
How Does Azure Encrypt Data?

In on-premises environments, data security is typically a siloed activity, with a company’s security team telling the internal technology groups (server administration, database, networking, and so on) what needs to be protected against intrusion.

This approach is a poor fit for cloud platforms such as Microsoft Azure. Security is everyone’s job and should be one of the key elements of every cloud solution design, so it’s vital that everyone involved is aware of the best practices and platform capabilities.

Fortunately, an abundance of tools, methods, and information is available to help with securely deploying cloud applications and the virtual networks supporting them. In this post, we’ll take a brief tour of Azure’s encryption techniques, their usage, and the available customizations, focused on three important areas:

  • How Azure Encrypts Data at Rest
  • How Azure Encrypts Data in Flight
  • Azure Key Management

Azure Encryption of Data at Rest

Encryption of data at rest protects stored information from unwanted access. For example, at-rest encryption could protect the contents of your hard drive if it were lost or stolen.

This is a high-level overview of the encryption workflow for data written to and retrieved from Azure Blob storage:

By default, data written to Azure Blob storage is encrypted when placed on disk and decrypted when accessed. This is done by Azure Storage Service Encryption, working with Azure Key Vault and Azure Active Directory, which together provide secure, centrally managed keys and role-based access control (RBAC).

Azure also provides encryption for data at rest for files stored in its database platforms such as Azure SQL. Using transparent data encryption, the contents of a database can be encrypted and decrypted through the use of symmetric keys (essentially, a shared secret) managed by Azure Key Vault (encryption at rest is the default for Azure Cosmos DB):

Virtual machines aren’t left out of Azure’s data-at-rest encryption capabilities if you use managed disks (Azure Key Vault managed encryption is enabled by default on managed disks). Check out the managed disk FAQ for more detailed information.

Azure Encryption of Data In-flight

Data in flight (for example, data transfers over the open internet to cloud storage, web sessions, and other types of data movement) must be protected against eavesdropping, interception, and tampering. All sessions with Azure services and data centers are secured using the Transport Layer Security (TLS) cryptographic protocol with Forward Secrecy (also known as Perfect Forward Secrecy or PFS), a property of the key agreement protocol:


The TLS Wikipedia article summarizes its critical features:

– The [TLS encrypted] connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session.

– The identity of the communicating parties can be authenticated using public-key cryptography.

– The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.
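The second and third features above (per-connection keys derived from a negotiated shared secret, and a message authentication code on every record) can be shown in a few dozen lines of standard-library Python. The block below is an added example written for this post, not code from the original article or from Microsoft: it derives separate per-connection MAC keys with HKDF (RFC 5869, built from HMAC-SHA256) and then tags and verifies records. The shared secret and the two random nonces are constructed inputs standing in for the values a real TLS handshake would negotiate, and the `info` label and the record layout are this example's own choices. It deliberately covers only the integrity half of TLS record protection: the confidentiality half needs a cipher that the Python standard library does not provide, and in practice both come from your TLS stack, never from hand-written code.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(shared_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Both peers compute the same per-connection keys from the negotiated secret
    and the two handshake nonces. A new connection has new nonces, so it gets new
    keys even if the same long-term credentials were involved."""
    key_material = hkdf_sha256(
        shared_secret,
        salt=client_random + server_random,
        info=b"example record mac keys",  # hypothetical label for this example
        length=2 * TAG_LEN,
    )
    return {"client_write": key_material[:TAG_LEN], "server_write": key_material[TAG_LEN:]}


def protect(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Append a MAC over the implicit sequence number and the payload. As in TLS the
    sequence number is not sent on the wire, but binding it into the tag means a
    replayed or reordered record fails verification at the receiver."""
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag


def verify(mac_key: bytes, seq: int, record: bytes):
    """Return the payload if the tag is valid for this sequence number, else None."""
    if len(record) < TAG_LEN:
        return None
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def fresh_connection(shared_secret: bytes) -> dict:
    """Simulate the nonces a handshake would exchange and derive the keys for it."""
    return derive_session_keys(shared_secret, secrets.token_bytes(32), secrets.token_bytes(32))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed stand-in for the negotiated secret
    a, b = fresh_connection(secret), fresh_connection(secret)
    print("two connections, same secret, different keys:", a["client_write"] != b["client_write"])
    rec = protect(a["client_write"], 0, b"GET /blob HTTP/1.1")
    print("intact record verifies:", verify(a["client_write"], 0, rec) is not None)
    tampered = bytes([rec[0] ^ 0x01]) + rec[1:]
    print("altered record rejected:", verify(a["client_write"], 0, tampered) is None)
    print("replayed record rejected:", verify(a["client_write"], 1, rec) is None)
```

The `seq` parameter is what turns a bare MAC into a record-level integrity check: without it an attacker could replay an old, correctly tagged record, and the receiver would have no way to notice.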

Perfect Forward Secrecy (PFS) is a fascinating methodology used by Microsoft to further ensure the security of communication with cloud services. Turning again to the Wikipedia article on PFS, it

“…is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords. By generating a unique session key for every session a user initiates, even the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.”
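Forward secrecy is a property of the key exchange, so on the client side it is enforced by refusing cipher suites whose key exchange is not ephemeral. The block below is an added example, not code from the original article or from Microsoft, showing how to build such a client `SSLContext` with Python's standard `ssl` module and how to audit what the context will actually negotiate. It assumes Python 3.7 or later on top of OpenSSL 1.1.1 or later; the key-exchange labels (`kx-ecdhe`, `kx-dhe`, `kx-any`) are the names OpenSSL reports through `SSLContext.get_ciphers()`, and `kx-any` is what it reports for TLS 1.3 suites, whose key exchange is always ephemeral.

```python
import ssl

# Key-exchange labels reported by SSLContext.get_ciphers() that use ephemeral
# (per-session) key agreement and therefore provide forward secrecy. Static RSA
# key transport shows up as "kx-rsa": a later compromise of the server's private
# key would expose every recorded session that used it.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def forward_secret_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate, refuses anything below
    TLS 1.2, and only offers TLS 1.2 suites with ephemeral key exchange and AEAD
    ciphers. TLS 1.3 suites are configured separately by OpenSSL and are already
    forward secret, so they are left at their defaults."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would still offer that lack forward secrecy.
    An empty list is the desired audit result."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KX]


def cipher_report(ctx: ssl.SSLContext) -> list:
    """(protocol, name, key exchange, aead) for every suite the context offers."""
    return [(c["protocol"], c["name"], c["kea"], bool(c["aead"])) for c in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = forward_secret_client_context()
    for protocol, name, kx, aead in cipher_report(ctx):
        print(f"{protocol:8} {name:32} {kx:10} aead={aead}")
    leftovers = non_forward_secret_ciphers(ctx)
    print("suites without forward secrecy:", leftovers or "none")
```

To use the context for a real connection, pass it to `ctx.wrap_socket(sock, server_hostname=host)` or to `urllib.request.urlopen(url, context=ctx)`; after the handshake, `conn.cipher()` returns the negotiated suite, which is the value to log if you need evidence of what the session actually used.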

Secure Communication with Azure Virtual Networks Using VPN

Azure supports the creation of encrypted Virtual Private Network (VPN) tunnels with Azure virtual networks. The two available methods are point-to-site VPN, which connects an individual client machine to a virtual network, and site-to-site VPN, which connects a site to Azure using an on-premises VPN device connected to an Azure VPN Gateway:

Secure Communication with Azure Virtual Machines

When securely communicating with virtual machines in Azure virtual networks, you use two methods:

By now you’ve probably noticed the repeated mention of Azure Key Vault as the recommended, central source for key storage, generation, logging, and management. Microsoft describes the Key Vault offering:

“Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) using keys protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you choose to do this, Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).”

The graphic below illustrates the benefits and use cases of Azure Key Vault:


Azure Key Vault provides you with a platform-native, feature-rich toolkit for deploying, storing, and tracking usage of the keys you’ll use to secure the applications you build. Although experienced enterprise IT organizations moving to Azure may be tempted to build their own systems for key management (duplicating what’s been done on-premises), Key Vault should always be considered first as the preferred solution.

Well, that brings our brief tour of Azure’s encryption techniques to an end. For more information, and to get started using Azure Key Vault, check out the following resources:

I also recommend the following content from Cloud Academy to learn how to work with and apply Azure Key Vault for your deployments:

  • Hands-on Lab: Azure Key Vault and Disk Encryption: Work in the Azure console to use the Azure Key Vault service to store keys and secrets used to encrypt an Azure Virtual Machine.
  • Learning Path: Azure Services for Security Engineers: Apply Key Vault and other Azure security features and services to enable strong security practices and to protect and secure your own cloud applications.

Happy learning and good luck on your cloud journey!

Written by

I'm a technologist. I know that sounds a bit general (like saying you love people or enjoy sunshine) but it's true. I started my career in the hectic world of client/server based infrastructures when that was shiny and new. Little did we know, as we laughed at the mainframe monks, that we were building an equally massive monolith made from servers and siloed applications. The cloud era is breathing new life into IT and I'm excited to be here, at the beginning, yet again.
