How Does Azure Encrypt Data?

In on-premises environments, data security is typically a siloed activity, with a company’s security team telling the internal technology groups (server administration, database, networking, and so on) what needs to be protected against intrusion.

This siloed approach is a bad idea for cloud platforms such as Microsoft Azure. Security is everyone’s job and should be one of the key elements of every cloud solution design, so it’s vital that everyone involved knows the best practices and the platform’s capabilities.

Fortunately, there is an abundance of tools, methods, and information available to help with securely deploying cloud applications and the virtual networks that support them. In this post, we’ll take a brief tour of Azure’s encryption techniques, their usage, and the available customizations, focused on three important areas:

  • How Azure Encrypts Data at Rest
  • How Azure Encrypts Data in Flight
  • Azure Key Management

Azure Encryption of Data at Rest

Encryption of data at rest protects stored information from unwanted access. For example, at-rest encryption could protect the contents of your hard drive if it were lost or stolen.

This is a high-level overview of the encryption workflow for data written to and retrieved from Azure Blob storage:

[Figure: high-level overview of the encryption workflow for data written to and retrieved from Azure Blob storage]

By default, data written to Azure Blob storage is encrypted when placed on disk and decrypted when accessed, using Azure Storage Service Encryption together with Azure Key Vault and Azure Active Directory (which provide secure, centrally managed keys and role-based access control, or RBAC).

Azure also provides encryption of data at rest for its database platforms such as Azure SQL. With transparent data encryption, the contents of a database are encrypted and decrypted using symmetric keys (essentially, a shared secret) managed by Azure Key Vault (encryption at rest is the default for Azure Cosmos DB):

[Figure: Encryption/Decryption]

Virtual machines aren’t left out of Azure’s data-at-rest encryption capabilities if you use managed disks (Azure Key Vault managed encryption is enabled by default on managed disks). Check out the managed disk FAQ for more detailed information.
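The storage and database encryption described above follow the same envelope pattern: each piece of data is encrypted with its own symmetric data-encryption key (DEK), and only that DEK is encrypted ("wrapped") by a key-encryption key (KEK) that never leaves the key store. The following Go program is an added example, not Azure’s implementation or SDK code; the `KeyVault` type is a hypothetical in-memory stand-in for Azure Key Vault (which offers wrapKey/unwrapKey operations on HSM-protected keys), and `Record`, `Encrypt`, `Decrypt` and `Rewrap` are names chosen for the demonstration. It shows why rotating the KEK is cheap under this design: only the small wrapped DEK is rewritten, the bulk ciphertext is untouched, and AES-GCM’s authentication tag rejects any modification of stored data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM over key; only a bad key length can fail, which would be
// a programming error here since every key comes from randomBytes(32).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// sealGCM encrypts with a fresh random nonce and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openGCM reverses sealGCM; a modified blob or the wrong key fails the tag check.
func openGCM(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyVault is a hypothetical in-memory stand-in for Azure Key Vault (not the
// Azure SDK). It holds key-encryption keys (KEKs) by version, starting at 1, and
// exposes only Wrap and Unwrap, never the KEK bytes. Call Rotate once first.
type KeyVault struct{ keks [][]byte }

// Rotate creates a new KEK version; older versions stay usable for Unwrap.
func (v *KeyVault) Rotate() int {
	v.keks = append(v.keks, randomBytes(32))
	return len(v.keks)
}

// Wrap encrypts a data-encryption key (DEK) under the newest KEK.
func (v *KeyVault) Wrap(dek []byte) (int, []byte) {
	ver := len(v.keks)
	return ver, sealGCM(v.keks[ver-1], dek)
}

// Unwrap recovers a DEK with whichever KEK version wrapped it.
func (v *KeyVault) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(v.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return openGCM(v.keks[version-1], wrapped)
}

// Record is what gets persisted: ciphertext, the wrapped DEK and the KEK version
// needed to unwrap it. No plaintext key is ever stored next to the data.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt uses a fresh DEK per record and wraps it under the newest KEK.
func Encrypt(v *KeyVault, plaintext []byte) *Record {
	dek := randomBytes(32)
	ver, wrapped := v.Wrap(dek)
	return &Record{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: sealGCM(dek, plaintext)}
}

// Decrypt unwraps the DEK through the vault and opens the ciphertext.
func Decrypt(v *KeyVault, r *Record) ([]byte, error) {
	dek, err := v.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, r.Ciphertext)
}

// Rewrap moves a record onto the newest KEK after a rotation: only the small
// wrapped DEK is rewritten; the bulk ciphertext is untouched.
func Rewrap(v *KeyVault, r *Record) error {
	dek, err := v.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = v.Wrap(dek)
	return nil
}
```

Create a vault with `v := &KeyVault{}`, call `v.Rotate()` once, then `Encrypt`/`Decrypt`; after a later `Rotate`, `Rewrap` moves an existing record to the new KEK without touching its ciphertext. The point of routing every wrap and unwrap through the vault is that application code only ever holds short-lived DEKs, so compromising a database file or disk image yields ciphertext plus wrapped keys that are useless without access to the key service.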

Azure Encryption of Data in Flight

Data in flight (for example, data transferred over the open internet to cloud storage, web sessions, and other kinds of data movement) must be protected against eavesdropping, interception, and tampering. All sessions with Azure services and data centers are secured with the Transport Layer Security (TLS) cryptographic protocol, using key agreement that provides Forward Secrecy (also known as Perfect Forward Secrecy or PFS):

[Figure: TLS protocol secure communication]

The TLS Wikipedia article summarizes its critical features:

– The [TLS encrypted] connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session.

– The identity of the communicating parties can be authenticated using public-key cryptography.

– The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.

Perfect Forward Secrecy (PFS) is a fascinating methodology used by Microsoft to further ensure the security of communication with cloud services. Turning again to the Wikipedia article on PFS, it

“…is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords. By generating a unique session key for every session a user initiates, even the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key.”
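To make the forward-secrecy property concrete at the protocol level, here is an added Go example (not from the original post and not Microsoft’s code). It configures a server that offers only ECDHE cipher suites for TLS 1.2 (every TLS 1.3 suite already uses ephemeral key exchange), performs a complete handshake in-process over `net.Pipe`, and checks the cipher suite the two sides actually negotiated. The self-signed `localhost` certificate and the names `isForwardSecret`, `forwardSecretSuiteIDs`, `selfSignedCert` and `NegotiatedSuite` are constructed for this demonstration; `isForwardSecret` can equally be applied to the `ConnectionState` of a real client connection to confirm that a service negotiated a forward-secret suite.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// isForwardSecret reports whether a negotiated suite used an ephemeral key exchange:
// every TLS 1.3 suite does; in TLS 1.2 only the (EC)DHE suites do, whereas static
// RSA key transport (TLS_RSA_WITH_...) exposes recorded traffic if the key leaks.
func isForwardSecret(version uint16, suiteName string) bool {
	return version >= tls.VersionTLS13 || strings.Contains(suiteName, "DHE")
}

// forwardSecretSuiteIDs lists the TLS 1.2 suites Go supports that use ECDHE.
func forwardSecretSuiteIDs() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		if isForwardSecret(tls.VersionTLS12, s.Name) {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

// selfSignedCert builds a throwaway "localhost" certificate (constructed for this demo).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// NegotiatedSuite runs a complete TLS handshake in-process over net.Pipe against a
// server offering only forward-secret suites; it returns the negotiated version and suite.
func NegotiatedSuite() (uint16, string, error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return 0, "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: forwardSecretSuiteIDs(), // TLS 1.2 only; ignored for TLS 1.3
		// net.Pipe is unbuffered: with no post-handshake ticket the server's first
		// flight ends at Finished, so neither side blocks on an unread write.
		SessionTicketsDisabled: true,
	}
	clientSide, serverSide := net.Pipe()
	defer clientSide.Close()
	defer serverSide.Close()
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(serverSide, serverCfg).Handshake() }()
	cli := tls.Client(clientSide, &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return 0, "", err
	}
	if err := <-serverErr; err != nil {
		return 0, "", err
	}
	st := cli.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	ver, suite, err := NegotiatedSuite()
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated %s, forward secret: %v\n", suite, isForwardSecret(ver, suite))
}
```

Running it prints the negotiated suite (TLS 1.3 with a current Go toolchain) and `forward secret: true`. The defensive takeaway is the server-side configuration: pinning `MinVersion` to TLS 1.2 and restricting `CipherSuites` to ECDHE removes the static-RSA suites, so a later disclosure of the server’s private key cannot be used to decrypt previously captured sessions.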

Secure Communication with Azure Virtual Networks Using VPN

Azure supports the creation of encrypted Virtual Private Network (VPN) tunnels to Azure virtual networks. The two available methods are point-to-site VPN, which connects an individual client machine to a virtual network, and site-to-site VPN, which connects an entire site to Azure using an on-premises VPN device connected to an Azure VPN Gateway:

[Figure: Point-to-site VPN / Site-to-site VPN]

Secure Communication with Azure Virtual Machines

When securely communicating with virtual machines in Azure virtual networks, you use two methods:

[Figure: the two methods for secure communication with virtual machines in Azure virtual networks]

By now you’ve probably noticed the repeated mention of Azure Key Vault as the recommended, central source for key storage, generation, logging, and management. Microsoft describes the Key Vault offering:

“Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) using keys protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you choose to do this, Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).”

The graphic below illustrates the benefits and use cases of Azure Key Vault:

[Figure: benefits and use cases of Azure Key Vault]

Azure Key Vault provides a platform-native, feature-rich toolkit for deploying, storing, and tracking usage of the keys you’ll use to secure the applications you build. Although experienced enterprise IT organizations moving to Azure may be tempted to build their own key-management systems (duplicating what they did on-premises), Key Vault should always be considered first as the preferred solution.

Well, that brings our brief tour of Azure’s encryption techniques to an end. For more information, and to get started using Azure Key Vault, check out the following resources:

I also recommend the following content from Cloud Academy to learn how to work with and apply Azure Key Vault for your deployments:

  • Hands-on Lab: Azure Key Vault and Disk Encryption: Work in the Azure console to use the Azure Key Vault service to store keys and secrets used to encrypt an Azure Virtual Machine.
  • Learning Path: Azure Services for Security Engineers: Apply Key Vault and other Azure security features and services to enable strong security practices and to protect and secure your own cloud applications.

Happy learning and good luck on your cloud journey!


Written by

Dwayne Monroe

I'm a technologist. I know that sounds a bit general (like saying you love people or enjoy sunshine) but it's true. I started my career in the hectic world of client/server based infrastructures when that was shiny and new. Little did we know, as we laughed at the mainframe monks, that we were building an equally massive monolith made from servers and siloed applications. The cloud era is breathing new life into IT and I'm excited to be here, at the beginning, yet again.
