Azure Microsoft Security

Encryption: Storage Account

This post is a follow up on my previous posts about personal data in the cloud. I wanted to write something about theoretical access to your data when stored in an Azure Storage Account.

Example data:
A spreadsheet with payroll information or similar. Disregard the fact that this is in itself a poor way to handle this information.

Azure Storage Encryption

This is the basic form of encryption. Microsoft encrypts your data at rest with a Microsoft Managed key by default. This requires no change in code or in application. More about this here.

This is a basic form of encryption, and should be considered as the simplest form of storage encryption. Microsoft manages the encryption key (if not configured otherwise), and they have a theoretical possibility of decrypting this data.

Infrastructure Encryption

Infrastructure encryption looks like a new form of double encryption. This provides an extra layer of security if a key for Azure Storage Encryption is compromised. You can read more about it here. This can only be enabled on creation of the storage account.

It results in a form of double encryption, where the data is encrypted twice with different keys. It will not give protection in regards to GDPR, as Microsoft is managing both keys, and can decrypt the data if necessary or required by U.S. Government. It will, however, make sure data is still controlled in case one of the two keys are compromised.

Azure Storage Encryption with Customer Managed Key

When configuring encryption on your storage account, you can choose to use a key located in an Azure Key Vault. This is in addition to the Infrastructure encryption, but a customer managed key is used. Customer Managed in this case means that the customer needs to rotate this, and keep it up to date.

This kind of encryption will not in itself make you GDPR compliant, because Microsoft in theory have access to the Azure Key Vaults. If required the key can be handed over to the U.S. Government, as far as I can tell. There is no mention of how Microsoft handles its own access to Azure Key Vaults. Maybe a Premium Tier with hardware HSM and BYOK gives additional protection at a higher cost? I’m not sure. Please let me know if you have information here.

Azure Storage Blob Encryption with Customer Provided Key

There is a possibility of using a Customer Provided Key with blob storage. Note that this is only supported for blob storage. Read here for more info.

This kind of encryption still puts Microsoft in a position to potentially record the keys when the data is encrypted/decrypted in the Azure service. Theoretically, the key can be stored/cached/logged to facilitate speedy encryption or decryption. The data can in theory be handed over to U.S. Government if requested. Still, this is a step up from the transparent encryption where the key is stored in Azure or managed by Microsoft. You can have your own key store on-premises, or wherever you choose.

End-to-End Encryption

When you have enabled all the builtin encryption (Azure Storage Encryption with Microsoft Managed key and possibly Infrastructure Encryption), you can add a separate level of encryption manually. We can call this End-To-End Encryption.

This is the best you can hope for regarding encryption in this situation, and will in my opinion ensure controlled access to your data, as long as the key is never stored anywhere in the cloud. You can double or triple encrypt, but then it gets complicated.

There are several different paths to achieve this level of encryption, but the most convenient for testing purposes is just using 7-Zip with AES256. When the file is encrypted before upload to a storage blob, Microsoft has no way of accessing, indexing or otherwise viewing the file. Barring any key compromise or brute-force on their part, of course.

You can also use:

Alternative

SkyFlok seems to do compliant storage, with desentralization, encryption and protection of data. All data is divided into several chunks, that are stored on different cloud storages. No single cloud provider has access to the data, because of a separate level of encryption provided by SkyFlok. No recommendation from me, or affiliation, but I have heard mention of this service. On the surface it looks GDPR compliant, even after Schrems2. I have not looked into it in detail.

In summary

The most secure and user-friendly method of storing your data in a storage account would, in my opinion, be using the Customer Managed Key in an Azure Key Vault. This grants some data protection, but is not perfect. If you have the money and requirements for it, use Premium Key Vault with HSM and BYOK for added protection.

I would like to point out that I trust Microsoft, and this is in no way an attempt to invalidate the security of data protected by Microsoft. I am only saying that in light of recent events (no more Privacy Shield), we need to look for other ways of securing the data to comply with GDPR.

Microsoft ends up between a rock and a hard place, when faced with the option of either GDPR non-compliancy or not complying to U.S. Government requests. This is not an easy subject, and we are all responsible of doing our best when handling personal data.