NHI Forum
Read full article here: https://www.oasis.security/blog/what-are-storage-accounts/?utm_source=nhimg
Azure Storage accounts are foundational elements of cloud infrastructure, enabling organizations to store, access, and manage data across diverse applications and services. While their scalability and accessibility drive productivity, ensuring storage account security is critical to prevent unauthorized access, data leaks, and operational disruption.
Understanding Azure Storage Accounts
Azure Storage accounts provide centralized repositories for various data types, including:
- Blobs – unstructured object storage
- File Shares – managed file storage
- Queues – messaging between applications
- Tables – structured NoSQL storage
These accounts allow global access, letting applications retrieve and manipulate data from anywhere. However, this accessibility underscores the need for stringent non-human identity (NHI) governance to protect sensitive information.
Non-Human Identities in Storage Accounts
Non-human identities, including service accounts, access keys, and SAS tokens, are essential for programmatic access to storage accounts. Mismanagement of these credentials can expose your environment to serious cybersecurity risks.
Access Keys
- Provide full access to all storage account data
- Lack inherent expiration; manual rotation is required
- Each storage account has two keys (key1 and key2) for rotation purposes
SAS Tokens (Shared Access Signatures)
- Offer granular access to specific resources and actions
- Can include custom expiration, IP restrictions, and protocol limitations
- Linked to an access key; rotation of the key invalidates associated SAS tokens
Non-Human Identity Risks for Storage Accounts
- Access Key Leakage – Compromised keys grant unrestricted access, potentially enabling data breaches or manipulation.
- Unmonitored SAS Tokens – Without visibility, unauthorized use may go undetected, as seen in incidents like Microsoft AI token leaks.
- Misconfigured SAS Tokens – Overly broad permissions or long TTLs expand the attack surface and increase risk exposure.
Best Practices to Secure Storage Accounts
Disable Shared Access When Possible - Limit vulnerabilities by relying on Role-Based Access Control (RBAC) for fine-grained permission management.
1- Prioritize SAS Tokens
- Grant minimal permissions necessary
- Enforce HTTPS-only access
- Set short expiration periods (≤7 days)
- Restrict access by IP where possible
2- Rotate Access Keys Regularly - Manual rotation is complex; use automation platforms like Oasis Security for seamless key rotation and NHI lifecycle management.
3- Minimize Service Accounts and Principals - Reduce the number of identities with access to storage accounts to shrink the potential attack surface.
5- Leverage Automation Tools - Automated NHI governance ensures consistent provisioning, auditing, and RBAC enforcement, reducing operational overhead and human error.
Elevating Security with Oasis Security
Oasis Security offers a comprehensive solution for managing non-human identities in Azure Storage accounts:
- Contextual Mapping: Visibility into SAS token configurations, usage patterns, and access controls
- Lifecycle Governance: Automated workflows for provisioning, auditing, and RBAC enforcement
- Security & Compliance: Enforcement of policies and adherence to industry standards
By integrating automation and NHI lifecycle management, organizations can reduce risks, safeguard data, and streamline storage account security.