- 9 minutes to read
This article describes best practices for data security and encryption.
The best practices are based on a consensus of opinion, and they work with current Azure platform capabilities and feature sets. Opinions and technologies change over time and this article is updated on a regular basis to reflect those changes.
To help protect data in the cloud, you need to account for the possible states in which your data can occur, and what controls are available for that state. Best practices for Azure data security and encryption relate to the following data states:
- At rest: This includes all information storage objects, containers, and types that exist statically on physical media, whether magnetic or optical disk.
- In transit: When data is being transferred between components, locations, or programs, it's in transit. Examples are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid connections such as ExpressRoute), or during an input/output process.
Choose a key management solution
Protecting your keys is essential to protecting your data in the cloud.
Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed.
You can use Key Vault to create multiple secure containers, called vaults. These vaults are backed by HSMs. Vaults help reduce the chances of accidental loss of security information by centralizing the storage of application secrets. Key vaults also control and log the access to anything stored in them. Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates. It provides features for a robust solution for certificate lifecycle management.
Azure Key Vault is designed to support application keys and secrets. Key Vault is not intended to be a store for user passwords.
Following are security best practices for using Key Vault.
Best practice: Grant access to users, groups, and applications at a specific scope.Detail: Use Azure RBAC predefined roles. For example, to grant access to a user to manage key vaults, you would assign the predefined role Key Vault Contributor to this user at a specific scope. The scope in this case would be a subscription, a resource group, or just a specific key vault. If the predefined roles don't fit your needs, you can define your own roles.
Best practice: Control what users have access to.Detail: Access to a key vault is controlled through two separate interfaces: management plane and data plane. The management plane and data plane access controls work independently.
Use Azure RBAC to control what users have access to. For example, if you want to grant an application access to use keys in a key vault, you only need to grant data plane access permissions by using key vault access policies, and no management plane access is needed for this application. Conversely, if you want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates, you can grant this user read access by using Azure RBAC, and no access to the data plane is required.
Best practice: Store certificates in your key vault. Your certificates are of high value. In the wrong hands, your application's security or the security of your data can be compromised.Detail: Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. By setting appropriate access policies for the key vault, you also control who gets access to your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault. See Deploy Certificates to VMs from customer-managed Key Vault for more information.
Best practice: Ensure that you can recover a deletion of key vaults or key vault objects.Detail: Deletion of key vaults or key vault objects can be inadvertent or malicious. Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. Deletion of these keys is equivalent to data loss, so you can recover deleted vaults and vault objects if needed. Practice Key Vault recovery operations on a regular basis.
If a user has contributor permissions (Azure RBAC) to a key vault management plane, they can grant themselves access to the data plane by setting a key vault access policy. We recommend that you tightly control who has contributor access to your key vaults, to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
Manage with secure workstations
The subscription administrator or owner should use a secure access workstation or a privileged access workstation.
Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack. An attacker who compromises the endpoint can use the user's credentials to gain access to the organization's data. Most endpoint attacks take advantage of the fact that users are administrators in their local workstations.
Best practice: Use a secure management workstation to protect sensitive accounts, tasks, and data.Detail: Use a privileged access workstation to reduce the attack surface in workstations. These secure management workstations can help you mitigate some of these attacks and ensure that your data is safer.
Best practice: Ensure endpoint protection.Detail: Enforce security policies across all devices that are used to consume data, regardless of the data location (cloud or on-premises).
Protect data at rest
Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.
Best practice: Apply disk encryption to help safeguard your data.Detail: Use Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs. Disk Encryption combines the industry-standard Linux dm-crypt or Windows BitLocker feature to provide volume encryption for the OS and the data disks.
Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an option. You can use Azure Key Vault to maintain control of keys that access and encrypt your data. See Azure resource providers encryption model support to learn more.
Best practices: Use encryption to help mitigate risks related to unauthorized data access.Detail: Encrypt your drives before you write sensitive data to them.
Organizations that don't enforce data encryption are more exposed to data-confidentiality issues. For example, unauthorized or rogue users might steal data in compromised accounts or gain unauthorized access to data coded in Clear Format. Companies also must prove that they are diligent and using correct security controls to enhance their data security in order to comply with industry regulations.
Protect data in transit
Protecting data in transit should be an essential part of your data protection strategy. Because data is moving back and forth from many locations, we generally recommend that you always use SSL/TLS protocols to exchange data across different locations. In some circumstances, you might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN.
For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location over the public internet, use Azure VPN Gateway.
Following are best practices specific to using Azure VPN Gateway, SSL/TLS, and HTTPS.
Best practice: Secure access from multiple workstations located on-premises to an Azure virtual network.Detail: Use site-to-site VPN.
Best practice: Secure access from an individual workstation located on-premises to an Azure virtual network.Detail: Use point-to-site VPN.
Best practice: Move larger data sets over a dedicated high-speed WAN link.Detail: Use ExpressRoute. If you choose to use ExpressRoute, you can also encrypt the data at the application level by using SSL/TLS or other protocols for added protection.
