Storage and databases (Blob, Files, Azure SQL, PostgreSQL)
Data is the most valuable asset in the cloud and the most common target of attacks. Azure divides data services into object/file storage (Storage Account) and managed databases (Azure SQL, PostgreSQL). Each has its own controls, which ZEUS verifies for exposure and encryption.
Storage Account: Blob and Files
A single storage account hosts several services. The most important are:
- Blob — object storage (files, backups, unstructured data), with Hot / Cool / Archive tiers for cost optimization.
- Files — SMB/NFS shares mounted like a network drive.
```bash
az storage account create \
  --resource-group rg-zeus-data --name stzeusdata01 \
  --sku Standard_LRS --kind StorageV2 \
  --min-tls-version TLS1_2 \
  --allow-blob-public-access false \
  --public-network-access Disabled
```
Tip:
`--allow-blob-public-access false` blocks anonymous access to blobs. Public containers are a classic data leak — ZEUS flags them as a critical finding.
Azure SQL Database
A managed SQL Server engine (PaaS). Microsoft handles patching; high availability and automatic backups are built in. Key security controls:
- Microsoft Entra authentication instead of SQL logins,
- Transparent Data Encryption (TDE) — enabled by default,
- Private Endpoint instead of public access,
- firewall rules restricted to known addresses.
```bash
az sql server create \
  --resource-group rg-zeus-data --name sql-zeus-weu \
  --admin-user sqladmin --admin-password '<silne-haslo>' \
  --enable-public-network false
```
Azure Database for PostgreSQL — Flexible Server
Managed PostgreSQL. Flexible Server is the currently recommended model — it provides VNet integration, availability zones and precise control over maintenance windows.
```bash
az postgres flexible-server create \
  --resource-group rg-zeus-data --name pg-zeus-weu \
  --tier GeneralPurpose --sku-name Standard_D2ds_v5 \
  --version 16 --high-availability ZoneRedundant \
  --public-access Disabled
```
Comparison table
| Service | Model | Typical use | Private access |
|---|---|---|---|
| Blob | object | backups, files, data lake | Private Endpoint |
| Files | file SMB/NFS | shared drives | Private Endpoint |
| Azure SQL | relational (T-SQL) | .NET apps, OLTP | Private Endpoint |
| PostgreSQL Flex | relational (PG) | open-source apps | VNet integration |
How ZEUS sees it
Through its read-only connector ZEUS checks critical data controls: whether the storage account allows public access to blobs, whether TLS 1.2 is enforced, whether the SQL/PostgreSQL databases have public access disabled and encryption enabled. This data feeds the compliance framework (e.g. ISO 27001, NIS2) — encryption and data access control are requirements for which ZEUS continuously collects evidence.
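As an added example (not part of this lesson and not ZEUS's own code), the checks described above, together with the public-blob check from the Tip in the storage section, applied to the JSON that `az storage account show`, `az sql server show` and `az postgres flexible-server show -o json` return. The sample documents are constructed inline with made-up names; the field names used (`allowBlobPublicAccess`, `minimumTlsVersion`, `publicNetworkAccess`, `encryption.services.blob.enabled`, `administrators.azureAdOnlyAuthentication`, `network.publicNetworkAccess`, `dataEncryption.type`) are an assumption about the current CLI output shape and should be confirmed against a real `show` call before relying on them.

```python
import json

# Constructed sample in the shape of `az storage account show -o json`.
# Deliberately weak: public blobs, TLS 1.0, public network access on.
STORAGE_ACCOUNT = json.loads("""
{
  "name": "stzeusdata01",
  "allowBlobPublicAccess": true,
  "minimumTlsVersion": "TLS1_0",
  "publicNetworkAccess": "Enabled",
  "encryption": {"services": {"blob": {"enabled": true}}}
}
""")

# Same account after the `az storage account create` flags from the lesson.
HARDENED_STORAGE_ACCOUNT = json.loads("""
{
  "name": "stzeusdata01",
  "allowBlobPublicAccess": false,
  "minimumTlsVersion": "TLS1_2",
  "publicNetworkAccess": "Disabled",
  "encryption": {"services": {"blob": {"enabled": true}}}
}
""")

# Constructed sample in the shape of `az sql server show -o json`
# (field names assumed; azureAdOnlyAuthentication is false here).
SQL_SERVER = json.loads("""
{
  "name": "sql-zeus-weu",
  "publicNetworkAccess": "Disabled",
  "administrators": {"azureAdOnlyAuthentication": false}
}
""")

# Constructed sample in the shape of `az postgres flexible-server show -o json`.
PG_SERVER = json.loads("""
{
  "name": "pg-zeus-weu",
  "network": {"publicNetworkAccess": "Disabled"},
  "dataEncryption": {"type": "SystemManaged"}
}
""")


def check_storage_account(acct: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one storage account."""
    name = acct.get("name", "<unknown>")
    findings = []
    # Missing key is treated as the insecure default (fail closed for the auditor).
    if acct.get("allowBlobPublicAccess", True):
        findings.append(("critical", f"{name}: anonymous blob access allowed"))
    tls = acct.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(("high", f"{name}: minimum TLS version is {tls}, expected TLS1_2"))
    if acct.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(("high", f"{name}: public network access enabled, no Private Endpoint-only posture"))
    blob_enc = acct.get("encryption", {}).get("services", {}).get("blob", {}).get("enabled", False)
    if not blob_enc:
        findings.append(("high", f"{name}: blob encryption at rest not enabled"))
    return findings


def check_sql_server(srv: dict) -> list[tuple[str, str]]:
    """Findings for an Azure SQL logical server: network exposure and auth mode."""
    name = srv.get("name", "<unknown>")
    findings = []
    if srv.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(("high", f"{name}: public network access enabled"))
    admins = srv.get("administrators") or {}
    if not admins.get("azureAdOnlyAuthentication", False):
        findings.append(("medium", f"{name}: SQL logins still accepted (Entra-only authentication off)"))
    return findings


def check_postgres_server(srv: dict) -> list[tuple[str, str]]:
    """Findings for a PostgreSQL Flexible Server: exposure and encryption at rest."""
    name = srv.get("name", "<unknown>")
    findings = []
    if srv.get("network", {}).get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(("high", f"{name}: public network access enabled"))
    if not srv.get("dataEncryption", {}).get("type"):
        findings.append(("high", f"{name}: data encryption at rest not reported"))
    return findings


def run_all() -> list[tuple[str, str]]:
    """Aggregate findings across the three constructed resources."""
    return (check_storage_account(STORAGE_ACCOUNT)
            + check_sql_server(SQL_SERVER)
            + check_postgres_server(PG_SERVER))


if __name__ == "__main__":
    for severity, message in run_all():
        print(f"[{severity.upper()}] {message}")
```

Replace the constructed constants with the parsed output of the corresponding `az ... show -o json` command to run this against a real subscription; each checker treats a missing property as the insecure default, so an unexpected CLI schema surfaces as a finding rather than silently passing.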
In the next lesson we get into Infrastructure as Code: Bicep and Terraform.