Data security and encryption best practices - Microsoft Azure (original) (raw)

This article describes best practices for data security and encryption.

The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time and this article is updated on a regular basis to reflect those changes.

This article aligns with Microsoft's Zero Trust security model, which treats data as one of the critical pillars requiring protection at all stages. For prescriptive security controls with Azure Policy enforcement, see Microsoft Cloud Security Benchmark v2 - Data Protection.

Protect data

To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:

• At rest: This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk.
• In transit: When data is being transferred between components, locations, or programs, it's in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process.
• In Use: When data is being processed, the specialized AMD & Intel chipset based Confidential compute VMs keep the data encrypted in memory using hardware managed keys.

Choose a key management solution

Protecting your keys is essential to protecting your data in the cloud.

Azure offers several different services to protect your cryptographic keys using HSMs. These offerings provide cloud scalability and availability while giving you complete control over your keys. For more information and guidance on choosing among these key management offerings, see How to choose the right Azure key management solution. Azure Key Vault Premium or Azure Key Vault Managed HSM are recommended for managing your encryption at rest keys.

Manage with secure workstations

Note

The subscription administrator or owner should use a secure access workstation or a privileged access workstation.

Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack. An attacker who compromises the endpoint can use the user's credentials to gain access to the organization's data. Most endpoint attacks take advantage of the fact that users are administrators in their local workstations.

• Use a secure management workstation to protect sensitive accounts, tasks, and data: Use a privileged access workstation to reduce the attack surface in workstations. These secure management workstations can help you mitigate some of these attacks and ensure that your data is safer.
• Ensure endpoint protection: Enforce security policies across all devices that are used to consume data, regardless of the data location (cloud or on-premises).

Protect data at rest

Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.

• Apply encryption at host to help safeguard your data: Use Encryption at host - End-to-end encryption for your VM. Encryption at host is a Virtual Machine option that enhances Azure Disk Storage Server-Side Encryption to ensure that all temp disks and disk caches are encrypted at rest and flow encrypted to the Storage clusters.

Most Azure services, such as Azure Storage and Azure SQL Database, encrypt data at rest by default. You can use Azure Key Vault to maintain control of keys that access and encrypt your data. See Azure resource providers encryption model support to learn more.

• Use encryption to help mitigate risks related to unauthorized data access: Encrypt your services before you write sensitive data to them.
• Understand key rotation behavior: When you rotate a key encryption key (KEK), the service re-wraps the data encryption keys (DEKs) with the new key version. The underlying data itself is not re-encrypted. Both old and new key versions must remain enabled until re-wrapping is complete. For more information, see Configure key auto-rotation in Azure Key Vault.
• Respond to suspected key compromise by rotating first: If you suspect a customer-managed key has been compromised, rotate to a new key and reconfigure dependent services before disabling or deleting the old key. Disabling or deleting a key immediately takes dependent services offline but does not re-encrypt any data encryption keys, meaning they are still at risk of decryption by the compromised key encryption key. For the full incident response procedure, see Backup security considerations.
• Use RSA-OAEP-256 for key wrapping: RSA-OAEP-256 is the recommended wrapping algorithm for customer-managed keys. RSA-OAEP (without the -256 suffix) uses SHA-1 and is considered legacy.

Organizations that don't enforce data encryption are more exposed to data-confidentiality issues. Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.

Protect data in transit

Protecting data in transit should be an essential part of your data protection strategy. Because data is moving back and forth from many locations, we generally recommend that you always use SSL/TLS protocols to exchange data across different locations. In some circumstances, you might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN.

For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use Azure VPN Gateway.

Following are best practices specific to using Azure VPN Gateway, SSL/TLS, and HTTPS.

• Secure access from multiple workstations located on-premises to an Azure virtual network: Use site-to-site VPN.
• Secure access from an individual workstation located on-premises to an Azure virtual network: Use point-to-site VPN.
• Move larger data sets over a dedicated high-speed WAN link: Use ExpressRoute. If you choose to use ExpressRoute, you can also encrypt the data at the application level by using SSL/TLS or other protocols for added protection.
• Interact with Azure Storage through the Azure portal: All transactions occur via HTTPS. You can also use Storage REST API over HTTPS to interact with Azure Storage.

Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.

Protect data in use

Lessen the need for trustRunning workloads on the cloud requires trust. You give this trust to various providers enabling different components of your application.

• App software vendors: Trust software by deploying on-premises, using open-source, or by building in-house application software.
• Hardware vendors: Trust hardware by using on-premises hardware or in-house hardware.
• Infrastructure providers: Trust cloud providers or manage your own on-premises data centers.

Reducing the attack surfaceThe Trusted Computing Base (TCB) refers to all of a system's hardware, firmware, and software components that provide a secure environment. The components inside the TCB are considered "critical." If one component inside the TCB is compromised, the entire system's security may be jeopardized. A lower TCB means higher security. There's less risk of exposure to various vulnerabilities, malware, attacks, and malicious people.

Azure confidential computing can help you:

• Prevent unauthorized access: Run sensitive data in the cloud. Trust that Azure provides the best data protection possible, with little to no change from what gets done today.
• Meet regulatory compliance: Migrate to the cloud and keep full control of data to satisfy government regulations for protecting personal information and secure organizational IP.
• Ensure secure and untrusted collaboration: Tackle industry-wide work-scale problems by combing data across organizations, even competitors, to unlock broad data analytics and deeper insights.
• Isolate processing: Offer a new wave of products that remove liability on private data with blind processing. User data can't even be retrieved by the service provider.

Learn more about Confidential computing.

Secure email, documents, and sensitive data

You want to control and secure email, documents, and sensitive data that you share outside your company. Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.

Classification is identifiable at all times, regardless of where the data is stored or with whom it's shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.

The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Microsoft 365 and Microsoft Entra ID. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location-inside or outside your organization, networks, file servers, and applications.

This information protection solution keeps you in control of your data, even when it's shared with other people. You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.

We recommend that you:

• Deploy Azure Information Protection for your organization.
• Apply labels that reflect your business requirements. For example: Apply a label named "highly confidential" to all documents and emails that contain top-secret data, to classify and protect this data. Then, only authorized users can access this data, with any restrictions that you specify.
• Configure usage logging for Azure RMS so that you can monitor how your organization is using the protection service.

Organizations that are weak on data classification and file protection might be more susceptible to data leakage or data misuse. With proper file protection, you can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, and so on.

Next steps

• See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.
• Review the Microsoft Cloud Security Benchmark v2 - Data Protection controls for comprehensive data security guidance with Azure Policy mappings.
• Learn about the Microsoft Secure Future Initiative (SFI), Microsoft's internal security best practices for protecting data that we also recommend to customers.
• Explore Zero Trust deployment for data for guidance on implementing Zero Trust principles for data protection.