS only) for all Azure Blob storage.
For sensitive environments, require TLS 1.2 as the minimum TLS version for Azure Blob storage.
Set the storage account's default network access rule to Deny and allow access only from explicitly listed sources, such as specific public IP address ranges, VNet subnets, or private endpoints.
Make sure data at rest is encrypted. Azure Storage encrypts all data at rest by default with platform-managed keys; Azure Key Vault is used when you need to control the keys yourself.
For sensitive environments (for example, environments that hold PII, credit card details, healthcare data, and so on), encrypt data at rest using customer-managed keys (CMKs) stored inside Azure Key Vault, so that key rotation, access policies, and revocation are under your control.
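The network and encryption items above can be checked mechanically against the JSON that `az storage account show -o json` returns. The script below is an added example written for this section, not code from the original text or from Microsoft; the property names follow the Azure CLI output, the two account documents are constructed for the example, and the account name, IP range, key vault URI, and key name are placeholders. Each failed check is returned together with the `az` command that remediates it.

```python
"""Audit a storage account description against the Blob storage network and
encryption best practices: no public blob access, HTTPS only, TLS 1.2,
default-deny network rules, a private endpoint, and customer-managed keys.
Input is the dict that `az storage account show -o json` returns (field names
assumed to follow the CLI output); the sample documents below are constructed."""
import json

# Constructed sample: an account left with weak settings.
WEAK_ACCOUNT_JSON = """{
  "name": "examplestorage",
  "allowBlobPublicAccess": true,
  "enableHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "encryption": {"keySource": "Microsoft.Storage", "keyVaultProperties": null},
  "privateEndpointConnections": []
}"""

# Constructed sample: the same account after remediation (placeholder values).
HARDENED_ACCOUNT_JSON = """{
  "name": "examplestorage",
  "allowBlobPublicAccess": false,
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_2",
  "publicNetworkAccess": "Disabled",
  "networkRuleSet": {"defaultAction": "Deny",
                     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24", "action": "Allow"}],
                     "virtualNetworkRules": []},
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "keyVaultProperties": {"keyName": "blob-cmk",
                                        "keyVaultUri": "https://example-kv.vault.azure.net/"}},
  "privateEndpointConnections": [{"name": "pe-blob"}]
}"""


def load_account(text: str) -> dict:
    """Parse the JSON document produced by `az storage account show`."""
    return json.loads(text)


def audit_storage_account(acct: dict, sensitive: bool = False) -> list[tuple[str, str]]:
    """Return (check_id, remediation_command) for every failed check.
    sensitive=True also enforces the 'sensitive environment' items (TLS 1.2, CMK).
    An empty list means every check passed."""
    name = acct.get("name", "<account>")
    update = f"az storage account update --name {name}"
    findings = []

    # Anonymous blob/container access must be disabled at the account level.
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("public-access", f"{update} --allow-blob-public-access false"))

    # Plain HTTP must be rejected.
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(("https-only", f"{update} --https-only true"))

    # Sensitive data: refuse TLS 1.0/1.1 clients.
    if sensitive and acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(("min-tls", f"{update} --min-tls-version TLS1_2"))

    # Default-deny, then add explicit IP / VNet rules.
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append(("default-action",
                         f"{update} --default-action Deny ; "
                         f"az storage account network-rule add --account-name {name} --ip-address <cidr>"))

    # Traffic from the VNet should use a private endpoint; then close the public endpoint.
    if not acct.get("privateEndpointConnections"):
        findings.append(("private-endpoint",
                         "az network private-endpoint create --name pe-blob --resource-group <rg> "
                         "--vnet-name <vnet> --subnet <subnet> --private-connection-resource-id <account-id> "
                         f"--group-id blob --connection-name pe-blob-conn ; {update} --public-network-access Disabled"))

    # Sensitive data: customer-managed key held in Key Vault.
    enc = acct.get("encryption") or {}
    if sensitive and enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(("cmk",
                         f"{update} --encryption-key-source Microsoft.Keyvault "
                         "--encryption-key-vault <vault-uri> --encryption-key-name <key-name>"))
    return findings


if __name__ == "__main__":
    for check, fix in audit_storage_account(load_account(WEAK_ACCOUNT_JSON), sensitive=True):
        print(f"[FAIL] {check}: {fix}")
    print("hardened findings:", audit_storage_account(load_account(HARDENED_ACCOUNT_JSON), sensitive=True))
```

Run it against the output of `az storage account show` for a real account to get the list of settings to fix; the weak sample fails all six checks in sensitive mode and four in the default mode, while the hardened sample passes. Note that setting the default action to Deny before any allow rule or private endpoint exists locks out every client, including your own deployment pipeline, so add the rules first.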
Auditing and monitoring
Azure lets you monitor Blob storage using Azure Monitor and Azure Security Center (now called Microsoft Defender for Cloud).
Best practices
Create log alerts in Azure Monitor to track access to Azure Blob storage and raise an alert on suspicious patterns, such as multiple failed access attempts against the storage account from one caller in a short period of time.
Enable Azure Storage logging (resource logs sent to a Log Analytics workspace) to audit every request to Azure Blob storage, including whether it was authorised and which authentication method (shared key, SAS, Azure AD, or anonymous) was used.
Log successful anonymous requests: on storage that is meant to be private, a successful anonymous read means a container's public access level is misconfigured and someone has already found it, so treat it as an unauthorised access attempt.
Enable Azure Defender for Storage (now Microsoft Defender for Storage) to receive security alerts for the account in the Azure Security Center console.
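The two detections described above (a burst of failed access attempts, and a successful anonymous request) can be run over exported storage logs. The script below is an added example written for this section, not code from the original text or from Microsoft. The record fields (`time`, `operationName`, `statusCode`, `statusText`, `callerIpAddress`, `identity.type`, `uri`) are modelled on the Azure Storage resource log schema and are an assumption about its exact shape; the sample log lines are constructed, and the hostname and IP addresses are placeholders.

```python
"""Detection logic for Azure Blob storage access logs: flag an IP that hits a
threshold of 401/403 responses inside a sliding window, and flag any
successful anonymous request. Record field names are assumed to mirror the
Azure Storage resource log schema; all sample lines below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(t, op, code, text, ip, ident, uri):
    """Build one constructed JSON log line in the assumed resource-log shape."""
    return json.dumps({"time": t, "operationName": op, "statusCode": code,
                       "statusText": text, "callerIpAddress": ip,
                       "identity": {"type": ident}, "uri": uri})


BLOB = "https://examplestorage.blob.core.windows.net/private/report.pdf"
SAMPLE_LOG_LINES = [
    # legitimate Azure AD (OAuth) read from inside the VNet
    _rec("2024-05-01T10:00:00Z", "GetBlob", 200, "Success", "10.0.1.4:51234", "OAuth", BLOB),
    # five SAS failures from one internet address within 40 seconds
    *[_rec(f"2024-05-01T10:01:{s:02d}Z", "GetBlob", 403, "AuthorizationFailure",
           "198.51.100.7:40000", "SAS", BLOB) for s in (0, 10, 20, 30, 40)],
    # an anonymous read that succeeded: the container is publicly readable
    _rec("2024-05-01T10:02:00Z", "GetBlob", 200, "AnonymousSuccess", "203.0.113.9:443", "Anonymous", BLOB),
    # a single failure from another address: noise, below threshold
    _rec("2024-05-01T10:05:00Z", "GetBlob", 403, "AuthorizationFailure", "192.0.2.33:5555", "Account Key", BLOB),
    # an anonymous request that was refused: not a public-access finding
    _rec("2024-05-01T10:06:00Z", "GetBlob", 403, "AuthorizationFailure", "203.0.113.9:444", "Anonymous", BLOB),
]


def parse_records(lines):
    """Parse JSON lines, add a datetime and a port-less IPv4 caller address, sort by time."""
    out = []
    for line in lines:
        r = json.loads(line)
        r["_time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
        r["_ip"] = r["callerIpAddress"].rsplit(":", 1)[0]  # drop ":port" (IPv4 form assumed)
        out.append(r)
    return sorted(out, key=lambda r: r["_time"])


def detect_auth_failure_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Return [(ip, failures_in_window, time_of_alert)] for each IP whose count of
    401/403 responses reaches `threshold` within a sliding `window`; one alert per IP."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for r in records:
        if r["statusCode"] not in (401, 403):
            continue
        q = recent[r["_ip"]]
        q.append(r["_time"])
        while r["_time"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and r["_ip"] not in alerted:
            alerted.add(r["_ip"])
            alerts.append((r["_ip"], len(q), r["time"]))
    return alerts


def detect_anonymous_success(records):
    """Return [(ip, uri)] for every request that succeeded without any credential."""
    return [(r["_ip"], r["uri"]) for r in records
            if r["identity"].get("type") == "Anonymous" and 200 <= r["statusCode"] < 300]


def run_detections(lines):
    recs = parse_records(lines)
    return {"auth_failure_bursts": detect_auth_failure_bursts(recs),
            "anonymous_success": detect_anonymous_success(recs)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG_LINES).items():
        print(name, hits)
```

On the constructed input the burst detector fires once, for 198.51.100.7 on its fifth failure, and the anonymous detector reports the one successful unauthenticated read from 203.0.113.9; the refused anonymous request and the lone failure from 192.0.2.33 produce nothing. The same two conditions map directly onto Azure Monitor log alert rules over the StorageBlobLogs table, with the threshold and window chosen to match your environment's normal failure rate.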