Archive for the ‘encryption’ Category

Microsoft Build brings new innovations and capabilities to keep developers and customers secure

May 19th, 2020 No comments

As both organizations and developers adapt to the new reality of working and collaborating in a remote environment, it’s more important than ever to ensure that their experiences are secure and trusted. As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers.

New Identity capabilities to help foster a secure apps ecosystem

As organizations continue to adapt to the new requirements of remote work, we’ve seen an increase in the deployment and usage of cloud applications. These cloud applications often need access to user or company data, which has increased the need to provide strong security not just for users but applications themselves. Today we are announcing several capabilities for developers, admins, and end-users that help foster a secure and trustworthy app ecosystem:

  1. Publisher Verification allows developers to demonstrate to customers, with a verified checkmark, that the application they’re using comes from a trusted and authentic source. Applications marked as publisher verified means that the publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with their application registration.
  2. Application consent policies allow admins to configure policies that determine which applications users can consent to. Admins can allow users to consent to applications that have been Publisher Verified, helping developers unlock user-driven adoption of their apps.
  3. Microsoft authentication libraries (MSAL) for Angular is generally available and our web library identity.web for ASP.NET Core is in public preview. MSAL make it easy to implement the right authentication patterns, security features, and integration points that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts.

In addition, we’re making it easier for organizations and developers to secure, manage and build apps that connect with different types of users outside an organization with Azure AD External Identities now in preview. With Azure AD External Identities, developers can build flexible, user-centric experiences that enable self-service sign-up and sign-in and allow continuous customization without duplicating coding effort.

You can learn even more about our Identity-based solutions and additional announcements by heading over to the Azure Active Directory Tech Community blog and reading Alex Simons’ post.

Azure Security Center innovations

Azure Security Center is a unified infrastructure security management system for both Azure and hybrid cloud resources on-premises or in other clouds. We’re pleased to announce two new innovations for Azure Security Center, both of which will help secure our customers:

First, we’re announcing that the Azure Secure Score API is now available to customers, bringing even more innovation to Secure Score, which is a central component of security posture management in Azure Security Center. The recent enhancements to Secure Score (in preview) gives customers an easier to understand and more effective way to assess risk in their environment and prioritize which action to take first in order to reduce it.  It also simplifies the long list of findings by grouping the recommendations into a set of Security Controls, each representing an attack surface and scored accordingly.

Second, we’re announcing that suppression rules for Azure Security Center alerts are now publicly available. Customers can use suppression rules to reduce alerts fatigue and focus on the most relevant threats by hiding alerts that are known to be innocuous or related to normal activities in their organization. Suppressed alerts will be hidden in Azure Security Center and Azure Sentinel but will still be available with ‘dismissed’ state. You can learn more about suppression rules by visiting Suppressing alerts from Azure Security Center’s threat protection.

Azure Disk Encryption and encryption & key management updates

We continue to invest in encryption options for our customers. Here are our most recent updates:

  1. Fifty more Azure services now support customer-managed keys for encryption at rest. This helps customers control their encryption keys to meet their compliance or regulatory requirements. The full list of services is here. We have now made this capability part of the Azure Security Benchmark, so that our customers can govern use of all your Azure services in a consistent manner.
  2. Azure Disk Encryption helps protect data on disks that are used with VM and VM Scale sets, and we have now added the ability to use Azure Disk Encryption to secure Red Hat Enterprise Linux BYOS Gold Images. The subscription must be registered before Azure Disk Encryption can be enabled.

Azure Key Vault innovation

Azure Key Vault is a unified service for secret management, certificate management, and encryption key management, backed by FIPS-validated hardware security modules (HSMs). Here are some of the new capabilities we are bringing for our customers:

  1. Enhanced security with Private Link—This is an optional control that enables customers to access their Azure Key Vault over a private endpoint in their virtual network. Traffic between their virtual network and Azure Key Vault flows over the Microsoft backbone network, thus providing additional assurance.
  2. More choices for BYOK—Some of our customers generate encryption keys outside Azure and import them into Azure Key Vault, in order to meet their regulatory needs or to centralize where their keys are generated. Now, in addition to nCipher nShield HSMs, they can also use SafeNet Luna HSMs or Fortanix SDKMS to generate their keys. These additions are in preview.
  3. Make it easier to rotate secrets—Earlier we released a public preview of notifications for keys, secrets, and certificates. This allows customers to receive events at each point of the lifecycle of these objects and define custom actions. A common action is rotating secrets on a schedule so that they can limit the impact of credential exposure. You can see the new tutorial here.

