Bring Your Own Key Increases Security of Your Data in Microsoft Azure

Posted May 11, 2017

In Cyber Security, Microsoft, Microsoft Azure

Although the perception remains that cloud is less secure than on-premises data centers, experts hold a different opinion. Gartner anticipates that public cloud providers will experience at least 60% less security incidents than traditional data centers.

To address the security concerns, many cloud providers support encryption of data in the cloud. While encryption helps, if the cloud provider manages the keys, security concerns don’t entirely go away, because someone else controls the keys that allow access to your data.

That’s why cloud providers like Microsoft Azure now offer “bring your own key” (BYOK) options to let cloud users retain control of their keys. When a business remains responsible for creating, storing, and managing keys in the cloud, there’s reduced risk of the cloud provider exposing the keys and the company’s data.

Microsoft Azure Encryption

Companies can secure their keys with Azure Key Vault. When you use Key Vault and bring your own key, you first generate a key on your own site using a hardware security module (HSM). The key is then securely transferred to an HSM at Microsoft. Microsoft has no way to view the keys, and you can review the key usage logs through Azure HDInsight or your own security systems to see how the keys are being used and monitor access.

Microsoft Azure offers services that offer encryption at file, database, disk, and virtual machine levels. It’s important to note that not all Microsoft Azure services allow users to manage their own keys. Azure Disk Encryption allows virtual machine (VM) disks to be encrypted with user-managed keys, but Azure Storage Service Encryption for data at rest requires Microsoft to manage the keys. Customer key management capabilities are planned for the future.

Azure SQL Database Transparent Data Encryption offers real-time encryption of the database; users of Azure SQL Database rely on Microsoft for key management while users of SQL Server on an Azure VM can use Key Vault to manage their own keys.

File-level encryption is offered through Azure RMS, which supports BYOK.

Those approaches protect data at rest; it’s also important to protect data in transit. That relies on SSL/TLS and HTTPS secure protocols or the use of a virtual private network to ensure secure connections between your site and Microsoft Azure.

Create a Comprehensive Cloud Security Plan

Encrypting your data in the cloud should be part of a comprehensive cloud security plan. With expertise in information security and Microsoft Azure, combined with our Microsoft Partner status, Prescient Solutions can help you design and implement a Microsoft Azure environment that meets all your business needs, including security and data protection. Contact us to learn more about how you can leverage the cloud while keeping your confidential data safe.