Data encryption in Azure

One of the areas related to the improvement of Security Posture of the corporate information system is certainly encryption, through the adoption of specific techniques, that makes the data readable only to those who have the solution to decrypt it. This article provides an overview of how encryption is used in Azure and provides references to further studies.

To protect your data in the cloud, you must first consider the possible states in which the data can be located and evaluate the related controls that can be implemented. Best practices for data security and encryption, particularly in Azure, concern the following states:

  • At rest: includes all information that statically resides on physical storage media, both magnetic and optical.
  • In transit: when data is transferred between components, locations or services, are defined in transit. For example,, transferring data across the network, service bus or during processes of input / output.

Encryption at Rest

Encryption at Rest is a highly recommended technique and is a priority requirement for many organizations to comply with data governance and compliance policies. Different industry-specific and government-specific regulations, require the presence of data protection and encryption measures. Encryption at Rest encrypts the data when it is persistent and is used, in addition to meeting compliance and regulatory requirements, also to have a high level of protection for data. The Azure platform natively involves the adoption of advanced physical security mechanisms, data access control and auditing. However, It is important to take overlapping security measures to deal with potential bankruptcies, and encryption at Rest is a great way to ensure confidentiality, compliance and data sovereignty.

Server-Side Data Encryption Models

Server-side data encryption models refer to encryption performed by Azure services. In this model, it is the Azure Resource Provider that performs encryption and decryption. There are several Encryption at Rest templates at Server Side available in Azure, each of which has different characteristics in key management, these can be applied to different Azure resources:

  • Server-Side Encryption using Service-Managed Keys. In this scenario, the encryption keys are managed by Microsoft and proves to be a good combination of control and convenience.
  • Server-side encryption using customer-managed keys in Azure Key Vault. In this mode, the encryption keys are controlled by the customer through Azure Key Vault, and includes support for using your keys (BYOK).
  • Server-side encryption that uses customer-managed keys on customer-controlled hardware. This methodology allows the customer to check the keys that reside on a repository controlled by the customer, outside of Microsoft's control. This feature is called Host Your Own Key (HYOK). However, configuration is articulated and most Azure services do not support this model at this time.

Figure 1 – Server-side encryption model

Client-side data encryption models

The client-side data encryption model refers to encryption performed outside Azure and is performed directly by the calling service or application. When you use this encryption model, the Resource Provider in Azure receives encrypted data without the ability to decrypt it or access the encryption keys. In this model, key management is performed by the calling service or application and is obscure for the Azure service.

Figure 2 – Client-side encryption model

Encryption at Rest for top Azure services

Azure Storage

Azure Storage provides on automatically encrypts the data when they are made persistent in the cloud environment. In fact, all Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server side encryption of data at rest and some of them also support encryption client-side of data and encryption keys managed by the customer.

  • Server-side: all default Azure storage services have enabled by default the server-side encryption using keys managed by the service. For Azure Blob storage and Azure Files is also supported using encryption keys managed by the customer in Azure Key Vault. The technology used is called Azure Storage Service Encryption, in automatically able to encrypt the data before being stored and decode them when they are accessed. This process is completely transparent to the user and involves the use of AES encryption 256 bit, one of the most powerful block ciphers currently available. Azure Storage encryption is similar to BitLocker encryption in a Windows environment. Azure Storage encryption is enabled by default for all new storage accounts and cannot be disabled. Storage accounts are encrypted regardless of performance level (standard or premium) or from the deployment model (Azure Resource Manager or classic). All redundancy options provided for storage accounts support encryption and all copies of a storage account are always encrypted. Encryption does not affect the performance of storage accounts and there is no additional cost.
  • Client-side: this encryption is currently supported by Azure Blobs, Tables, and Queues. When used the data is encrypted by the customer managing their keys and is uploaded as an encrypted blob.

Virtual Machines

All Managed Disks, Snapshots and virtual machine images in Azure are encrypted using Storage Service Encryption via keys managed by the service. When processing data on a virtual machine, data can be kept in the Windows paging file or in the Linux swap file, in a crash dump or an application log. Therefore, to obtain a solution of Encryption at Rest more complete on IaaS virtual machines and virtual disks, which ensures that data is never kept in an unencrypted form, you need to use Azure Disk Encryption . This feature helps you protect Windows virtual machines, using the technology Windows BitLocker, and Linux virtual machines through DM-Crypt. Relying on Azure Disk Encryption you get a full protection of the operating system disks and data volumes. The Encryption keys and the secrets are protected within their own Azure Key Vault. Encrypted virtual machine protection is supported by the Azure Backup service. For more information about Azure Disk Encryption you can see the Microsoft's official documentation.

Azure SQL Database

Azure SQL Database currently supports encryption at rest in the following ways:

  • Server-side: server-side encryption is guaranteed through a SQL feature named Transparent Data Encryption (TDE) and it can be activated either at the database server level. Starting in June 2017 this feature is on by default for all new database. TDE protects SQL data and log files, using AES encryption algorithms and Triple Data Encryption Standard (3DES). Database files are encrypted at the page level, they are encrypted before being written to disk and de-encrypted when read into memory.
  • Client-side: client-side encryption of data to SQL Azure Database is supported through the functionality Always Encrypted, that uses keys that are generated and stored on the client side. By adopting this technology it is possible to encrypt data within the client applications before storing in the Azure SQL database.

As with Azure Storage and Azure SQL Database, also for many other Azure services (Azure Cosmos DB, Azure Data Lake, etc.) the data encryption at rest occurs by default, but for other services it can be optionally activated.

Encryption in Transit in Azure

The protection of data in transit must be an essential element to be considered in your data protection strategy. It is generally recommended to protect the movement and exchange of data always using SSL protocols / TLS. Under certain circumstances, it may be appropriate to isolate the entire channel of communication between the on-premises environment and the cloud using a VPN. Microsoft uses the TLS protocol (Transport Layer Security) to protect data when traveling between cloud services and customers. In fact, a TLS connection is negotiated between the Microsoft datacenter and client systems that connect to the Azure Services. The TLS protocol provides strong authentication, privacy and message integrity (allows detection of tampering, interception and message forgery).

Conclusions

The issue of protection through encryption of the data stored in Azure environment is seen as very important for those who decide to rely on the services in the cloud. Knowing that all Azure services provide encryption at rest options and that basic services encryption is enabled by default, is certainly very comforting. Some services also support the control of the encryption keys from the customer and the client side encryption to provide a greater level of control and flexibility. Microsoft is constantly improving its services to ensure greater control of the encryption at rest options and aims to enable encryption at rest as the default for all customer data.