Azure Storage Access Control: RBAC, ABAC, and SAS Explained with Best Practices


Access control is a vital component of cybersecurity. It preserves sensitive information by ensuring that it is not made available to unauthorized users. Access control is crucial for all organizations; however, it becomes even more important when using Cloud solutions. The Cloud services provided by Azure have extensive access control capabilities to protect the services that store data. In this blog, we will discuss the access control methods that Azure provides, which primarily use Azure Microsoft Entra ID and Shared Access Keys, and then outline their capabilities, pros and cons, and best practices.

Access Control Overview

Access control means providing users with the least amount of access required to perform their business responsibilities. It requires great discipline from organizations to grant privileged access only to the employees and contractors who need it for their responsibilities.

As a critical part of security, the least privilege concept reduces risks to information systems. Access control for cloud storage is about allowing legitimate access to data without permitting unauthorized access. The reasons organizations care about access control are based on three objectives:

  • Safeguarding data against unauthorized access 
  • Compliance regulations 
  • Cloud security in general 

Azure Microsoft Entra ID and Shared Access Keys are the main access control methods to consider when using Azure Storage. Azure Storage has many access control methods to help organizations manage who can access their data, and what actions they can perform. Let us explore Azure Microsoft Entra ID and Shared Access Keys in more detail. 

Azure Microsoft Entra ID: Identity and Access Management

Azure Microsoft Entra ID, formerly known as Azure Active Directory (AAD), provides identity and access management capabilities. It is an essential service for managing access to Azure resources, including Azure Storage. In Microsoft Entra ID, access management has two key functions: Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

1. Role-Based Access Control (RBAC)

RBAC is a widely adopted method of managing permissions by assigning roles to user accounts. Rather than managing permissions individually for each user, administrators assign a role to the user, which makes administration of access controls much simpler.

How Does RBAC Work?

In Azure Storage, RBAC role assignments can be made at several scopes: at the storage account level or on an individual container. The standard roles include:

  • Owner: Has permission to assign roles to other users and has full access to all resources 
  • Contributor: Can manage all resources for the account; has no permission to assign roles 
  • Reader: Can view resources for the account, but cannot modify resources 

For example, suppose you have an Azure Storage account called ‘storage1’. If an administrator assigns the ‘Reader’ role to a user, that user can see the files and folders in ‘storage1’ but cannot make changes. This access control reduces the risk of accidental data changes or deletions.

2. Attribute-Based Access Control (ABAC)

Many organizations have established access control using RBAC, but they also use Attribute-Based Access Control to express more varied access rules. ABAC allows administrators to grant access based on attributes or conditions.

How Does ABAC Work?

ABAC analyzes user attributes, resource attributes, and environmental constraints to make access control decisions, thereby granting more fine-grained control than RBAC. 

For example, in ‘storage1’ there is also a folder named ‘Books’ and a document named ‘Note’. A user with the ‘Reader’ role can see both the folder and the document but cannot access either. The administrator tags them with attributes such as ‘confidential’, ‘internal’ and ‘Do Not Share’, and can then formulate a condition that allows the user to read only the document ‘Note’, leaving the rest of the storage account unusable by this user.
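To make the RBAC-plus-ABAC decision above concrete, here is an added model (example code, not part of the original post and not the Azure SDK): a role assignment at a scope grants the role's actions to everything beneath that scope, and a condition attached to the assignment, mirroring what an Azure role-assignment condition on blob index tags expresses, narrows which blobs the action applies to. Role permission sets, the ‘Classification’ tag and the blob names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed, simplified permission sets for the roles named in the post.
ROLE_PERMISSIONS = {
    "Owner": {"read", "write", "delete", "assign_roles"},
    "Contributor": {"read", "write", "delete"},
    "Reader": {"read"},
}


@dataclass
class Assignment:
    principal: str
    role: str
    scope: str  # e.g. "storage1" (whole account) or "storage1/Books" (one container)
    # ABAC condition: (action, blob tags) -> allowed?  None means an unconditional RBAC assignment.
    condition: Optional[Callable[[str, dict], bool]] = None


def in_scope(scope, resource):
    """A role assigned at 'scope' is inherited by every resource beneath it."""
    return resource == scope or resource.startswith(scope + "/")


def is_allowed(assignments, principal, action, resource, tags):
    """RBAC: an assignment at an enclosing scope must grant the action.
    ABAC: if that assignment carries a condition, it must also hold for this request."""
    for a in assignments:
        if a.principal != principal or not in_scope(a.scope, resource):
            continue
        if action not in ROLE_PERMISSIONS[a.role]:
            continue
        if a.condition is None or a.condition(action, tags):
            return True
    return False


# Constructed data for the post's example: blobs in storage1 carrying classification tags.
BLOBS = {
    "storage1/Note": {"Classification": "internal"},
    "storage1/Books/ch1.pdf": {"Classification": "confidential"},
    "storage1/Books/ch2.pdf": {"Classification": "Do Not Share"},
}


def internal_reads_only(action, tags):
    # Reads are allowed only on blobs tagged 'internal'; other actions are left to the role itself.
    return action != "read" or tags.get("Classification") == "internal"


# Reader on the whole account, narrowed by the condition: only 'Note' is readable.
ASSIGNMENTS = [Assignment("alice", "Reader", "storage1", condition=internal_reads_only)]


def alice_can_read():
    return {name: is_allowed(ASSIGNMENTS, "alice", "read", name, tags) for name, tags in BLOBS.items()}
```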

Advantages of Microsoft Entra ID for Access Control

  • Centralized Management: Entra ID offers a single platform to set up identities and access permissions for all Azure services. 
  • Improved Security: By using RBAC and ABAC, organizations can enforce access controls with more precision to limit access to secure content. 
  • Flexibility: Organizations using ABAC to grant access have the ability to change access based on the organization’s current requirements without needing to change the whole access control management structure. 
  • Auditability: Azure provides logging and monitoring functionality that reveals access and usage patterns. It can tell you who accessed what and when.

Shared Access Keys

While Azure Microsoft Entra ID offers incredible features for controlling user access, Shared Access Keys provide another method of access control for Azure Storage. Shared Access Keys are cryptographic keys that directly allow users to access storage resources. 

Shared Access Signature (SAS)

A Shared Access Signature (SAS) is a secure token that provides limited access to specific Azure Storage resources for a defined period. There are three types of SAS tokens: 

  1. User Delegation SAS: Associated with Microsoft Entra credentials and only usable with Blob storage. 
  2. Service SAS: Secured with the storage account key and can work with any single storage service.
  3. Account SAS: This is like Service SAS, but it allows one to work with many storage services within one account. 

Ad Hoc SAS

Ad hoc SAS tokens are used when the administrator specifies the permissions, and optionally the start time and expiration time, directly in the SAS URI. This type of SAS is suited to cases where temporary access to resources is needed.

Example of Ad Hoc SAS: Let us say that a user needs to upload files to ‘storage1’ for a limited time. The administrator can create an Ad Hoc SAS token, allowing this user to upload files for one hour only. When the hour expires, the token expires, and access is automatically revoked. 

Service SAS with Stored Access Policy 

Stored Access Policies give administrators a more structured way of managing SAS tokens: they create an access policy at the resource level and then reference that policy when they create SAS URIs.

Benefits of Stored Access Policy 

  • Manageability: Continuous access management is more efficient because admins can modify or remove access policies without having to renew SAS tokens.  
  • Time-Limited Access: Policies can set time restrictions on the access granted under the policy, enforcing temporary access to resources and increasing the security of the storage account.

An Example of Service SAS with Stored Access Policy 

An organization may create access policies to allow a team to read and write files into a container for one month. If the administrators need to revoke this access policy before it expires, they will only have to update the policy and not have to worry about regenerating SAS tokens. 

Potential Risks with SAS Tokens 

There are some risks associated with SAS tokens, however:  

  1. Token leakage: If a SAS token leaks, anyone who obtains it can use its permissions, which may lead to compromise of the storage account.
  2. Token expiry: If a SAS token expires and an application cannot request and acquire a new SAS token, a disruption in the application’s operation may occur, causing a degradation in the user experience and the business.
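Both risks can be checked before a SAS URI is handed out or when one turns up in a log. The following added example (written for this post, not Azure SDK code) parses the standard SAS query parameters (sp, st, se, si, sip, spr, ss, skoid) and reports what a reviewer would flag: write-capable permissions, long or missing expiry, no stored access policy to revoke against, HTTP allowed, and no IP restriction. The seven-day review threshold, the sample URIs and the placeholder signature are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(days=7)  # assumed review threshold, not an Azure limit
WRITE_PERMS = set("wdcau")        # write, delete, create, add, update


def parse_sas_time(value):
    """SAS times are ISO 8601 UTC, e.g. 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas_uri(uri, now=None):
    """Return a list of risk findings for a SAS URI; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}
    findings = []
    if "ss" in params or "srt" in params:
        findings.append("account SAS: spans services rather than a single resource")
    writes = set(params.get("sp", "")) & WRITE_PERMS
    if writes:
        findings.append("write-capable permissions: " + "".join(sorted(writes)))
    if "se" not in params and "si" not in params:
        findings.append("no expiry and no stored access policy")
    elif "se" in params:
        expiry = parse_sas_time(params["se"])
        start = parse_sas_time(params["st"]) if "st" in params else now
        if expiry < now:
            findings.append("token already expired (expect application failures)")
        elif expiry - start > MAX_LIFETIME:
            findings.append(f"lifetime {(expiry - start).days} days exceeds review threshold")
    # A user delegation SAS (skoid present) is revoked via its delegation key instead.
    if "si" not in params and "skoid" not in params:
        findings.append("no stored access policy: revocation requires rotating the account key")
    if "http" in params.get("spr", "").split(","):
        findings.append("plain HTTP allowed (spr): token can be captured in transit")
    if "sip" not in params:
        findings.append("no IP range restriction (sip)")
    return findings


# Constructed samples for container 'uploads' in storage1 (signature is a placeholder).
BROAD_SAS = ("https://storage1.blob.core.windows.net/uploads?sv=2022-11-02&sr=c&sp=racwdl"
             "&st=2024-01-01T00:00:00Z&se=2026-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")
# The post's one-hour upload scenario, tied to a stored access policy and an IP range.
TIGHT_SAS = ("https://storage1.blob.core.windows.net/uploads?sv=2022-11-02&sr=c&sp=c"
             "&st=2024-06-01T09:00:00Z&se=2024-06-01T10:00:00Z&spr=https"
             "&sip=203.0.113.10-203.0.113.20&si=uploads-1h&sig=PLACEHOLDER")
```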

Best Practices for Managing Access Control in Azure Storage 

Organizations should follow these best practices to manage access control in Azure Storage: 

  1. Follow the Principle of Least Privilege: Users should only have the minimum permissions they require to do their work, whether using RBAC or ABAC. By assigning users only the minimum level of permissions required, the attack surface is limited if an account is compromised.
  2. Regularly Review and Audit Permissions: Periodically review access rights for users. When roles or responsibilities change, ensure that the user’s access permissions are still reasonable and appropriate. This prevents over-privileged accounts from becoming a potential risk.
  3. Use Stored Access Policies with SAS: Instead of issuing standalone SAS tokens against storage resources, manage access through stored access policies. When access becomes outdated or inappropriate, you will not need to regenerate SAS tokens (particularly in bulk), which is tedious and error-prone.
  4. Review Access, Activity and Audit Logs: Azure has several monitoring tools to track who accesses which resources and when. Review activity regularly to detect anomalies or potentially suspicious activity so that action can be taken swiftly.
  5. Educate Users to Follow Security Best Practices: Provide users with training on their personal responsibility for security, giving them the best chance of managing their accounts securely. This education should include keeping SAS tokens safe, reporting suspected phishing attempts, and following security protocols. An informed workforce is an organization’s best line of defense against attack.

Conclusion 

Access control is an important aspect of protecting Azure Storage and sensitive information in the cloud. Azure Microsoft Entra ID offers complementary technologies, RBAC and ABAC, that allow organizations to assign and verify user access effectively and securely within Azure. Shared Access Keys, including SAS tokens, allow organizations to grant others access to resources for a configurable period of time.

As organizations leverage Cloud technology, assuring that they are implementing appropriate access control mechanisms is critical for protecting data privacy, supporting compliance, and engineering trust.  


Pranjal Kalal

Pranjal Kalal is an IoT Security Engineer with expertise in Cloud Security and Web Application Penetration Testing. She focuses on securing connected systems, identifying vulnerabilities, and Threat Modeling.
