Block External Access and Security in Windows Azure Storage

Question

Hi,

Sorry if this question has been asked before. I couldn't find anything on the forum.

Do you know if it's possible in Azure Storage to block HTTP/HTTPS external access ? I mean, is it possible that the storage is only available to my Azure Web/Worker roles ? My concern is that there is no granular security model. Everything can be done in your storage if someone for any reason grabs your private key, including deleting whole tables (I know that's kind of stupid since it's the same thing as having someone grabbing your password). But I'm looking for something like you have in SQL server that has granular permissions for the objects.

Are there any Best Practices or does the Azure team is planning to enhance the security model ?

I want to completely rely on Azure for data storage but I'm not 100% in the "comfort zone" with having my whole data (including user data) stored there. Any suggestions, ideas, feedback is greatly appreciated.

---

Andy

Answer 1

You're correct that the security of Windows Azure storage relies on the secrecy of your shared key.  It is in fact like a password.

There's no plan at the moment for a more granular permission model.  If you want to expose data via an API, you'll need to put your own authentication/authorization layer in front of storage that manages user permissions.

Answer 2

Hi Steve,

Thanks for the clarification. I can create my own security model. No problems with that. But still it wouldn't work since users could go straight to the storage since I don't believe there's a way to block the HTTP endpoint for Azure Storage external access, right ?

If you guys had a setting in a Azure Storage project such as "Accept requests only from [THIS]" where [THIS] could be my Azure Project ID or URL (or even the Private Deployment ID (I guess IP restriction may be complicated because of the Cloud Architecture). This way I'd have another layer of security by not opening my storage to the world (except through my own service layer with my own custom security model).

That would be something nice for a "feature list" and I guess Azure adoption (not only storage but hosting too) would increase a lot.

Thanks,

AN.

---

Andy

Answer 3

Any data that is marked as "private" is only accessible through the use of the private key. That means your users cannot bypass the security model and go straight to the data.