Listen to this podcast to learn about protecting sensitive data in Microsoft Windows Azure with encryption and key management.
Sometimes when I think of the cloud, I still imagine all of my data floating around up in the sky. Which, of course, isn’t where the data lives at all. All of our data that we store in the cloud lives in massive data centers. How massive? I once heard one of these data centers described as so large that as you looked down the rows of servers you could see the curvature of the earth.
It’s clear that the cloud is growing, and becoming critical in how we work with data, which is why data security in the cloud is becoming a very hot topic. Because we’re beginning to work with more and more companies who want to protect their data in Microsoft Windows Azure, I particularly wanted to address concerns about encryption and encryption key management in the Microsoft Windows Azure Cloud platform. So I sat down with Patrick Townsend, CEO of Townsend Security and Data Privacy Expert, to discuss data privacy issues in Microsoft Windows Azure. Here are some of my questions and his answers.
Why is Data Security an Issue in Microsoft Windows Azure?
Overall, the number one concern of organizations moving to the cloud is security. Almost all core applications that run in an enterprise environment collect and store sensitive information. This information might be cardholder data, social security numbers, tax IDs, or any other personally identifiable information (PII). Properly protecting that data with encryption and key management is critical for enterprise customers to meet industry and state data privacy regulations as well as to prevent data breaches.
Microsoft Windows Azure is unique in that it actually has a few different facilities. The original Azure facilities were limited to .NET applications. This year Microsoft made a big jump to provide full Infrastructure-as-a-Service (IaaS) capability within Azure, to allow customers to run Windows, SQL Server, and almost any other Windows type of environment in Azure. Those capabilities opened the door to allow applications to move into Azure, and along with them came all of the issues of data protection.
Now, with all of those applications running in Windows Azure, the big challenge is getting a proper encryption and key management strategy in place to protect all of the sensitive data that those applications process.
Does Windows Azure provide customers with encryption capabilities?
Yes, Microsoft has really done a good job in terms of supporting encryption across all Azure platforms. In itself, Microsoft Windows has really good AES encryption capabilities in their .NET libraries. Azure and SQL Azure can leverage these .NET encryption capabilities. In fact, we’ve done a proof-of-concept where we show exactly how to do this in Azure. It’s actually very straightforward. In Azure you have the option to deploy either Transparent Data Encryption (TDE) to encrypt all data or Cell Level Encryption to encrypt data on a column-by-column basis.
Encryption key management can be implemented by leveraging Microsoft’s Extensible Key Manager (EKM) capabilities. Although Microsoft gives you the option to store the encryption keys locally in the same server where you store data, in order to be compliant with most data security regulations and avoid data breach notification, customers must use an external Hardware Security Module (HSM) to store their encryption keys and use best practices such as dual control and separation of duties.
Overall, I think Microsoft has truly done a great job with encryption performance. The greatest challenge people will have when protecting data is encryption key management, and doing it properly. It’s not just a challenge for Microsoft Windows Azure, but for all Cloud platforms. Luckily, we’ve developed a model to help companies do key management right.
Download our podcast "Securing Microsoft Windows Azure with Encryption & Key Management" for more information on protecting sensitive data in Microsoft Azure with encryption and key management, best practices for managing encryption keys, and what to look for when deciding on an encryption key management solution.