Guide: Protecting Data at Rest in Cloud – Microsoft Azure


Data at rest is the state in which data is stored on a physical disk, logical disk, tape, or any other equivalent persistence mechanism.

Data at Rest in Cloud with Risks and Countermeasures

As discussed earlier in this series, let’s go from security to compliance. As a first step we need to evaluate the risks; then we will discuss the countermeasures available in Microsoft Azure.

The following is the STRIDE threat model and the countermeasures that apply to data protection. For a detailed understanding of the individual risks and countermeasures, please refer to OWASP Threat Modelling – STRIDE.

The key risks and countermeasures are,

  • Spoofing – protecting secret data, i.e. user information, personal information and access secrets.
  • Information Disclosure – securing sensitive information at rest, including Personally Identifiable Information (PII) and any other information classified as sensitive from a business and organisational perspective.
  • Information Disclosure – employing techniques to obfuscate, encrypt or anonymise information in order to limit the scope of information access for shadow IT and for pseudo-authorised systems and personnel (i.e. DBAs, system engineers).
  • Tampering – generate a hash (MD5 checksum or similar) to maintain the integrity of data.
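To make the tampering bullet concrete, here is an added example in Go; it is not code from the original post. It seals a constructed record with a keyed HMAC-SHA256 tag and verifies it, alongside a plain SHA-256 digest for comparison. A plain checksum (MD5 or SHA-256) stored next to the data only catches accidental corruption: a party who can rewrite the data can recompute the checksum as well. A keyed tag whose key is held outside the storage (for example in Azure Key Vault) is what detects deliberate modification. The key and record values below are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredRecord models a data-at-rest entity together with the integrity
// tag computed when it was written. Both fields are constructed for this example.
type StoredRecord struct {
	Body string // the persisted content
	Tag  string // hex-encoded HMAC-SHA256 over Body
}

// Digest returns the unkeyed SHA-256 checksum of body. This detects accidental
// corruption (bit rot, truncated writes) but NOT deliberate tampering, because
// anyone who can rewrite the body can also recompute and rewrite the checksum.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Seal computes a keyed HMAC-SHA256 tag over body. The key must be stored
// separately from the data (for example in a key vault), so that a party
// with write access to the storage alone cannot forge a valid tag.
func Seal(key, body []byte) StoredRecord {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return StoredRecord{Body: string(body), Tag: hex.EncodeToString(mac.Sum(nil))}
}

// Verify recomputes the tag for the stored body and compares it in constant time.
func Verify(key []byte, rec StoredRecord) bool {
	expected, err := hex.DecodeString(rec.Tag)
	if err != nil {
		return false // malformed tag is treated as a failed check
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(rec.Body))
	return hmac.Equal(mac.Sum(nil), expected)
}

func main() {
	key := []byte("constructed-example-key-do-not-use") // placeholder, not a real secret
	rec := Seal(key, []byte(`{"customer":"alice","ssn":"000-00-0000"}`))
	fmt.Println("stored tag:", rec.Tag)
	fmt.Println("intact record verifies:", Verify(key, rec))

	tampered := rec
	tampered.Body = `{"customer":"alice","ssn":"111-11-1111"}`
	fmt.Println("modified record verifies:", Verify(key, tampered))
}
```

Verify uses hmac.Equal rather than a byte-by-byte comparison so that a wrong tag takes the same time to reject regardless of how many leading bytes match.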

Azure Ecosystem and Data at Rest

The Azure bandwagon carries tonnes of platform and infrastructure services, and it is sometimes difficult to keep track of new features and services that could simplify the architecture and provide a better fit for a given use case. I am trying to summarise the various options and their respective advantages and disadvantages.

IaaS – Infrastructure as a Service

If your organisation stores sensitive information, or applications that access such information, on Azure VMs, then the first option to explore would be Azure Disk Encryption. Azure Disk Encryption helps you encrypt your virtual machine disks: it uses BitLocker on Windows and DM-Crypt on Linux for volume encryption.

IaaS-level encryption ensures that all data stored on the Azure virtual machine is encrypted at rest.

PaaS – Platform as a Service

We can categorise Azure PaaS into the following two groups:

Storage

Azure Storage Services are designed to provide durable, highly available, and scalable cloud storage. Blob Storage, Queue Storage and File Storage are the services most frequently subscribed to by Azure customers of all sizes.

Azure Storage Service Encryption (SSE) for data at rest protects and safeguards organisational security and compliance commitments (i.e. PII, PHI). Storage Service Encryption automatically encrypts data before persisting it and decrypts it before retrieval. You can also refer to the Azure Storage Security Guide for best practices.

Azure StorSimple also allows encrypting confidential and sensitive data using a data encryption key. Configuration and management of the key are done through the Azure Portal.

Databases

Microsoft Azure offers many popular database options as PaaS. Let’s discuss some of the popular PaaS options available to an Azure user; it is hard to discuss every PaaS option in detail within this post, but I will try to come up with individual topics for them in future.

  • SQL Database – a scalable, managed relational database service.
  • SQL Data Warehouse – a fully elastic, managed and parallelised relational database.
  • Document DB – a scalable, managed NoSQL document database service.

Azure SQL Database and SQL Data Warehouse support TDE (Transparent Data Encryption), which protects against malicious activity by real-time encryption and decryption of the database. The TDE feature also applies to the associated backups and transaction log files at rest, out of the box. For general information on TDE, see Transparent Data Encryption.

TDE encrypts the entire database using a symmetric key, and a built-in certificate protects the database encryption key. Microsoft Azure rotates these certificates at least every 90 days.

Another option with SQL Database is Always Encrypted. It is a new data encryption technology in Azure SQL that protects sensitive data at rest on the server; additionally, it protects data in transit between server and client. For more information, please refer to the MSDN tutorial. Azure SQL Data Warehouse does not support Always Encrypted.

Document DB does not support TDE (at the moment) or any equivalent out-of-the-box data encryption feature. However, the Document DB team is currently working towards supporting it in future.

Tooling

If you need to manage a number of data sources and data technologies for compliance and data protection, then Azure Information Protection would be a very useful tool in your arsenal. Azure Information Protection provides three important features,

  • Classification and labelling
  • Protection and use rights
  • Tracking and reporting

It helps to protect sensitive data by encrypting it and enforcing the required authentication and authorisation policies for data access. The solution also provides logging and reporting abilities for compliance and other regulatory purposes.

Azure Advisor and Azure Security Center could also be useful tools for compliance and security reasons.

Engineering & Payload Encryption

The payload is the part of transmitted data that is the actual intended message. The payload excludes any headers or metadata sent solely to facilitate payload delivery. (Credit: Wikipedia)

There are many Azure services that do not support encryption at rest. This limitation does not stop you from using or subscribing to them. What many compliance regimes, and risk mitigation in general, require is encryption. By encrypting the payload (the message or data entity content) yourself, you can achieve the same outcome as the methods mentioned above.

Payload encryption would enable you to use Azure Service Bus, Document DB and other popular Azure services that do not support encryption at rest at the moment.
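The following is an added Go example of payload encryption of the kind described here; it is not code from the original post or from any Azure SDK. It also illustrates the key hierarchy the TDE section describes: the payload is encrypted under a per-message data encryption key (DEK), and the DEK is wrapped under a separate key-encryption key (KEK), so the KEK can be rotated by re-wrapping the small DEK without rewriting the stored body. The routing header stays in plaintext so the service can still deliver the message, but it is bound to the body as AES-GCM associated data so the two cannot be recombined by a tampering party. The KEK here is an in-memory byte slice for illustration; in a real deployment it would be held in Azure Key Vault. All message values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the record handed to a service that does not encrypt at rest.
// The service can read the routing header; the payload and the per-message
// data key are ciphertext. (A JSON message would base64-encode the byte fields.)
type Envelope struct {
	MessageID  string // plaintext header the service needs to deliver the message
	WrappedDEK []byte // AES-256-GCM ciphertext of the data key, under the KEK
	Body       []byte // AES-256-GCM ciphertext of the payload, under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with a fresh random nonce, which is prefixed to
// the output. aad is authenticated but not encrypted, so it can carry headers.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, ciphertext or aad changed.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, data[:ns], data[ns:], aad)
}

// EncryptPayload generates a 256-bit DEK for this message, encrypts the payload
// under it with the header as associated data, and wraps the DEK under the KEK.
func EncryptPayload(kek []byte, messageID string, payload []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	body, err := gcmSeal(dek, payload, []byte(messageID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{MessageID: messageID, WrappedDEK: wrapped, Body: body}, nil
}

// DecryptPayload unwraps the DEK with the KEK and then opens the body. Because
// MessageID is associated data, a swapped header makes authentication fail.
func DecryptPayload(kek []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Body, []byte(env.MessageID))
}

// RewrapDEK rotates the KEK: only the wrapped key is re-encrypted and the
// stored body is untouched, which is what makes periodic rotation cheap.
func RewrapDEK(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	dek, err := gcmOpen(oldKEK, env.WrappedDEK, nil)
	if err != nil {
		return Envelope{}, err
	}
	env.WrappedDEK, err = gcmSeal(newKEK, dek, nil)
	return env, err
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in production it comes from Key Vault
	io.ReadFull(rand.Reader, kek)
	env, err := EncryptPayload(kek, "order-1001", []byte(`{"card":"4111-xxxx"}`))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptPayload(kek, env)
	fmt.Printf("id=%s ciphertext=%x...\nrecovered=%s err=%v\n", env.MessageID, env.Body[:8], plain, err)
}
```

Because each message gets its own DEK, compromise of one stored record does not expose the others, and the service holding the envelopes never sees a key it could use. Decryption errors are returned rather than ignored, so a caller can log and alert on an authentication failure instead of processing a modified message.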
