Protecting sensitive data at Microsoft from end to end is critical to the success of our business. In this episode of Code + apps, Lyle Dodge talks with Marc Thenot, Engineering Program Manager, about the Deal Discount Approval application. The application is used by field sellers at Microsoft to process approvals for discounts on services from Microsoft. The application team had to encrypt the data at all points in the application, from sitting on the client’s device to the back end database system.
Marc lists out a few key points that software engineers mulling end-to-end encryption from the client all the way to the back end database should consider:
- Encryption is easy to implement at all points in the application. It’s also easy to maintain and rotate certificates in your operational procedures. People shouldn’t be afraid to do it.
- The team found that it didn’t significantly impact the user experience, but the performance impact was measurable, which you should keep in mind.
- Turn on end-to-end encryption right at the beginning of development. This will help you identify any issues or processes you need established well ahead of production. This will also help you get comfortable with key rotation and other security best practices early in the software development lifecycle.
- Think about collation early. If you’re doing joins and searches across tables and databases, a different collation will result in different cryptographic hashes for the same content.
- Using Azure Key Vault will make it easier to do key and certificate rotation, and the integration to other Azure services will make things easier as well.
If you’d like to read the full technical whitepaper which takes a deep dive into the technical aspects of authentication, go to IT Showcase at Protecting highly confidential sales data with Azure SQL Database.
To get started thinking about encryption end-to-end in your Azure applications, see the article Azure encryption overview.