Understanding Data Encryption
It is the right time to discuss encryption of data and information in Azure as part of security. When data is encrypted, it becomes the strongest line of defense in the layered security approach that we discussed earlier. I don't think encryption itself needs to be explained to you, but a little discussion of the types of encryption is definitely needed.
They are –
1. Symmetric Encryption – This type of encryption uses one single key to both encrypt and decrypt the data. One simple example is the password you use to verify yourself and to access and retrieve data from the stores.
2. Asymmetric Encryption – In this type of encryption, we have a pair of keys, one public and one private, which are used to encrypt and decrypt the data. Either key can encrypt the data, but the paired key is needed to decrypt it. This kind of encryption is used for Transport Layer Security (TLS), which is what HTTPS relies on.
There are two very important aspects, or rather two approaches, to be kept in mind for encryption. These are –
1. Encryption at Rest – This is for data that is at rest and has been stored. It can be on a server, in a database or even in storage accounts. Regardless of the storage medium, encryption at rest means that the stored data is kept in an encrypted, non-readable format and requires keys to decrypt it.
2. Encryption in Transit – The word transit tells the whole story. This is for data that is travelling between a source and a destination, i.e., between two or more locations, and is not at rest. It can be achieved in a number of ways. One way is to encrypt the data at the application layer before sending it over the network; HTTPS is a classic example. Another way is to use a VPN connection, where the communication happens over a secure encrypted channel. The data is encrypted before it travels and decrypted when it reaches the destination.
3. Encryption on Azure – Here Azure enables the encryption of data across its different services.
- Azure Storage Service Encryption is used for encrypting data stored in managed disks, blobs, queues, files, etc., so it is considered the low-level protection. Then we have Virtual Machine hard disk encryption, where the VHDs themselves are encrypted; this is known as Azure Disk Encryption. It helps in cases where a malicious user gains access to the subscription and wishes to steal your complete VM along with its data.
- Next is database encryption, where we have Transparent Data Encryption, abbreviated as TDE, which performs real-time encryption and decryption of databases, their associated backups and also the transaction logs. By default, TDE is enabled for all newly deployed Azure SQL Database instances.
- Finally we have Azure Key Vault, which is a centralized cloud service for storing the secrets and keys used by your applications. It provides secure access, permission control, and access logging capabilities. It can be used for certificate management, key management and secrets management, and can also store secrets backed by hardware security modules. So the bottom line is that it provides huge benefits: centralized management, easy integration with Azure services, and simplified administration.
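As an added example (not part of the original article), the Az PowerShell script below audits the three encryption-at-rest controls just described for one resource group: Storage Service Encryption and its key source, Azure Disk Encryption status per VM, and TDE state on a SQL database. The resource group, server and database names are placeholders; it assumes the Az module is installed and a session has been opened with Connect-AzAccount.

```powershell
# Added example, not the article's own code: audit encryption at rest
# for the storage accounts, VMs and one SQL database in a resource group.
# Requires the Az module and an authenticated session (Connect-AzAccount).
param(
    [string]$ResourceGroup = 'rg-example',      # placeholder
    [string]$SqlServer     = 'sqlsrv-example',  # placeholder (server name, not FQDN)
    [string]$SqlDatabase   = 'db-example'       # placeholder
)

$findings = @()

# 1. Storage Service Encryption: always on for blobs/files, but check whether
#    the key is platform-managed (Microsoft.Storage) or customer-managed (Microsoft.Keyvault).
foreach ($sa in Get-AzStorageAccount -ResourceGroupName $ResourceGroup) {
    $enc = $sa.Encryption
    $findings += [pscustomobject]@{
        Resource = "Storage/$($sa.StorageAccountName)"
        Control  = 'Storage Service Encryption'
        Status   = "Blob=$($enc.Services.Blob.Enabled) File=$($enc.Services.File.Enabled) KeySource=$($enc.KeySource)"
    }
}

# 2. Azure Disk Encryption: OS and data volumes of each VM in the group.
foreach ($vm in Get-AzVM -ResourceGroupName $ResourceGroup) {
    $st = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $vm.Name
    $findings += [pscustomobject]@{
        Resource = "VM/$($vm.Name)"
        Control  = 'Azure Disk Encryption'
        Status   = "OS=$($st.OsVolumeEncrypted) Data=$($st.DataVolumesEncrypted)"
    }
}

# 3. Transparent Data Encryption on the chosen SQL database.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroup `
         -ServerName $SqlServer -DatabaseName $SqlDatabase
$findings += [pscustomobject]@{
    Resource = "SQL/$SqlServer/$SqlDatabase"
    Control  = 'Transparent Data Encryption'
    Status   = "State=$($tde.State)"
}

$findings | Format-Table -AutoSize

# Surface anything not encrypted and return a non-zero exit code,
# so the audit can fail a pipeline step instead of being silently ignored.
$gaps = $findings | Where-Object { $_.Status -match 'NotEncrypted|Disabled|=False' }
if ($gaps) { Write-Warning "$($gaps.Count) encryption gap(s) found"; exit 1 }
```

A VM whose data disks report NotMounted rather than Encrypted needs a manual look, since the status reflects what the encryption extension could see at the time.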