BRK3277 Protect your data using Azure's Encryption capabilities and Key Management Devendra Tiwari Principal Program Manager.

1 BRK3277 Protect your data using Azure's Encryption capabilities and Key Management Devendra Tiwari Principal Program Manager

2 Session Objectives and Takeaways
Session objectives:
Understand Azure data protection principles
Discuss Azure promises
Review Azure encryption and key management models
Discuss the Azure Disk Encryption solution, with a demo
Review the Azure encryption offerings customers can take advantage of today in Azure services to help meet their security and compliance commitments
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Azure Data Protection (from Sarah Fender's 100-level Azure Security deck)
Azure provides customers with strong data protection:
Data isolation: logical isolation that segregates each customer's data from that of others is enabled by default.
At-rest data protection: customers can implement a range of encryption options for virtual machines, storage, SQL, etc.
In-transit data protection: industry-standard protocols encrypt data in transit to and from outside components, as well as data in transit internally, by default.
Encryption: data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring the confidentiality and integrity of data.
Data redundancy: customers have multiple options for replicating data, including the number of copies and the number and location of replication data centers.
Data destruction: strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware apply by default.
(Diagram labels: PaaS, IaaS, SaaS, On Premises)

4 Securing the Platform, Empowering You
Securing the platform: Security; Privacy and Control; Transparency; Compliance
Empowering you: Identity & Access Controls; Encryption and Key Management; Secure Networking; Partner Solutions; Azure Security Center

5 Delivering solutions that empower you to secure your Azure environments
Identity & access: RBAC, strong authentication, monitoring and alerting
Encryption: encryption key management, encryption at rest and in transit
Secure networking: virtual networks, traffic rules, secure connectivity
Partner solutions: antimalware, network appliances, encryption, monitoring, application security, authentication
Unified security management: security policy, monitoring, recommendations, threat detection

6 Azure Encryption at Rest Promises
Control:
Customers can choose if and when data is encrypted
Customers can choose what encryption keys are used and where they are stored
Customers can decide at any time to revoke access to the keys and data
Transparency:
Customers have full visibility into the encryption state of their data
Customers know at any time where their data is stored
Customers can view logs related to the stored data and keys at any time
Contractual commitments:
Data Processing Agreements, EU Model Clauses, HIPAA BAA

7 Encryption Models and Encryption Options
Server encryption (Azure services can see decrypted data; full cloud functionality):
Server-side encryption using service-managed keys: Microsoft manages the keys
Server-side encryption using customer-managed keys in Azure Key Vault: the customer controls the keys via Azure Key Vault
Server-side encryption using on-premises customer-managed keys: the customer controls the keys on-premises
Client encryption (Azure services cannot see decrypted data; reduced cloud functionality):
The customer keeps the keys on-premises
Encryption at rest provides defense in depth against offline attacks, and is required by certain sovereign laws and certifications.

8 Microsoft Azure Key Vault
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services, using HSMs.
You manage your keys and secrets, and you can import your own keys.
Applications (IaaS, PaaS, SaaS) get high-performance access to your keys and secrets on your terms.
Key Vault ≠ the customer's dedicated HSM: Azure Key Vault is a multi-tenant service backed by Microsoft-managed HSMs.

9 Azure Services and Encryption Support
Media Services, Virtual Machines, Power BI, SQL Databases, Data Lake, Resource Providers, Stream Analytics, Storage blobs, HDInsight, Machine Learning Workspaces

10 Why Azure Disk Encryption
Announcement: Azure Disk Encryption for Linux VMs and for VMs with premium storage is generally available in all Azure public regions.
Meet regulatory requirements: to keep data encrypted, and to prove control of the encryption keys.
Enhance control over your VM workload: both the key owner and the VM workload owner must approve.
Ensure a VM does not leave Azure without your consent: an insider in your organization or a malicious adversary may get hold of the VHD, but cannot decrypt it.

11 Azure Disk Encryption
What:
Disk encryption for Windows and Linux IaaS VMs
Key management integrated with the customer's Azure Key Vault, using HSMs
Value proposition:
VMs are secured at rest using industry-standard encryption technology to address organizational security and compliance requirements
VMs boot under customer-controlled keys and policies, and customers can audit key usage in Key Vault
Threats addressed:
Data breach through loss of disks, loss of storage account keys, or offline disk attacks

12 Azure Disk Encryption Scenarios
IaaS VM: the OS (boot) volume and data volumes are encrypted, disks live in Azure storage, and the keys/secrets are safeguarded in the customer's key vault.
Encryption/decryption scenarios:
New VMs from customer-encrypted VHDs
New VMs from the Azure Gallery
Running VMs in Azure
Backup and restore of encrypted VMs
Protection elements:
Access control: customers control access to the keys/secrets in their key vault
Monitoring and logging: customers collect logs in their storage account
Data security and availability: disks are stored encrypted in the customer's storage account and are automatically replicated by Azure storage
Additional details on the scenario workflows are documented here.

13 Azure Disk Encryption Features
Features:
Disk encryption for Windows and Linux IaaS VMs
Disk decryption for Windows and Linux IaaS VMs
Client OS support for encryption/decryption
Mount-point path support for Windows, RAID support for Linux
Key management integrated with the customer's Azure Key Vault, using HSMs
Supported experiences: Azure PowerShell, Azure CLI, Azure Resource Manager
Azure Backup service support for encrypted VMs
OS versions supported:
Windows: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Linux: Ubuntu, CentOS, SUSE, SUSE Linux Enterprise Server and Red Hat Enterprise Linux
Client OS: Windows 8, Windows 10

14 Azure Disk Encryption – Encrypted VHD Workflow
Microsoft Ignite 2015
The customer uploads an encrypted VHD to their Azure storage account.
The customer provisions encryption key material* in their key vault and grants the platform access so it can provision the new encrypted VM.
The customer opts in to enabling disk encryption.
Azure service management updates the VM service model with the encryption and key vault configuration.
The Azure platform provisions the new encrypted VM.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
(Diagram components: Virtual Machine, Azure Storage, Customer Disks, Customer Key Vault, AAD, HOST, AAD token, Encryption Config, Service Management, ARM/PS cmdlets; flows: Provision Encrypted VM, Read VHD, Read Key)

15 Azure Disk Encryption – New VM or Running VM Workflow
The customer opts in to enabling disk encryption.
The customer provides the AAD, key vault and other configuration to the ARM/PS cmdlets so that the encryption key material* is safeguarded in their key vault.
Azure service management updates the VM service model with the encryption and key vault configuration, and the Azure platform pushes the encryption extension to the VM.
The encryption extension initiates encryption on the VM.
The VM is encrypted.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
(Diagram components: Virtual Machine, Azure Storage, Encryption Extension, Customer Key Vault, AAD, HOST, AAD token, Encryption Config, Service Management, ARM/PS cmdlets; flow: Upload Key)

16 Key Management using Key Vault
Secrets such as BitLocker Encryption Keys [BEK] or the Linux passphrase are safeguarded in the customer's Azure key vault.
Secrets can be encrypted by a customer-controlled Key Encryption Key [KEK, RSA 2048] when a KEK is specified.
Azure does not have any default access to the customer's key vault.
Customers grant explicit read access to their key vault to the Azure platform to enable disk encryption.
Customers provide AAD credentials to write the BEK or Linux passphrase secret to their key vault to enable disk encryption.
Example vault contents:
Secrets: Contoso.BEK [encrypted by ContosoKEK] – BitLocker, Windows; ContosoPassPhrase [encrypted by ContosoKEK] – Linux
Keys: ContosoKEK
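To make the key hierarchy on this slide (and the key handling in the two workflow slides above) concrete, here is an added Go example that is not from the deck or from Azure's own code: it models a customer-controlled RSA-2048 KEK wrapping a per-volume BEK with RSA-OAEP, shows that a revoked or wrong KEK cannot recover the BEK, and goes one step beyond the slide by re-wrapping the stored secret under a new KEK. The "ContosoBEK" label and all key material are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// OAEP label binding the wrapped secret to its purpose (constructed name, not an Azure value).
var label = []byte("ContosoBEK")

// NewKEK models the customer-controlled RSA-2048 Key Encryption Key held in Key Vault.
func NewKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewBEK models the per-volume secret: a BitLocker key on Windows, a passphrase on Linux.
func NewBEK() ([]byte, error) {
	bek := make([]byte, 32)
	_, err := rand.Read(bek)
	return bek, err
}

// WrapBEK: when a KEK is specified, the secret written to the vault is the BEK
// encrypted under the KEK public key; the raw BEK never lands in storage.
func WrapBEK(kek *rsa.PublicKey, bek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, bek, label)
}

// UnwrapBEK models VM boot. A nil KEK stands for the customer having revoked the
// platform's access to the key: the vault secret alone can no longer open the volume.
func UnwrapBEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	if kek == nil {
		return nil, errors.New("KEK access revoked: BEK cannot be unwrapped")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, label)
}

// RotateKEK re-wraps the stored secret under a new KEK without re-encrypting the
// volume: only the small wrapped secret changes; the BEK and the disk data do not.
func RotateKEK(oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey, wrapped []byte) ([]byte, error) {
	bek, err := UnwrapBEK(oldKEK, wrapped)
	if err != nil {
		return nil, err
	}
	return WrapBEK(newKEK, bek)
}
```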

17 Azure Disk Encryption Demo

18 SQL Encryption
Always Encrypted: encryption is transparent to client applications, and encrypted data can be queried.
Transparent Data Encryption: encrypts your database, associated backups, and transaction log files at rest.
Product | Encryption class | Key management | Feature name | Today
SQL Server (IaaS) | Client-side | Customer managed | Always Encrypted | GA
SQL Server (IaaS) | Server side | Customer managed | SQL Connector for AKV | GA
Azure SQL DB (PaaS) | Server side | Service managed | TDE for Azure SQL DB | GA
Azure SQL DB (PaaS) | Server side | Customer managed | TDE for Azure SQL DB with AKV | Public preview Q1 2017
For more details attend BRK 3151 [Sept 28th], THR3015R [Sept 29th], BRK3162

19 Storage Encryption
Server-side encryption – the service encrypts data automatically:
Scenario: the customer needs the compliance check box checked, with no need to modify applications
Support for block blobs, append blobs and page blobs
Generally available in September
Storage-account-level setting (ARM accounts only) for enabling encryption
Low cost of operations through Microsoft Azure managed keys
Client-side encryption – encrypt data in your applications:
Scenario: the customer wants to encrypt data within their client applications prior to sending it to Azure
Support for Blob storage, Table storage and Queue storage
.NET and Java are GA
For more details attend Designing Secure Applications Using Azure Storage, Sept 29th 10:45 AM

20 Azure Data Lake Store Encryption
Completely transparent service-side encryption; no client-side changes are required.
Always on: all data in the account is always encrypted with the chosen key management scheme.
Product: ADLS | Encryption class: server side | Key management: service managed, or customer managed in Azure Key Vault | Schedule: private preview
For more details attend the Azure Data Lake Store session by Sachin Seth, Sept 29th 12:30 PM

21 Azure Encryption @Rest: In Summary
Azure provides customers with strong data security, both by default and as customer options.
Virtual Machines: OS/boot drives – Azure Disk Encryption; data drives – Azure Disk Encryption; SQL Server – Transparent Data Encryption and column-level encryption; partners – CloudLink, SafeNet
Storage: client-side encryption using the SDK; server-side encryption using Microsoft-managed keys; StorSimple with AES-256 encryption
Applications: client-side encryption through the .NET Crypto API; RMS service and SDK for file encryption by your applications
Key Management: Azure Key Vault to safeguard customer keys and secrets
Azure Data Lake: ADL encryption using service-managed or customer-managed keys

22 Free IT Pro resources to advance your career in cloud technology
Microsoft Ignite 2016
Plan your career path: Microsoft IT Pro Career Center – cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role
Get started with Azure: Microsoft IT Pro Cloud Essentials – $300 Azure credits and extended trials, Pluralsight 3-month subscription (10 courses), phone support incident
Demos and how-to videos: Microsoft Mechanics – weekly short videos and insights from Microsoft's leaders and engineers
Connect with peers and experts: Microsoft Tech Community – connect with a community of peers and Microsoft experts
