Azure data protection refers to a set of practices and tools you can use to create multi-layered Azure security. It includes protections for physical security of data centers, protections for infrastructure, and tools for securing customer data.
Data protection in Azure relies on built-in controls and tools created by a team of Microsoft security experts. These controls and tools are integrated into Azure firmware and hardware and extend protections across your services. The tools and technologies described below are among those available.
The wide variety of data that you can store in Azure services is exposed to many threats. Data can be inherently sensitive, such as financial data, or can reveal valuable information about your system structure and configuration, as metadata does. To secure it, you need to protect all types of data, which first requires understanding where the data is stored.
Service | Vulnerable data elements
--- | ---
Compute services, storage, networking | ● Customer package or service configuration files (CSPKG or CSCFG) ● Data in storage services ● Shared access signatures or user keys ● Service certificates ● Credential information
Virtual machines | ● Virtual machine images ● User or admin credentials ● Endpoint configurations and deployment templates
Virtual networks | ● Pre-shared keys ● IP addresses or ranges for gateways
This data, and the threats to it, are similar to those in an on-premises environment. The main difference is that cloud-hosted data is often more exposed because of Internet-facing endpoints. You should be aware of the following types of threats.
These threats can stem from user mistakes, natural disasters, and attacks. Although all are valid threats, most of your security resources are aimed at preventing attacks. In particular, with cloud data, you need to account for both online and offline attacks.
Attack type | Description
--- | ---
Online | ● Occurs while resources are actively running ● Typically accomplished through compromised credentials or failures of authentication and authorization mechanisms ● Often involves transferring data over unprotected or compromised communication channels
Offline | ● Occurs when unauthorized users move data or physical storage devices ● Does not require network access and often involves theft of physical devices, such as laptops ● Often involves attackers modifying system controls or planting malware
Azure NetApp Files is one example of an Azure service with data protection built in: snapshot copies with fast restores, cross-region replication, and always-on encryption.
To help you protect your data, Azure includes several built-in services and utilities. These solutions are all native to Azure and can help you monitor security and apply protections in combination with third-party tools.
Azure NetApp Files complies with leading industry certifications such as HIPAA and GDPR. Together with the default 99.99% availability, this means you can migrate and securely run industry applications in Azure with confidence. Deep integration with Azure enables a seamless and secure Azure experience, with no storage-specific learning curve to create, manage, or protect your business data.
Azure AD is a cloud-native version of the traditional AD solution for identity and access management. You can use it to define and manage user credentials and permissions across your cloud resources.
Included in Azure AD are features for multi-factor authentication (MFA) and the ability to create conditional access policies. You can use Azure AD to audit permissions, alert on changes, and report on user activity. Through the premium version, you can also enable single sign-on (SSO).
Azure provides built-in encryption for your data at rest and in transit. This encryption is enabled for most services by default, and for some services it cannot be disabled. At-rest encryption is based on AES-256 and in-transit encryption relies on TLS. You can manage your encryption keys through Azure services, rely on the services to self-manage keys, or use Azure Key Vault for centralized management.
To protect your VMs, Azure supports a variety of third-party anti-malware solutions, including Kaspersky, Trend Micro, and Symantec. It also offers Microsoft Anti-malware for Azure Cloud Services and Virtual Machines.
Web application firewalls (WAFs) inspect HTTP traffic to protect web applications at the application layer, in the way traditional network firewalls protect endpoints. In Azure, WAF capability is available through the Azure Application Gateway service, which is designed to provide centralized protection for your web applications.
The firewall includes traffic filtering rules created by the Open Web Application Security Project (OWASP). You can use this service to protect against the most common web app threats, including SQL injection, code injection, and cross-site scripting.
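To make the rule-based filtering concrete, the following Python code is an added example, not from the original article, from Microsoft or from OWASP: a miniature request inspector in the spirit of the OWASP rules an Azure WAF applies. It splits a request into the fields a WAF inspects (path, query arguments, body arguments, selected headers), URL-decodes them a second time so double-encoded payloads cannot slip past, matches three constructed signatures for SQL injection, cross-site scripting and path traversal, and blocks when the summed anomaly score reaches a threshold, which is how the real OWASP rule set decides as well, with hundreds of far more refined rules. The RULES, BLOCK_THRESHOLD and SAMPLE_REQUESTS values are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule set: (rule id, anomaly score, pattern). Scores are summed per
# request and compared with BLOCK_THRESHOLD, mirroring the anomaly-scoring model
# of the OWASP rules without reproducing them.
BLOCK_THRESHOLD = 5
RULES = [
    ("sqli", 5, re.compile(r"(?i)(\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'|--\s*$)")),
    ("xss", 5, re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon(load|error|click|mouseover)\s*=)")),
    ("traversal", 5, re.compile(r"\.\./")),
]


def extract_fields(method, target, headers, body):
    """Split a request into the named fields a WAF inspects."""
    parts = urlsplit(target)
    fields = {"path": parts.path}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):   # parse_qsl decodes once
        fields[f"arg:{k}"] = v
    if method == "POST" and body:
        for k, v in parse_qsl(body, keep_blank_values=True):
            fields[f"body:{k}"] = v
    for h in ("User-Agent", "Referer", "Cookie"):
        if h in headers:
            fields[f"hdr:{h}"] = headers[h]
    return fields


def normalize(value):
    """Decode a second time so a double-encoded payload is matched in its final form."""
    return unquote(value)


def inspect_request(method, target, headers, body):
    """Return (anomaly_score, hits); hits are 'rule@field' strings, sorted."""
    score, hits = 0, []
    for field, raw in extract_fields(method, target, headers, body).items():
        value = normalize(raw)
        for rule_id, weight, pattern in RULES:
            if pattern.search(value):
                score += weight
                hits.append(f"{rule_id}@{field}")
    return score, sorted(hits)


def should_block(score):
    return score >= BLOCK_THRESHOLD


# Constructed sample requests: (method, path+query, headers, body)
SAMPLE_REQUESTS = [
    ("GET", "/search?q=select+a+plan", {}, ""),                                   # benign: 'select' in prose
    ("GET", "/item?id=1%27+OR+1%3D1--", {}, ""),                                  # SQL injection tautology
    ("POST", "/comment", {}, "text=%253Cscript%253Ealert(1)%253C%2Fscript%253E"),  # double-encoded XSS
    ("GET", "/files?name=..%2F..%2Fconfig.yaml", {}, ""),                        # path traversal
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        score, hits = inspect_request(*req)
        verdict = "BLOCK" if should_block(score) else "allow"
        print(f"{verdict:5} score={score} {req[0]} {req[1]} {hits}")
```

The first sample shows why field-aware matching matters: the word "select" in free text does not trip the SQL injection rule, while the tautology in the second sample does. The third sample is only caught because the value is decoded again after the query-string parser has decoded it once; a WAF that matches on raw input misses it.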
The Cloud Services Due Diligence Checklist is a tool created to help you evaluate your current configurations before moving to Azure. You can also use it to confirm that configurations were correctly addressed post-migration.
The checklist includes benchmarks for security, data management, performance, availability, governance objectives, and service requirements. These benchmarks are aligned with the current standard for cloud service agreements (ISO/IEC 19086).
Azure NetApp Files features Azure’s powerful built-in security infrastructure while supporting any workload type. You can select service and performance levels, set up NetApp Snapshot™ copies, and replicate between regions all through the service.
NetApp Cloud Volumes ONTAP can be used with NetApp SnapMirror technology for cross-AZ and cross-region data replication on Azure. Data is available in its native format with no platform lock-in and minimal storage consumption on cloud platforms, thanks to Cloud Volumes ONTAP’s built-in storage-efficiency savings. See how NetApp cloud storage solutions prepare your company for the future of cloud data.