
Azure Security – Understanding Azure Data Encryption at Rest

Introduction to Data States

Data at rest refers to data that resides in persistent storage on physical media in any digital form. The media can include files on magnetic or optical media, archived data, and data backups. As soon as someone requests a file, that data moves across a network and becomes data in transit. Once someone (or something) starts processing a file, the data enters the in-use state.

Data at Rest Encryption in Azure

Encryption at rest is a common security requirement, and it becomes more important when sensitive data is stored in public clouds. Encryption at rest may also be very important for an organization's data governance and compliance efforts. Industry and government regulations such as HIPAA, PCI and FedRAMP lay out specific safeguards regarding data protection and encryption requirements.

Microsoft Azure provides a number of data storage options to fulfil various requirements, such as File, Disk, Blob and Table storage. Microsoft also protects Azure SQL Database, Azure Cosmos DB and Azure Data Lake with encryption. Microsoft Azure includes tools to safeguard data according to your company's security and compliance needs.

In this blog we will focus on:

  1. How data is protected at rest across Microsoft Azure.
  2. The components that take part in the data protection implementation.
  3. Merits and demerits of the different key management approaches.

In its encryption at rest design, Microsoft uses symmetric encryption to encrypt large amounts of data quickly as it is written to storage and to decrypt it as it is readied for use in memory. The encryption and decryption key is stored in a secure location with identity-based access control and audit policies.

Azure Encryption at Rest Components

The Azure components listed below take part in encrypting data at rest. Azure's encryption at rest models use envelope encryption, in which a key encryption key encrypts a data encryption key.

  1. Azure Key Vault – Azure Key Vault is the recommended key storage solution and provides a common management experience across services. Access to a key vault can be granted to users or services. It supports customer-created keys and the import of customer keys in various encryption key scenarios.
  2. Azure Active Directory – Permissions to use the keys stored in Azure Key Vault, either to manage them or to access them for encryption-at-rest encryption and decryption, can be granted to Azure Active Directory accounts.
  3. Data Encryption Keys – Azure uses a symmetric AES-256 key, also referred to as a Data Encryption Key (DEK), to encrypt a portion or block of data. A single resource can have multiple partitions and many DEKs. Encrypting each block of data with a different key makes cryptanalysis attacks more difficult, and keeping DEKs local to the service that encrypts and decrypts the data maximizes performance.
  4. Key Encryption Keys – Azure uses envelope encryption, also referred to as wrapping, to encrypt the DEKs. Key Encryption Keys (KEKs) never leave Azure Key Vault, which allows the DEKs themselves to be encrypted and controlled.
  5. Resource providers – Resource providers and the application instances always store the encrypted DEKs as metadata.

Azure Data at Rest Best Practices

  1. Use Azure Disk Encryption to help safeguard your data on Windows and Linux IaaS VM disks. It combines the Windows BitLocker feature and the Linux dm-crypt feature to provide volume encryption for the OS and data drives.
  2. Encrypt the drives before you write sensitive data to them.
  3. Use Azure Policy to enforce encryption of data at rest across the different cloud models.

Recommendation

Organizations can use Microsoft Defender for Cloud to check whether OS, data, temp and other disks are encrypted as required by organization policy, and can take manual or automated action using Logic Apps to encrypt the virtual machine accordingly.

Conclusion

In this blog, we discussed how data at rest encryption works in Microsoft Azure and which components are involved in it. We also covered the best practices and recommendations for data at rest encryption in the Azure public cloud.