When bringing any new technology into an enterprise, security is of course a paramount concern. Let’s go “under the hood” and examine in detail how to use data encryption in Azure Storage Service

1. Data Encryption - Storage Service
Udaiappa Ramachandran ( Udai )
//linkedin.com/in/udair

2. Who am I?
• Udaiappa Ramachandran ( Udai )
• CTO, Akumina, Inc.,
• Consultant
• Focus on Cloud Computing
• Microsoft Azure, Amazon Web Services and Google
• New Hampshire Cloud User Group (http://www.meetup.com/nashuaug )
• http://cloudycode.wordpress.com
• @nhcloud

3. Agenda
• Storage Service
• Key Vault Service
• Managed Service Identity
• Data Encryption Methods
• AWS S3 Encryption Methods
• Best practices
• Demo
• References
• Q & A

4. Azure Storage Service
• Blobs (REST-based object storage for unstructured data)
• https://<account>.blob.core.windows.net
• Queues (scalable queue)
• https://<account>.queue.core.windows.net
• Tables (Tabular data storage)
• https://<account>.table.core.windows.net
• Files (File shares that use the standard SMB 3.0 protocol)
• https://<account>.file.core.windows.net

5. Key Vault Service
• Safeguard cryptographic keys and other secrets used by cloud apps and services
• Increase security and control over keys and passwords
• Create and import encryption keys in minutes
• Applications have no direct access to keys
• Use FIPS 140-2 Level 2 validated HSMs
• Reduce latency with cloud scale and global redundancy
• Simplify and automate tasks for SSL/TLS certificates

6. Managed Service Identity (MSI)
• Azure Resource Manager receives a message to enable MSI on a VM.
• Azure Resource Manager creates a Service Principal in Azure AD to represent the
identity of the VM. The Service Principal is created in the Azure AD tenant that is
trusted by this subscription.
• Azure Resource Manager configures the Service Principal details in the MSI VM
Extension of the VM. This step includes configuring client ID and certificate used by
the extension to get access tokens from Azure AD.
• Now that the Service Principal identity of the VM is known, it can be granted access
to Azure resources. For example, if your code needs to call Azure Resource Manager,
then you would assign the VM’s Service Principal the appropriate role using Role-
Based Access Control (RBAC) in Azure AD. If your code needs to call Key Vault, then
you would grant your code access to the specific secret or key in Key Vault.
• Your code running on the VM requests a token from a local endpoint that is hosted
by the MSI VM extension: http://localhost:50342/oauth2/token. The resource
parameter specifies the service to which the token is sent. For example, if you want
your code to authenticate to Azure Resource Manager, you would use
resource=https://management.azure.com/.
• The MSI VM Extension uses its configured client ID and certificate to request an
access token from Azure AD. Azure AD returns a JSON Web Token (JWT) access
token.
• Your code sends the access token on a call to a service that supports Azure AD
authentication.
• Azure services that supports MSI
• Virtual Machines (Windows and Linux)
• App Services
• Functions
• Data Factory V2
Source: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

7. Data Encryption
• Custom Encryption
• Write your own encryption using AES256 or other encryption
• Client Side Encryption
• Azure Storage provides Envelop techniques using SDK
• Server Side Encryption
• At Rest encryption

8. Client-Side Encryption
• The object data is encrypted using content encryption key (CEK) generated by storage client library
• The CEK is then wrapped (encrypted) using key encryption key (KEK)
• For tighter security, the encryption key is stored in the Azure Key Vault, ensuring that only
authenticated users/applications can access.
• Encrypted data along with KEK transmitted via https to the azure storage
• For data retrieval, the process is reversed. Encrypted data is retrieved from Azure Storage and
decrypted using the encryption key stored in the Azure Key Vault.

9. Server-Side Encryption
• Encrypted at REST before writing to disk
• Service managed keys
• Customer managed keys in Azure Key Vault
• Customer-managed keys on customer-controlled hardware

10. AWS S3 Encryption
• Server Side Encryption
• S3 Managed Keys
• AWS Key Management Keys (KMS) Managed Keys
• Customer Managed Keys
• Client Side Encryption
• KMS Managed Keys
• Customer Managed Keys
• All keys can be protected using IAM control so that keys are securely accessed
within cloud services.

11. Google Cloud Storage Encryption
• Server Side Encryption
• Cloud Storage default encryption using AES256
• Google Key Management Keys (KMS) Managed Keys
• Customer Managed Keys
• Client Side Encryption
• KMS Managed Keys
• Customer Managed Keys
• All keys can be protected using IAM control so that keys are securely accessed
within cloud services.

12. Best Practices
• It is always possible to encrypt data using both client-side and server-side
• With encryption there is overhead involved which can have impact on
performance
• For MSI enabled testing during development you can set the environment system
variable “AzureServicesAuthConnectionString” with value in the format of
RunAs=App;AppId=<CLIENTID>;TenantId=<TENANTID>;AppKey=<CLIENTSECRET>;

13. Demo
• Download Slide from
• https://www.slideshare.net/UdaiappaRamachandran
• Download Source from
• https://github.com/nhcloud/techtalk

14. Reference
• //blog.akumina.com/2018/04/03/akumina-data-encryption-using-microsoft-azure-
storage-service/
• //docs.microsoft.com/en-us/azure/active-directory/msi-overview#which-azure-
services-support-managed-service-identity
• //docs.microsoft.com/en-us/azure/security/azure-security-encryption-atrest
• //docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis
• //aws.amazon.com/kms
• //docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
• //cloud.google.com/storage/docs/encryption/
• //cloud.google.com/kms/

15. Q & A

16. Thank you for attending
Boston Codecamp (bcc29)