Azure Data Protection – An Overview of Your Options
With Microsoft’s cloud solution there seems to be a dizzying array of options to secure data, with new ones coming out all the time. There is Azure Site Recovery (ASR), Azure Information Protection (AIP), Customer Key (new and not fully rolled out), Azure BitLocker, Key Vault, and the list goes on.
Some of these solutions are designed to work with only some of Microsoft’s services (Office 365, Azure, SharePoint Online, OneDrive), while others can work with all of Microsoft’s cloud services. I’d like to give a brief overview of each of these services, what each applies to, and where you would use it.
Azure Site Recovery (ASR)
This is Microsoft’s backup program and is designed to back up data and servers hosted in Azure. It is almost identical to the Windows Backup program found on traditional Windows Servers, but optimized to work with Azure virtual machines.
Azure Information Protection (AIP)
AIP is really a Rights Management platform that allows you to classify, label and protect documents and e-mails. AIP is a cloud-based solution. The protection uses yet another technology called Azure Rights Management (RMS) to encrypt data and allow access based on identity and authorization policies that you set.
Customer Key is possibly the newest addition to the security lineup. It allows you to use a “key” that you generate to encrypt data. With Customer Key you can encrypt data from Exchange Online, OneDrive, and/or SharePoint Online. It is intended to add an extra layer of defense against data exfiltration by unauthorized entities. Full disclosure, even though you generate the keys, Microsoft keeps a “master” key that it can use to decrypt your data. This is a protection against you losing your keys (and consequently all your data), but in theory could be used to gain access to your data to comply with subpoenas and such. Whether Microsoft would do that is unclear, but it’s possible.
Then we have Azure BitLocker, which is nothing more than regular BitLocker on a server hosted in Azure. BitLocker in Azure requires that customers create and manage their own Key Vault (at least to encrypt the system (C:) drive).
Key Vault is nothing more than a place to store, you guessed it, keys that are used throughout Microsoft’s cloud environment to encrypt data. You create these keys and have ownership of them. It does not mean that Microsoft can’t bypass them, but it does mean that outsiders generally can’t.
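To make the relationship between the last two services concrete, here is an added example (not part of the original post, and not Microsoft’s own sample) that uses the Az PowerShell module to create a customer-owned Key Vault, generate a key-encryption key in it, and then enable BitLocker (Azure Disk Encryption) on the OS volume of an existing Windows VM using that vault and key. It assumes an authenticated Az session (Connect-AzAccount); the resource group, region, vault, VM and key names are hypothetical placeholders.

```powershell
# Added example (not from the original post): customer-owned Key Vault feeding
# Azure Disk Encryption (BitLocker) on a VM's OS volume. Requires the Az module
# and an authenticated session (Connect-AzAccount). All names are placeholders.
$rg      = 'rg-example'        # assumed resource group
$loc     = 'eastus'            # assumed region
$vault   = 'kv-example-disk'   # assumed vault name (must be globally unique)
$vmName  = 'vm-example-01'     # assumed existing Windows VM in $rg
$kekName = 'disk-kek'          # assumed key-encryption-key name

# 1. Create the vault with disk-encryption access enabled and purge protection on.
#    Purge protection stops anyone (including a mistaken admin) from permanently
#    deleting the vault and the keys the VM's encrypted disks depend on.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc `
        -EnabledForDiskEncryption -EnablePurgeProtection

# 2. Generate a software-protected key-encryption key (KEK) in the vault.
#    The BitLocker volume secret is wrapped with this key; you own and control it.
$kek = Add-AzKeyVaultKey -VaultName $vault -Name $kekName -Destination Software

# 3. Enable Azure Disk Encryption on the OS (C:) volume, pointing the extension
#    at the vault (where the wrapped secret is stored) and the KEK (which wraps it).
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $kv.ResourceId `
    -VolumeType OS

# 4. Verify the result rather than assuming it: the OS volume should report as
#    encrypted and the settings should reference the vault and KEK created above.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Select-Object OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
```

The point of step 4 is the check a defender actually wants: `OsVolumeEncrypted` should read `Encrypted`, and the vault and key URLs in the settings should be the ones your organization controls. Because the VM’s disks can no longer be unlocked without the vault, treat deletion of the vault or the KEK as a high-severity event in your audit logging, which is why purge protection is switched on at creation time instead of left as an afterthought.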
So, while there is some overlap between the services, they are generally designed to fill different roles in the security portfolio. The kind of security you need will determine which service is most appropriate for your organization.