Best practice: Interact with Azure Storage through the Azure portal.Detail: All transactions occur via HTTPS. You can also use Storage REST API over HTTPS to interact with Azure Storage.
Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.
Secure email, documents, and sensitive data
You want to control and secure email, documents, and sensitive data that you share outside your company. Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.
Classification is identifiable at all times, regardless of where the data is stored or with whom it's shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.
The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Microsoft 365 and Azure Active Directory. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location-inside or outside your organization, networks, file servers, and applications.
This information protection solution keeps you in control of your data, even when it's shared with other people. You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.
We recommend that you:
- Deploy Azure Information Protection for your organization.
- Apply labels that reflect your business requirements. For example: Apply a label named "highly confidential" to all documents and emails that contain top-secret data, to classify and protect this data. Then, only authorized users can access this data, with any restrictions that you specify.
- Configure usage logging for Azure RMS so that you can monitor how your organization is using the protection service.
Organizations that are weak on data classification and file protection might be more susceptible to data leakage or data misuse. With proper file protection, you can analyze data flows to gain insight into your business, detect risky behaviors and take corrective measures, track access to documents, and so on.
See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.
The following resources are available to provide more general information about Azure security and related Microsoft services:
- Azure Security Team Blog - for up to date information on the latest in Azure Security
- Microsoft Security Response Center - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to email@example.com
Which Azure security solutions provides general security recommendations and suggest remediation to better secure your resources? ›
Defender for Cloud collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats.Which security solution is recommended in Azure? ›
You can additionally use Microsoft Defender for Endpoint to protect your Azure servers. It provides advanced breach-detection sensors that quickly adapt to evolving threats through the power of big data and analytics and provides superior threat intelligence to protect your workloads.Which of the following requirements need to be met for using encryption at rest for Azure? ›
Azure Key Vault
The storage location of the encryption keys and access control to those keys is central to an encryption at rest model. The keys need to be highly secured but manageable by specified users and available to specific services.
- Deploy and scale containers on managed Kubernetes.
- Deploy and scale containers on managed Red Hat OpenShift.
- Azure Container Apps. ...
- Execute event-driven serverless code functions with an end-to-end development experience.
- Run containerized web apps on Windows and Linux.
- Azure Container Instances.
- Rapidly changing workloads. It's both a strength and a challenge of the cloud. ...
- Increasingly sophisticated attacks. Wherever you run your workloads, the attacks keep getting more sophisticated. ...
- Security skills are in short supply.
Transparent data encryption
You can also encrypt data using SSMS and the Always encrypted feature. To enable or verify encryption: In the Azure portal, select SQL databases from the left-hand menu, and select your database on the SQL databases page. In the Security section, select Transparent data encryption.
Effective security rules view returns all the configured NSGs and rules that are associated at a NIC and subnet level for a virtual machine providing insight into the configuration.How do you ensure security in Azure? ›
- Microsoft Sentinel.
- Microsoft Defender for Cloud.
- Protect your Azure resources from distributed denial-of-service (DDoS) attacks.
- Azure Bastion. Fully managed service that helps secure remote access to your virtual machines.
- Web Application Firewall. ...
- Azure Firewall. ...
- Azure Firewall Manager.
- Use Dedicated Workstations With Privileged Access For Admins. ...
- Restrict the Administrator Access. ...
- Use Multi-Factor Authentication (MFA) ...
- Restrict User Access. ...
- Manage and Limit Network Access within Azure. ...
- Use a Key Management Solution. ...
- Encrypt Virtual Disks and Disk Storage.
- Use dedicated workstations. ...
- Use multiple authentication. ...
- Restrict the administrator access. ...
- Restrict the user access. ...
- Control and limit the network access to Microsoft Azure. ...
- Use a key management solution. ...
- Encrypt virtual disks and disk storage.
Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys.How many types of encryption are there in Azure? ›
Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption Key (DEK), and Block Encryption Key (BEK).What type of encryption does Azure use? ›
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows.What are the 3 important services offered by Azure? ›
This gives users the flexibility to use their preferred tools and technologies. In addition, Azure offers four different forms of cloud computing: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and serverless functions.What is the best Practise to be followed in order to improve the performance of Azure function? ›
Use async code but avoid blocking calls
Asynchronous programming is a recommended best practice, especially when blocking I/O operations are involved. In C#, always avoid referencing the Result property or calling Wait method on a Task instance. This approach can lead to thread exhaustion.
What are container best practices? Use container scanning tools to detect vulnerabilities, as well as ensure there aren't any CIS (Center for Internet Security) Benchmark violations.What best practices for cloud operations are you using? ›
- Set up a deployment plan. Instead of randomly rolling out your cloud applications and systems updates, it's advisable to follow a structured deployment plan. ...
- Automate cloud processes. ...
- Build and maintain redundancy. ...
- Set appropriate resource limits. ...
- Monitor cloud costs.