Townsend Security Data Privacy Blog

Encryption & Key Management in Windows Azure

Posted by Michelle Larson on Feb 13, 2014 3:05:00 PM

Providing Data Security IN the Cloud

The excitement level has been palpable around our office this week as we released the first encryption key manager to run in Microsoft Windows Azure, solving the data security problem that has held many companies back from adopting Microsoft's cloud.  In preparation for this new product, we have had a number of questions to answer, so I thought we should recap a few of them and share an excellent podcast resource with our readers! Encryption Key Management in Windows Azure

What is the main issue that Microsoft Windows Azure customers are experiencing?

The number one concern reported by companies or organizations when they think about moving to any cloud environment is security. The studies show that their biggest concerns revolve around exposure of personally identifiable information and preventing data loss. It is a big enough concern that many companies have held back from migrating mission-critical applications with sensitive data from their traditional data centers into the cloud.  

A few things that are common across many industries and compliance regulations can really help with protecting data in cloud platforms like Windows Azure:

  • Use industry-standard AES encryption.
  • Keep your encryption keys are separate from the data that's being protected.
  • Use dual control and separation of duties to protect your encryption keys.
  • Follow best practices in terms of protecting data-at-rest and data-in-motion.

What strategy do you use for deploying a key manager in Windows Azure?

When you are running AKM as a Windows Azure virtual instance it is in a standard or virtual private cloud environment (VPC) allowing for better segmentation and isolation of your key management implementation. You definitely do not want to store encryption keys in the same virtual machine or instance of Windows Azure where sensitive data is stored. That would be like taping your house key to the front door when you leave home! In fact, the core concept for key management is to always separate the encryption keys from the data they protect. 

We know key management is critical to meeting compliance regulations, but is there any guidance about securing data in the cloud?

It is very important for cloud users to protect data using good practical guidance from PCI Security Standards Council (PCI SSC) even if not storing credit card information.  PCI SSC has issued Cloud Computing Guidelines as well as guidance around virtualization of data protection solutions, so you can be PCI compliant with a cloud-based key management and encryption solution.

The Cloud Security Alliance (CSA) has also issued good guidance around security in cloud environments in version 3 of their documentation (domain 11 applies to encryption and key management).

National Institute for Standards and Technology (NIST) also has produced a guidance for security in cloud environments (NIST Special Publication 800-144) which provides excellent guidance for people looking to move into cloud platforms and protect data there.

How does your Alliance Key Manager help protect data in Windows Azure?

Our founder and CEO Patrick Townsend says, “I'm rather proud of the fact that we have the first fully cloud-based key management solution in Windows Azure.  Our Alliance Key Manager for Windows Azure solution is a cloud instance that you can deploy directly into Windows Azure to manage encryption keys and protect data. It can be deployed in standard Windows Azure Infrastructure-as-a-Service (IaaS) environment and you can deploy it directly into a virtual private cloud.  It's the same binary code that is in our HSM which is FIPS 140-2 validated and it's running purely within that Windows Azure environment. I am proud of our development team for bringing forth our Alliance Key Manager for Microsoft Windows Azure users as an affordable solution.”

Along with Alliance Key Manager comes applications that deploy, such as our EKM provider, which gives you full protection of Microsoft SQL Server databases and the Microsoft solution applications that run on top of SQL Server. This includes:

  • Custom-built SQL Server applications
  • Applications in SharePoint using SQL Server as its content database platform
  • Microsoft dynamics applications such as CRM and AX and GP that run on top of SQL Server

For custom applications we provide a .NET assembly that you can use to add to your applications to perform encryption either on versions of SQL Server that don't support transparent data encryption (TDE) or on unstructured data that you may be storing in the Windows Azure platform. You are also able to encrypt data going into SQL Azure as well as MySQL or Oracle or any other database that you might be running. Alliance Key Manager comes with a complete library of SDKs and sample code for developers, along with purpose built applications that are ready to plug in and perform encryption, which will get encryption projects up and running very quickly.

“The recent data breaches experienced by so many retailers just highlight the need to protect data with encryption and properly manage the encryption keys.  We really help answer the challenge of protecting data in cloud environments like Microsoft Windows Azure and we are helping people achieve that data protection that they need to feel comfortable moving to cloud platforms.”

Please download this podcast to learn more about securing data in the Microsoft Windows Azure platform:

Encryption Key Management for Windows Azure

Topics: Alliance Key Manager, Compliance, Podcast, Cloud Security, Microsoft Windows Azure