Status: OUT
Azure Storage provides defense-in-depth with automatic encryption at rest (optionally customer-managed keys via Key Vault) and firewall rules that block all requests by default until exceptions are explicitly added — unless the workload relies on Resource Manager locks for data protection, since locks prevent account deletion but do not prevent data deletion within the account, leaving a gap between perceived and actual protection.