Encryption is the foundation on which security is built, and it needs to be present when data is at rest, in use, and in motion.
Microsoft Azure covers the major areas of encryption including:
- encryption at rest
- encryption in transit
- in use via key management with Azure Key Vault
Encryption at Rest
Microsoft Azure offers a range of data storage solutions, depending on your organisation’s needs, including file, disk, blob, and table storage. Data at rest is any stored data that is kept in persistent storage on physical media in any digital format and can include data backups, archived data and files on optical or magnetic media. Data encryption at rest is also available for services across the software as a Service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
Types of Data Encryption Models
There are a variety of encryption models available including:
- Server-side encryption that uses service-managed keys
- Customer-managed keys in Key Vault
- Customer-managed keys on customer-controlled hardware
This is performed outside of Azure. The cloud service providers so not have access to the encryption keys and cannot decrypt your data. Your organisation keeps control of your decryption keys.
There are three different server-side encryption models which offer different key management services. First, service-managed keys which is a low overheads option. Customer managed keys gives your organisation control over your keys, allows you to generate new keys and include Bring Your Own Keys (BYOK) support. Finally, there are service-managed keys in customer-controlled hardware. With this option, you manage your keys in a repository outside of Microsoft’s control, which is a Host Your Own Key (HYOK) feature. However, many Azure services don’t support this model.
Azure Disk Encryption
Azure disk encryption can be used to protect both operating systems and data disks on Windows and Linux virtual machines. Encryption keys are kept in your Azure Key Vault. Also, if you’re using the Azure Backup service, it’s possible to back up and restore encrypted virtual machines that use Key Encryption Key configuration (KEK).
Azure Storage Service Encryption
Data which is stored in blob storage and file shares can be encrypted while at rest using both server-side and client-side scenarios.
Data can be automatically encrypted before it is stored and automatically decrypted when you retrieve it using Azure Storage Service Encryption (SSE). SSE used 256-bit Advanced Encryption Standard (AES) encryption.
Client-Side Encryption of Blobs
One way of achieving this is by using the Azure Storage Client Library for NET NuGet package to encrypt data before you upload it to your Azure storage. If you use client-side encryption with Key Vault, then your data is encrypted using a one-time symmetric Content Encryption Key (CEK). This key is generated by the Azure Storage client. The CEK is encrypted using a Key Encryption Key (KEK). It can be managed locally or be stored in a Key Vault.
Encryption of Data at Rest With Azure SQL Database
This is a general purpose relational database that supports relational data, JSON, spatial and XML. SQL Database supports both server-side encryption via the Transparent Data Encryption (TDE) feature and client-side encryption via the Always Encrypted feature.
Transparent Data Encryption (TDE)
This is used to encrypt SQL Server, Azure SQL Database and Azure SQL Data Warehouse data files. It uses a Database Encryption Key (DEK) which is stored in the database’s boot record. Encryption is carried out at the page level and the pages are encrypted before they’re written to file and are decrypted when they’re read into memory. TDE is enabled by default on newly created Azure SQL databases.
This feature enables you to encrypt data within client applications before you store it in an Azure SQL Database. You can also separate those who own and can view the data from those who manage the data, but should not have access to the data itself.
At-Rest Encryption in Data Lake
Azure Data Lake is where every type of data is collected before it is organised. Data Lake supports encryption of data at rest, which you can set up when creating your account. Azure Data Lake Store manages the keys, which is the default setting, but you can also manage them yourself.
Encryption of Data in Transit
There are a number of ways of encrypting data as it moves from one place to another. First, when data is travelling between cloud services and customers, it is protected using Transport Layer Security (TLS). Perfect Forward Secrecy (PFS) protects the connections between customers’ client systems and Microsoft cloud services by using unique keys which makes it difficult to access data while it’s in transit.
Azure Storage Transactions
All interactions with Azure Storage through the Azure portal take place over HTTPS. Another option is to use the Storage REST API over HTTPS. You can ensure that HTTPS is used when REST APTs access objects in storage accounts by enabling the secure transfer that’s required for the storage account. Shared Access Signatures (SAS) include an option to specify that only the HTTPS protocol can be used when you use SAS. Client-side encryption encrypts the data before it’s sent to your Azure Storage instance, so that it’s encrypted as it travels across the network.
SMB Encryption Over Azure Virtual Networks
Virtual Machines which are running Windows Server 2012 or later can use SMB 3.0 to encrypt data in transit over Azure Virtual Networks. SMB can be enabled for the entire server or just specific parts of it.
In-Transit Encryption in VMs
Data that is passing to, from or between VNs that are running Windows can be encrypted in a number of ways. Which way you can use will depend on the nature of the connection. Remote Desktop Protocol sessions you can connect and sign into a VM by using a Remote Desktop Protocol (RDP). Data in transit in RDP sessions can be protected using TLS.
Secure Access to Linux VMS With SSH
Secure Shell (SSH) is an encrypted connection protocol which allows secure sign-ins over unsecured connections. You can use SSH to connect to Linux VMs hosted in Azure.
Azure VPN Encryption
You can connect to Azure through a virtual private network that creates a secure tunnel to protect the privacy of the data being sent across the network.
Azure VPN Gateways
You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises location across a public connection, or to send traffic between virtual networks.
Individual computers can access an Azure virtual network using point-to-site VPNs. The Secure Socket Tunneling Protocol (SSTP) is used to create the VPN tunnel which appears as an HTTPS connection.
Your on-site premises can be connected to an Azure virtual network using a site-to-site VPN gateway connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. However, this type of connection needs an on-site VPN device that has a public IP address assigned to it.
Key Management With Key Vault
If keys are not properly stored and managed, then encryption is made pointless. Key Vault is how keys can be managed and securely stored. Access permissions to Key Vault can be assigned using Azure Active Directory accounts.
- 9th November, 2018: Version 1