堆栈内存溢出
  简体   繁体   English

在 Azure blob 存储中存储我的角色服务 package 有多安全?

[英]How safe is storing my role service package in Azure blob storage?

 原文  2011-07-06 14:23:52       windows/ deployment/ azure/ cloud/ azure-storage-blobs

问题描述

Azure Management Portal allows deploying a service from a service package earlier uploaded to Azure blob storage. Azure 管理门户允许从之前上传到 Azure blob 存储的服务 package 部署服务。 This looks very convenient but kind of paranoid - what if some third party accesses the blob storage and retrieves the executables comprising my role?这看起来很方便,但有点偏执——如果某些第三方访问 blob 存储并检索构成我的角色的可执行文件怎么办?

How safe is storing role service package in Azure blob storage?在 Azure blob 存储中存储角色服务 package 的安全性如何? What are better alternatives if any?如果有的话,有什么更好的选择?

1 个解决方案

解决方案1
 5 已采纳  2011-07-06 15:17:44

There are a few attack vectors to get to blob storage and you are in control of all of them, so it is up to you to secure the access.有一些攻击向量可以访问 blob 存储,并且您可以控制所有这些向量,因此您可以确保访问安全。 Specifically:具体来说:

  1. Securing your Primary and Secondary secret keys to the storage account.保护存储帐户的主密钥和辅助密钥。 Loss of these keys would compromise the storage account.丢失这些密钥会危及存储帐户。 All acccess by default to blob storage must be authenticated.默认情况下,所有对 blob 存储的访问都必须经过身份验证。
  2. Securing any and all management certificates (private key) for the subscription.保护订阅的所有管理证书(私钥)。 A management certificate holder can always get the storage keys for all storage accounts in the sub, so this is a total compromise.管理证书持有者始终可以获取 sub 中所有存储帐户的存储密钥,因此这是一种完全妥协。
  3. Securing the container with the package.用 package 固定容器。 If you mark the container public, folks can get it without a storage key.如果您将容器标记为公开,人们可以在没有存储密钥的情况下获取它。
  4. Removing any Signed Identifiers or making sure you are not unwittingly allowing access through a poorly crafted SAS signature.删除任何签名标识符或确保您不会无意中允许通过制作不当的 SAS 签名进行访问。

That's it.而已。 Unless there is an actual security issue with blob storage service (that we currently don't know about), those are the only ways to get access.除非 blob 存储服务存在实际的安全问题(我们目前不知道),否则这些是获得访问权限的唯一方法。 If you secure it, it is pretty safe and I don't think there is a better alternative to store a package in Windows Azure.如果你保护它,它是非常安全的,我认为没有更好的选择来将 package 存储在 Windows Azure 中。

One last thing: the package you upload by default is actually encrypted.最后一件事:您默认上传的 package 实际上是加密的。 Even if someone downloaded it, the only thing that can decrypt it is the fabric controller.即使有人下载了它,唯一能解密它的就是面料 controller。 I think you have other issues you should worry more about.我认为您还有其他问题应该更多地担心。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Azure教程 - 如何使用本地blob存储 - Azure tutorial - How to use local blob storage 如何在不编写自己的程序的情况下将一些文件上传到 Azure blob 存储? - How do I upload some file into Azure blob storage without writing my own program? 如何连接Azure存储以从blob存储中读取.txt文件 - How to connect Azure Storage to read .txt files from blob storage 如何配置Windows Azure WCF服务Web角色以使用netTcpBinding? - How to configure a Windows Azure WCF Service Web Role to work with netTcpBinding? 更改 Azure 存储 Blob 中文件的内容类型 - Change Content Type for files in Azure Storage Blob 将 Azure 存储模拟器作为服务运行 - Run Azure Storage Emulator as service 备份符合SQL Azure DB的Azure Blob存储 - Backup Azure blob storage in line with SQL Azure DB Jenkins Azure Blob 存储插件将构建文件夹的内容而不是构建文件夹复制到 $web azure blob 静态容器 - Jenkins Azure Blob Storage plugin to copy the contents of Build folder and not build folder to $web azure blob static cotainer 从 Windows Azure 中的 blob 存储逐行读取 - Reading line by line from blob Storage in Windows Azure 我已经使用云服务,windows azure创建了Web应用程序,现在我要在2个以上的环境中部署Web角色 - I've created web application with cloud service, windows azure,right now i am deploying my web role on more then 2 environment
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM