July 17, 2025
Introduction
In the age of AI, cloud storage isn’t just infrastructure; it’s the foundation of innovation. Generative AI models rely on massive datasets for grounding, model training and fine-tuning, many of which contain sensitive or proprietary data. If that data is compromised, the damage can be severe: IP theft, privacy violations, or even model poisoning.
With that importance come the risks of compromise:
- 70% of organizations found hidden sensitive data during audits.
- 78% struggle with compliance, especially with growing AI and data regulations.
- 47% have faced malware in storage, costing $2.3M on average per breach.
In this blog, we’ll explore how Defender for Cloud helps safeguard customers’ most valuable data by helping them start secure and stay secure.
The museum metaphor:
Imagine your cloud storage as a high-tech museum, housing priceless artifacts—your sensitive data, customer records, and AI training sets. Like any museum, protecting what’s inside requires strong defenses from day one and ongoing vigilance. To protect your important artifacts, you should:
- Start secure by preventing risks before the doors open. You’ll need to lock every entry point, position security cameras, and test alarms. Fix misconfigurations, close access gaps, and identify exposed data early—before attackers can.
- Stay secure with continuous monitoring. Consider how museums never stop watching. Security systems run 24/7, and staff respond to suspicious activity. In the same way, you need to detect threats in real time, enforce policies, and block malicious actions and malware—like someone trying to upload poisoned data into your AI pipeline.
Whether you’re storing business-critical data or fueling innovation with AI, you will need to protect your data like it belongs in a vault.
In the same way, Microsoft Defender for Cloud Storage Security helps Azure Storage customers start secure and stay secure when it comes to protecting their cloud storage.
Start secure – proactively reduce storage risks
The first step of “start secure” is enabling security. It’s important to have native integrations with existing storage infrastructure for effective security. Defender for Cloud provides seamless integration with Azure Storage, allowing one-click enablement and reducing operational overhead.
After enabling security, it’s important to identify and address risks. Defender for Cloud offers prioritized recommendations to detect and fix storage posture issues by integrating with various cloud providers. It identifies misconfigurations like shadow data, network weaknesses, and excessive access, providing clear remediation steps and guidance for administrators.
However, it is not enough to know where the risks are: without risk prioritization, security admins can be overwhelmed by the sheer number of recommendations.
Defender for Cloud’s Attack Path Analysis feature offers a comprehensive understanding of the attack surface by simulating potential attack paths. This helps organizations identify and prioritize potential vulnerabilities and misconfigurations in their cloud environment that could be exploited by attackers. By proactively addressing these weaknesses, organizations can significantly reduce their attack surface and minimize the risk of breaches.
For example, Defender for Cloud can identify an internet-exposed VM with a high-severity vulnerability that has access to a storage account containing sensitive data. Without remediation, an attacker can chain these posture issues together to reach the sensitive data.
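To make the prioritization idea concrete, here is an added example (not Defender for Cloud’s own algorithm) that models the posture chain above as a small asset graph: an internet-exposed VM, the identity it runs as, and the storage accounts that identity can reach. It enumerates every path from an internet entry point to a store holding sensitive data, ranks the paths by the severity of the entry point’s vulnerability, and prints the remediation steps that would break each chain. All asset names, severities and roles are constructed sample data.

```python
"""Toy attack-path analysis over a constructed cloud asset graph (added example)."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    kind: str                        # "vm", "identity" or "storage"
    internet_exposed: bool = False   # reachable from the internet (entry point)
    max_vuln_severity: int = 0       # constructed scale: 0 = none .. 4 = critical
    sensitive_data: bool = False     # storage account holds sensitive data
    edges: list[str] = field(default_factory=list)  # assets this one can reach


def build_sample_graph() -> dict[str, Asset]:
    """Constructed environment: three VMs, two identities, two storage accounts."""
    assets = [
        Asset("web-vm", "vm", internet_exposed=True, max_vuln_severity=3),
        Asset("jump-vm", "vm", internet_exposed=True, max_vuln_severity=1),
        Asset("batch-vm", "vm", internet_exposed=False, max_vuln_severity=3),
        Asset("web-mi", "identity"),
        Asset("batch-mi", "identity"),
        Asset("stg-training-data", "storage", sensitive_data=True),
        Asset("stg-public-assets", "storage", sensitive_data=False),
    ]
    g = {a.name: a for a in assets}
    # VM -> managed identity it runs as; identity -> storage accounts it has a data role on;
    # jump-vm -> batch-vm models network reachability inside the VNet (all constructed).
    g["web-vm"].edges += ["web-mi"]
    g["jump-vm"].edges += ["batch-vm"]
    g["batch-vm"].edges += ["batch-mi"]
    g["web-mi"].edges += ["stg-training-data", "stg-public-assets"]
    g["batch-mi"].edges += ["stg-training-data"]
    return g


def find_attack_paths(graph: dict[str, Asset]) -> list[list[str]]:
    """BFS from every internet-exposed asset to every storage account with sensitive data."""
    paths: list[list[str]] = []
    for start in graph.values():
        if not start.internet_exposed:
            continue
        queue = deque([[start.name]])
        while queue:
            path = queue.popleft()
            node = graph[path[-1]]
            if node.kind == "storage" and node.sensitive_data:
                paths.append(path)
                continue
            for nxt in node.edges:
                if nxt not in path:          # no cycles
                    queue.append(path + [nxt])
    return paths


def score_path(graph: dict[str, Asset], path: list[str]) -> int:
    """Higher is more urgent: entry-point severity dominates, shorter chains win ties."""
    return graph[path[0]].max_vuln_severity * 10 - len(path)


def prioritized_paths(graph: dict[str, Asset]) -> list[list[str]]:
    return sorted(find_attack_paths(graph),
                  key=lambda p: score_path(graph, p), reverse=True)


def remediation_for(graph: dict[str, Asset], path: list[str]) -> list[str]:
    """Steps that break the chain at each hop; the first one is usually the cheapest fix."""
    steps = []
    entry = graph[path[0]]
    steps.append(f"patch {entry.name} (max vulnerability severity {entry.max_vuln_severity})")
    steps.append(f"remove internet exposure from {entry.name} or front it with a firewall")
    for hop in path[1:-1]:
        if graph[hop].kind == "identity":
            steps.append(f"review data-plane role assignments of {hop} on {path[-1]}")
    steps.append(f"restrict network access to {path[-1]} (private endpoint / firewall)")
    return steps


if __name__ == "__main__":
    g = build_sample_graph()
    for p in prioritized_paths(g):
        print(f"score {score_path(g, p):>3}: " + " -> ".join(p))
        for step in remediation_for(g, p):
            print("    fix:", step)
```

The web path ranks first (severity 3, three hops) ahead of the jump-host path (severity 1, four hops), which is the kind of ordering that keeps an administrator from spending the afternoon on the least dangerous finding.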
Stay secure – detect and respond to storage threats
Beyond helping storage accounts start secure by managing posture and reducing risk, keeping them secure requires continuous monitoring for threats and prevention of malware in cloud storage.
This is where we need to introduce the idea of the control plane and data plane of cloud storage.
- The control plane governs management operations like creating or deleting storage accounts, setting access policies, and configuring diagnostics—typically via ARM endpoints.
- The data plane, on the other hand, handles the actual read/write operations on blobs, files, and queues—often using SAS tokens or access keys. This is where the majority of Azure Storage traffic flows, and it’s also where many traditional security tools fall short.
While most storage security solutions on the market focus on control plane activities like blob creation or deletion, the data plane—where over 67% of Azure Storage traffic happens—handles most operations and often goes unmonitored. Attackers can access the data plane directly with keys or tokens, which many security teams overlook.
Defender for Cloud addresses this by analyzing data plane logs and alerting on suspicious activity, such as token leaks, lateral movement, or insider threats. Additionally, Defender for Cloud offers ongoing monitoring and sensitive data discovery to detect and prevent breaches involving unauthorized access, exfiltration, or corruption of information in Azure Blob Storage. All of these threat insights are directly available for investigation in the Defender XDR portal.
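The following is an added example, not Defender for Cloud’s detection logic, of what monitoring the data plane rather than the control plane looks like in practice. It runs three simple rules over constructed log records that mimic rows of the StorageBlobLogs resource-log table (the column names TimeGenerated, OperationName, AuthenticationType, CallerIpAddress, Uri, StatusCode and RequesterObjectId are an assumption from memory, not taken from this page): a burst of SAS or account-key reads from an IP outside a known allow-list (a leaked credential being used for exfiltration), any successful anonymous request (data reachable with no credential at all), and a burst of deletes (destructive activity). The log lines, IP addresses and allow-list are all constructed.

```python
"""Detection rules over constructed Azure Storage data-plane log records (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allow-list of corporate egress IPs; anything else counts as unknown.
KNOWN_IPS = {"203.0.113.10"}

# Constructed sample rows; field names assumed to follow the StorageBlobLogs table.
SAMPLE_LOGS = [
    # A normal Entra ID (OAuth) read from a known IP.
    {"TimeGenerated": "2025-07-17T10:00:00Z", "OperationName": "GetBlob",
     "AuthenticationType": "OAuth", "CallerIpAddress": "203.0.113.10",
     "Uri": "https://stgtraining.blob.core.windows.net/datasets/a.parquet",
     "StatusCode": 200, "RequesterObjectId": "user-1"},
    # Twelve SAS reads from an unknown IP inside one minute: leaked token / exfiltration.
    *[{"TimeGenerated": f"2025-07-17T10:05:{s:02d}Z", "OperationName": "GetBlob",
       "AuthenticationType": "SAS", "CallerIpAddress": "198.51.100.77",
       "Uri": f"https://stgtraining.blob.core.windows.net/datasets/part-{s}.parquet",
       "StatusCode": 200, "RequesterObjectId": ""} for s in range(0, 60, 5)],
    # A successful anonymous read: the container is publicly readable.
    {"TimeGenerated": "2025-07-17T10:07:00Z", "OperationName": "GetBlob",
     "AuthenticationType": "Anonymous", "CallerIpAddress": "192.0.2.5",
     "Uri": "https://stgtraining.blob.core.windows.net/public/readme.txt",
     "StatusCode": 200, "RequesterObjectId": ""},
    # Ten deletes with the account key in forty seconds: possible destructive activity.
    *[{"TimeGenerated": f"2025-07-17T10:09:{s:02d}Z", "OperationName": "DeleteBlob",
       "AuthenticationType": "AccountKey", "CallerIpAddress": "198.51.100.77",
       "Uri": f"https://stgtraining.blob.core.windows.net/datasets/part-{s}.parquet",
       "StatusCode": 202, "RequesterObjectId": ""} for s in range(0, 40, 4)],
]


def _ts(rec: dict) -> datetime:
    # fromisoformat() does not accept a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))


def _ok(rec: dict) -> bool:
    return 200 <= int(rec["StatusCode"]) < 300


def _bursts(records: list[dict], op: str, min_count: int, window: timedelta) -> dict[str, int]:
    """Per caller IP, the largest number of successful `op` calls inside any `window`."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for r in records:
        if r["OperationName"] == op and _ok(r):
            by_ip[r["CallerIpAddress"]].append(_ts(r))
    hits: dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_count:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect(records: list[dict], known_ips: set[str] = KNOWN_IPS) -> list[tuple]:
    """Return (rule, caller, detail) tuples for every rule that fires."""
    alerts: list[tuple] = []
    # Rule 1: credential-based read burst from an IP we do not recognise.
    cred = [r for r in records if r["AuthenticationType"] in ("SAS", "AccountKey")]
    for ip, n in _bursts(cred, "GetBlob", 10, timedelta(minutes=5)).items():
        if ip not in known_ips:
            alerts.append(("possible_exfiltration", ip, n))
    # Rule 2: any successful anonymous request means data needs no credential at all.
    for r in records:
        if r["AuthenticationType"] == "Anonymous" and _ok(r):
            alerts.append(("anonymous_access", r["CallerIpAddress"], r["Uri"]))
    # Rule 3: mass deletion from a single caller.
    for ip, n in _bursts(records, "DeleteBlob", 5, timedelta(minutes=5)).items():
        alerts.append(("mass_deletion", ip, n))
    return alerts


if __name__ == "__main__":
    for rule, caller, detail in detect(SAMPLE_LOGS):
        print(f"{rule:<22} caller={caller} detail={detail}")
```

Note that none of the three findings is visible from control-plane (ARM) activity: no storage account was created, deleted or reconfigured, which is exactly the blind spot the paragraph above describes.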
Keeping storage accounts malware free
As discussed above, “stay secure” has two aspects: threat detection and response, and malware protection. Malware Scanning allows organizations to detect and prevent polymorphic and metamorphic malware distribution events by scanning content upon upload or on demand, using Microsoft Defender Antivirus technologies.
If a malicious file is found, access to the file can be blocked and the scan result will automatically trigger a security alert in Defender for Cloud.
Common use cases for storage security:
Based on the features above, let’s look at common industry use cases for storage security.
1. Protect sensitive data in AI applications
Industries: Generative AI platforms, customer service providers
Personas: AI architects, infrastructure admins
Pain points:
- Growing threat landscape targeting sensitive data
- Over-permissive access configurations
- Difficulty identifying high-priority assets to monitor
Solution:
Defender for Cloud helps organizations secure storage accounts holding sensitive data by providing robust posture management. It continuously assesses configurations, highlights risks, and enables teams to prioritize critical storage resources. When integrated with Microsoft Defender XDR, it extends protection with threat detection and response capabilities—alerting security operations teams to malware presence and enabling rapid investigation and remediation.
2. Prevent malware from spreading through file uploads
Industries: Customer service, healthcare, data-driven applications with file upload pipelines
Personas: SOC analysts, infrastructure admins, security admins
Pain points:
- Risk of malware in customer-uploaded files
- Compliance pressure and industry mandates for data hygiene
- Slow or manual malware detection and response processes
Solution:
Defender for Cloud’s malware scanning proactively detects malicious content in uploaded files before it can spread across systems. Using fast, sampling-based scanning, security teams receive results quickly—helping them reduce time to remediation and automate responses. This improves compliance readiness and strengthens overall data hygiene for customer-facing environments.
Learn more about Defender for Cloud storage security:
Microsoft Defender for Cloud | Microsoft Security
Start a free Azure trial.
Read more about Microsoft Defender for Cloud Storage Security here.