Azure Security Spectrum
Encryption
Encryption
- Process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext)
Decryption
- Process of converting ciphertext back to plaintext
Symmetric encryption
- Used whenever more than a small amount of data has to be encrypted
- A symmetric key is used to encrypt the data
- The same key must be used to decrypt the data
Encryption at rest
- Encryption (or encoding) of data when it is persisted
- Very common security requirement to encrypt data with a secret encryption key anytime it is persisted to disk
- Prevents attackers from accessing sensitive data when they have full access to a server’s machine, storage or drives
- Encryption at rest design in Azure uses symmetric encryption:
  - A symmetric encryption key is used to encrypt data as it is written to storage
  - The same encryption key is used to decrypt that data as it is read into memory for use
  - Data may be partitioned, and different keys may be used for each partition
  - Keys are stored in a security-enhanced location with access control policies
  - Data encryption keys are often encrypted with asymmetric encryption to further limit access
Encryption at Rest for Azure Services
- Azure Storage
  - Data is automatically encrypted server-side for all Storage services (Blob, Queue, Table, Files)
  - Keys are managed by the service
- Azure SQL Database
  - Transparent Data Encryption (TDE) is enabled by default on all new databases
  - Supports customer-managed 2048-bit keys in Azure Key Vault
- Azure Cosmos DB
  - Backups and media attachments are stored in Blob storage
  - Databases are automatically encrypted on SSDs