Platform: AZURE
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | True | Storage account keys and SAS tokens can be used to access data. These should be managed and rotated securely. | Shared Access Signatures (SAS) and account keys should be used with caution. |
| Authentication & Authorization | IAM Integration | True | Azure RBAC can be used to manage access to storage accounts and blob containers. | |
| Authentication & Authorization | MFA | True | MFA can be enforced for users managing the storage account. | Applies to administrative access. |
| Authentication & Authorization | Service Account Support | True | Managed identities and service principals can be used to access blob storage. | |
| Authentication & Authorization | Standard Protocols | True | Azure Storage APIs use OAuth 2.0 for authentication. | |
| Compliance & Certifications | Compliance Documentation | True | Compliance documentation is available through the Azure Trust Center. | |
| Compliance & Certifications | Industry Certifications | True | Azure holds numerous industry certifications. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking is not a direct feature of blob storage. | Not a direct feature. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Microsoft Purview can be used to scan and classify data in Azure Blob Storage. | Requires integration with Microsoft Purview. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data is not replicated to other regions unless the customer configures geo-redundant storage (GRS). Access can be restricted by network rules. | Customer is responsible for configuring replication and access policies. |
| Data Residency & Sovereignty | Data Location Transparency | True | The location of the storage account is clearly visible in the Azure Portal and APIs. | |
| Data Residency & Sovereignty | Region Selection | True | Customers can choose the Azure region where their storage account will be created, ensuring data is stored in a specific geographic location. | |
| Encryption | Encryption at Rest | True | All data in Azure Blob Storage is encrypted at rest by default using platform-managed keys. Customer-managed keys are also supported. | |
| Encryption | Encryption in Transit | True | All data transferred to and from Azure Blob Storage is encrypted using TLS. | |
| Logging & Monitoring | Access Logging | True | Storage Analytics provides detailed logging of requests to the storage account. | Requires enabling Storage Analytics. |
| Logging & Monitoring | Audit Logging | True | Azure Activity Log tracks management operations on the storage account. | |
| Logging & Monitoring | Log Retention | True | Log retention policies can be configured for Storage Analytics. | |
| Logging & Monitoring | Monitoring & Alerting | True | Azure Monitor provides metrics and alerting for blob storage. | |
| Network Security | API Gateway Integration | True | Azure API Management can be used to expose and secure data in blob storage as an API. | Indirectly. |
| Network Security | DDoS Protection | True | Azure provides DDoS protection for the underlying infrastructure. | Inherited from the Azure platform. |
| Network Security | Firewall Rules | True | Storage account firewalls can be configured to restrict access to specific IP addresses or VNets. | |
| Network Security | Private Access | True | Private endpoints can be used to access blob storage from within a VNet. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | The Azure REST API is developed under Microsoft's Security Development Lifecycle (SDL). | Applies to the Azure management API. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | Microsoft performs security testing and code reviews of the Azure platform. | Applies to the Azure platform. |
| Vulnerability Management & Patching | Security Updates | True | Microsoft is responsible for patching the blob storage service. | Microsoft manages the service. |
| Vulnerability Management & Patching | Vulnerability Scanning | True | Microsoft performs vulnerability scanning of the Azure platform. | Microsoft manages the service. |