Azure Infrastructure Encryption

Azure Infrastructure Encryption is an additional encryption layer in Azure that provides extra protection for data stored in Azure. It works alongside other Azure encryption features so that data at rest is protected by multiple layers of encryption, raising the bar for unauthorized access to stored data. Infrastructure Encryption is particularly useful for sensitive data that requires high levels of security and compliance.

This guide will explain the key concepts, tools, functions, features, and steps for creating, configuring, managing, and monitoring Azure Infrastructure Encryption, with examples to help you understand its practical uses.

1. Overview of Azure Infrastructure Encryption

Azure Infrastructure Encryption adds an additional layer of encryption on top of the standard Storage Service Encryption (SSE) that Azure uses by default to protect data at rest in Azure Storage. With Infrastructure Encryption, data is encrypted twice, using two separate encryption keys managed by Azure. This double encryption ensures an extra level of security for your data and meets the needs of highly regulated industries that require multiple layers of encryption.

Key Use Cases for Azure Infrastructure Encryption:

  • Storing sensitive or regulated data that requires enhanced protection.
  • Meeting compliance requirements for double encryption (e.g., financial or government organizations).
  • Securing data in Azure Storage accounts, including Blob storage and file shares.

2. Core Concepts and Features of Azure Infrastructure Encryption

Core Concepts

  • Double Encryption: With Azure Infrastructure Encryption, data is encrypted twice, using two separate encryption keys. The first layer is the default Storage Service Encryption (SSE), and the second layer is Infrastructure Encryption.
  • Managed Keys: Azure manages both encryption layers, using separate encryption keys for each layer. This managed approach simplifies key management for the user.
  • Data at Rest Protection: Infrastructure Encryption applies to data stored in Azure Storage accounts, providing additional protection for data that is not actively in transit.

Key Features

  • Enhanced Security: Adds a second layer of encryption to improve data security.
  • Transparent to Applications: Infrastructure Encryption is applied at the storage level and does not require changes to applications or code.
  • Compliance Support: Helps meet compliance and regulatory requirements for data protection and double encryption.
  • Integration with Azure Key Vault: Azure Key Vault manages the encryption keys used by Infrastructure Encryption, ensuring secure key management.

3. How Azure Infrastructure Encryption Works

Azure Infrastructure Encryption adds a further encryption layer to Azure Storage. The process is as follows:

  1. Storage Service Encryption (SSE): Azure Storage applies encryption by default to all data stored in Azure using Storage Service Encryption. This first layer of encryption is applied automatically.
  2. Infrastructure Encryption: When Infrastructure Encryption is enabled, a second encryption layer is added to the data, encrypting it with a separate encryption key.
  3. Separate Encryption Keys: Each encryption layer uses a different key managed by Azure, so that exposure of a single key is not enough to read the data.
  4. Decryption Process: When data is accessed, Azure automatically decrypts both layers, making it transparent to applications.

4. Step-by-Step Guide to Setting Up Azure Infrastructure Encryption

Prerequisites

  • Azure Subscription: An active Azure subscription.
  • Storage Account with Infrastructure Encryption Support: Infrastructure Encryption is available for premium or high-performance storage accounts and certain regions.

Step 1: Create a Storage Account with Infrastructure Encryption Enabled

  1. Go to the Azure Portal: In the Azure portal, search for Storage accounts and select Create.
  2. Basic Settings:
     • Subscription and Resource Group: Choose the Azure subscription and resource group.
     • Storage Account Name: Enter a unique name for the storage account.
     • Region: Select a region that supports Infrastructure Encryption (check Azure documentation for supported regions).
     • Performance: Select Premium or Standard based on your storage requirements.
  3. Enable Infrastructure Encryption:
     • Under Advanced > Security, you will see the option for Infrastructure Encryption.
     • Set Infrastructure Encryption to Enabled to add the second layer of encryption.
  4. Review and Create: After configuring the settings, review the configuration and click Create to deploy the storage account with Infrastructure Encryption enabled.

Step 2: Configure Access Policies and Encryption Key Settings

  1. Go to the Storage Account: Once the storage account is created, go to the storage account settings.
  2. Encryption:
     • Under Settings, go to Encryption.
     • Key Type: By default, Infrastructure Encryption uses Microsoft-managed keys. You can switch to Customer-managed keys if you want more control over the encryption keys, but this requires Azure Key Vault.
  3. Set Up Customer-Managed Keys (Optional):
     • If you choose customer-managed keys, configure a Key Vault with the necessary access policies.
     • In Key Vault, generate or import a key, and set up access permissions for the storage account.
     • Link the Key Vault key to the storage account under Encryption settings.

Step 3: Verify Encryption Settings and Compliance

  1. Check Encryption Status:
     • In the Storage Account blade, go to Settings > Encryption to view the current encryption status.
     • Confirm that Infrastructure Encryption is enabled and that the encryption type (Microsoft-managed or customer-managed) is displayed.
  2. Compliance Requirements:
     • Azure Security Center provides recommendations for storage encryption. Check Azure Security Center for any compliance alerts or recommendations.
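To run the Step 3 check across every account in a subscription instead of one portal blade at a time, the script below (an added example, not part of the original guide or of any Azure tool) audits the JSON that `az storage account list -o json` returns. The sample JSON is constructed; the property names (`encryption.requireInfrastructureEncryption`, `encryption.keySource`, `encryption.keyVaultProperties`) are assumed to be the camelCase names the Azure CLI emits for the Microsoft.Storage storage account resource.

```python
import json

# Constructed sample of `az storage account list -o json`, trimmed to the
# encryption block. Property names follow the Azure CLI's camelCase output
# for Microsoft.Storage/storageAccounts (assumed; check against a real export).
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "stfinance01",
   "encryption": {"requireInfrastructureEncryption": true,
                  "keySource": "Microsoft.Storage"}},
  {"name": "stfinance02",
   "encryption": {"requireInfrastructureEncryption": true,
                  "keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "stg-cmk",
                                         "keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyVersion": null}}},
  {"name": "stpinned03",
   "encryption": {"requireInfrastructureEncryption": true,
                  "keySource": "Microsoft.Keyvault",
                  "keyVaultProperties": {"keyName": "stg-cmk",
                                         "keyVaultUri": "https://kv-example.vault.azure.net/",
                                         "keyVersion": "0123456789abcdef0123456789abcdef"}}},
  {"name": "stlegacy04",
   "encryption": {"keySource": "Microsoft.Storage"}}
]"""


def audit_encryption(accounts_json: str) -> dict:
    """Map each account name to a list of findings (an empty list means compliant)."""
    report = {}
    for acct in json.loads(accounts_json):
        enc = acct.get("encryption") or {}
        findings = []
        # Older accounts omit the field or report null; only an explicit true counts.
        # The setting is fixed at creation, so the fix is a new account plus migration.
        if enc.get("requireInfrastructureEncryption") is not True:
            findings.append("infrastructure encryption not enabled (settable only at creation)")
        if enc.get("keySource") == "Microsoft.Keyvault":
            kv = enc.get("keyVaultProperties") or {}
            if not (kv.get("keyVaultUri") and kv.get("keyName")):
                findings.append("customer-managed keys selected but no Key Vault key linked")
            elif kv.get("keyVersion"):
                # A pinned version ignores new versions created on rotation.
                findings.append("customer-managed key pinned to a fixed version")
        report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_encryption(SAMPLE_ACCOUNTS_JSON).items():
        print(f"{'OK  ' if not findings else 'FAIL'} {name}: "
              f"{'; '.join(findings) or 'double encryption in place'}")
```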

5. Managing and Monitoring Azure Infrastructure Encryption

Azure provides several tools for managing and monitoring encryption, ensuring that data remains secure and compliant.

Managing Encryption Keys in Azure Key Vault (For Customer-Managed Keys)

  1. Rotate Encryption Keys: For customer-managed keys, rotate keys periodically to meet compliance standards.
  2. Enable Soft Delete and Purge Protection: In Azure Key Vault, enable Soft Delete and Purge Protection to protect encryption keys from accidental deletion.
  3. Audit Access to Key Vault: Regularly monitor access to Key Vault to ensure only authorized users have access to encryption keys.

Monitoring Encryption Compliance in Azure Security Center

  1. Go to Azure Security Center: In the Azure portal, navigate to Security Center.
  2. Check for Security Recommendations:
     • Security Center provides recommendations related to storage encryption and compliance.
     • Check for any recommendations related to data encryption and infrastructure encryption.
  3. Set Up Alerts for Encryption Events:
     • Use Azure Monitor to set up alerts for key access or encryption-related events. This helps you stay informed about changes in encryption settings.

6. Working and Usage Examples

Example 1: Creating a Storage Account with Double Encryption for Financial Data

A financial organization needs to store sensitive data that requires double encryption to comply with regulatory standards.

  1. Create a Premium Storage Account:
     • In the Azure portal, create a new storage account and select the Premium performance tier.
  2. Enable Infrastructure Encryption:
     • During creation, enable Infrastructure Encryption under Advanced > Security settings.
  3. Verify Encryption Settings:
     • Once created, check the encryption settings to ensure double encryption is enabled.

This setup meets the compliance requirements by providing an additional layer of encryption to secure financial data.

Example 2: Configuring Customer-Managed Keys for Extra Control

If your organization wants full control over encryption keys for auditing and compliance, you can use customer-managed keys with Azure Key Vault.

  1. Create a Key Vault and set up an access policy for encryption keys.
  2. Generate or Import a Key in Key Vault that will be used for Infrastructure Encryption.
  3. Link Key Vault to Storage Account:
     • Go to the storage account encryption settings and select Customer-managed keys.
     • Choose the key stored in Azure Key Vault.
  4. Monitor Key Usage:
     • Use Key Vault logging to track key usage and access.

This configuration gives your organization control over key rotation and access, supporting stricter security and compliance policies.

Example 3: Verifying Encryption Compliance in Azure Security Center

To ensure all storage accounts meet compliance standards:

  1. Go to Azure Security Center and review the Recommendations section.
  2. Look for recommendations related to Infrastructure Encryption and Data Encryption.
  3. Resolve any recommendations by enabling Infrastructure Encryption where needed.

Azure Security Center provides continuous monitoring to help you maintain compliance across all storage accounts.

7. Best Practices for Using Azure Infrastructure Encryption

  • Use Customer-Managed Keys for Sensitive Data: For highly sensitive data, use customer-managed keys in Azure Key Vault to gain control over key management.
  • Enable Soft Delete and Purge Protection in Key Vault: Protect your encryption keys from accidental deletion by enabling Soft Delete and Purge Protection in Azure Key Vault.
  • Regularly Rotate Encryption Keys: Rotate encryption keys periodically to comply with data security policies.
  • Monitor Encryption Compliance: Use Azure Security Center to monitor encryption compliance across storage accounts.
  • Apply Infrastructure Encryption to Regulated Data: For regulated industries, enable Infrastructure Encryption to meet industry standards and provide additional data protection.

Azure Infrastructure Encryption adds a second layer of encryption to data stored in Azure, providing enhanced protection and helping organizations meet compliance requirements for sensitive data. With Infrastructure Encryption, data is encrypted twice—first by Storage Service Encryption and then by Infrastructure Encryption—each with a separate encryption key managed by Azure. This double encryption is transparent to users and applications and can be further customized with customer-managed keys in Azure Key Vault.

By following the steps above, you can configure, manage, and monitor Infrastructure Encryption to ensure your data in Azure is secure and compliant with industry regulations.

Author: tonyhughes