Platform security innovation

Platform security for customers’ data recently took a big step forward with the General Availability of Azure Confidential Computing. Using the latest Intel SGX CPU hardware backed by attestation, Azure provides a new class of VMs that protects the confidentiality and integrity of customer data while in memory (or “in-use”), ensuring that cloud administrators and datacenter operators with physical access to the servers cannot access the customer’s data.

Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. In addition to expanded coverage of services in Customer Lockbox for Microsoft Azure, this feature is now available in preview for our customers in Azure Government cloud.

You can learn more about our Azure security offerings by heading to the Azure Security Center Tech Community.

The post Microsoft Build brings new innovations and capabilities to keep developers and customers secure appeared first on Microsoft Security.

Cloud security controls series: Encrypting Data at Rest

September 10th, 2015 No comments

In the last article I wrote in this series on cloud security controls I discussed controls that help protect data while its in-transit between Microsoft’s cloud services and our cloud service customers. Many of the customers I talk to are also interested in understanding the controls that are available to help manage the security of data stored and processed in Microsoft’s cloud services.

There are many controls available that help mitigate different threats to data at rest, whether the data is stored online or offline. I’ll discuss some of these controls in this article. Given very high customer interest in this topic area, new features/functionality that provide customers control over data at rest are frequently announced and introduced into Microsoft cloud services. This article isn’t intended to be a complete list – it’s just an introduction.

When it comes to data at rest, there are at least a few different categories of threats that enterprise customers tend to be interested in discussing with me when they first start evaluating cloud services. Some examples include:

  1. The threat that attackers are able to compromise a cloud service and gain access to their data that is processed by and/or stored in the Cloud.
  2. The “insider threat” where a malicious or rogue administrator steals a physical disk drive or server that contains data the customer has in the cloud service.
  3. The threat that a government uses a subpoena or warrant to get access to the customer’s data in the cloud without their knowledge.

In all of these scenarios, encrypting customer data and properly managing the encryption keys can help mitigate the risk of unauthorized access to that data. While I’m going to discuss encryption controls in this article, it’s important to note that there are additional security controls such as physical security, access control, auditing, logging, key management, etc. that are used in concert with encryption options to mitigate some of these risks; I won’t be discussing these other controls in any detail in this already lengthy article.

For example, the insider threat risk I mention above is also mitigated by all the physical security controls (gates, guards, locks, cameras, biometrics, etc.) that prevent unauthorized access and control authorized access to Microsoft datacenters. For the aforementioned insider threat scenario, the combination of all the physical security controls and data encryption controls make the probability of someone stealing a disk drive or server from a Microsoft datacenter and getting access to any customer data on it, very remote.

Now let’s look at some of the encryption controls for data at rest that are available to customers.

For some of the customers I talk to that are evaluating the security of Infrastructure as a Service (IaaS), they want to know about encryption options available to them in Microsoft Azure. There are several encryption related solutions that customers can choose from depending on the risks they are trying to mitigate. Let’s look at a few of these solutions.

Some of the customers I talk to that are interested in moving some or all of their infrastructure into the cloud want to ensure that the virtual machines (VMs) they manage in the cloud are secured at rest and only boot and operate when their organization authorizes them to do so. They want to mitigate the risk that if someone managed to steal one of their VMs from the cloud, attackers could siphon off data stored in the VM using an offline attack or boot the VM with the intent of stealing data or modifying the VM in some way. Encryption can help manage these types of risks; without access to the encryption keys, the VMs stored in the Cloud won’t boot or provide easy access to data stored in them.

