Azure Encryption: Server-side, Client-side, Azure Key Vault

With a rapid rise of malicious cyber security threats such as ransomware, ensuring the security of data stored in the cloud is of paramount importance for any organization.

Azure provides various out-of-the-box security options that can be leveraged by customers to ensure such data security. Encryption of data at rest is one of the most important options available here which can be leveraged to encrypt Azure Virtual Machine data, storage account data, and various other at-rest data sources such as databases in Azure.

There are multiple Azure encryption models. Out of these, server-side encryption leveraging Azure Key Vault is one of the most popular configurations used by many. This blog will introduce you to encryption at rest in Azure by looking at different models and types of encryption available. It will then take a deeper look into server-side encryption and how it works with Azure Key Vault. It will also explore different types of keys used for Azure server-side encryption and their security implications.

Jump down below to read about:

• Data Encryption in Azure: What Is Azure Key Vault and More
• Azure Encryption Models
• Azure SSE with CMK Using Azure Key Vault
• Conclusion: Getting More for Azure Encrypted Storage
• Q&As

Data Encryption in Azure: What Is Azure Key Vault and More

It’s a widespread security requirement for data at rest in a storage environment to be encrypted. Encryption at rest is often mandated by regulatory compliance requirements that many enterprise organizations are legally required to follow. In addition, encryption at rest also provides an additional layer to maintain the defense-in-depth approach to information security.

It is important to understand some of the key components involved in providing the at-rest data encryption available in Azure.

Source: Azure

• Azure Resource Providers: A service that supplies Azure resources and services. Examples include Microsoft.Compute, which supplies virtual machine resources, and Microsoft.Storage, which supplies storage resources such as storage accounts and blob storage.
  These resource providers perform the encryption and decryption of data, typically using a data encryption key, which is generated using the root key encryption key (KEK). Azure encryption at rest options for various services cover its Infrastructure-as-a-Service components (i.e., Azure Virtual Machines, Storage accounts), Platform-as-a-Service components (i.e., Azure SQL databases, Azure Cosmos DB), and Software-as-a-Service components (i.e., such as parts of Office 365).
• Data Encryption Key (DEK): In Azure encryption, symmetric encryption keys—which are referred to as data encryption keys (DEK)—are used to encrypt (and decrypt) data. Azure resource providers, described above, or the application instances needing to encrypt or decrypt data in Azure need access to the DEK in order to do so. This is a system key that is generated automatically using the root KEK and users have no control over the DEK itself directly.
• Key Encryption Key (KEK): KEKs are encryption keys that provide an additional level of security by encrypting the DEK itself. KEKs are also known as root keys.
• Azure Key Vault: For added security, encryption keys themselves need to be stored in a secure location that is separate from the data. It’s recommended by Azure to use Azure Key Vault as your key storage solution in the Azure cloud.
  Azure Key Vault provides the services typically offered by a hardware security module (HSM) in an on-premises environment for encryption. It provides the access controls needed to secure the access to the encryption keys to end users (authenticated via Azure AD accounts) as well as Azure services.

Azure Encryption Models

Azure at rest data encryption supports two main encryption models where customers have the choice of managing the encryption and encryption keys themselves or letting Azure manage it in full.

Let’s take a closer look at these options.

1. Client-side encryption: Data encryption is done using encryption keys managed and stored outside of Azure, such as in the customer’s on-premises environment or another secure location. Azure typically will not have access to the encryption keys and therefore cannot decrypt such data and the customer maintains complete control over the keys. In most cases Azure will only receive an encrypted (and therefore unreadable) blob of data.
2. Server-side encryption (SSE): In this model, Azure supports three different varieties of encryption options:
   • Server-side encryption with service-managed keys: Customers can simply mark the resources that need to be encrypted and Azure will manage the rest (including the encryption key management overhead as well as encryption and decryption). This is a simple solution to enable encryption for Azure services, however, large enterprise organizations may require different teams to be in charge of key management and the Azure service itself.
   • Server-side encryption with customer-managed keys in Azure Key Vault: This model provides customers with the control over the keys. Customers can also bring their own keys or generate new ones within Azure Key Vault.
   • Server-side encryption with customer-managed keys in customer-controlled hardware: In this model, customers bring their own encryption keys which are stored outside of Microsoft control. It should be noted that the number of Azure services that support this model are limited with this option.

