DOCSLIB.ORG

Protecting Data in Microsoft Azure

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Protecting Data in Microsoft Azure Protecting Data in Microsoft Azure Protecting Data in Microsoft Azure Abstract Microsoft® is committed to ensuring that your data remains your data, without exception. When stored in Microsoft Azure, data benefits from multiple layers of security and governance technologies, operational practices, and compliance policies in order to enforce data privacy and integrity at a very granular level. This white paper describes such capabilities in Microsoft Azure, including mechanisms for encryption, secrets administration, and access control that you can leverage for managing sensitive data. The sections that follow provide detailed guidance on how to use features in the Microsoft Azure platform to protect critical enterprise data in the cloud, whether structured or unstructured, in-transit, or at-rest. Audience This document focuses on data protection in Microsoft Azure, and is intended for Information Technology (IT) Professionals and IT Implementers who deal with information asset management on a daily basis, either as their main duties or as part of a broader cloud IT management role. This document will be most useful to individuals who are already familiar with Microsoft Azure, and are looking to increase their knowledge of tools and technologies for encryption, access control, and other aspects of data security in the platform and related services. Sections 2.1, 2.2, and 2.3 provide a brief overview of Azure and can be skipped depending on your existing knowledge of Azure services. NOTE: Certain recommendations contained herein may result in increased data, network, or compute resource usage, and increase your license or subscription costs. Published August 2014 (c) 2014 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. P A G E | 02 Protecting Data in Microsoft Azure Table of Contents 1 OVERVIEW .................................................................................................................................................. 5 2 DATA STORAGE IN MICROSOFT AZURE ................................................................................................ 6 2.1 MICROSOFT AZURE STORAGE .............................................................................................................................................. 7 2.1.1 Data Structures ............................................................................................................................................................. 7 2.1.2 Data Transfers............................................................................................................................................................... 8 2.2 MICROSOFT AZURE SQL DATABASE ................................................................................................................................... 8 2.2.1 Azure SQL Database Structure ................................................................................................................................ 9 2.3 MICROSOFT AZURE ACTIVE DIRECTORY ............................................................................................................................. 9 2.3.1 Azure Active Directory Architecture ...................................................................................................................... 9 2.4 WHO CAN ACCESS YOUR DATA? .................................................................................................................................... 10 2.4.1 Single Sign-On (SSO) ............................................................................................................................................... 11 2.4.2 Two-Factor Authentication (2FA) ........................................................................................................................ 11 2.4.3 Access Controls: Subscriptions ............................................................................................................................. 12 2.4.4 Access Controls: Storage ........................................................................................................................................ 12 2.4.5 Access Controls: Azure Tables vs. SQL Databases ......................................................................................... 12 3 UNDERSTANDING DATA SECURITY .....................................................................................................14 3.1 RISK AND RISK MANAGEMENT ......................................................................................................................................... 14 3.1.1 Understanding Data Risk ....................................................................................................................................... 14 3.2 THREATS TO YOUR DATA................................................................................................................................................... 15 3.2.1 Data Attack Taxonomy ........................................................................................................................................... 16 3.3 MICROSOFT AZURE DEFAULT PROTECTION .................................................................................................................... 16 3.3.1 Data Security in Azure AD ..................................................................................................................................... 19 3.4 PLATFORM ENCRYPTION .................................................................................................................................................... 19 3.4.1 Encryption in Transit ................................................................................................................................................ 20 3.4.1.1 VM to VM ................................................................................................................................................................................ 20 3.4.1.2 Customer to Cloud .............................................................................................................................................................. 20 3.5 DATA DELETION .................................................................................................................................................................. 21 3.5.1 Subscriptions............................................................................................................................................................... 21 3.5.2 Microsoft Azure Storage ......................................................................................................................................... 21 3.5.3 Microsoft Azure Virtual Machines ....................................................................................................................... 22 3.5.4 Azure SQL Database ................................................................................................................................................ 22 3.6 COMPUTE SECURITY FOR DATA IN USE ........................................................................................................................... 22 3.7 PHYSICAL DATA SECURITY ................................................................................................................................................. 23 4 CUSTOMER-CONFIGURABLE PROTECTION .........................................................................................24 4.1 VOLUME LEVEL ENCRYPTION ............................................................................................................................................ 25 4.1.1 BitLocker Drive Encryption .................................................................................................................................... 26 4.1.2 Drive Encryption - Partners ................................................................................................................................... 26 4.1.3 Key Management and Security ............................................................................................................................ 27 P A G E | 03 Protecting Data in Microsoft Azure 4.1.4 Subscription and Service Certificates ................................................................................................................. 27 4.2 ENCRYPTION FOR SQL SERVER IN AZURE VIRTUAL MACHINES ................................................................................... 28 4.2.1 Cloud Implementation ............................................................................................................................................ 28 4.3 AZURE RIGHTS MANAGEMENT SERVICES ........................................................................................................................ 30 4.3.1 RMS Basics: How the RMS Components Work Together ............................................................................ 30 4.3.2 RMS Server Choices .................................................................................................................................................
Load more