Azure Disk Encryption
Whether you are creating a new IaaS VM from the Azure gallery or migrating existing encrypted VMs from your on-premises operations, Azure Disk Encryption can help you manage encryption of disks used with Windows or Linux VMs. Using Azure Disk Encryption, Windows VMs can be encrypted using native BitLocker Drive Encryption which many enterprise customers already use to protect data stored on their on-premises Windows-based systems.  Those customers leveraging Linux VMs in Azure can protect them using DM-Crypt technology with a passphrase they provide.

The BitLocker encryption keys or Linux DM-Crypt passphrases that are used to encrypt and decrypt the VM drives are stored in Azure Key Vault which provides protection for the keys via FIPS 140-2 Level 2 validated hardware security modules (HSMs). This means, among other things, that the HSMs that store customer keys and secrets have tamper-evident seals to protect against unauthorized physical access and role-based authentication for administration. This helps mitigate the risk that someone with physical access to the HSMs inside the heavily protected datacenter could easily tamper with HSMs or steal keys from them.

The theft of a VM that has been protected this way would not allow an attacker to boot the VM or harvest data from it.

Native BitLocker encryption for VMs running in Azure is something that many enterprise customers have asked me about and Azure Disk Encryption is what they are looking for. A preview of Azure Disk Encryption will be available soon – keep a look out for related announcements in the near future.

Here are more resources where you can get more information on Azure Disk Encryption and Azure Key Vault:
Azure Disk Encryption Management for Windows and Linux Virtual Machines
Enabling Data Protection in Microsoft Azure (video)
Azure Key Vault
Introduction to Microsoft Azure Key Vault (video)
Azure Key Vault – Making the cloud safer

CloudLink SecureVM
CloudLink SecureVM by EMC also provides native Windows BitLocker and Linux OS encryption for VMs running in Microsoft Azure. It emulates Trusted Platform Module (TPM) functionality to provide pre-boot authorization. CloudLink SecureVM allows you to define a security policy that permits VMs to start, verifies their integrity and helps to protect against unauthorized modifications. It also provides the ability to store the encryption keys to reside inside customers’ own datacenters.

You can find CloudLink SecureVM in the Microsoft Azure Marketplace as I have highlighted below.

More information is available in the Microsoft Azure Market place, as well as:
Encrypting Azure Virtual Machines with CloudLink SecureVM
Azure Virtual Machine Disk Encryption using CloudLink
Guest Post: CloudLink Secures Azure VMs via BitLocker and Native Linux Encryption (video)
Deploying CloudLink SecureVM from the Microsoft Azure Marketplace (video)
CloudLink SecureVM Administration Guide

StorSimple is a hybrid-cloud storage appliance that you can put into your datacenter and connect to the Azure Storage service. This solution provides many benefits and security controls, but for data at rest, StorSimple systems encrypt data stored in the cloud with a customer-provided encryption key using standard AES-256 encryption that is derived from a customer passphrase or generated by a key management system.
09102105_Figure2 09102105_Figure3

You can use the Azure Portal (as seen below) or Windows PowerShell for StorSimple for some management activities and there’s a StorSimple Adapter for SharePoint available.

You can get more information from these resources:
Introducing Microsoft Azure StorSimple
StorSimple Hybrid cloud storage security
Cloud Storage Security Best Practices
Episode 159: StorSimple with Ahmed El-Shimi (video)

Client-Side Encryption for Microsoft Azure Storage
Client-Side Encryption for Microsoft Azure Storage enables you to encrypt data contained in Azure Storage accounts including Azure Table storage, Azure Blob storage and Azure Queues. This feature enables developers to encrypt data inside client applications before putting in into Azure Storage. It also allows developers to decrypt the data stored in Azure Storage while downloading it to the client.

For some customers, the advantage of this approach is that they completely control the keys used for encrypting and decrypting the data stored in Azure Storage. The Azure Storage service doesn’t have the encryption keys, only the customer does. Even if the customer’s Azure Storage Account keys were compromised, the data encrypted using client-side encryption would still be secure. This feature also supports integration with Azure Key Vault, which I mentioned earlier in this article.

