Data security and encryption with Azure

An illustration representing a data warehouse, next to an illustration of Bit the Raccoon.

Nowadays, corporate data assets are being stored, processed, and shared more than ever before. Organisations are looking for more efficient ways of doing business, such as big data analysis and the migration of data to the cloud. To ensure that sensitive data isn’t exposed to people that don’t need access to it, putting security and controls in place is key.

To protect sensitive data, such as personal identifiable data, company financials, and intellectual property, Azure offers a set of best practices for data security and encryption. To protect your data, you need to know which state your data resides in and what controls are available for that state.

Data states

Best practices for Azure data security and encryption relate to the following states:

  • Data at rest: This includes all information storage objects, types, and containers that exist statically on physical media.
  • Data at transit: This includes data that is being transferred between components, locations, or programs.

Data encryption at rest is a mandatory step toward achieving data privacy and compliance. The following best practices are applicable for protecting data at rest:

  • Use encryption to help mitigate risks related to unauthorised data access. Organisations must prove that they are using proper security controls to comply with industry regulations. They are also more exposed to data-confidentiality breeches if they don’t encrypt their data.

Data at rest is encrypted by default in Azure Storage and Azure SQL Database. Many other services offer default encryption as well. Azure Key Vault can be used to store the keys that access and encrypt the data. See Azure resource providers encryption model support for more information.

  • Apply disk encryption to help safeguard your data. Azure Disk Encryption enables IT administrators to encrypt Linux and Windows IaaS VM disks. It combines Windows BitLocker and Linux dm-crypt to provide volume encryption for data and OS disks.


Protect data at transit

Protecting data at transit should be an essential part of the data protection strategy. Because data is moved back and forth between many locations, it is recommended to use SSL/TLS protocols to exchange this data. You can also isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN. You can use Azure VPN Gateway to encrypt traffic between an Azure virtual network and an on-premises location over the public Internet.

Below are best practices for using Azure VPN Gateway, HTTPS, and SSL/TLS:

  • To secure access from multiple workstations located on-premises to Azure, use a Site-to-Site VPN.
  • To secure access from a single on-premises workstation to Azure, use a Point-to-Site VPN.
  • To move larger data sets over a dedicated high-speed WAN link, use ExpressRoute.
  • Interact with Azure Storage through the Azure portaI. All transactions will occur over HTTPS. You can also use the Storage REST API over HTTPS to interact with Azure Storage.

Use a key-management solution

To protect your data in the cloud a key-management solution is mandatory. Azure Key Vault can be used to streamline the key-management process and enables you to maintain control of cryptographic keys and secrets that cloud applications and services use. It enables you to maintain control of keys that access and encrypt your data.

Below are the best practices for using Azure Key Vault:

  • Control what users have access to. Access to a key vault is controlled through two separate interfaces: management plane and data plane. Use Role based Access Control (RBAC) to control what users have access to. If an application needs access to keys in the vault, only data plane management must be enabled for this application. No management access is needed.
  • Store certificates in your key vault. You can manage all your certificates in one place, and they can securely be deployed to Azure VMs using Key Vault. By setting appropriate access policies for the Key Vault, you can control the access to the certificates.
  • Ensure that you can recover a deletion of key vaults or key vault objects. Enable the soft delete and purge protection features of Key Vault. Deletion of these keys is equivalent to data loss, so you can recover deleted vaults and vault objects if necessary.

Manage with secure workstations

Because most of the attacks are aimed at end users, the endpoint becomes one of the primary points of attack. By compromising the endpoint, an attacker can utilise the user’s credentials to get access to the company data. Most endpoint attacks benefit from the fact that most users are administrators at their workstations.

Below are the best practices for managing secure workstations:

  • Ensure endpoint protection. Enforce security policies across all devices that are utilised to access data, regardless of the location (on-premises or cloud).
  • Use a secure management workstation to protect sensitive accounts, tasks, and data. To reduce the attack surface in workstations, use a privileged access workstation. These secure management workstations can help you mitigate some of these attacks.

Secure email, documents, and sensitive data

To secure email, data, and documents that you share outside your organisation, you can deploy Azure Information Protection to classify, label, and protect documents and email. This can be done automatically, by defining rules and conditions, or manually by users.

The protection technology used by Azure Information Protection is on based Azure Rights Management (Azure RMS). This technology is integrated in other technologies, such as Office 365 and Azure Active Directory, and it uses encryption, identity, and authorisation policies to help you control your data, even when it is shared with others outside your organisation.

Best practices for using Azure Information Protection:

  • Configure Azure RMS Usage logging. This can help you to monitor how your organisation is using the protection service.
  • Apply labels that reflect your business requirements. For instance, apply a label named “highly confidential” to all documents and emails that contain top-secret data.

Next steps

In this article we have covered several Azure best practices for securing and encrypting data. You can refer to Azure security best practices and patterns for more security best practices to use when you’re designing, deploying, and managing your cloud solutions.