Server-side encryption (SSE) with customer-managed keys (CMK) in Azure key vault has become a very popular choice with many enterprise customers, so we will take a closer look at this model below.

Azure SSE with CMK Using Azure Key Vault

Performing server-side encryption with Azure Key Vault arguably provides the most balanced option for many Azure customers who can leverage the Azure key vault to store and maintain encryption keys, while providing the flexibility to bring their own root encryption keys.

Source: Azure

As shown in the screenshot above, customers can either generate or bring their own RSA 2048-bit root KEK onto Azure key vault (AKA: Bring your Own Key) and Resource providers such as the storage will then create and use the DEK using this root KEK. The DEK can be stored closer to the data itself for easier and quicker access to data as required.

Server-side encryption with Azure Key Vault supports automatic key rotation where new root keys will trigger an automatic update of all services, typically within an hour. Customers can also enable additional key management safety measures such as soft delete (holds deleted keys for a certain period) and purge protection (prevents permanent deletion of keys for a specified period) as needed via Key Vault.

Among all the Azure services leveraging encryption, one of the biggest consumers of Azure server-side encryption is the Azure Disk Storage, in order to protect the Azure Virtual Machine data. It automatically encrypts data stored on Azure managed disks by default, using powerful 256-bit AES encryption with FIPS 140-2 compliance.

Here is what a typical managed disk encryption process using Azure server-side encryption using Key Vault looks like.

Source: Azure

Server-side encryption with Azure Key Vault can also be used for various Azure services. These services include:

• AI and machine learning services such as Azure Cognitive Search, Power BI
• Analytics services such as Azure Stream analytics
• Compute services such as Virtual Machines and Azure Kubernetes Service
• Storage services such as Azure Blob storage,
• Database services such as Azure SQL.

See the full list of Azure services compatibility with the three encryption models here.

While utilizing server-side encryption with Azure Key vault provides various advantages as described above, customers must also consider some of the following:

• Customers are fully responsible for key access management which requires appropriate Azure AD configuration
• Customer also owns the responsibility for root key lifecycle management
• Azure Key Vault is not free and has costs associated with it, which you can see here.
• There are additional configurations and limitations when leveraging server-side encryption on Azure with various services. As an example, Azure disk storage specific restrictions can be found here. Refer to specific Azure service documentation for similar considerations applicable to each service.

Conclusion: Getting More for Azure Encrypted Storage

With Azure, encryption with server-side encryption comes in three different models, letting customers choose the one that best meets their security and compliance requirements. Out of those, server-side encryption with customer-managed root keys has become a popular choice thanks to its balanced approach.

NetApp Cloud Volumes ONTAP is an enterprise grade, cloud-native data storage and data management solution that is available on Azure (And all other major cloud platforms). Amongst various enterprise data management features such as high availability, storage efficiency, and multiprotocol file access, Cloud Volumes ONTAP also provides a number of enterprise security and compliance capabilities to safeguard customer data on Azure, including:

• Role-based access control (RBAC)
• Ransomware protection
• Write-Once-Read-Many (WORM) protection
• End-to-end data encryption
• NetApp Aggregate Encryption (NAE) and NetApp Volume Encryption (NVE) both offer data volume encryption that is FIPS 140-2 compliant, when using an external key manager

These capabilities can be easily coupled with the native features of Azure encrypted storage to provide additional security for highly sensitive enterprise data.

Learn more about Enterprise Data Security with Cloud Volumes ONTAP.

Q&As

●    Does Azure encrypt data at rest?

Azure offers two types of encryption for data at rest: client-side and server-side encryption. There are a number of different services that can leverage either of these two models.

●    What encryption does Azure use?

The two major methods of encryption for data at rest in Azure are client-side encryption and server-side encryption. The main difference between these two models is that in server-side encryption the encryption keys are stored and managed by Azure, while client-side encryption involves the user retaining and storing the encryption key information.

●    What is Azure storage service encryption?

The various Azure storage services can leverage the encryption capabilities offered by Azure. Many organizations have legal as well as operational requirements to ensure that their data is secure, and encryption is a keyway to ensure that.