To take advantage of this capability, developers use a new open-source Azure Storage Client Library for .NET that’s interoperable across a number of programming languages. The storage client library uses Cipher Block Chaining (CBC) mode with AES to encrypt the data.

Many details you’ll need are available including code samples:
Get Started with Client-Side Encryption for Microsoft Azure Storage
Client-Side Encryption for Microsoft Azure Storage – Preview
Microsoft Azure Storage Client-Side Encryption Goes into General Availability

I’ve covered a lot of ground in this article on protecting data at rest in Microsoft’s cloud. Frankly, there is a lot more I could write about here including SQL database encryption (Transparent Data Encryption (TDE), Cell Level Encryption (CLE), SQL Server Encrypted Backups, SQL Server Extensible Key Management (EKM), Office 365 encryption controls, OneDrive security controls, custom application encryption, etc. But this article provides a starting point for those customers evaluating the data protection controls available in Microsoft’s cloud.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Cloud security controls series: Encrypting Data in Transit

August 10th, 2015 No comments

Whether organizations store and process data on-premise, in the cloud, or use a combination of both, it is important that they protect that data when it is transmitted across networks to information workers, partners and customers.

For example, when an administrator is using the Microsoft Azure Portal to manage the service for their organization. The data transmitted between the device the administrator is using and the Azure Portal needs to be protected. Another example is protecting both outbound and inbound email. When you send an email to someone when using, your email is encrypted and thus better protected as it travels between Microsoft and other email providers that also support email encryption.

Microsoft is using encryption to protect customer data when it’s in-transit between our customers and our cloud services. More specifically, Transport Layer Security (TLS) is the protocol that Microsoft’s data centers will try to negotiate with client systems that connect to Microsoft cloud services. There are numerous benefits to using TLS including strong authentication, message privacy, and integrity (enables detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, ease of deployment and use.

Perfect Forward Secrecy (PFS) is also employed so that each connection between customers’ client systems and Microsoft’s cloud services use unique keys. Connections to Microsoft cloud services also take advantage of RSA based 2,048-bit encryption key lengths.

The combination of TLS, RSA 2,048-bit key lengths, and PFS makes it much more difficult for someone to intercept and access data that is in-transit between Microsoft’s cloud services and our customers, than previously employed encryption technologies. Since no encryption suite is truly unbreakable, the goal of these protections is to make it extremely time consuming and expensive for would-be eavesdroppers to intercept and decrypt data that is transmitted between client devices and Microsoft datacenters. I have included some references at the bottom of this article if you are interested in learning more about PFS and TLS, and how Windows clients negotiate encryption protocols when connecting to servers. Besides using a newer version of Windows, there isn’t any action customers need to do to secure data in-transit between them and Microsoft’s cloud services.

Since seeing is believing I thought I’d show you what is actually happening on the wire when a client system connects to a Microsoft cloud service. Figure 1 and Figure 2 are screen shots of a network monitor trace I took while I was logging into the Azure Portal. This trace shows the Windows system I used to log into the Azure portal negotiated a secure connection that uses TLS and Elliptic curve Diffie–Hellman (ECDH) for PFS, and that the subsequent data communicated between the client device and the portal is encrypted and unreadable if intercepted.

Figure 1: A network monitor trace of a Windows 10 client negotiating an encrypted connection to the Azure Portal

Figure 2: Continuation of a network monitor trace of a Windows 10 client is sending encrypted data to the Azure Portal

In this article I provided some details on how Microsoft protects data in-transit between our customers’ client devices and Microsoft’s cloud services. But there are numerous additional encryption controls that customers can choose to use to protect their data depending on the type of service they are using and the risk they are trying to mitigate. I will cover some of these controls in future articles in this series on cloud security controls.

Some dated, but useful background information on how TLS works:
What is TLS/SSL?
How TLS/SSL Works
TLS/SSL Cryptographic Enhancements

Some newer useful content:
Speaking in Ciphers and other Enigmatic tongues…
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
Protecting against the SSL 3.0 vulnerability
How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines
Associating a custom domain and securing communication with Microsoft Azure

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection