Blog | Townsend Security

Welcome to Windows Azure Encryption Key Management

Written by Patrick Townsend | Feb 10, 2014 9:00:00 AM

The primary concern of cloud customers is the security of their sensitive data. Security remains one of the major barriers to cloud adoption. And that makes sense. Cloud platforms like Microsoft Windows Azure are by their nature shared environments. The computational resources are shared, the network resources are shared, and the responsibility for physical security is ceded to a third party. That would make anyone nervous.

There are also some additional practical issues. Where, for example, do you actually store your encryption keys that protect your data? For customers and software providers who are fully in the cloud, this is a difficult practical question. You just don’t have a convenient place to securely store encryption keys away from the data that they protect.

Until now.

Today we announced the availability of our latest encryption key management solution, Alliance Key Manager for Windows Azure. The same key management solution that we ship in our FIPS 140-2 compliant key management hardware security module (HSM) is now available as a virtual machine in Windows Azure. With a few clicks in the Windows Azure portal you can launch Alliance Key Manager for Windows Azure and start protecting encryption keys the right way.

All of the features that make a hardware HSM desirable: key management and encryption dedicated to you, exclusive administrative access for you alone (sorry, cloud provider), encryption and key management provably based on industry standards, and high availability. All of it now runs as your own dedicated virtual machine.

Alliance Key Manager for Windows Azure is deployed in just the way you would hope. It uses an affordable, usage-based pricing model, and it is managed through the same Windows Azure facility you use to manage all of your other virtual machines. For added security, you can launch your virtual machine in a Windows Azure Virtual Private Cloud (VPC), and you can deploy two VMs in a Windows Azure Availability Set for better redundancy.

As is the case for our hardware key management solutions, our Windows Azure cloud offering supports encryption within the key management virtual machine. This means that you don’t even need to expose the encryption key in your Windows Azure web application. Just send the data to the key management virtual machine and encryption or decryption takes place there.

In conjunction with our launch into the Windows Azure platform, we’ve also added a great new feature we call “Ready-To-Use”. When you start your key management virtual machine for the first time it will automatically install a 30-day evaluation license, generate the certificates you need for authentication, and generate some encryption keys that are unique to you and ready to use with SQL Server, SharePoint, and your Windows .NET applications. You are ready to start encrypting in seconds.

There are many challenges to meeting compliance regulations, and you should be aware of the recommendations of the Cloud Security Alliance and of the PCI Security Standards Council for encryption and key management. You don’t need to compromise with poor key management, or a key management solution that has never seen the daylight of a FIPS 140-2 validation.

Happy cloud computing!

Patrick