Encryption is one of the basic security mechanisms that help protect your data from falling into the wrong hands. The Azure Storage service offers built-in encryption as part of every storage account. This AZ-104 guide on configuring storage account encryption walks through service-side encryption with Microsoft-managed keys, customer-managed and customer-provided keys, infrastructure (double) encryption, and encryption scopes.
Azure Service-side encryption
Every Azure storage account gets service-side encryption (SSE) from the moment it is created: data is encrypted before it is written to persistent storage and decrypted transparently when it is read back.
Azure Storage encryption is enabled automatically and protects data at rest with Microsoft-managed keys by default. It applies to all of the Azure Storage services: Blob Storage, Azure Files, Queue Storage and Table Storage.
This includes both classic storage accounts and Resource Manager accounts, across all performance tiers (standard and premium) and all blob access tiers (hot, cool and archive). Organizations and developers do not have to modify code or flip any "switches" to make sure encryption is on; it is handled entirely by Microsoft.
The built-in encryption cannot be disabled. It uses 256-bit AES, an industry standard that is compliant with FIPS 140-2, and there is no additional charge for it. Note that it protects data at rest only; data in transit is protected separately by requiring secure transfer (HTTPS) on the account.
Customer-Managed Keys
For customers who want more control over the encryption process than Microsoft-managed keys provide, Azure Storage lets them bring their own keys. This is usually driven by regulatory requirements that put key custody, rotation and revocation in the customer's hands. Customer-controlled keys come in two forms:
- Customer-managed keys (CMK) for encrypting data in Azure Blob Storage and Azure Files. The key is stored in Azure Key Vault or Azure Key Vault Managed Hardware Security Module (Managed HSM), and the storage account uses a managed identity to wrap and unwrap its own data encryption key with it.
- Customer-provided keys (CPK) on Azure Blob Storage only. The client supplies its AES-256 key on each read or write request; Azure Storage uses it for that operation and stores only a SHA-256 hash of the key, never the key itself. Because the key travels inside the request, these calls must be made over HTTPS.
In the portal, customer-managed keys are configured under your storage account > Security + networking > Encryption, in the Encryption type section. Customer-provided keys are not an account setting; they are supplied by the blob client on each request.
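As an added example (not code from the original post), the following Python builds the request headers that carry a customer-provided key on a Blob Storage call and re-creates the service-side check that a later read presents the same key. The header names are those of the Blob REST API for CPK; the account name and blob path in the usage section are made up.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Header names defined by the Blob REST API for customer-provided keys (CPK).
KEY_HEADER = "x-ms-encryption-key"
KEY_SHA256_HEADER = "x-ms-encryption-key-sha256"
ALGORITHM_HEADER = "x-ms-encryption-algorithm"


def cpk_headers(key: bytes) -> dict:
    """Build the CPK headers a blob client adds to a read or write request.

    The raw AES-256 key is sent base64-encoded; the service uses it for this one
    operation and persists only the SHA-256 hash alongside the blob.
    """
    if len(key) != 32:
        raise ValueError("customer-provided key must be a 256-bit (32-byte) AES key")
    digest = hashlib.sha256(key).digest()
    return {
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_SHA256_HEADER: base64.b64encode(digest).decode("ascii"),
        ALGORITHM_HEADER: "AES256",
    }


def cpk_request_headers(blob_url: str, key: bytes) -> dict:
    """Refuse to attach a CPK to anything but an https:// URL: the key travels in
    the clear inside the request, so TLS is the only thing protecting it."""
    if urlparse(blob_url).scheme != "https":
        raise ValueError("customer-provided keys may only be sent over HTTPS")
    return cpk_headers(key)


def key_matches_stored_hash(stored_sha256_b64: str, headers: dict) -> bool:
    """Re-create the service-side check on a later read: the key presented now
    must hash to the SHA-256 recorded when the blob was written. The hash header
    is also checked against the key itself, so a client cannot lie about it."""
    key = base64.b64decode(headers[KEY_HEADER])
    presented_hash = base64.b64decode(headers[KEY_SHA256_HEADER])
    actual_hash = hashlib.sha256(key).digest()
    stored_hash = base64.b64decode(stored_sha256_b64)
    return (hmac.compare_digest(presented_hash, actual_hash)
            and hmac.compare_digest(actual_hash, stored_hash))


def new_cpk() -> bytes:
    """Generate a fresh 256-bit key from the OS CSPRNG."""
    return os.urandom(32)


if __name__ == "__main__":
    # Hypothetical account and blob; the key never leaves the client except over TLS.
    key = new_cpk()
    hdrs = cpk_request_headers("https://stcontoso001.blob.core.windows.net/data/report.csv", key)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    # The service keeps only the hash: a later request with the same key passes,
    # one with a different key fails.
    print(key_matches_stored_hash(hdrs[KEY_SHA256_HEADER], cpk_headers(key)))        # True
    print(key_matches_stored_hash(hdrs[KEY_SHA256_HEADER], cpk_headers(new_cpk())))  # False
```

The practical consequence shown by `key_matches_stored_hash` is that losing a customer-provided key means losing the blob: Azure holds only the hash and cannot recover the data. In the Python SDK the same three headers are produced for you by passing a `CustomerProvidedEncryptionKey` to the blob client methods, but the key-management burden is identical.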
Requirements for the customer-managed keys
There are a few requirements to note for customer-managed keys:
- A Key Vault (or Managed HSM) to associate with the storage account. Soft delete and purge protection must be enabled on it, so that a deleted key can be recovered rather than leaving the account's data permanently unreadable
- An RSA key of size 2048, 3072 or 4096 (RSA or RSA-HSM) created in, or imported into, the vault
- Permission for the storage account's managed identity (system-assigned or user-assigned) to use the key: get, wrapKey and unwrapKey through an access policy, or the Key Vault Crypto Service Encryption User role if the vault uses Azure RBAC
When you select Customer-managed keys, the portal prompts for the key (pick it from a key vault, or paste a key URI) and for the managed identity the account should use to reach it. Leave the key version out of the key URI to have the account pick up new key versions automatically when the key is rotated in Key Vault; specifying a version pins the account to that version.
Doubly encrypt data
Microsoft offers infrastructure encryption for customers who need an additional layer of protection for their data. With infrastructure encryption enabled, data is also encrypted with 256-bit AES at the Azure Storage infrastructure level.
When you enable infrastructure encryption, the data is essentially encrypted twice:
- Encryption happens at the service level
- Encryption happens at the infrastructure level
Additional protection layer
Each layer uses a different encryption algorithm and a different key. How does this help with security? If the key for one layer is compromised, the other layer still protects your data. Note that the infrastructure-level key is always Microsoft-managed; customer-managed keys apply only to the service level.
Infrastructure encryption must be enabled when the storage account is created; it cannot be turned on for an existing account (it can, however, be enabled for an individual encryption scope). In the portal, the Encryption tab of the account creation wizard has an Enable infrastructure encryption checkbox; with the Azure CLI, use the --require-infrastructure-encryption flag on az storage account create.
Encryption Scopes
Azure also offers encryption scopes, which give you more granular control by defining different encryption settings within the same storage account.
An encryption scope is a named setting that specifies Microsoft-managed or customer-managed keys (and, optionally, infrastructure encryption). Scopes apply to Blob Storage, including accounts with a hierarchical namespace: a scope can be set as the default for a container or supplied when an individual blob is uploaded, so blobs for different customers or data classifications can sit under different keys in one account. A container can also be created with a default scope and set to deny per-blob override (--default-encryption-scope and --prevent-encryption-scope-override in the CLI), which forces every blob in it under that scope.
Adding an encryption scope
On the account's Encryption blade, the Encryption scopes tab has an Add button that opens Create encryption scope. Give the scope a name, choose the encryption type (Microsoft-managed or customer-managed keys, and the key if the latter), and choose whether to enable infrastructure encryption for the scope. A scope can later be disabled, after which reads and writes that use it fail until it is re-enabled; scopes cannot be deleted or renamed.
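The following Python is an added example, not part of the original guide: it audits the customer-managed-key requirements, the infrastructure-encryption setting and the encryption-scope settings described in the sections above, reading account and key vault JSON shaped like the output of az storage account show and az keyvault show (the container entries use a simplified, hypothetical shape rather than CLI output). Every name, URI and value in the sample is constructed; whether CMK and infrastructure encryption are mandatory is a policy parameter.

```python
import json

# Constructed sample shaped like `az storage account show -o json`, trimmed to
# the fields the audit reads. All values are made up.
SAMPLE_ACCOUNT = json.loads("""{
  "name": "stcontoso001",
  "identity": {"type": "SystemAssigned"},
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "requireInfrastructureEncryption": false,
    "keyVaultProperties": {
      "keyName": "storage-cmk",
      "keyVersion": "",
      "keyVaultUri": "https://kv-contoso.vault.azure.net/"
    }
  }
}""")

# Constructed sample shaped like `az keyvault show -o json` (purge protection
# shows as null when it was never enabled).
SAMPLE_VAULT = json.loads("""{
  "name": "kv-contoso",
  "properties": {
    "vaultUri": "https://kv-contoso.vault.azure.net/",
    "enableSoftDelete": true,
    "enablePurgeProtection": null
  }
}""")

# Hypothetical simplified container records (not CLI output).
SAMPLE_CONTAINERS = [
    {"name": "finance", "defaultEncryptionScope": "finance-cmk", "denyEncryptionScopeOverride": False},
    {"name": "public-assets", "defaultEncryptionScope": None, "denyEncryptionScopeOverride": False},
]


def audit_encryption(account, vault, containers, require_cmk=True, require_infra=True):
    """Return finding codes, in check order, for settings that fall short of policy."""
    findings = []
    enc = account.get("encryption") or {}
    cmk = enc.get("keySource") == "Microsoft.Keyvault"

    if require_cmk and not cmk:
        findings.append("NO_CMK")  # still encrypted, but with Microsoft-managed keys

    if cmk:
        # The account can only wrap/unwrap with the vault key through a managed identity.
        identity_type = (account.get("identity") or {}).get("type") or "None"
        if identity_type == "None":
            findings.append("CMK_NO_IDENTITY")
        kv = enc.get("keyVaultProperties") or {}
        props = vault.get("properties") or {}
        vault_uri = (props.get("vaultUri") or "").rstrip("/").lower()
        if (kv.get("keyVaultUri") or "").rstrip("/").lower() != vault_uri:
            findings.append("CMK_VAULT_MISMATCH")  # account points at a vault we are not auditing
        # A pinned key version means rotation in Key Vault never reaches the account.
        if kv.get("keyVersion"):
            findings.append("CMK_KEY_VERSION_PINNED")
        # Both are prerequisites for CMK: without them a deleted key makes the data unrecoverable.
        if not props.get("enableSoftDelete"):
            findings.append("VAULT_NO_SOFT_DELETE")
        if not props.get("enablePurgeProtection"):
            findings.append("VAULT_NO_PURGE_PROTECTION")

    # Infrastructure encryption can only be chosen at account creation, so this
    # finding means "recreate and migrate", not "flip a setting".
    if require_infra and not enc.get("requireInfrastructureEncryption"):
        findings.append("NO_INFRA_ENCRYPTION")

    for c in containers:
        if not c.get("defaultEncryptionScope"):
            findings.append(f"CONTAINER_NO_DEFAULT_SCOPE:{c['name']}")
        elif not c.get("denyEncryptionScopeOverride"):
            # Uploaders could still choose another scope (e.g. Microsoft-managed keys) per blob.
            findings.append(f"CONTAINER_SCOPE_OVERRIDE_ALLOWED:{c['name']}")
    return findings


if __name__ == "__main__":
    for finding in audit_encryption(SAMPLE_ACCOUNT, SAMPLE_VAULT, SAMPLE_CONTAINERS):
        print(finding)
```

Against the constructed sample the audit reports the missing purge protection on the vault, the absence of infrastructure encryption, the container whose scope can be overridden, and the container with no default scope; the CMK configuration itself (identity present, vault URI matching, no pinned version) passes.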
Best Practices for Encryption Key Management
Managing encryption keys is a critical part of maintaining data security. Keep the following best practices in mind for key management and for Azure Storage encryption in general:
- Comply with Organizational and Regulatory Mandates: Ensure encryption practices meet or exceed organizational mandates or regulatory requirements
- Aim for Higher Protection Levels: Where practical, use encryption that goes beyond the minimum required level of protection to guard against confidentiality breaches and data tampering
- Classify and Protect Data Appropriately: Determine the sensitivity level of data to decide on the encryption needs
- Balance Encryption Tradeoffs: Understand and anticipate the performance latency, operational complexities, and recovery challenges introduced by encryption, especially for sensitive data
- Document Exceptions: If encryption is not feasible due to technical or other limitations, ensure these reasons are clearly documented
- Utilize Native Encryption Mechanisms: Leverage the built-in encryption options provided by Azure services, which adhere to modern industry standards and are developed by experts
- Manage Encryption Keys Wisely:
  - Default to Microsoft-Managed Keys: Use Azure's default key management for simplicity and security
  - Consider Customer-Managed Keys for Greater Control: Opt for customer-managed keys if you require more control over key operations and lifecycle management
  - Secure Key Storage: Store encryption keys separately from the encrypted data, preferably in a key store or a managed hardware security module (HSM), to mitigate the risk of simultaneous compromise
  - Monitor Key Access: Keep a close watch on access to encryption keys to detect and respond to anomalous activity; for Key Vault, send the AuditEvent diagnostic logs to a Log Analytics workspace and alert on failed or unexpected key operations
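To make the last point concrete, here is an added example (not from the original post) of the kind of detection logic you would run over Key Vault diagnostic logs: a handful of constructed AuditEvent-style records are checked for denied key operations, wrap/unwrap calls by principals other than the storage account's managed identity, bursts of key use by such principals, and sensitive operations such as key deletion. The field names follow the AuditEvent schema as assumed here, and every object ID, IP address and key URI is made up.

```python
from collections import Counter

KEY_URI = "https://kv-contoso.vault.azure.net/keys/storage-cmk/9f1c"  # made up

# Constructed Key Vault AuditEvent records, trimmed to the fields the rules read.
SAMPLE_LOG = [
    {"time": "2024-05-01T08:00:01Z", "operationName": "KeyUnwrap", "resultSignature": "OK",
     "callerIpAddress": "20.50.0.10", "identity": {"claim": {"oid": "11111111-aaaa-4000-8000-000000000001"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T08:00:02Z", "operationName": "KeyWrap", "resultSignature": "OK",
     "callerIpAddress": "20.50.0.10", "identity": {"claim": {"oid": "11111111-aaaa-4000-8000-000000000001"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T09:12:40Z", "operationName": "KeyUnwrap", "resultSignature": "Forbidden",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "22222222-bbbb-4000-8000-000000000002"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T09:13:05Z", "operationName": "KeyUnwrap", "resultSignature": "OK",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "22222222-bbbb-4000-8000-000000000002"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T09:13:09Z", "operationName": "KeyUnwrap", "resultSignature": "OK",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"oid": "22222222-bbbb-4000-8000-000000000002"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T10:30:00Z", "operationName": "KeyDelete", "resultSignature": "OK",
     "callerIpAddress": "198.51.100.4", "identity": {"claim": {"oid": "33333333-cccc-4000-8000-000000000003"}},
     "properties": {"id": KEY_URI}},
    {"time": "2024-05-01T10:30:30Z", "operationName": "KeyGet", "resultSignature": "OK",
     "callerIpAddress": "198.51.100.4", "identity": {"claim": {"oid": "33333333-cccc-4000-8000-000000000003"}},
     "properties": {"id": KEY_URI}},
]

# The only principal expected to wrap/unwrap the storage key is the storage
# account's managed identity (hypothetical object ID). Anyone else touching the
# key directly deserves a look.
STORAGE_ACCOUNT_IDENTITIES = {"11111111-aaaa-4000-8000-000000000001"}
# Operations that can make CMK-protected data unreadable or export the key material.
SENSITIVE_OPS = {"KeyDelete", "KeyPurge", "KeyUpdate", "KeyBackup"}
WRAP_OPS = {"KeyWrap", "KeyUnwrap"}
KEY_USE_BURST_THRESHOLD = 3


def detect(records, allowed_oids=STORAGE_ACCOUNT_IDENTITIES):
    """Return (rule, context) alerts for the given AuditEvent-style records."""
    alerts = []
    wrap_count = Counter()
    for r in records:
        op = r.get("operationName", "")
        oid = ((r.get("identity") or {}).get("claim") or {}).get("oid", "?")
        ctx = f"{op} by {oid} from {r.get('callerIpAddress')} on {(r.get('properties') or {}).get('id')}"
        if r.get("resultSignature") != "OK":
            # Either probing, or a broken access policy / role assignment that will
            # surface as storage errors once the cached key expires.
            alerts.append(("KV_ACCESS_DENIED", ctx))
        if op in WRAP_OPS:
            if oid not in allowed_oids:
                alerts.append(("UNEXPECTED_KEY_USER", ctx))
            wrap_count[oid] += 1  # attempts count too, not just successes
        if op in SENSITIVE_OPS and r.get("resultSignature") == "OK":
            alerts.append(("SENSITIVE_KEY_OP", ctx))
    for oid, n in wrap_count.items():
        if oid not in allowed_oids and n >= KEY_USE_BURST_THRESHOLD:
            alerts.append(("KEY_USE_BURST", f"{oid} made {n} wrap/unwrap calls"))
    return alerts


if __name__ == "__main__":
    for rule, ctx in detect(SAMPLE_LOG):
        print(f"{rule:22} {ctx}")
```

In production the records would come from a Log Analytics query over the AzureDiagnostics table (or the resource-specific Key Vault tables) rather than a list, and the allow-list would be populated from the storage accounts' actual identity object IDs; the rules themselves do not change. The KeyDelete alert matters more with customer-managed keys than it first appears: with purge protection off, a deleted and purged key leaves every blob and file under it permanently unreadable.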
Wrapping up storage account encryption
Understanding the encryption options in Azure Storage is essential. Microsoft has taken most of the heavy lifting out of implementing encryption by encrypting every storage account with 256-bit AES by default.
Beyond that default, customers have several options for controlling encryption of their data. Customer-managed keys let organizations own and manage their encryption keys when compliance or other requirements call for it.
Infrastructure encryption adds a second, independently keyed layer of protection. For the AZ-104 exam, be familiar with how Azure Storage encryption is configured to protect your data, including customer-managed keys, infrastructure encryption, and encryption scopes.