Azure Data Protection – An Overview of Your Options

With Microsoft’s cloud solution there seems to be a dizzying array of options to secure data, with new ones coming out all the time.  There is Azure Site Recovery (ASR), Azure Information Protection (AIP), Customer Key (new and not fully rolled out), Azure BitLocker, Key Vault, and the list goes on.

Some of these solutions are designed to work with only some of Microsoft’s services (Office 365, Azure, SharePoint Online, OneDrive) while others can work with all of Microsoft’s cloud services.  I’d like to give just a brief overview of each of these services and what they apply to and where you would use them.

Azure Site Recovery (ASR)

This is Microsoft’s backup program and is designed to backup data and servers hosted in Azure.  It is almost identical to the Windows Backup program found on traditional Windows Servers but optimized to work with Azure virtual machines.

Azure Information Protection (AIP)

AIP is really a Rights Management platform that allows you to classify, label and protect documents and e-mails.  AIP is a cloud-based solution.  The protection uses yet another technology called Azure Rights Management (RMS) to encrypt data and allow access based on identity and authorization policies that you set.

Customer Key

Customer Key is possibly the newest addition to the security lineup.  It allows you to use a “key” that you generate to encrypt data.  With Customer Key you can encrypt data from Exchange Online, OneDrive, and/or SharePoint Online.  It is intended to add an extra layer of defense against data exfiltration by unauthorized entities.  Full disclosure, even though you generate the keys, Microsoft keeps a “master” key that it can use to decrypt your data.  This is a protection against you losing your keys (and consequently all your data), but in theory could be used to gain access to your data to comply with subpoenas and such.  Whether Microsoft would do that is unclear, but it’s possible.

Azure BitLocker

Then we have Azure BitLocker, which is nothing more than regular BitLocker on a server hosted in Azure.  BitLocker in Azure requires that customers create and manage their own Key Vault (at least to encrypt the system (C:) drive.

Key Vault

Key Vault, is nothing more than a place to store, you guessed it, keys that are used throughout Microsoft’s cloud environment to encrypt data.  You create these keys and have ownership of them.  It does not mean that Microsoft can’t bypass them, but it does mean that outsiders generally can’t.

So, while there is some overlap between the services they are generally designed to fill different roles in the security portfolio.  The kind of security you need will determine which service is most appropriate for your organization.


Did you find this helpful?

Share it on social media!

Todd received his MBA from Villanova University and his B.S. in Electrical Engineering from Penn State. Prior to joining Adaptive Solutions as Director of Datacenter Operations in January 2008, Todd worked for his own consulting firm for the last ten years providing technical expertise for a variety of large and mid-sized corporate clients including General Motors (Saturn Division) in Delaware. Todd assumed the role of Chief Technology Officer in December of 2012. In his current role with Adaptive Solutions, Todd helps to set best practices and technology standards for the company. Todd also has a wide range of expertise, including VDI, virtualization, and numerous Microsoft technologies, as well as document management. Todd maintains numerous Microsoft Engineer certifications and is considered an expert in the field of server and desktop virtualization.

Leave a Comment