From a047147d291a325e0a018bb1f6e5f6613486cc14 Mon Sep 17 00:00:00 2001 From: SmallParty Date: Thu, 12 Dec 2024 14:23:23 +0100 Subject: [PATCH] =?UTF-8?q?Update=20Articles=20=E2=80=9Chow-to-secure-your?= =?UTF-8?q?-blob-storage-containers=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...-secure-your-blob-storage-containers.en.md | 75 ++++++++++--------- 1 file changed, 41 insertions(+), 34 deletions(-) diff --git a/content/newsroom/articles/how-to-secure-your-blob-storage-containers.en.md b/content/newsroom/articles/how-to-secure-your-blob-storage-containers.en.md index a280215..9281761 100644 --- a/content/newsroom/articles/how-to-secure-your-blob-storage-containers.en.md +++ b/content/newsroom/articles/how-to-secure-your-blob-storage-containers.en.md 
@@ -29,27 +29,27 @@ By [Serena de Pater](https://www.divd.nl/who-we-are/team/people/serena-de-pater/ No time to read the entire article. DIVD notified me, what do I do? (choose all that are applicable) -- Set the Blob Storage container’s access level to private. -- Disable anonymous access. -- Reconfigure shared access policies to enforce the principle of least privilege. -- Regenerate Shared Access Signatures (SAS) or Storage Account Keys. -- Apply relevant updates or patches. -- Enable logging (e.g., Azure Monitor and Azure Blob Storage Diagnostics) to monitor future access attempts. -- Secure your existing logs. -- Move business-critical data, PII and other sensitive data to the right container which is adequately protected. -- Contact [G](https://buckets.grayhatwarfare.com/)[rayhatwarfare](https://buckets.grayhatwarfare.com/) for deletion. +1. Set the Blob Storage container’s access level to private. +2. Disable anonymous access. +3. Disallow Shared Key authorization for a storage account. +4. Rotate and regenerate your keys. +5. Check what is stored where. +6. Enable logging to monitor future access attempts. +7. Secure your existing logs. +8. Implement strict naming conventions. +9. Contact [G](https://buckets.grayhatwarfare.com/)[rayhatwarfare](https://buckets.grayhatwarfare.com/) for deletion. {{< /callout >}} _In October 2022, a [misconfiguration in Microsoft's Azure Blob Storage](https://www.spiceworks.com/it-security/cloud-security/news/microsoft-azure-cloud-misconfiguration/) service exposed the personal data of more than 548,000 users, including product orders/offers, project details and PII (Personally Identifiable Information) data. The breach was due to the misconfiguration of only one server. According to SOCRadar’s assessment, this exposed server stored 2.4 terabytes of data from 65,000 companies based in 111 countries, including 335,000 emails, 133,000 projects, and 548,000 exposed users. 
SOCRadar described the incident as "the most significant B2B data leak in recent cybersecurity history" due to the scale and amount of data involved. "As long as humans are involved in configuring such data buckets, leaks will continue to occur."_ -## How can I secure my Blob Storage container? +## How to secure a Blob Storage container A data breach is one of the last things you want to happen in your organisation. So, how can you secure your Blob Storage containers to keep your data safe and out of the hands of cybercriminals? It’s simple! Just follow these steps: -### Implement least-privilege access +### 1. Set the Blob Storage container’s access level to private. -Implement least privilege access by giving users and applications only the permissions they need to perform their task(s). When configuring and maintaining Blob Storage containers, regularly review the configuration settings where the access level is defined. When creating a new container you can choose one of the following options: +Implement least privilege access by giving users and applications only the permissions they need to perform their task(s). When creating a new container you can choose one of the following options: - **Private Access**: Only specific users and services are granted permission to access the data, ensuring a high level of security. Access is contingent on credentials or tokens, adding an extra layer of protection. - **Blob (level) Access**: The public cannot list the contents of the container, but anyone with the exact URL can access the blob. This poses a risk of exposing sensitive data if URLs are leaked or guessed. Blob Access is suitable for non-sensitive content that must be shared with external parties, such as public-facing images or documents. 
@@ -57,52 +57,59 @@ Implement least privilege access by giving users and applications only the permi Needless to say, private access is the most secure option. This configuration ensures that only explicitly authorized users and services can access the data. It provides the highest level of security by enforcing strict access controls. -### Disable anonymous read access for containers and blobs +### 2. Disable anonymous read access -Azure Storage supports [anonymous read access](https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal) for containers and blobs (optional feature, disabled by default). Keep this feature disabled. +Azure Storage supports [anonymous read access](https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal) for containers and blobs (optional feature, disabled by default). Keep this feature disabled. When anonymous access is enabled at the container level, it allows cybercriminals to enumerate or list all the blobs within that container. If they find a container with anonymous access enabled, they can access the data stored within it, which may include sensitive files, backups, or other critical information. -When anonymous access is enabled at the container level, it allows cybercriminals to enumerate or list all the blobs within that container. They typically start by discovering the storage account name, which can often be guessed based on company naming conventions or identified through subdomain enumeration. Once cybercriminals have the storage account name, they can try to list the containers and their contents. If they find a container with anonymous access enabled, they can access the data stored within it, which may include sensitive files, backups, or other critical information. +### 3. 
Disallow Shared Key authorization for a storage account -### Use Microsoft Entra ID to authorize access to blob data & prevent Shared Key Authorization +When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. -By default, requests can be authorized with either Microsoft Entra credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Microsoft Entra ID provides superior security and ease of use over Shared Key and is recommended by Microsoft. When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed. - -Need guidance to set this up? - -- [Authorize access to Azure Storage data with Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory) - [Prevent Shared Key authorization for an Azure Storage account](https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal) - [How to view, manage, and rotate storage account access keys. ](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal) -- [Grant limited access to Azure Storage resources using shared access signatures (SAS)](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) {{< callout type="info" >}} A shared access signature (SAS) provides secure delegated access to resources in your storage account. An account SAS is secured with the storage account key. 
You can sign a SAS token with a user delegation key or with a storage account key (Shared Key). {{< /callout >}} -### Regularly rotate and regenerate your keys +### 4. Regularly rotate and regenerate your keys + +It is recommended that you rotate and regenerate your keys regularly. This can be done manually or using the Azure Key Vault. + +- [Manually rotate access keys](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#manually-rotate-access-keys) +- [Use Azure Key Vault to manage your access keys](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#use-azure-key-vault-to-manage-your-access-keys) + + Keep in mind that storage account access keys provide full access to the storage account data and the ability to generate SAS tokens. + +### 5. Check what is stored where + +Move business-critical data, PII and other sensitive data to the right container which is adequately protected. Our volunteers often find publicly accessible Blob Storage containers that were once created to only contain publicly known or insensitive information, but now also contain sensitive or private data. Regularly check if your Blob Storage containers only contain the data which the container was originally created for. Store business-critical data in immutable blobs, disallow cross-tenant object replication and configure legal holds and time-based retention policies if necessary. -When you create a storage account, Azure generates two 512-bit storage account access keys for the account. These keys can be used to authorize access to data in your storage account via Shared Key authorization, or via SAS tokens that are signed with the shared key. +### 6. Enable logging to monitor future access attempts -It is recommended to regularly rotate and regenerate your keys. This can be done manually or using the Azure Key Vault. 
Keep in mind: Storage account access keys provide full access to the storage account data and the ability to generate SAS tokens. +Enable logging (e.g., Azure Monitor and Azure Blob Storage Diagnostics) to monitor future access attempts. It can also help to employ additional layers of security such as Azure’s Advanced Threat Protection to detect anomalous access patterns. -### Regularly check what is stored where +You can use [Azure Storage Explorer](https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-explorer-blobs) to check the security configuration of your Azure Blob Storage containers by reviewing things like access levels, permissions, and encryption. In Azure Storage Explorer, you can for example manage (add and remove) access policies for a blob container. When you create a new Blob container right now, the default setting is that every Blob container is set to "No public access". + +### 7. Secure your existing logs -Our volunteers often find publicly accessible Blob Storage containers that were once created to only contain publicly known or insensitive information, but now also contain sensitive or private data. Regularly check if your Blob Storage containers only contain the data which the container was originally created for. Store business-critical data in immutable blobs, disallow cross-tenant object replication and configure legal holds and time-based retention policies if necessary. +By analyzing logs, you can determine how and when the container was misconfigured and whether it resulted from human error, automation scripts, or other factors. Use [Azure's immutable blob storage feature ](https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-storage-overview)to ensure that logs cannot be modified or deleted. -### Implement strict naming conventions +### 8. 
Implement strict naming conventions Implement strict naming conventions for Blob Storage containers that do not directly relate to the company or the type of data stored, making them difficult for attackers to predict. -According to [Wizardcyber](https://wizardcyber.com/azure-blob-storage-navigating-misconfiguration-risks/), cybercriminals often aim to uncover two key pieces of information to exploit Blob Storage: the names of the container and its corresponding storage account. When anonymous access is set to the container level, it becomes possible for an attacker to enumerate, or list, all the blobs within a container. +{{< callout type="info" >}} -### Enable Microsoft Defender for all of your storage accounts +According to [Wizardcyber](https://wizardcyber.com/azure-blob-storage-navigating-misconfiguration-risks/), cybercriminals often aim to uncover two key pieces of information to exploit Blob Storage: the names of the container and its corresponding storage account. When anonymous access is set to the container level, it becomes possible for an attacker to enumerate, or list, all the blobs within a container. -Microsoft Defender for Storage adds an extra layer of security intelligence by detecting unusual and potentially harmful attempts to access or exploit storage accounts. When anomalies in activity are detected, security alerts are triggered in Microsoft Defender for Cloud. These alerts are also sent via email to subscription administrators, providing details about the suspicious activity along with recommendations for investigation and remediation of potential threats. For more information, see [Configure Microsoft Defender for Storage](https://learn.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure). +{{< /callout >}} -It can also help to employ additional layers of security such as Azure’s Advanced Threat Protection to detect anomalous access patterns. +### 9. 
Contact Grayhatwarfare for deletion -### Use Azure Storage Explorer to check your security posture +Contact [G](https://buckets.grayhatwarfare.com/)[rayhatwarfare](https://buckets.grayhatwarfare.com/) for deletion. -You can use [Azure Storage Explorer](https://learn.microsoft.com/en-us/azure/storage/storage-explorer/vs-azure-tools-storage-explorer-blobs) to check the security configuration of your Azure Blob Storage containers by reviewing things like access levels, permissions, and encryption. In Azure Storage Explorer, you can for example manage (add and remove) access policies for a blob container. When you create a new Blob container right now, the default setting is that every Blob container is set to "No public access". +### ## Risks and consequences of misconfigured Blob Storage
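Review bot: In the first hunk (the `@@ -29,27 +29,27 @@` callout), replacing "Regenerate Shared Access Signatures (SAS) or Storage Account Keys." with "4. Rotate and regenerate your keys." drops the one action that actually invalidates a leaked SAS token; since the article's own callout states that an account SAS is secured with the storage account key, a reader who only regenerates keys "as a hygiene step" may not realise that regenerating the specific signing key is what revokes tokens already in the wild. Suggest wording step 4 as "Regenerate the storage account keys to invalidate any SAS tokens signed with them" or keeping the SAS mention. Two style points in the same hunk: the new heading "### 1. Set the Blob Storage container’s access level to private." ends with a period while "### 2. Disable anonymous read access" and the other step headings do not, and the link `[G](https://buckets.grayhatwarfare.com/)[rayhatwarfare](https://buckets.grayhatwarfare.com/)` is carried over as two adjacent links for one word; merge it into a single `[Grayhatwarfare](https://buckets.grayhatwarfare.com/)` in both the callout and step 9.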
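Review bot: In the second hunk (`@@ -57,52 +57,59 @@`), step 3 now tells readers to disallow Shared Key authorization and keeps the sentence "Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys", but the callout right below still says "An account SAS is secured with the storage account key" without connecting the two: once Shared Key is disallowed, every SAS signed with an account key stops working as well, and only user-delegation SAS (Entra ID) continue to succeed. Add one sentence stating that, or readers will break their own integrations and not know why; also restore the removed "Authorize access to Azure Storage data with Microsoft Entra ID" link, since the new step depends on Entra ID being set up first, and the link list now begins with "- [Prevent Shared Key authorization..." with no lead-in because "Need guidance to set this up?" was deleted. Further points in this hunk: the final added line `### ## Risks and consequences of misconfigured Blob Storage` has a stray `### ` prefix and will render as a level-3 heading containing literal "## "; the line `+ Keep in mind that storage account access keys provide full access...` is indented by one space after a bullet list and may render as part of the last list item, so drop the leading space; the "Enable Microsoft Defender for all of your storage accounts" section and its "Configure Microsoft Defender for Storage" link were removed, yet step 6 still recommends "Azure’s Advanced Threat Protection" with no pointer to where to enable it; the Azure Storage Explorer paragraph about reviewing access levels and permissions was moved under "6. Enable logging to monitor future access attempts" where it does not belong (it fits step 1 or 5); and step 9's body "Contact [G](...)[rayhatwarfare](...) for deletion." merely repeats its heading, so either say what to submit (the container URL) or fold the link into the heading.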