Azure Data Protection – An Overview of Your Options

With Microsoft’s cloud solution there seems to be a dizzying array of options to secure data, with new ones coming out all the time.  There is Azure Site Recovery (ASR), Azure Information Protection (AIP), Customer Key (new and not fully rolled out), Azure BitLocker, Key Vault, and the list goes on.

Some of these solutions are designed to work with only some of Microsoft’s services (Office 365, Azure, SharePoint Online, OneDrive) while others can work with all of Microsoft’s cloud services.  I’d like to give just a brief overview of each of these services and what they apply to and where you would use them.

Azure Site Recovery (ASR)

This is Microsoft’s backup program and is designed to back up data and servers hosted in Azure. It is almost identical to the Windows Backup program found on traditional Windows Servers, but optimized to work with Azure virtual machines.

Azure Information Protection (AIP)

AIP is really a Rights Management platform that allows you to classify, label and protect documents and e-mails.  AIP is a cloud-based solution.  The protection uses yet another technology called Azure Rights Management (RMS) to encrypt data and allow access based on identity and authorization policies that you set.

Customer Key

Customer Key is possibly the newest addition to the security lineup. It allows you to use a “key” that you generate to encrypt data. With Customer Key you can encrypt data from Exchange Online, OneDrive, and/or SharePoint Online. It is intended to add an extra layer of defense against data exfiltration by unauthorized entities. Full disclosure: even though you generate the keys, Microsoft keeps a “master” key that it can use to decrypt your data. This is a protection against you losing your keys (and consequently all your data), but in theory it could be used to gain access to your data to comply with subpoenas and such. Whether Microsoft would do that is unclear, but it’s possible.

Azure BitLocker

Then we have Azure BitLocker, which is nothing more than regular BitLocker on a server hosted in Azure. BitLocker in Azure requires that customers create and manage their own Key Vault (at least to encrypt the system (C:) drive).

Key Vault

Key Vault is nothing more than a place to store, you guessed it, keys that are used throughout Microsoft’s cloud environment to encrypt data. You create these keys and have ownership of them. It does not mean that Microsoft can’t bypass them, but it does mean that outsiders generally can’t.

So, while there is some overlap between the services, they are generally designed to fill different roles in the security portfolio. The kind of security you need will determine which service is most appropriate for your organization.



Todd is the Chief Technology Officer and has been working in the field of legal IT since the early 1990’s. In his role at Adaptive, Todd functions as our most senior systems engineer. He works closely with our customers on the proper design and scaling of back-end and front-end network upgrades, including both desktop and server virtualization, backup and DR, document management and best practices for ongoing service and support. Specialties: • Technology Strategy & Roadmap • Infrastructure Design & Optimization • Technology Needs Assessments • Disaster Recovery / Business Continuity • Virtualization Design & Implementation
