BASLE BERN BRUGG DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. GENEVA
HAMBURG COPENHAGEN LAUSANNE MUNICH STUTTGART VIENNA ZURICH
Data Encryption in Azure
from Microsoft managed via "Bring your own Keys" to multi-cloud
Florian van Keulen
Principal Consultant Cloud & Security
@Trivadis
Agenda
Techevent sep. 2018 - Data Encryption in Azure2 14.09.18
1. Data Encryption in the Cloud
2. Key Management – Azure Key Vault
3. Key Management Options
4. Scenarios
Data Encryption in the Cloud
The Importance of Data Encryption in Cloud
Compliance
Security
Data Access
The Challenge of Data Encryption in the Cloud
Key Management
Key Management in Azure
Azure Key Vault
Key Management - Azure Key Vault makes it easy to
create and control the encryption keys used to
encrypt your data.
Secrets Management - Azure Key Vault can be used
to securely store and tightly control access to tokens,
passwords, certificates, API keys, and other secrets.
Certificate Management - Azure Key Vault is also a
service that lets you easily provision, manage, and
deploy public and private SSL/TLS certificates.
Service Overview
provide encrypted containers (Vaults)
manage Keys & Secrets
manage fine-grained access control (RBAC principle) based on Azure AD
logging and monitoring
Import or generate keys in HSMs certified to FIPS 140-2 level 2 standards
SKU / Service Types
Standard
The Standard SKU uses software keys only; key operations are handled on underlying
Azure VMs. They are cheap but less secure and are typically used for dev/test
scenarios.
Premium
The Premium SKU additionally offers HSM keys: all key operations are performed
directly on the HSM and the keys never leave the HSM boundary, which makes them
more secure.
Regional Boundaries
Accessible only within the same Azure geo region
Backup / Restore only within the same geo region
Reason: dedicated pool of Thales HSMs per region
Supported Keys
Asymmetric encryption keys
(RSA-2048 with RSA-OAEP and RSA-PKCS#1v1.5)
Secrets
(octet sequences with a maximum size of 25 KB each)
X509 Certificates
(such as SSL/TLS, client certificate, code signing certificate, etc.)
Key Operations
Create, Import
(but no Export!)
Get, List, Update, Delete
Backup, Restore
Sign, Verify
Wrap & Unwrap, Encrypt & Decrypt
Soft Delete
It provides support for:
recoverable deletion of a key vault
recoverable deletion of key vault objects (e.g. keys, secrets, certificates)
to prevent accidental loss of encryption keys
retention time is 90 days
Key Management Options
with Azure Key Vault
Option 1: Microsoft Managed
Built-in encryption of Azure services uses an internal Key Vault
Storage Service Encryption & Disk Encryption use the internal Key Vault
Customers cannot manage the internal Key Vault or the keys inside it.
Full control resides with Microsoft
Option 2: Customer Managed
Customer deploys the Azure Key Vault service in their own subscription
Customer has full control over the Key Vault instance
Customer can manage the keys (create | use | delete) in Key Vault
Option 3: Bring-Your-Own-Key (BYOK) - HSM-to-HSM
Peer an on-premises Thales nShield HSM with
an Azure Key Vault Premium (HSM)
Keys generated on premises
(using the Thales nShield HSM)
are securely transferred to Azure Key Vault
using a KEK (Key Exchange Key)
Architecture (Option 3: BYOK HSM-to-HSM)
Key Management on a Global / Multi-Cloud Scale
Scenarios
Storage Service Encryption
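The customer-managed option (Option 2), soft delete, and the Storage Service Encryption scenario, as an added example that is not part of the deck: a shell runbook that emits the Azure CLI commands for a Premium vault with soft delete and purge protection, an HSM-protected RSA-2048 key, a wrap/unwrap-only access policy for the storage account's managed identity, and SSE pinned to a key version. It prints the commands by default (so it can be reviewed and run offline) and only executes them when AZ_APPLY=1 is set; resource group, vault, storage account and key names in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the slides). Emits the Azure CLI steps for a
# customer-managed key vault with Storage Service Encryption (Option 2).
# Dry-run by default: the commands are printed, not executed.
set -eu

# cmk_runbook RG VAULT LOCATION STORAGE_ACCOUNT KEY_NAME
# Each line is one az command; $(...) parts are left for the applying shell.
cmk_runbook() {
    rg=$1; kv=$2; loc=$3; sa=$4; key=$5
    cat <<EOF
az keyvault create --name "$kv" --resource-group "$rg" --location "$loc" --sku premium --enable-soft-delete true --enable-purge-protection true
az keyvault key create --vault-name "$kv" --name "$key" --kty RSA --size 2048 --protection hsm
az storage account update --name "$sa" --resource-group "$rg" --assign-identity
principal=\$(az storage account show --name "$sa" --resource-group "$rg" --query identity.principalId -o tsv)
az keyvault set-policy --name "$kv" --object-id "\$principal" --key-permissions get wrapKey unwrapKey
version=\$(az keyvault key show --vault-name "$kv" --name "$key" --query key.kid -o tsv | awk -F/ '{print \$NF}')
az storage account update --name "$sa" --resource-group "$rg" --encryption-key-source Microsoft.Keyvault --encryption-key-vault "https://$kv.vault.azure.net/" --encryption-key-name "$key" --encryption-key-version "\$version"
EOF
}

# byok_import_cmd VAULT KEY_NAME BYOK_FILE
# Option 3 variant: import a .byok blob produced by the on-premises HSM
# instead of creating the key in Azure (the key stays HSM-protected).
byok_import_cmd() {
    printf 'az keyvault key import --vault-name "%s" --name "%s" --byok-file "%s" --protection hsm\n' "$1" "$2" "$3"
}

# recover_key_cmd VAULT KEY_NAME
# Soft delete: undo an accidental key deletion within the retention window.
recover_key_cmd() {
    printf 'az keyvault key recover --vault-name "%s" --name "%s"\n' "$1" "$2"
}

# Apply only when explicitly requested, e.g.
#   AZ_APPLY=1 sh cmk.sh my-rg my-kv westeurope mystorage sse-key
if [ "${AZ_APPLY:-0}" = 1 ]; then
    cmk_runbook "$@" | sh -e
fi
```

Review the printed commands before applying them: the policy grants the storage identity only get/wrapKey/unwrapKey, which is all SSE needs, and pinning the key version means a later rotation is an explicit second `az storage account update` rather than a silent change.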
Key Rotation
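The Wrap & Unwrap operations from the Key Operations slide and the Key Rotation scenario, as an added shell example that is not part of the deck: it uses OpenSSL locally in place of Key Vault, with an RSA-2048 key as KEK and RSA-OAEP as listed under Supported Keys. A random data encryption key (DEK) encrypts the data and is stored only in wrapped form; rotating the KEK re-wraps the DEK and leaves the ciphertext untouched. The sample record, the kek-v1/kek-v2 names and the file layout are constructed; AES-256-CBC with an HMAC-SHA256 tag stands in for the authenticated cipher an Azure service would use.

```shell
#!/bin/sh
# Added example (not from the slides): envelope encryption with OpenSSL.
#   KEK = RSA-2048 key that only ever does Wrap/Unwrap (RSA-OAEP, SHA-256)
#   DEK = random 64-byte data key: 32 bytes AES-256-CBC key, 32 bytes HMAC key
# Only the wrapped DEK persists beside the ciphertext.
set -eu

hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# kek_create DIR NAME: generate an RSA-2048 KEK pair (models "Create" in the vault).
kek_create() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.pem" 2>/dev/null
    openssl pkey -in "$1/$2.pem" -pubout -out "$1/$2.pub"
}

# kek_wrap DIR NAME IN OUT: RSA-OAEP wrap; needs the public half only.
kek_wrap() {
    openssl pkeyutl -encrypt -pubin -inkey "$1/$2.pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$3" -out "$4"
}

# kek_unwrap DIR NAME IN OUT: the only step that touches the private half.
kek_unwrap() {
    openssl pkeyutl -decrypt -inkey "$1/$2.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$3" -out "$4"
}

# data_encrypt DIR KEKNAME PLAINTEXT: writes data.iv, data.enc, data.mac, dek.wrapped
data_encrypt() {
    dir=$1; kek=$2; src=$3
    openssl rand 64 > "$dir/dek.bin"                 # fresh DEK for this object
    dek=$(hex "$dir/dek.bin")
    enc_key=$(printf '%s' "$dek" | cut -c1-64)
    mac_key=$(printf '%s' "$dek" | cut -c65-128)
    openssl rand 16 > "$dir/data.iv"
    openssl enc -aes-256-cbc -K "$enc_key" -iv "$(hex "$dir/data.iv")" \
        -in "$src" -out "$dir/data.enc"
    # encrypt-then-MAC over IV || ciphertext (openssl enc has no AEAD mode)
    cat "$dir/data.iv" "$dir/data.enc" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$mac_key" | awk '{print $NF}' > "$dir/data.mac"
    kek_wrap "$dir" "$kek" "$dir/dek.bin" "$dir/dek.wrapped"
    rm -f "$dir/dek.bin"                             # plaintext DEK never persists
}

# data_decrypt DIR KEKNAME OUT: unwrap the DEK, verify the MAC, then decrypt.
data_decrypt() {
    dir=$1; kek=$2; out=$3
    kek_unwrap "$dir" "$kek" "$dir/dek.wrapped" "$dir/dek.tmp"
    dek=$(hex "$dir/dek.tmp"); rm -f "$dir/dek.tmp"
    enc_key=$(printf '%s' "$dek" | cut -c1-64)
    mac_key=$(printf '%s' "$dek" | cut -c65-128)
    expect=$(cat "$dir/data.iv" "$dir/data.enc" | openssl dgst -sha256 -mac HMAC \
        -macopt "hexkey:$mac_key" | awk '{print $NF}')
    [ "$expect" = "$(cat "$dir/data.mac")" ] || { echo "MAC mismatch" >&2; return 1; }
    openssl enc -d -aes-256-cbc -K "$enc_key" -iv "$(hex "$dir/data.iv")" \
        -in "$dir/data.enc" -out "$out"
}

# kek_rotate DIR OLD NEW: create NEW and re-wrap the DEK; data.enc is untouched.
kek_rotate() {
    dir=$1; old=$2; new=$3
    kek_create "$dir" "$new"
    kek_unwrap "$dir" "$old" "$dir/dek.wrapped" "$dir/dek.tmp"
    kek_wrap "$dir" "$new" "$dir/dek.tmp" "$dir/dek.wrapped"
    rm -f "$dir/dek.tmp"
}

# envelope_demo: end-to-end run on a constructed record; prints "ok" when
# the round trip, the rotation and the tamper check all behave as expected.
envelope_demo() {
    d=$(mktemp -d)
    printf 'customer record 42 (constructed sample)\n' > "$d/plain.txt"
    kek_create "$d" kek-v1
    data_encrypt "$d" kek-v1 "$d/plain.txt"
    before=$(openssl dgst -sha256 "$d/data.enc")
    kek_rotate "$d" kek-v1 kek-v2
    rm -f "$d/kek-v1.pem"                            # old KEK retired
    after=$(openssl dgst -sha256 "$d/data.enc")
    data_decrypt "$d" kek-v2 "$d/out.txt"
    [ "$(cat "$d/plain.txt")" = "$(cat "$d/out.txt")" ] || { echo "roundtrip failed"; return 1; }
    [ "$before" = "$after" ] || { echo "rotation touched the data"; return 1; }
    printf 'x' >> "$d/data.enc"                      # tampered ciphertext must be rejected
    if data_decrypt "$d" kek-v2 "$d/out2.txt" 2>/dev/null; then
        echo "tamper not detected"; return 1
    fi
    rm -rf "$d"
    echo ok
}

if [ "${ENVELOPE_DEMO:-0}" = 1 ]; then envelope_demo; fi
```

Run with `ENVELOPE_DEMO=1 sh envelope.sh`. The point of the layout is that rotation costs one unwrap and one wrap per object instead of re-encrypting the data, and that the private half of the KEK is needed only for unwrap, which is exactly the operation a vault keeps inside the HSM.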
Key Vault for SQL Server Encryption
Thank You
Florian van Keulen
Principal Consultant Cloud & Security
Florian.vanKeulen@trivadis.com
Session Feedback – now
Please use the Trivadis Events mobile app to give feedback on each session
Use "My schedule" if you have registered for a session
Otherwise use "Agenda" and the search function
If the mobile app does not work (or if you have a Windows smartphone), use your
smartphone browser
– URL: http://trivadis.quickmobileplatform.eu/
– User name: <your_loginname> (such as "svv")
– Password: sent by e-mail...