Azure Encryption Explained
What is Azure Encryption?
Microsoft Azure provides comprehensive data protection capabilities, including multiple options for encrypting your data in the cloud.
Azure supports both client-side and server-side data encryption, with three models for key management—service-managed keys, customer-managed keys, and service-managed keys on customer-managed hardware. Azure encrypts data at rest by default across all storage services, and uses strong encryption for all communication within and between Azure resources and data centers.
In this article, you will learn:
Client-Side Data and Server-Side Data Encryption
Azure supports two main encryption models: client-side and server-side encryption.
Client-side encryption covers data that Azure receives already encrypted, or data that is encrypted within the customer's own application. Because Azure does not perform the encryption, the organization retains full control of the encryption keys and never grants Azure the ability to decrypt the data. The organization can still manage those keys using Azure Key Vault.
Server-side encryption comes in three models, each offering different key management options:
Service-managed keys—Azure manages the keys transparently to applications, while ensuring that data is always encrypted.
Customer-managed keys—gives the organization more control over keys, including the ability to generate new ones. This model also supports bring your own key (BYOK).
Service-managed keys using customer-controlled hardware—allows the organization to manage keys in its own repository, also known as "host your own key" (HYOK). Most Azure services do not support this model, and configuring it can be complex.
Azure Data Encryption at Rest
Azure uses symmetric encryption for data at rest: the same symmetric key encrypts data as it is written to storage and decrypts it when it is read back into memory for use. If you partition your data, you can use a different key for each partition.
Azure stores these keys in a secure location protected by identity-based access controls and audit policies. An Azure key-encryption key (KEK) encrypts the data-encryption keys; the KEK itself is kept in Azure Key Vault with limited access.
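The key hierarchy described in this section, and the client-side model above in which the customer encrypts before handing data to Azure, both follow the envelope pattern shown here. This is an added illustration in Go, not Azure's code: `Encrypt`, `Decrypt` and the use of the partition name as GCM associated data are my own choices, and a real deployment would keep the KEK in Key Vault and call its wrap/unwrap operation rather than holding the KEK bytes in process memory as this example does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// seal returns nonce||ciphertext under AES-GCM with a fresh random nonce. The
// aad (here the partition name) is authenticated, so a blob cannot be moved to
// another partition without failing decryption.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block) // only errs for a non-128-bit block; AES is fine
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modified byte or a different aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed blob too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh AES-256 data-encryption key (DEK) for the partition,
// encrypts the data under it and wraps the DEK under the key-encryption key
// (KEK). Only wrappedDEK and ciphertext are persisted; the KEK stays in Key Vault.
func Encrypt(kek []byte, partition string, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32) // 256-bit key, unique to this partition (constructed here)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil { return nil, nil, err }
	if ciphertext, err = seal(dek, plaintext, []byte(partition)); err != nil { return nil, nil, err }
	if wrappedDEK, err = seal(kek, dek, []byte(partition)); err != nil { return nil, nil, err }
	return wrappedDEK, ciphertext, nil
}

// Decrypt first unwraps the DEK with the KEK, then decrypts the data with the
// recovered DEK. A wrong KEK, a wrong partition label or tampering fails here.
func Decrypt(kek []byte, partition string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(partition))
	if err != nil { return nil, err }
	return open(dek, ciphertext, []byte(partition))
}
```

Rotating the KEK only requires re-wrapping each small DEK, not re-encrypting the stored data, which is the operational reason for the two-level hierarchy.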
There is also a dedicated encryption solution for Azure database services, known as Transparent Data Encryption for Azure SQL Database.
Encryption of Data in Transit
Azure provides several features for encrypting data in transit, either within the Azure cloud or between data centers.
Data-Link Layer Encryption in Azure
Azure applies the IEEE 802.1AE standard (MACsec) when moving customer traffic between data centers over links external to Azure. Packets are encrypted and decrypted on the network devices before they are sent to the other data center.
This encryption is performed by default for all traffic, both within and across regions. It is applied in the underlying network hardware without any action required by the customer and without added latency, and it prevents man-in-the-middle and wiretapping attacks.
TLS Encryption in Azure
To protect your data as it travels between the organization and Azure, you can also use Transport Layer Security (TLS). TLS provides authentication and ensures the privacy of communications, while detecting interception or forgery immediately. Other advantages include interoperability, the ability to select encryption algorithms, and easy deployment.
If you choose to use TLS, Microsoft datacenters will negotiate the TLS connection between your organization and Azure services.
You can also use TLS with Perfect Forward Secrecy (PFS) to connect organizational systems and Azure services using unique keys. PFS uses an RSA 2048-bit encryption key, making interception of in-transit data extremely difficult.
Azure Storage Service Encryption
Azure Storage automatically encrypts data before persisting it and decrypts it on retrieval. Encryption, decryption, and key management are fully transparent processes available for Azure Blob Storage and Azure Files. You can use either Microsoft-managed encryption keys or your own.
SMB Encryption Over Azure Virtual Networks
Network administrators can enable Server Message Block (SMB) encryption for either the entire server or specific shares. By default, only SMB 3.0 clients can access the encrypted shares. You can use SMB 3.0 on VMs running Windows Server 2012 or later.
Secure Access to Linux VMs with SSH
Secure Shell (SSH) eliminates the need for passwords when signing in over unsecured connections. It provides a secure connection protocol based on asymmetric public/private key pairs. Azure uses SSH as the default connection protocol for Linux-based VMs within its environment.
Encryption for Azure Storage
Azure employs FIPS 140-2-compliant 256-bit AES encryption to transparently encrypt and decrypt data in Azure Storage. It is enabled for all storage accounts—both Resource Manager and Classic—and cannot be disabled. As a result, there is no need to modify code or applications.
As with Windows BitLocker, the cipher is AES, an extremely strong cipher. All stored data is encrypted, whether it uses the Standard or Premium storage tier. Metadata, blobs, archive blobs, disks, files, queues, tables, and other Azure Storage resources are all encrypted, at no additional cost.
In addition, all Azure Storage redundancy options support encryption: when you enable geo-replication, data in both the primary and secondary regions is encrypted.
In this article, we covered several encryption options provided by the Microsoft Azure cloud:
Client-side encryption for clients accessing the Azure cloud
Server-side encryption for Azure-based services
Encrypting data in transit using data link layer encryption, SSL/TLS, SMB protocol encryption, and secure SSH access to compute instances
Built-in Azure Storage encryption for data at rest
I hope this will help you plan your security posture in the Azure cloud to better meet your organization's security and compliance requirements.