Archive for the ‘encryption’ Category

Preventing data loss and mitigating risk in today’s remote work environment

July 21st, 2020

The shift to remote work over the past few months has increased the need for organizations to re-evaluate their security and risk management practices. With employees at times accessing corporate data on home computers, or sharing and collaborating in new ways, organizations may face a greater risk of data leakage and other threats.

To help companies with the visibility they need and better protect their data, we are announcing several new capabilities across Microsoft 365 and Azure, including:

  • New Microsoft Endpoint Data Loss Prevention solution in public preview.
  • New features in public preview for Insider Risk Management and Communication Compliance in Microsoft 365.
  • New third-party data connectors in Microsoft Azure Sentinel.
  • New Double Key Encryption for Microsoft 365 in public preview.

Read on to get more information about all these new security and compliance features rolling out starting today.

Announcing Microsoft Endpoint Data Loss Prevention (DLP)

Having the right data protection and governance approach is critical not only to addressing regulatory compliance and privacy, but also to mitigating data leakage and risk. Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion, on-premises and in the cloud. Microsoft 365 already includes built-in data loss prevention capabilities in Microsoft Teams, SharePoint, Exchange, and OneDrive, as well as for third-party cloud apps with Microsoft Cloud App Security.

Today we are excited to announce that we are now extending data loss prevention to the endpoint with the public preview of the new Microsoft Endpoint Data Loss Prevention (DLP). Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints.

Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies. For example, organizations can now prevent copying sensitive content to USB drives or printing sensitive documents. The sensitive content labeling integration ensures consistency across all data types and reduces false positives and false negatives within DLP. Microsoft Edge works with Endpoint DLP to extend visibility and control into third-party cloud apps and services. Also, because Endpoint DLP builds on the existing DLP capabilities in Microsoft 365, you immediately get insights when sensitive data is accessed and shared, directly from the Activity Explorer in the Microsoft 365 compliance center.

Figure 1: You can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

The Microsoft 365 Compliance Center also now provides a single, integrated console to manage DLP policies across Microsoft 365, including endpoints. The public preview of Endpoint DLP will begin rolling out today. For more information, check out the Tech Community blog.

New features to help you to address insider risk and code of conduct violations

Remote work, while keeping employees healthy during this time, also increases the distractions end users face, such as shared home workspaces and remote learning for children. According to the SEI CERT institute, user distractions are the cause of many accidental and non-malicious insider risks. The current environment has also significantly increased stressors such as potential job loss or safety concerns, creating the potential for more inadvertent or malicious leaks.

Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities available in Insider Risk Management and Communication Compliance in Microsoft 365.

Insider Risk Management

While broad visibility into signals from end-user activities, actions, or communications is important, the quality of those signals also matters when it comes to effectively identifying risks. In this release, we are significantly expanding the quality of signals that Insider Risk Management reasons over to intelligently flag potentially risky behavior. New categories include expanded Windows 10 signals (e.g., files copied to a USB drive or transferred to a network share), integration with Microsoft Defender ATP for endpoint security signals, more native signals from across Microsoft 365 (including Microsoft Teams, SharePoint, and Exchange), and enhancements to our native HR connector.

We are also introducing new security policy violation and data leak policy templates to help you to get started quickly and identify an even broader variety of risks.

Finally, we are also increasing integration to help you to take more action on the risks you identify. For example, integration with ServiceNow’s solution lets Insider Risk Management case managers directly create ServiceNow tickets for incident managers. In addition, we are onboarding Insider Risk Management alerts to the Office 365 Activity Management API, which carries information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by security information and event management (SIEM) systems like Azure Sentinel to take further actions, such as disabling user access or linking back to Insider Risk Management for further investigation.

For more information on these new features, check out the Tech Community blog.

Communication Compliance

As we embraced the shift to remote work, the volume of communications sent over collaboration platforms has reached an all-time high. Diversity, equity, and inclusion are now center stage. These new scenarios not only heighten a company’s risk exposure from insiders, but also highlight the need to support employees in these challenging times.

Communication Compliance in Microsoft 365 helps organizations to intelligently detect regulatory compliance and code of conduct violations within an organization’s communications, such as workplace threats and harassment, and take quick remediation efforts on policy violations.

Starting to roll out today, Communication Compliance will introduce enhanced insights that make the review process simpler and less time-consuming: intelligent pattern detection to prioritize alerts about repeat offenders, a global feedback loop to improve our detection algorithms, and rich reporting capabilities. New features also include additional third-party connectors that extend the capabilities to sources like Bloomberg Message data, ICE Chat data, and more. Additionally, the solution will see improved remediation actions through Microsoft Teams integration, such as the ability to remove messages from a Teams channel.

You can find more information about these new features in the Tech Community blog.

New partner connectors in Microsoft Azure Sentinel

Microsoft Azure Sentinel is a powerful security information and event management (SIEM) solution that can help you collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. Using these data sources you can build a more complete picture of the threats that your organization faces, conduct deep threat hunts across your environment, and use the power of automation and orchestration in the cloud to help free up your security analysts to focus on their highest-value tasks.

Today we are announcing several new third-party connectors across Azure Sentinel to simplify getting security insights across many leading solutions and partners, including networks, firewalls, endpoint protection, and vulnerability management.

These connectors, which offer sample queries and dashboards, will help collect security data easily and provide security insights immediately.

Figure 2: New partner connectors provide greater visibility into external threats.

Some of the new partner connectors include Symantec, Qualys, and Perimeter 81. You can see the full list of new connectors and learn more in our Tech Community blog.

Introducing Double Key Encryption for Microsoft 365

In today’s environment, the success of any organization is contingent upon its ability to drive productivity through information sharing while maintaining data privacy and regulatory compliance. Regulations, particularly in the financial services sector, often contain specialized requirements for certain data that specify that an organization must control its own encryption key. Typically, only a very small percentage of a customer’s data falls into this category, but it is important for our customers to handle that specific data correctly.

To address that regulatory and unique need for some organizations, today we are pleased to announce the public preview of Double Key Encryption for Microsoft 365, which allows you to protect your most confidential data while maintaining full control of your encryption key. Double Key Encryption for Microsoft 365 uses two keys to protect your data, with one key in your control and the second in Microsoft’s control. To view the data, one must have access to both keys. Since Microsoft can access only one key, your data and key are unavailable to Microsoft, helping to ensure the privacy and security of your data.

With Double Key Encryption for Microsoft 365, you not only hold your own key, but this capability also helps you to address many regulatory compliance requirements, easily deploy the reference implementation, and enjoy a consistent labeling experience across your data estate. For more information, check out the Tech Community blog.

Get started today

Endpoint Data Loss Prevention, Insider Risk Management, Communication Compliance, and Double Key Encryption are rolling out in public preview starting today and are a part of Microsoft 365 E5. If you don’t have Microsoft 365 E5, you can get started with a trial today.

In addition, to learn more about the rest of the Microsoft 365 product updates being announced today, check out the Microsoft 365 blog from Jared Spataro.

You can also learn more about how you can modernize your SIEM with Azure Sentinel. 

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Preventing data loss and mitigating risk in today’s remote work environment appeared first on Microsoft Security.

11 security tips to help stay safe in the COVID-19 era

June 9th, 2020

The COVID-19 pandemic has changed our daily routines, the ways we work, and our reliance on technology. Many of us are now working remotely, students are attending classes virtually, and we’re relying more on social media and social networks to stay connected as we define what our new normal looks like.

As we spend more time online, it’s important to remember that the basics of online safety have not changed. These guidelines provide a strong foundation for digital security, but as we think about the “new normal” and how the internet is woven into the fabric of our lives, extra steps may be necessary to further reduce risk.

So, in addition to the security policies implemented by your work or school, here are a few more practices we recommend you—and your family and friends—adopt to further increase personal cybersecurity resilience.

Keep devices secure and up to date

  1. Turn on automatic security updates, antivirus, and firewall. The reality of cyberthreats is that they often prey upon the devices that are the easiest to compromise: those without a firewall, without an antivirus service, or without the latest security updates. To reduce this risk, turn on automatic updates to ensure your devices have the latest security fixes, enable or install an antivirus solution that runs continuously, and configure a firewall. Modern computers have many of these features available and enabled by default, but it is a good idea to check all three are correctly set up.
  2. Don’t forget networking devices. Device safety includes your networking devices, too. As with computing devices, make sure that you check for and apply all updates for your networking devices. Many devices use default passwords, which means attackers have an easy list to try. Make sure to check your networking devices are not using default admin passwords or ones that are easily guessable (like your birthday). It’s also good hygiene to update your Wi-Fi credentials to strong passwords with a mix of upper- and lowercase letters as well as symbols and numbers.
  3. Use Wi-Fi encryption options for access. Wireless access points offer the ability to require passwords to gain access to the network. You should take advantage of this feature to ensure only authorized users are on your home network.

Secure your identity, guard your privacy

  1. Protect your digital identity. With more of our lives connected in the virtual realm, your digital identity becomes even more important to protect. Use strong passwords or, if possible, biometric authentication like your face or fingerprint, and wherever possible enable multi-factor authentication (MFA). Among others, Google and Microsoft both offer free MFA applications that are easy to set up and use.
  2. Keep your guard up in online chats and conferencing services. As we spend more time on virtual conferences and video calls, it is important to think about privacy. Consider these questions when trying new services:
    • Who can access or join the meeting/call?
    • Can it be recorded? If yes, do all participants know?
    • Are chats preserved and shared?
    • If there is file sharing, where are those files stored?
  3. Use background blur or images to obscure your location. One of the more popular features on video conferencing tools like Zoom, Skype, and Microsoft Teams is the ability to blur or change your background. This is a simple step you can take to maintain privacy between home and work environments.

Protect business data while at home

  1. Use the right file-sharing service for the right task. While working remotely, it’s easy for lines to blur between work and home. It’s important to ensure that your business data does not get mixed with your personal data. Remember to use business resources, like SharePoint or OneDrive for Business, to store and share content for work. Don’t use consumer offerings for business data while you are remote. Where possible, consider enabling Windows Information Protection to reduce the risk of unintentional (and intentional) enterprise data leakage via consumer services.
  2. Turn on device encryption. Device encryption ensures that data on your device is safe from unauthorized access should your device be stolen or lost.

Be aware of phishing and identity scams

Cybercriminals continue to exploit victims even through this global crisis. Based on what Microsoft has observed over the last two months, cybercriminals are utilizing new lures related to the coronavirus outbreak and are being indiscriminate in their targeting. As we move into this “new normal” of more virtual engagement, the same vigilance you kept at the office or classroom applies at home. Here are a couple of observed attack methods to keep top of mind:

  1. Identity compromise is still the number one point of entry. Attackers are looking to steal your digital identity for monetization, spam, and access. Be on the lookout for unexpected websites and applications asking you to sign in with your credentials. The same goes for MFA requests. If you did not initiate the request, do not verify it. Report suspected sites and uninitiated authentication requests through your browser or applications.
  2. Phishing is still out there. Be wary of offers that are too good to be true, that apply time pressure, or that promise a free prize. These are the same bad guys from before, but now they’re using the outbreak and public fear to drive a different action. For more information on phishing attacks, read Protecting against coronavirus themed phishing attacks.
  3. Don’t fall victim to tech support scams. Tech support scams are an industry-wide issue where scammers use scare tactics to try and trick you into paying for unnecessary services that supposedly fix a device, operating system, or software problem. Please note that Microsoft will never contact you with an unsolicited offer to address a technical issue. And error and warning messages in Microsoft products never include a phone number to call. If you receive an unsolicited tech support call telling you there is something wrong with your computer—even if the caller offers to correct the issue for free—hang up and report the call to For more information on tech support scams, visit this page:

With awareness and these few simple steps, you can better prepare yourself for this new world of secure remote work and social interaction. And as attackers evolve, we’ll be here to help you adapt and stay safe.

To learn more about Microsoft security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Microsoft Build brings new innovations and capabilities to keep developers and customers secure

May 19th, 2020

As both organizations and developers adapt to the new reality of working and collaborating in a remote environment, it’s more important than ever to ensure that their experiences are secure and trusted. As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers.

New Identity capabilities to help foster a secure apps ecosystem

As organizations continue to adapt to the new requirements of remote work, we’ve seen an increase in the deployment and usage of cloud applications. These cloud applications often need access to user or company data, which has increased the need to provide strong security not just for users but applications themselves. Today we are announcing several capabilities for developers, admins, and end-users that help foster a secure and trustworthy app ecosystem:

  1. Publisher Verification allows developers to demonstrate to customers, with a verified checkmark, that the application they’re using comes from a trusted and authentic source. An application marked as publisher verified means that its publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with the application registration.
  2. Application consent policies allow admins to configure policies that determine which applications users can consent to. Admins can allow users to consent to applications that have been Publisher Verified, helping developers unlock user-driven adoption of their apps.
  3. The Microsoft Authentication Library (MSAL) for Angular is generally available, and our web library identity.web for ASP.NET Core is in public preview. MSAL makes it easy to implement the right authentication patterns, security features, and integration points that support any Microsoft identity—from Azure Active Directory (Azure AD) accounts to Microsoft accounts.

In addition, we’re making it easier for organizations and developers to secure, manage and build apps that connect with different types of users outside an organization with Azure AD External Identities now in preview. With Azure AD External Identities, developers can build flexible, user-centric experiences that enable self-service sign-up and sign-in and allow continuous customization without duplicating coding effort.

You can learn even more about our Identity-based solutions and additional announcements by heading over to the Azure Active Directory Tech Community blog and reading Alex Simons’ post.

Azure Security Center innovations

Azure Security Center is a unified infrastructure security management system for both Azure and hybrid cloud resources on-premises or in other clouds. We’re pleased to announce two new innovations for Azure Security Center, both of which will help secure our customers:

First, we’re announcing that the Azure Secure Score API is now available to customers, bringing even more innovation to Secure Score, which is a central component of security posture management in Azure Security Center. The recent enhancements to Secure Score (in preview) give customers an easier-to-understand and more effective way to assess risk in their environment and prioritize which action to take first in order to reduce it. It also simplifies the long list of findings by grouping the recommendations into a set of Security Controls, each representing an attack surface and scored accordingly.

Second, we’re announcing that suppression rules for Azure Security Center alerts are now publicly available. Customers can use suppression rules to reduce alert fatigue and focus on the most relevant threats by hiding alerts that are known to be innocuous or related to normal activities in their organization. Suppressed alerts will be hidden in Azure Security Center and Azure Sentinel but will still be available with ‘dismissed’ state. You can learn more about suppression rules by visiting Suppressing alerts from Azure Security Center’s threat protection.

Azure Disk Encryption and encryption & key management updates

We continue to invest in encryption options for our customers. Here are our most recent updates:

  1. Fifty more Azure services now support customer-managed keys for encryption at rest. This helps customers control their encryption keys to meet their compliance or regulatory requirements. The full list of services is here. We have now made this capability part of the Azure Security Benchmark, so that our customers can govern use of all their Azure services in a consistent manner.
  2. Azure Disk Encryption helps protect data on disks used with VMs and virtual machine scale sets, and we have now added the ability to use Azure Disk Encryption to secure Red Hat Enterprise Linux BYOS Gold Images. The subscription must be registered before Azure Disk Encryption can be enabled.

Azure Key Vault innovation

Azure Key Vault is a unified service for secret management, certificate management, and encryption key management, backed by FIPS-validated hardware security modules (HSMs). Here are some of the new capabilities we are bringing for our customers:

  1. Enhanced security with Private Link—This is an optional control that enables customers to access their Azure Key Vault over a private endpoint in their virtual network. Traffic between their virtual network and Azure Key Vault flows over the Microsoft backbone network, thus providing additional assurance.
  2. More choices for BYOK—Some of our customers generate encryption keys outside Azure and import them into Azure Key Vault, in order to meet their regulatory needs or to centralize where their keys are generated. Now, in addition to nCipher nShield HSMs, they can also use SafeNet Luna HSMs or Fortanix SDKMS to generate their keys. These additions are in preview.
  3. Make it easier to rotate secrets—Earlier we released a public preview of notifications for keys, secrets, and certificates. This allows customers to receive events at each point of the lifecycle of these objects and define custom actions. A common action is rotating secrets on a schedule so that they can limit the impact of credential exposure. You can see the new tutorial here.

Platform security innovation

Platform security for customers’ data recently took a big step forward with the General Availability of Azure Confidential Computing. Using the latest Intel SGX CPU hardware backed by attestation, Azure provides a new class of VMs that protects the confidentiality and integrity of customer data while in memory (or “in-use”), ensuring that cloud administrators and datacenter operators with physical access to the servers cannot access the customer’s data.

Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. In addition to expanded coverage of services in Customer Lockbox for Microsoft Azure, this feature is now available in preview for our customers in Azure Government cloud.

You can learn more about our Azure security offerings by heading to the Azure Security Center Tech Community.


Cloud security controls series: Encrypting Data at Rest

September 10th, 2015

In the last article I wrote in this series on cloud security controls, I discussed controls that help protect data while it’s in transit between Microsoft’s cloud services and our cloud service customers. Many of the customers I talk to are also interested in understanding the controls that are available to help manage the security of data stored and processed in Microsoft’s cloud services.

There are many controls available that help mitigate different threats to data at rest, whether the data is stored online or offline. I’ll discuss some of these controls in this article. Given very high customer interest in this topic area, new features/functionality that provide customers control over data at rest are frequently announced and introduced into Microsoft cloud services. This article isn’t intended to be a complete list – it’s just an introduction.

When it comes to data at rest, there are at least a few different categories of threats that enterprise customers tend to be interested in discussing with me when they first start evaluating cloud services. Some examples include:

  1. The threat that attackers are able to compromise a cloud service and gain access to their data that is processed by and/or stored in the Cloud.
  2. The “insider threat” where a malicious or rogue administrator steals a physical disk drive or server that contains data the customer has in the cloud service.
  3. The threat that a government uses a subpoena or warrant to get access to the customer’s data in the cloud without their knowledge.

In all of these scenarios, encrypting customer data and properly managing the encryption keys can help mitigate the risk of unauthorized access to that data. While I’m going to discuss encryption controls in this article, it’s important to note that there are additional security controls such as physical security, access control, auditing, logging, key management, etc. that are used in concert with encryption options to mitigate some of these risks; I won’t be discussing these other controls in any detail in this already lengthy article.

For example, the insider threat risk I mention above is also mitigated by all the physical security controls (gates, guards, locks, cameras, biometrics, etc.) that prevent unauthorized access and control authorized access to Microsoft datacenters. For the aforementioned insider threat scenario, the combination of all the physical security controls and data encryption controls makes the probability of someone stealing a disk drive or server from a Microsoft datacenter and getting access to any customer data on it very remote.

Now let’s look at some of the encryption controls for data at rest that are available to customers.

Some of the customers I talk to who are evaluating the security of Infrastructure as a Service (IaaS) want to know about the encryption options available to them in Microsoft Azure. There are several encryption-related solutions that customers can choose from, depending on the risks they are trying to mitigate. Let’s look at a few of these solutions.

Some of the customers I talk to that are interested in moving some or all of their infrastructure into the cloud want to ensure that the virtual machines (VMs) they manage in the cloud are secured at rest and only boot and operate when their organization authorizes them to do so. They want to mitigate the risk that if someone managed to steal one of their VMs from the cloud, attackers could siphon off data stored in the VM using an offline attack or boot the VM with the intent of stealing data or modifying the VM in some way. Encryption can help manage these types of risks; without access to the encryption keys, the VMs stored in the Cloud won’t boot or provide easy access to data stored in them.

Azure Disk Encryption

Whether you are creating a new IaaS VM from the Azure gallery or migrating existing encrypted VMs from your on-premises operations, Azure Disk Encryption can help you manage encryption of disks used with Windows or Linux VMs. Using Azure Disk Encryption, Windows VMs can be encrypted using native BitLocker Drive Encryption, which many enterprise customers already use to protect data stored on their on-premises Windows-based systems. Those customers leveraging Linux VMs in Azure can protect them using DM-Crypt technology with a passphrase they provide.

The BitLocker encryption keys or Linux DM-Crypt passphrases that are used to encrypt and decrypt the VM drives are stored in Azure Key Vault which provides protection for the keys via FIPS 140-2 Level 2 validated hardware security modules (HSMs). This means, among other things, that the HSMs that store customer keys and secrets have tamper-evident seals to protect against unauthorized physical access and role-based authentication for administration. This helps mitigate the risk that someone with physical access to the HSMs inside the heavily protected datacenter could easily tamper with HSMs or steal keys from them.

The theft of a VM that has been protected this way would not allow an attacker to boot the VM or harvest data from it.

Native BitLocker encryption for VMs running in Azure is something that many enterprise customers have asked me about and Azure Disk Encryption is what they are looking for. A preview of Azure Disk Encryption will be available soon – keep a look out for related announcements in the near future.

Here are more resources where you can get more information on Azure Disk Encryption and Azure Key Vault:
Azure Disk Encryption Management for Windows and Linux Virtual Machines
Enabling Data Protection in Microsoft Azure (video)
Azure Key Vault
Introduction to Microsoft Azure Key Vault (video)
Azure Key Vault – Making the cloud safer

CloudLink SecureVM

CloudLink SecureVM by EMC also provides native Windows BitLocker and Linux OS encryption for VMs running in Microsoft Azure. It emulates Trusted Platform Module (TPM) functionality to provide pre-boot authorization. CloudLink SecureVM allows you to define a security policy that permits VMs to start, verifies their integrity, and helps to protect against unauthorized modifications. It also allows the encryption keys to reside inside customers’ own datacenters.

You can find CloudLink SecureVM in the Microsoft Azure Marketplace as I have highlighted below.

More information is available in the Microsoft Azure Marketplace, as well as in these resources:
Encrypting Azure Virtual Machines with CloudLink SecureVM
Azure Virtual Machine Disk Encryption using CloudLink
Guest Post: CloudLink Secures Azure VMs via BitLocker and Native Linux Encryption (video)
Deploying CloudLink SecureVM from the Microsoft Azure Marketplace (video)
CloudLink SecureVM Administration Guide

StorSimple
StorSimple is a hybrid-cloud storage appliance that you can put into your datacenter and connect to the Azure Storage service. This solution provides many benefits and security controls, but for data at rest, StorSimple systems encrypt data stored in the cloud using standard AES-256 encryption with a customer-provided encryption key that is either derived from a customer passphrase or generated by a key management system.

You can use the Azure Portal (as seen below) or Windows PowerShell for StorSimple for some management activities and there’s a StorSimple Adapter for SharePoint available.

You can get more information from these resources:
Introducing Microsoft Azure StorSimple
StorSimple Hybrid cloud storage security
Cloud Storage Security Best Practices
Episode 159: StorSimple with Ahmed El-Shimi (video)

Client-Side Encryption for Microsoft Azure Storage
Client-Side Encryption for Microsoft Azure Storage enables you to encrypt data contained in Azure Storage accounts, including Azure Table storage, Azure Blob storage and Azure Queues. This feature enables developers to encrypt data inside client applications before putting it into Azure Storage, and to decrypt data stored in Azure Storage while downloading it to the client.

For some customers, the advantage of this approach is that they completely control the keys used for encrypting and decrypting the data stored in Azure Storage. The Azure Storage service doesn’t have the encryption keys, only the customer does. Even if the customer’s Azure Storage Account keys were compromised, the data encrypted using client-side encryption would still be secure. This feature also supports integration with Azure Key Vault, which I mentioned earlier in this article.

To take advantage of this capability, developers use a new open-source Azure Storage Client Library for .NET that’s interoperable across a number of programming languages. The storage client library uses Cipher Block Chaining (CBC) mode with AES to encrypt the data.
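To make the envelope pattern concrete, here is an added example, not code from the Azure Storage client library, that does in Go what the paragraphs above describe: a fresh AES-256 content key for each blob, AES in CBC mode with PKCS#7 padding for the data, and the content key wrapped with a key-encryption key (KEK) that only the customer holds. RSA-OAEP is used here for the wrapping step, and the `EncryptedBlob` type, the `NewKEK` helper and the sample record are all constructed for this example; the library's own wrapping scheme and metadata format are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBlob is what would actually be uploaded: the ciphertext plus the
// metadata needed to decrypt it later. The storage service only ever sees this.
// (Constructed for this example; not the library's real metadata layout.)
type EncryptedBlob struct {
	WrappedKey []byte // per-blob AES content key, wrapped with the customer's RSA KEK
	IV         []byte // random CBC initialisation vector
	Ciphertext []byte // AES-256-CBC, PKCS#7 padded
}

// NewKEK creates the customer-held key-encryption key. In a real deployment
// this would live in Azure Key Vault or on-premises, never in the storage account.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := make([]byte, len(b), len(b)+n)
	copy(out, b)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("invalid padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt is the client-side upload path: generate a fresh 256-bit content key,
// encrypt the data with AES-CBC, and wrap the content key with the KEK public key.
func Encrypt(plaintext []byte, kek *rsa.PublicKey) (*EncryptedBlob, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, cek, []byte("cek"))
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// Decrypt is the client-side download path: unwrap the content key with the KEK
// private key (which never left the customer), then AES-CBC decrypt and unpad.
func Decrypt(b *EncryptedBlob, kek *rsa.PrivateKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, b.WrappedKey, []byte("cek"))
	if err != nil {
		return nil, err // wrong KEK, or tampered wrapped key
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	if len(b.IV) != aes.BlockSize || len(b.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	pt := make([]byte, len(b.Ciphertext))
	cipher.NewCBCDecrypter(block, b.IV).CryptBlocks(pt, b.Ciphertext)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample payroll record") // constructed input
	blob, err := Encrypt(record, &kek.PublicKey)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(blob, kek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d ciphertext bytes and a %d-byte wrapped key; round trip ok: %v\n",
		len(blob.Ciphertext), len(blob.WrappedKey), bytes.Equal(back, record))
}
```

Only the `EncryptedBlob` travels to the storage account; the unwrapped content key and the KEK private key never do, which is why a compromised storage account key exposes nothing but ciphertext. One caveat a practitioner should keep in mind: CBC on its own provides confidentiality, not integrity, so a deployment needs a separate integrity check on the stored blob; this example does not add one.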

Many details you’ll need are available including code samples:
Get Started with Client-Side Encryption for Microsoft Azure Storage
Client-Side Encryption for Microsoft Azure Storage – Preview
Microsoft Azure Storage Client-Side Encryption Goes into General Availability

I’ve covered a lot of ground in this article on protecting data at rest in Microsoft’s cloud. Frankly, there is a lot more I could write about here, including SQL database encryption (Transparent Data Encryption (TDE), Cell Level Encryption (CLE), SQL Server Encrypted Backups, and SQL Server Extensible Key Management (EKM)), Office 365 encryption controls, OneDrive security controls, custom application encryption, etc. But this article provides a starting point for those customers evaluating the data protection controls available in Microsoft’s cloud.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

Cloud security controls series: Encrypting Data in Transit

August 10th, 2015 No comments

Whether organizations store and process data on-premise, in the cloud, or use a combination of both, it is important that they protect that data when it is transmitted across networks to information workers, partners and customers.

For example, when an administrator uses the Microsoft Azure Portal to manage the service for their organization, the data transmitted between the administrator’s device and the Azure Portal needs to be protected. Another example is protecting both outbound and inbound email. When you send an email to someone when using, your email is encrypted and thus better protected as it travels between Microsoft and other email providers that also support email encryption.

Microsoft uses encryption to protect customer data while it is in transit between our customers and our cloud services. More specifically, Transport Layer Security (TLS) is the protocol that Microsoft’s datacenters will try to negotiate with client systems that connect to Microsoft cloud services. There are numerous benefits to using TLS, including strong authentication, message privacy and integrity (which enables detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

Perfect Forward Secrecy (PFS) is also employed so that each connection between customers’ client systems and Microsoft’s cloud services uses unique keys. Connections to Microsoft cloud services also take advantage of RSA-based 2,048-bit encryption key lengths.

The combination of TLS, RSA 2,048-bit key lengths, and PFS makes it much more difficult than with previously employed encryption technologies for someone to intercept and access data that is in transit between Microsoft’s cloud services and our customers. Since no encryption suite is truly unbreakable, the goal of these protections is to make it extremely time consuming and expensive for would-be eavesdroppers to intercept and decrypt data that is transmitted between client devices and Microsoft datacenters. I have included some references at the bottom of this article if you are interested in learning more about PFS and TLS, and in how Windows clients negotiate encryption protocols when connecting to servers. Besides using a newer version of Windows, there isn’t any action customers need to take to secure data in transit between them and Microsoft’s cloud services.
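The policy the last few paragraphs describe, TLS with ephemeral (ECDHE) key agreement for forward secrecy and a 2,048-bit RSA server key, can be enforced and checked in code. The following is an added Go example, not Microsoft’s code or configuration: it builds an in-memory self-signed RSA-2048 certificate (constructed, standing in for a real service certificate), configures a server that accepts only TLS 1.2 or newer with ECDHE cipher suites, and runs two handshakes over an in-memory pipe, one from a modern client and one from a client that offers only static-RSA key exchange, which the server must refuse. `ForwardSecret`, `Negotiate`, `Demo` and the hostname `portal.example` are names chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// demoCert builds a throwaway self-signed RSA-2048 certificate in memory so the
// example runs offline. It stands in for a real service certificate (constructed).
func demoCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "portal.example"},
		DNSNames:     []string{"portal.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// ServerConfig is the policy side: TLS 1.2 or newer only, and only ECDHE suites,
// so every session key is ephemeral and a later key compromise cannot unlock
// recorded traffic (forward secrecy).
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// ForwardSecret reports whether a negotiated (version, suite) pair used an
// ephemeral key exchange. Every TLS 1.3 suite does; for TLS 1.2 the suite must
// be an ECDHE one (Go's crypto/tls does not implement finite-field DHE suites).
func ForwardSecret(version, suite uint16) bool {
	if version >= tls.VersionTLS13 {
		return true
	}
	return strings.Contains(tls.CipherSuiteName(suite), "ECDHE")
}

// Negotiate runs a full handshake between the two configs over an in-memory pipe
// and returns the negotiated cipher-suite name, or the handshake error.
func Negotiate(srvCfg, cliCfg *tls.Config) (string, error) {
	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	deadline := time.Now().Add(5 * time.Second) // never hang on a failed handshake
	a.SetDeadline(deadline)
	b.SetDeadline(deadline)

	srv := tls.Server(a, srvCfg)
	cli := tls.Client(b, cliCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	st := cli.ConnectionState()
	if !ForwardSecret(st.Version, st.CipherSuite) {
		return "", fmt.Errorf("negotiated %s without forward secrecy", tls.CipherSuiteName(st.CipherSuite))
	}
	return tls.CipherSuiteName(st.CipherSuite), nil
}

// Demo pairs the policy server with a modern client (pinned to TLS 1.2 so the
// ECDHE suite name is visible) and with a client offering only static-RSA key
// exchange; the second handshake must fail.
func Demo() (good string, badErr error, err error) {
	cert, pool, err := demoCert()
	if err != nil {
		return "", nil, err
	}
	modern := &tls.Config{RootCAs: pool, ServerName: "portal.example", MaxVersion: tls.VersionTLS12}
	good, err = Negotiate(ServerConfig(cert), modern)
	if err != nil {
		return "", nil, err
	}
	legacy := &tls.Config{
		RootCAs: pool, ServerName: "portal.example",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
	}
	_, badErr = Negotiate(ServerConfig(cert), legacy)
	return good, badErr, nil
}

func main() {
	good, badErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("modern client negotiated:", good)
	fmt.Println("static-RSA client refused:", badErr)
}
```

The same `ForwardSecret` check can be applied to any `tls.ConnectionState`, which is the programmatic equivalent of reading the cipher suite off a network monitor trace: if the suite carries ECDHE (or the version is TLS 1.3), the session keys were ephemeral.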

Since seeing is believing, I thought I’d show you what is actually happening on the wire when a client system connects to a Microsoft cloud service. Figure 1 and Figure 2 are screenshots of a network monitor trace I took while logging into the Azure Portal. The trace shows that the Windows system I used to log into the Azure Portal negotiated a secure connection that uses TLS and Elliptic Curve Diffie–Hellman (ECDH) for PFS, and that the subsequent data communicated between the client device and the portal is encrypted and unreadable if intercepted.

Figure 1: A network monitor trace of a Windows 10 client negotiating an encrypted connection to the Azure Portal

Figure 2: Continuation of a network monitor trace of a Windows 10 client sending encrypted data to the Azure Portal

In this article I provided some details on how Microsoft protects data in-transit between our customers’ client devices and Microsoft’s cloud services. But there are numerous additional encryption controls that customers can choose to use to protect their data depending on the type of service they are using and the risk they are trying to mitigate. I will cover some of these controls in future articles in this series on cloud security controls.

Some dated, but useful background information on how TLS works:
What is TLS/SSL?
How TLS/SSL Works
TLS/SSL Cryptographic Enhancements

Some newer useful content:
Speaking in Ciphers and other Enigmatic tongues…
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
Protecting against the SSL 3.0 vulnerability
How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines
Associating a custom domain and securing communication with Microsoft Azure

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection