Azure Storage Security Demo

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

8 hours 33 minutes
Video Transcription
Hello, Siberians. Welcome to this demonstration on a just average security.
This demonstration is part of the eight month you off the ends at 500 Microsoft Azure security that largest costs
some quick information on the activities that will be completing in this demonstration
who started by reviewing. I just started security options in the azure portal.
When I create a shared access policy toe access as your blood resources and generate disaster king using the policy and finally will revoke to shared access policy let's get right into this.
So in the first task, I'll go to the Azure Pato and I review some are just of its security options.
So here I am in the azure Pato. If I Guidant Lee constructed account, I prepared a storage account for the purpose of this demo called Is it 500 store 20. If I go, I'd and click on that now on the left hand side. That's where. How Find the options to configure security for the storage account.
So the first option is the access keys. So these are the access kids that we talked about.
So we have the primary key and we have the connection string relating to the primary key on. We have a second Ricky on the equivalent connection strength and we have the option to regenerate any off this keys. So the fact that we have two keys allows us to be able to rotate in a smooth way. So while we're currently using key number one,
we can guide and voted key number two and then substitute where we're using key number one with the new value for key number two, and then we can go ahead and regenerate K number one. The other configuration I want to show you is under the configuration, certain CS. If I go ahead and click on configuration,
we have the option to disable secure transfer, which is something that we do not want to do. We wants to live these and neighborhood,
so that's secure. Protocols are required at all times. We also have a new option that makes off released just a few weeks ago that allows us to enable or disable public blob access. Now this is currently enabled, which means we can create containers on objects that allows unauthenticated anonymous access.
If I said this to disabled
and if I go ahead and click save on this.
Let's see the effect very quickly. So if I scroll down and I goto the blob's service and I click on containers,
if I go ahead and create a new container, I'll call this Web data.
You see that it's disabled the option to configure public access level so it does not allow me to configure on authenticated anonymous access.
So if I guide and creates that Andi, this has no other option but to be such to private
figure I'd and click on my container. I can also upload and objecting to heats. If I ride and click on the upload option on, I double click
the job deployed Jason Foul and I click on upload. So this will also be private
regret and close this and let's go back on the con figuration. Let's review some other options that we have. We can configure the minimum TLS level that we allow so obviously wants to sets that with a strong guests. That's possible if I scroll down a bit. Also, we also have the option to configure identity based access control for agile fouls
on. This is currently sets to disabled so if he wants to configure these four as your a d d s
off for just on premises A D. D. S. This is where we can do that. So for now, I'll just leave the option as the default and I'll go ahead and just click Save on what I've done.
The other option I want to show you is the encryption. You can say that encryption is enabled by default, and that is storage service encryption. However, we have the option to use our own customer Manion keys on it. Want to use that option will have to specify the key vote where we have a key. Start
Proglide and cancel these and click OK to. That's likely back on my storage account. And if I scroll down, I click on shared access Signature. So this is where we can generate service level shared access signatures on. We can specify the resource types that we want to allow and the allowed permissions.
So this is something that we want to use, Pierre Indeed, because again,
it gives too much permissions. If I go, I'd and click on the firewall and veteran networks option. You see that we have the option to allow access from all networks enabled by the faults.
This is where we can configure a service level firewall to specify trust and I p addresses
where we can configure those on the firewall or even specify the private networks that we want to allow those great on this cat that we also have the option to configure private endpoints, which would create an I P address in a private network So that request sense of that private I P address would be sent off by private link into the service.
The final orphan, I want to show you is advanced security. If I click on Advanced Security, this is where we can enable advanced threat protection, which integrates with security center on what is thus it It's going to pass through the locks for this storage account
on If it detects any anomalies or indicators of compromise, it's going to a ladders to that's true security center.
So in the next task, I'll be creating a shared access policy toe access as your blob resources on our generators. Faster changes in that policy
here is a visual representation of what I'll Be Dean
are created, shared access policy called 24 Hours read only access on the Web. The dark Continent I created earlier. The policy will allow for the generation off talking's that Grant read only access for 24 hours as the name implies, how they generate a sass talking using that policy.
How years the Storage Explorer in the azure portal. For this,
I'll make note off the sash. You Arrieta includes the object. You have I under talking and then I'll verify access using that talking. So here I am, back in the azure Pato. What I'll do is I'll go toe creates the start access policy. So if I go back on the containers, if I select my Web better container on, If I click on access policy, are click on the option tohave the policy
and I'll specify the name for my policy
to be the name that we discussed, which is the 24 hours read, only access now. For the permission, I'll select only the read permission,
and for the starts time, I'll select my current start states on our living as early this morning on our specified expiry dates to be the next day, and that will be next money, so I'll just go ahead and click OK to that, and I'll go ahead and click safe now. That saved, I can now go to generates Astor Kings
is in this policy.
So to do that, I'll go back to my storage account level.
How go on the storage Explorer
on If I expand blob containers, I have my container day on. We didn't make container. I have an object that I uploaded Alia, which is the Azure deployed or Jason fell. If I cried and right click on If I click on gets, she had access signature.
Now you see that allows me to select an access policy and I can select the access policy that I created earlier.
And you can see that it's automatic colleges in every towards the cities here. And if I go ahead and click on create and our quiet and copied this, you are right on, then I can quiet and close. That's now. Why have Yes, I have a private browser
on our right click and our guide and pasty um, buy into that and you can see that I can access my foul using the your eye off my object plus t talking that was generated using that policy.
So in the final task off this demonstration are revoked to shed access policy that I created earlier. Yes, official representation off what I'll be doing
in the azure Pato are expanded. She had access policy to revoke it.
How don't very fight that talking is that were generated using that policy, I invalidated. So if I try to use the talking, if you no longer work
so here I am back in the other Pato. If I griet and click on containers and I select my container,
if I go ahead and click on access policy, I have the access policy that I created a lier,
the good friend batches and they start access. Policy is we can configure things from the southern side and control things. So what I'll do is I'll just quiet and expertise so quiet and sets Thies to the touch. It's on our sets this to just 12 1
And if I go ahead and click OK to that's
on. If I go ahead and click, sift. That's
so that saved that. But I've already expired. Eat
so to verify if I go back to the private brother that I used earlier on. If I refresh the screen now, you can see that's the talkin is now invalidated. I did not need to issue a new talking. All I needed to do waas invalidates start access policy that was used to generate this talking.
So he has a summary of the activities that were completed in this demonstration.
We started out by reviewing as your started security options in the azure Poteau. We'll that created a shared access policy toe access as your blood resources on. We generated a sass talking using the policy.
And finally we revoked the shared access policy
times very much for watching on. I'll see you in the next lesson.
Up Next