Data Encryption - Azure Storage Service
When bringing any new technology into an enterprise, security is of course a paramount concern. Let's go "under the hood" and examine in detail how to use data encryption with the Azure Storage Service: where the keys live, who can reach them, and what the client and the service each do.


  1. Data Encryption - Storage Service • Udaiappa Ramachandran ( Udai ) //
  2. Who am I? • Udaiappa Ramachandran ( Udai ) • CTO, Akumina, Inc. • Consultant • Focus on cloud computing: Microsoft Azure, Amazon Web Services and Google • New Hampshire Cloud User Group ( ) • @nhcloud
  3. Agenda • Storage Service • Key Vault Service • Managed Service Identity • Data Encryption Methods • AWS S3 Encryption Methods • Best practices • Demo • References • Q & A
  4. Azure Storage Service
     • Blobs (REST-based object storage for unstructured data) • https://<account>
     • Queues (scalable message queue) • https://<account>
     • Tables (tabular, schema-less data storage) • https://<account>
     • Files (file shares that use the standard SMB 3.0 protocol) • https://<account>
  5. Key Vault Service
     • Safeguard cryptographic keys and other secrets used by cloud apps and services
     • Increase security and control over keys and passwords
     • Create and import encryption keys in minutes
     • Applications have no direct access to key material: they ask the vault to perform operations such as wrap, unwrap, sign and decrypt, and the key never leaves the service
     • Use FIPS 140-2 Level 2 validated HSMs
     • Reduce latency with cloud scale and global redundancy
     • Simplify and automate tasks for SSL/TLS certificates
  6. Managed Service Identity (MSI)
     • Azure Resource Manager receives a request to enable MSI on a VM.
     • Azure Resource Manager creates a service principal in Azure AD to represent the identity of the VM. The service principal is created in the Azure AD tenant trusted by the subscription.
     • Azure Resource Manager configures the service principal details in the MSI VM extension of the VM, including the client ID and the certificate the extension uses to obtain access tokens from Azure AD.
     • Now that the VM's service principal is known, it can be granted access to Azure resources. If your code needs to call Azure Resource Manager, assign the VM's service principal the appropriate role using role-based access control (RBAC) in Azure AD. If your code needs to call Key Vault, grant the identity access to only the specific secret or key in Key Vault that it needs.
     • Your code running on the VM requests a token from a local endpoint hosted by the MSI VM extension: http://localhost:50342/oauth2/token. The resource parameter names the service the token will be sent to; for example, to authenticate to Azure Resource Manager you would use resource=
     • The MSI VM extension uses its configured client ID and certificate to request an access token from Azure AD. Azure AD returns a JSON Web Token (JWT) access token. The certificate stays with the extension; your code only ever sees the short-lived token.
     • Your code sends the access token on a call to a service that supports Azure AD authentication.
     • Azure services that support MSI: Virtual Machines (Windows and Linux), App Services, Functions, Data Factory V2
     Source:
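The token exchange in steps 5 to 7 above, as an added example that is not from the deck or its demo source. It is written in Go against the standard library only: a constructed fake of the MSI extension endpoint (so the exchange runs offline) enforces the same "Metadata: true" header rule as the real endpoint, the client posts the resource it wants a token for, checks that the token it gets back is for that audience, and then attaches it as a bearer token to a Key Vault call. The endpoint path, the sample token string and the Key Vault URL are assumptions; a real token is a signed JWT issued by Azure AD.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenResponse is the JSON body the MSI token endpoint returns.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
	Resource    string `json:"resource"`
	TokenType   string `json:"token_type"`
}

// requestMSIToken posts resource=<audience> to the local endpoint
// (http://localhost:50342/oauth2/token on a real VM). The "Metadata: true"
// header is mandatory; a browser cannot be made to send it, which blocks
// request-forgery attempts at the token endpoint.
func requestMSIToken(client *http.Client, endpoint, resource string) (*tokenResponse, error) {
	form := url.Values{"resource": {resource}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, err
	}
	// Refuse a token minted for a different audience than the one requested.
	if tr.AccessToken == "" || !strings.EqualFold(tr.TokenType, "Bearer") || tr.Resource != resource {
		return nil, errors.New("unexpected token response")
	}
	return &tr, nil
}

// bearerRequest builds the downstream call (Key Vault, ARM, ...) carrying the
// token. Only HTTPS targets are accepted so the bearer token never goes in clear.
func bearerRequest(method, target, token string) (*http.Request, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("refusing to send bearer token over %s", u.Scheme)
	}
	req, err := http.NewRequest(method, target, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	return req, nil
}

// fakeMSIEndpoint is a constructed stand-in for the MSI VM extension so the
// exchange can be exercised offline; it applies the same Metadata-header rule.
func fakeMSIEndpoint() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" {
			http.Error(w, `{"error":"invalid_request","error_description":"Required metadata header not specified"}`, http.StatusBadRequest)
			return
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil || r.FormValue("resource") == "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(tokenResponse{ // constructed sample token, not a real JWT
			AccessToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample",
			ExpiresOn:   "1541000000",
			Resource:    r.FormValue("resource"),
			TokenType:   "Bearer",
		})
	}))
}

func main() {
	srv := fakeMSIEndpoint()
	defer srv.Close()
	tok, err := requestMSIToken(srv.Client(), srv.URL+"/oauth2/token", "https://vault.azure.net")
	if err != nil {
		log.Fatal(err)
	}
	req, err := bearerRequest(http.MethodGet, "https://contoso.vault.azure.net/secrets/db-password?api-version=7.0", tok.AccessToken)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(req.Method, req.URL, req.Header.Get("Authorization")[:20]+"...")
}
```

On a real VM, replace the fake server's URL with the local extension endpoint; nothing else in the client changes. The audience check matters because a token for Azure Resource Manager is not accepted by Key Vault, and a component that blindly forwards whatever token it received is a common bug.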
  7. Data Encryption
     • Custom encryption • Write your own encryption using AES-256 or another algorithm; you own key generation, key storage and rotation
     • Client-side encryption • Azure Storage provides envelope encryption through the SDK: data is encrypted before it leaves the client
     • Server-side encryption • Encryption at rest, performed by the storage service after the data arrives
  8. Client-Side Encryption
     • The object data is encrypted with a content encryption key (CEK) generated per object by the storage client library
     • The CEK is then wrapped (encrypted) with a key encryption key (KEK)
     • For tighter security the KEK is held in Azure Key Vault, so that only authenticated and authorized users or applications can wrap and unwrap CEKs; the KEK itself never leaves the vault
     • The encrypted data, together with the wrapped CEK and the KEK identifier, is transmitted over HTTPS to Azure Storage; the KEK is never sent to or stored in the storage service
     • For data retrieval the process is reversed: the client reads the encrypted data and its metadata from Azure Storage, asks Key Vault to unwrap the CEK with the KEK, and decrypts the data locally
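The envelope scheme above, as an added example that is neither the storage client library's code nor the deck's demo. It is Go using only the standard library: a per-object 256-bit CEK encrypts the data with AES-256-GCM, an RSA-OAEP key pair stands in for a Key Vault KEK (its private half never leaves the resolver, as the vault's key never leaves the vault), and the metadata stored beside the ciphertext carries only the wrapped CEK and the KEK identifier. The metadata is also bound to the ciphertext as associated data, so swapping it for another object's metadata fails authentication. The Key Vault URL, the metadata field names and the agent string are assumptions; the real client library's v1 format uses AES-CBC rather than GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"io"
	"log"
)

// EncryptionData travels with the ciphertext (as blob metadata in Azure Storage).
// It carries the wrapped CEK and the KEK identifier, never the KEK itself.
type EncryptionData struct {
	Agent             string `json:"EncryptionAgent"`
	KeyID             string `json:"KeyId"`             // Key Vault key identifier (assumed)
	WrapAlgorithm     string `json:"WrapAlgorithm"`
	WrappedContentKey []byte `json:"WrappedContentKey"` // CEK encrypted under the KEK
	Nonce             []byte `json:"Nonce"`             // per-object AES-GCM nonce
}

// keyResolver stands in for Key Vault's wrapKey/unwrapKey: the private key is
// only ever used inside it, as a vault-held KEK is only used inside the vault.
type keyResolver struct {
	keyID string
	kek   *rsa.PrivateKey
}

func newKeyResolver(keyID string) (*keyResolver, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &keyResolver{keyID: keyID, kek: kek}, nil
}

func (r *keyResolver) wrap(cek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.kek.PublicKey, cek, nil)
}

func (r *keyResolver) unwrap(keyID string, wrapped []byte) ([]byte, error) {
	if keyID != r.keyID {
		return nil, fmt.Errorf("unknown KEK %q", keyID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.kek, wrapped, nil)
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad serialises the metadata so it is authenticated together with the data.
func aad(meta *EncryptionData) []byte {
	b, _ := json.Marshal(meta) // marshalling this plain struct cannot fail
	return b
}

// Encrypt: fresh 256-bit CEK per object, AES-256-GCM over the data, CEK wrapped
// under the KEK. The KEK is never part of the returned ciphertext or metadata.
func Encrypt(r *keyResolver, plaintext []byte) ([]byte, *EncryptionData, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	wrapped, err := r.wrap(cek)
	if err != nil {
		return nil, nil, err
	}
	meta := &EncryptionData{Agent: "example-envelope/1.0", KeyID: r.keyID,
		WrapAlgorithm: "RSA-OAEP-256", WrappedContentKey: wrapped, Nonce: nonce}
	return gcm.Seal(nil, nonce, plaintext, aad(meta)), meta, nil
}

// Decrypt reverses the process: unwrap the CEK with the KEK named in the
// metadata, then authenticate and decrypt. Any change to ciphertext or
// metadata makes gcm.Open fail instead of returning garbage.
func Decrypt(r *keyResolver, ciphertext []byte, meta *EncryptionData) ([]byte, error) {
	cek, err := r.unwrap(meta.KeyID, meta.WrappedContentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, meta.Nonce, ciphertext, aad(meta))
}

func main() {
	kv, err := newKeyResolver("https://contoso.vault.azure.net/keys/storage-kek/1")
	if err != nil {
		log.Fatal(err)
	}
	ct, meta, err := Encrypt(kv, []byte("constructed sample payload")) // constructed input
	if err != nil {
		log.Fatal(err)
	}
	pt, err := Decrypt(kv, ct, meta)
	fmt.Printf("%s (err=%v, wrapped CEK %d bytes)\n", pt, err, len(meta.WrappedContentKey))
}
```

Two properties worth checking in any client-side scheme are visible here: the same plaintext uploaded twice produces different ciphertext and different metadata (fresh CEK and nonce each time), and rotating the KEK means re-wrapping the small CEKs, not re-encrypting every object.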
  9. Server-Side Encryption
     • Data is encrypted at rest with 256-bit AES before it is written to disk and decrypted transparently on read, so clients and access policies are unchanged
     • Service-managed keys (Microsoft holds and rotates the keys)
     • Customer-managed keys in Azure Key Vault (you control the key and can revoke the service's access to it)
     • Customer-managed keys on customer-controlled hardware (the general Azure encryption-at-rest model; confirm which of these options Storage supports in your region before depending on it)
  10. AWS S3 Encryption
     • Server-side encryption • S3-managed keys (SSE-S3) • AWS Key Management Service (KMS) managed keys (SSE-KMS) • Customer-provided keys (SSE-C), supplied on every request and not stored by S3
     • Client-side encryption • KMS-managed master key • Customer-managed master key held by the client
     • KMS keys are protected by IAM and key policies, so they can only be used by the principals you allow from within the cloud services
  11. Google Cloud Storage Encryption
     • Server-side encryption • Cloud Storage default encryption with AES-256 under Google-managed keys • Customer-managed encryption keys (CMEK) held in Cloud Key Management Service (KMS) • Customer-supplied encryption keys (CSEK)
     • Client-side encryption • KMS-managed keys • Customer-managed keys
     • Cloud KMS keys are protected by IAM, so they can only be used by the principals you allow from within the cloud services
  12. Best Practices
     • Client-side and server-side encryption are independent: data encrypted on the client is still encrypted again at rest by the service, so both can be used together
     • Encryption adds CPU and latency overhead (client-side also adds key wrap/unwrap round trips to Key Vault); measure it on a representative workload
     • For MSI-enabled code that must run during local development, set the environment variable AzureServicesAuthConnectionString to a value of the form RunAs=App;AppId=<CLIENTID>;TenantId=<TENANTID>;AppKey=<CLIENTSECRET>; and the AppAuthentication library authenticates as that service principal instead. The value contains a live client secret: keep it out of source control and off production machines, where the variable should be absent so the library uses MSI
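A parser for that connection-string format, added here as an example rather than taken from the AppAuthentication library or the deck's demo. It accepts the Key=Value; form shown on the slide, tolerates the trailing semicolon, rejects malformed or duplicated segments, requires AppId and TenantId whenever an AppKey is present, treats a value without AppKey as "use the managed identity", and produces a redacted rendering that is safe to log. The validation rules and the Redacted helper are this example's own choices; the GUIDs and secret in the sample input are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthConnection is the parsed form of AzureServicesAuthConnectionString.
type AuthConnection struct {
	RunAs    string
	AppID    string
	TenantID string
	AppKey   string // client secret: a live credential, never log or commit it
}

// ParseAuthConnectionString parses "Key=Value;Key=Value;". Only RunAs=App is
// handled here: with AppKey it is a service-principal secret for local
// development, without AppKey it defers to the managed identity (AppId alone
// selects a user-assigned one). Other RunAs modes are out of scope.
func ParseAuthConnectionString(s string) (*AuthConnection, error) {
	kv := map[string]string{}
	for _, seg := range strings.Split(s, ";") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue // tolerate the trailing ';'
		}
		parts := strings.SplitN(seg, "=", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" {
			return nil, fmt.Errorf("malformed segment %q", seg)
		}
		k := strings.ToLower(strings.TrimSpace(parts[0]))
		if _, dup := kv[k]; dup {
			return nil, fmt.Errorf("duplicate key %q", k)
		}
		switch k {
		case "runas", "appid", "tenantid", "appkey":
		default:
			return nil, fmt.Errorf("unexpected key %q", k)
		}
		kv[k] = strings.TrimSpace(parts[1])
	}
	c := &AuthConnection{RunAs: kv["runas"], AppID: kv["appid"], TenantID: kv["tenantid"], AppKey: kv["appkey"]}
	if !strings.EqualFold(c.RunAs, "App") {
		return nil, fmt.Errorf("unsupported RunAs %q", c.RunAs)
	}
	if c.AppKey != "" && (c.AppID == "" || c.TenantID == "") {
		return nil, fmt.Errorf("AppKey requires AppId and TenantId")
	}
	return c, nil
}

// UsesManagedIdentity reports whether the string defers to MSI (no secret present).
func (c *AuthConnection) UsesManagedIdentity() bool { return c.AppKey == "" }

// Redacted renders the connection string with the client secret masked.
func (c *AuthConnection) Redacted() string {
	var b strings.Builder
	b.WriteString("RunAs=App")
	if c.AppID != "" {
		fmt.Fprintf(&b, ";AppId=%s", c.AppID)
	}
	if c.TenantID != "" {
		fmt.Fprintf(&b, ";TenantId=%s", c.TenantID)
	}
	if c.AppKey != "" {
		b.WriteString(";AppKey=***")
	}
	return b.String()
}

func main() {
	// Constructed sample value, as it would appear in a developer's environment.
	const sample = "RunAs=App;AppId=11111111-2222-3333-4444-555555555555;TenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee;AppKey=constructed-secret;"
	c, err := ParseAuthConnectionString(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(c.Redacted(), "managed identity:", c.UsesManagedIdentity())
}
```

A startup check that logs Redacted() and refuses to run in production when UsesManagedIdentity() is false is a cheap way to catch a development secret that leaked into a deployed environment.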
  13. Demo • Download Slide from • • Download Source from •
  14. Reference • // storage-service/ • // services-support-managed-service-identity • // • // • // • // • // • //
  15. Q & A
  16. Thank you for attending Boston Codecamp (bcc29)