There are a few attack vectors to get to blob storage and you are in control of all of them, so it is up to you to secure the access. Specifically:
- Securing your Primary and Secondary secret keys to the storage account. Loss of these keys would compromise the storage account. All access by default to blob storage must be authenticated.
- Securing any and all management certificates (private key) for the subscription. A management certificate holder can always get the storage keys for all storage accounts in the sub, so this is a total compromise.
- Securing the container with the package. If you mark the container public, folks can get it without a storage key.
- Removing any Signed Identifiers or making sure you are not unwittingly allowing access through a poorly crafted SAS signature.
That's it. Unless there is an actual security issue with blob storage service (that we currently don't know about), those are the only ways to get access. If you secure it, it is pretty safe and I don't think there is a better alternative to store a package in Windows Azure.
One last thing: the package you upload by default is actually encrypted. Even if someone downloaded it, the only thing that can decrypt it is the fabric controller. I think you have other issues you should worry more about.
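As an added example (not part of the original answer), here is one way to review SAS URLs you have handed out for the "poorly crafted SAS" and signed-identifier cases listed above. It reads the standard SAS query parameters (`sr`, `sp`, `se`, `si`, `sig`); the one-hour lifetime limit, the function names, and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=1)  # assumed policy threshold, not from the post
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def parse_expiry(value):
    """Parse the SAS 'se' value as UTC; return None if unrecognised."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas_url(url, now):
    """Return a list of findings for one blob or container SAS URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if "si" in q:  # permissions/expiry may live in the stored access policy
        findings.append(f"uses signed identifier '{q['si']}': review or remove that policy")
    extra = "".join(sorted(set(q.get("sp", "")) - {"r"}))
    if extra:
        findings.append(f"grants more than read: {extra}")
    if q.get("sr") == "c":
        findings.append("scoped to the whole container, not one blob")
    if "se" in q:
        expiry = parse_expiry(q["se"])
        if expiry is None:
            findings.append("unparseable expiry")
        elif expiry - now > MAX_LIFETIME:
            findings.append("expiry exceeds allowed lifetime")
    elif "si" not in q:
        findings.append("no expiry and no signed identifier")
    return findings

# Constructed sample URLs (account, container, and signatures are placeholders).
BASE = "https://exampleaccount.blob.core.windows.net/packages/app.cspkg"
SAMPLES = [
    BASE + "?sv=2012-02-12&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED",
    BASE + "?sv=2012-02-12&sr=b&sp=r&se=2024-01-01T00:30:00Z&sig=CONSTRUCTED",
    BASE + "?sv=2012-02-12&sr=c&si=deploy-policy&sig=CONSTRUCTED",
]
if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for url in SAMPLES:
        print(audit_sas_url(url, now) or ["ok"])
```

A URL that carries `si` can only be fully judged by also reading the container's stored access policy, which this offline check does not do.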