
Securing Blob storage access

1. Securing Blob storage access

Welcome back! So far, you’ve learned how Cipher Coffee stores, organizes, and manages data in Azure Blob Storage. Now, let’s focus on something every modern business must take seriously: security and compliance.

2. Unauthorized access

Imagine this: Cipher Coffee’s database contains customer orders, loyalty card info, payroll files, and secret recipes. If someone gained unauthorized access, the impact could be severe and could even result in fines!

3. Azure security

To keep your data secure in Azure Blob Storage, you can rely on several built-in protection mechanisms. These include:

- Encryption at rest, which secures stored data
- Encryption in transit, which protects data while it is moving
- Access controls, to define who can see or manage your blobs
- Networking restrictions, to limit access based on IP ranges or private endpoints
- Monitoring and alerts, to track suspicious behavior and take action

These layers work together to provide strong, defense-in-depth security for your data.

4. Encryption at rest

First, let's talk about encryption at rest. Azure automatically encrypts all data stored in Blob Storage, even before it's written to disk. Think of it like putting every file in a locked safe the moment it arrives. This means that, even if someone managed to get hold of the underlying storage hardware, your data would remain unreadable without the proper keys. For most businesses, including Cipher Coffee, this level of automatic protection is both a compliance requirement and a best practice.

5. Encryption in transit

When a customer places an order at Cipher Coffee, their data travels from their browser to Azure. Encryption in transit ensures that this data is protected while moving between devices or services. Azure uses Transport Layer Security (TLS) to create a secure tunnel, so even if someone intercepts the data, it appears scrambled and unreadable. Azure requires TLS for Blob Storage access via HTTPS, ensuring secure connections by default. This protects sensitive information like payment details or personal info from being exposed. For Cipher Coffee, encryption in transit is essential to keep customer trust, meet compliance standards, and ensure secure communication between systems and users, whether inside or outside Azure.

6. Extra security

But encryption alone isn’t enough. You also need to control who can access your data, and for how long. Blob containers are private by default unless changed at creation. Only authenticated users or apps with permission can see what’s inside. But sometimes, you’ll need to securely share a file, maybe with a delivery partner, or for a limited-time marketing campaign.

7. Shared Access Signatures

This is where Shared Access Signatures, or SAS tokens, come in. A SAS token is like a digital “hall pass” you can hand out. It grants specific people access to certain blobs or containers, with strict limits. For example:

8. Access type

You can allow someone to download a file, but not upload or delete.

9. Timed access

You can set a time window: maybe one hour, or even just a few minutes, like you'll be doing later in the exercises!

10. IP restrictions

You can even restrict access by IP address or protocol. With SAS, Cipher Coffee can securely share reports, images, or invoices, without ever making an entire container public or risking unwanted access.
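The three limits just described (permission set, time window, IP and protocol restriction) are all fields that get signed into the token, so none of them can be altered after the fact without invalidating the signature. The following added example, which is not part of the course and not the Azure SDK's own code, shows that mechanism end to end with only the standard library: it builds a read-only, 15-minute, HTTPS-only, IP-restricted service SAS for one blob, re-verifies the signature the way the service would, and runs a pre-issue policy check a defender might apply before handing a token to a partner. The field order in the string-to-sign follows Azure's documented service SAS format (version 2020-12-06 and later); the account name, key, container and blob are constructed placeholders, and in real code you would call the SDK helper `generate_blob_sas` rather than signing by hand.

```python
"""Build, verify and policy-check a service SAS for a single blob (standard library only).

Added illustration: the string-to-sign layout follows Azure's documented service SAS
format (version 2020-12-06 and later).  The account, key, container and blob names
are constructed placeholders, not real credentials.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample account (not a real storage account or key).
ACCOUNT = "ciphercoffeedemo"
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-do-not-reuse-0123456789").decode()


def _string_to_sign(container, blob, permissions, st, se, sip, protocol):
    """Join the signed fields in the order the Blob service expects.

    Optional fields left empty (stored access policy id, snapshot time, encryption
    scope, response-header overrides) still contribute their newline separators.
    """
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([
        permissions, st, se, canonical,
        "",                      # signed identifier (stored access policy)
        sip, protocol, SAS_VERSION,
        "b",                     # signed resource: a single blob
        "", "",                  # snapshot time, encryption scope
        "", "", "", "", "",      # rscc, rscd, rsce, rscl, rsct overrides
    ])


def _sign(string_to_sign):
    """HMAC-SHA256 over the string-to-sign with the base64-decoded account key."""
    key = base64.b64decode(ACCOUNT_KEY)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_blob_sas(container, blob, permissions, start, expiry,
                   ip_range=None, protocol="https"):
    """Return the SAS query string (no leading '?') for one blob.

    permissions: "r" = read only, "rw" = read + write, "rwd" adds delete.
    ip_range:    "a.b.c.d" or "a.b.c.d-e.f.g.h" allowed to present the token.
    protocol:    "https" (default, HTTPS only) or "https,http".
    """
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sip = ip_range or ""
    sig = _sign(_string_to_sign(container, blob, permissions, st, se, sip, protocol))
    params = {"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": st, "se": se,
              "spr": protocol, "sig": sig}
    if sip:
        params["sip"] = sip
    return urlencode(params)


def _parse(sas_query):
    return {k: v[0] for k, v in parse_qs(sas_query).items()}


def verify_blob_sas(sas_query, container, blob):
    """Recompute the signature as the service does; True only if every signed field is intact."""
    q = _parse(sas_query)
    expected = _sign(_string_to_sign(container, blob, q["sp"], q["st"], q["se"],
                                     q.get("sip", ""), q["spr"]))
    return hmac.compare_digest(expected, q["sig"])


def sas_policy_problems(sas_query, max_lifetime=timedelta(hours=1), allowed_permissions="r"):
    """Checks to run before handing a token to a partner; an empty list means it passes."""
    q = _parse(sas_query)
    problems = []
    extra = sorted(set(q.get("sp", "")) - set(allowed_permissions))
    if extra:
        problems.append("permissions beyond %r: %s" % (allowed_permissions, "".join(extra)))
    if q.get("spr") != "https":
        problems.append("token usable over plain HTTP")
    if "sip" not in q:
        problems.append("no IP restriction")
    lifetime = datetime.strptime(q["se"], TIME_FMT) - datetime.strptime(q["st"], TIME_FMT)
    if lifetime > max_lifetime:
        problems.append("lifetime %s exceeds %s" % (lifetime, max_lifetime))
    return problems


def demo_sas(minutes=15, permissions="r", ip_range="203.0.113.10"):
    """Token for a constructed report blob with a fixed start time, for reproducible output."""
    start = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    return build_blob_sas("reports", "q4-sales.pdf", permissions, start,
                          start + timedelta(minutes=minutes), ip_range=ip_range)


if __name__ == "__main__":
    sas = demo_sas()
    print("https://%s.blob.core.windows.net/reports/q4-sales.pdf?%s" % (ACCOUNT, sas))
    print("signature valid:", verify_blob_sas(sas, "reports", "q4-sales.pdf"))
    print("policy problems:", sas_policy_problems(sas))
    # Widening the permissions in the URL by hand breaks the signature.
    print("tampered valid:", verify_blob_sas(sas.replace("sp=r&", "sp=rwd&"), "reports", "q4-sales.pdf"))
```

Two things worth noticing when running it: editing `sp=r` to `sp=rwd` in the query string makes `verify_blob_sas` return False, because the permission set is part of what was signed; and `sas_policy_problems` flags a three-hour read-write-delete token with no IP limit on all three counts, which is the kind of token that turns a "share one invoice" request into a standing write path into the container.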

11. Let's practice!

Let’s get started securing Cipher Coffee’s Blob storage!
