
Securing data at rest with Azure

If you have ever been through any kind of security audit, you will almost certainly have been asked: “Is your data secured at rest?” Securing your data at rest is one of the most fundamental things you can do to protect your data from potential threats.

Key Vault

Microsoft Azure Key Vault is a fundamental component used to help you secure your data at rest. Azure Key Vault provides you with the tools you need to create and manage your encryption keys.

For some services, Azure offers both the ability to use your own customer-managed keys through Azure Key Vault and the option of using Microsoft-managed keys. Whether to use your own managed keys or Microsoft-managed keys is an organisational decision, and it will likely be driven by compliance and internal process factors.
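The following is an added example using the Az PowerShell module; it is not code from the original article. It creates a Key Vault with the properties Azure requires before a vault can supply customer-managed keys to other services (soft delete and purge protection), generates an RSA key in it, and reports the settings that the SQL and Storage configuration later depends on. The resource group, region, vault name and key name are hypothetical placeholders.

```powershell
# Added example (not from the original article): create a Key Vault suitable for
# customer-managed keys and generate a key in it. Azure SQL and Azure Storage will
# only accept a CMK from a vault that has soft delete and purge protection enabled.
# All names below are hypothetical placeholders.
$rg        = 'rg-data-security'      # assumed resource group (must already exist)
$location  = 'australiaeast'         # assumed region
$vaultName = 'kv-data-at-rest-001'   # must be globally unique
$keyName   = 'cmk-data-at-rest'

# Connect-AzAccount                  # sign in first if not already authenticated

# Soft delete is on by default for new vaults; purge protection must be requested
# explicitly and cannot be turned off again once enabled.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnablePurgeProtection | Out-Null

# Create a software-protected RSA key that services will use to wrap their own
# data encryption keys. (-Destination HSM would create it in a hardware-backed
# Premium vault instead.)
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software

# Report the properties the downstream CMK configuration depends on.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
[pscustomobject]@{
    Vault           = $vault.VaultName
    SoftDelete      = $vault.EnableSoftDelete
    PurgeProtection = $vault.EnablePurgeProtection
    KeyId           = $key.Id        # versioned key identifier used by SQL and Storage
    KeyEnabled      = $key.Enabled
}
```

Keep a separate vault for encryption keys rather than sharing one with application secrets, and control who can delete or disable the key: with a customer-managed key, losing access to the key means losing access to the data that was encrypted under it.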


Securing SQL Server Data

Azure SQL databases can be encrypted at rest using Transparent Data Encryption (TDE). Microsoft Azure customers can choose to manage their own keys for TDE; by default, Microsoft generates a managed key for you.
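As an added example (not code from the original article), the Az PowerShell steps below switch an Azure SQL logical server's TDE protector to a customer-managed key in Key Vault, make sure TDE is enabled on a database, and then report the resulting state. The script assumes the vault and key from the Key Vault step already exist; the resource group, server and database names are hypothetical placeholders.

```powershell
# Added example (not from the original article): TDE with a customer-managed key.
# Assumes a Key Vault 'kv-data-at-rest-001' holding key 'cmk-data-at-rest' already
# exists. All resource names are hypothetical placeholders.
$rg         = 'rg-data-security'
$serverName = 'sql-data-at-rest-001'
$dbName     = 'sqldb-customers'
$vaultName  = 'kv-data-at-rest-001'
$keyName    = 'cmk-data-at-rest'

# 1. Give the logical server a system-assigned managed identity so it can reach the vault.
$server = Set-AzSqlServer -ResourceGroupName $rg -ServerName $serverName -AssignIdentity

# 2. Allow that identity to use the key for wrapping/unwrapping only (no export or delete).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $server.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 3. Register the key with the server and make it the TDE protector. The protector is a
#    server-level setting; it covers every database on the logical server.
$key = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $serverName -KeyId $key.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg `
    -ServerName $serverName -Type AzureKeyVault -KeyId $key.Id

# 4. TDE is on by default for new databases; enforce it explicitly for this one.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
    -ServerName $serverName -DatabaseName $dbName -State Enabled

# 5. Report what was applied. Encryption of existing pages runs as a background scan,
#    so a freshly enabled database can show State=Enabled with PercentComplete < 100.
$tde       = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
                 -ServerName $serverName -DatabaseName $dbName
$activity  = Get-AzSqlDatabaseTransparentDataEncryptionActivity -ResourceGroupName $rg `
                 -ServerName $serverName -DatabaseName $dbName
$protector = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg `
                 -ServerName $serverName
[pscustomobject]@{
    Database        = $dbName
    TdeState        = $tde.State
    ProtectorType   = $protector.Type      # 'AzureKeyVault' once step 3 has applied
    ProtectorKeyId  = $protector.KeyId
    ScanStatus      = $activity.Status
    PercentComplete = $activity.PercentComplete
}
```

Steps 1 to 3 are only needed for the customer-managed option; with Microsoft-managed keys, step 4 on its own is enough. Once the protector is a Key Vault key, revoking the server's access to that key (or deleting it) makes every database on the server inaccessible, so treat the vault's access policy and the key's lifecycle as part of the database's availability.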


Furthermore, Azure provides a client-side encryption feature called “Always Encrypted”. This feature allows a company to add another level of encryption to specific fields in its database which are deemed more sensitive than others and require an additional level of protection.
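The following is an added example (not code from the original article) showing how Always Encrypted is set up from PowerShell with the SqlServer module rather than the Az module: a column master key held in Azure Key Vault, a column encryption key wrapped by it, and two sensitive columns encrypted with that key. The connection string, table, column names and key path are hypothetical placeholders, and the script assumes the vault and key from the Key Vault step exist.

```powershell
# Added example (not from the original article): Always Encrypted on two columns, with
# the column master key kept in Azure Key Vault so the database engine never holds the
# key or the plaintext. Requires the SqlServer module (Install-Module SqlServer).
# Connection details, table and column names are hypothetical placeholders.
Import-Module SqlServer

$connectionString = 'Server=tcp:sql-data-at-rest-001.database.windows.net,1433;' +
                    'Database=sqldb-customers;Authentication=Active Directory Interactive;' +
                    'Encrypt=True;'
# Unversioned key URI of the Key Vault key that will act as the column master key.
$akvKeyPath = 'https://kv-data-at-rest-001.vault.azure.net/keys/cmk-data-at-rest'

# Authenticate to Azure so the Key Vault key store provider can wrap/unwrap the CEK.
Add-SqlAzureAuthenticationContext -Interactive

$database = Get-SqlDatabase -ConnectionString $connectionString

# 1. Column master key (CMK) metadata: the database only stores a pointer to the vault key.
$cmkSettings = New-SqlColumnMasterKeySettings -KeyStoreProviderName 'AZURE_KEY_VAULT' `
    -KeyPath $akvKeyPath
New-SqlColumnMasterKey -Name 'CMK_KeyVault' -InputObject $database `
    -ColumnMasterKeySettings $cmkSettings

# 2. Column encryption key (CEK): generated client-side and stored in the database
#    only in its CMK-wrapped form.
New-SqlColumnEncryptionKey -Name 'CEK_Customers' -InputObject $database `
    -ColumnMasterKey 'CMK_KeyVault'

# 3. Encrypt the sensitive columns. Deterministic permits equality lookups and joins on
#    the column; Randomized leaks less but allows no operations on the ciphertext.
$columnSettings = @(
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.NationalId' `
        -EncryptionType Deterministic -EncryptionKey 'CEK_Customers'
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Customers.DateOfBirth' `
        -EncryptionType Randomized -EncryptionKey 'CEK_Customers'
)
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $columnSettings `
    -LogFileDirectory '.'

# 4. Confirm which columns are now encrypted, how, and with which CEK.
Invoke-Sqlcmd -ConnectionString $connectionString -Query @"
SELECT c.name AS column_name, c.encryption_type_desc, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
    ON c.column_encryption_key_id = k.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Customers');
"@
```

Unlike TDE, this changes the application's view of the data: clients must connect with a driver that supports Always Encrypted (Column Encryption Setting=Enabled) and must themselves be authorised to the Key Vault key, and the server can no longer filter, sort or compute on the encrypted values beyond equality on deterministic columns. Re-encrypting an existing table rewrites its rows, so plan the step 3 run for a maintenance window on large tables.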


At a minimum, TDE should be enabled on all of your Azure SQL databases. Note that turning on TDE can have a 3-5% performance impact on your databases.


Securing Azure Storage

By default, all Azure Storage accounts are encrypted at rest using 256-bit AES encryption. Customers can choose either Microsoft-managed encryption keys or their own customer-managed keys held in Azure Key Vault.


Infrastructure encryption is also available for storage accounts and adds another layer of encryption; this option must be configured when the storage account is created. Infrastructure encryption secures data at the infrastructure level, whilst the standard encryption offered by Azure Storage encrypts at the service level. Enabling infrastructure encryption therefore means your data is encrypted twice.
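As an added example (not code from the original article), the Az PowerShell script below creates a storage account with infrastructure encryption, which can only be set at creation time, then moves its service-level encryption from the Microsoft-managed key to a customer-managed key in Key Vault and verifies both settings. The account, resource group and vault names are hypothetical placeholders, and the vault and key from the Key Vault step are assumed to exist.

```powershell
# Added example (not from the original article): storage account with infrastructure
# (double) encryption plus a customer-managed key for the service-level layer.
# Assumes Key Vault 'kv-data-at-rest-001' with key 'cmk-data-at-rest' already exists.
# All names are hypothetical placeholders.
$rg          = 'rg-data-security'
$location    = 'australiaeast'
$accountName = 'stdataatrest001'      # 3-24 lowercase letters/digits, globally unique
$vaultName   = 'kv-data-at-rest-001'
$keyName     = 'cmk-data-at-rest'

# 1. Create the account with the second encryption layer (creation-time only) and a
#    managed identity it will use to reach the vault. TLS and public-access settings
#    are hardened at the same time.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $accountName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 `
    -RequireInfrastructureEncryption `
    -AssignIdentity `
    -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true -AllowBlobPublicAccess $false

# 2. Let the account's identity wrap/unwrap with the vault key (no export or delete).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 3. Switch the service-level encryption from Microsoft.Storage to the Key Vault key.
#    Passing -KeyVersion '' instead of a specific version lets Storage follow new key
#    versions automatically when the key is rotated.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$key   = Get-AzKeyVaultKey -VaultName $vaultName -Name $keyName
Set-AzStorageAccount -ResourceGroupName $rg -Name $accountName `
    -KeyvaultEncryption -KeyName $key.Name -KeyVersion $key.Version `
    -KeyVaultUri $vault.VaultUri | Out-Null

# 4. Verify: infrastructure layer on, and key source is Key Vault rather than
#    Microsoft.Storage (the Microsoft-managed default).
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $accountName).Encryption
[pscustomobject]@{
    Account                  = $accountName
    KeySource                = $enc.KeySource                        # 'Microsoft.Keyvault'
    KeyVaultKey              = $enc.KeyVaultProperties.KeyName
    InfrastructureEncryption = $enc.RequireInfrastructureEncryption  # $true
    BlobServiceEncrypted     = $enc.Services.Blob.Enabled
}
```

Because RequireInfrastructureEncryption cannot be changed later, an existing account that needs the second layer has to be recreated and its data copied across. If the vault uses Azure RBAC instead of access policies, step 2 becomes a role assignment of "Key Vault Crypto Service Encryption User" to the account's identity rather than a Set-AzKeyVaultAccessPolicy call.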


Summary

Securing data at rest should be treated as an essential part of any software solution, to ensure that your organisation’s data is well protected. Microsoft Azure makes it easy to implement data storage encryption configurations that meet industry best practice for securing your data at rest.


Over the next few weeks we will be producing a number of articles that guide you through how to best configure your Azure environments to achieve the best possible score and ensure your assets are properly secured.


By Jamil Geor

About the author

Jamil Geor

Jamil is the co-founder and CTO of Pattern. Jamil has been developing software for the past 20 years for organisations ranging from start-ups to some of the world's largest brands.