Recommended publications
  • Migrating from Storsimple to Azure Netapp Files and Global File Cache
    REFERENCE ARCHITECTURE Globally Distributed Enterprise File Sharing with Azure NetApp Files and NetApp Global File Cache Evolving from StorSimple to next-gen Azure solutions. Table of contents Introduction 3 Solution overview 3 A New Data Store with Azure NetApp Files 4 Azure NetApp Files features 4 Using Azure NetApp Files to consolidate distributed file servers 5 Accessing the ANF datastore with a Global File Cache fabric 5 NetApp Global File Cache Edge 6 NetApp Global File Cache Edge instance 6 Network connectivity 6 Configuration guidelines 6 Azure NetApp Files with Global File Cache topology 6 Deployment methodologies 7 Operating environment summary 7 User experience 7 Migrate your StorSimple data to Azure NetApp Files 8 Overview of data migration – StorSimple to Azure NetApp Files 8 Getting the data to Azure 8 Volume Clone 8 Create Azure VM 8 Connecting to the Cloud Appliance 8 Create Azure NetApp Files share 9 Data copy 9 Summary 9 2 Document title Streamline and simplify IT storage Solution overview and infrastructure by centralizing NetApp Global File Cache + Azure NetApp Files: unstructured data into Microsoft Azure a “major step” in unstructured data management for the distributed enterprise using Azure NetApp Files to provide 85% of companies are in the process of adopting a fast local and geographically distributed cloud transformation strategy. This means combining access with NetApp Global File Cache™. on-premises, hybrid, and public cloud services and associated storage technologies, like file/block-based and object storage (e.g., Azure BLOB) to host both Introduction structured and unstructured data. Why did people use StorSimple...what are the NetApp and Microsoft recognize the impact on primary use-cases? the organization, end users, distributed IT strategy, • Unstructured file shares that can be more easily datacenter, and cloud operations.
    [Show full text]
  • Microsoft Storsimple Configuration with Expressroute
    MICROSOFT STORSIMPLE CONFIGURATION WITH EXPRESSROUTE Version: 1.0 Copyright This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy, use and modify this document for your internal, reference purposes. © 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows Azure, StorSimple, Hyper-V, Internet Explorer, Silverlight, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners. Table of contents Introduction .............................................................................................................................................................................................. 4 Physical Appliance High Level Solution Architecture................................................................................................................... 5 Virtual Appliance High Level Solution Architecture ..................................................................................................................... 6 Physical Appliance Detailed Traffic Matrix .....................................................................................................................................
    [Show full text]
  • Download (5MB)
    This work is protected by copyright and other intellectual property rights and duplication or sale of all or part is not permitted, except that material may be duplicated by you for research, private study, criticism/review or educational purposes. Electronic or print copies are for your own personal, non- commercial use and shall not be passed to any other individual. No quotation may be published without proper acknowledgement. For any other use, or to quote extensively from the work, permission must be obtained from the copyright holder/s. An assessment model for Enterprise Clouds adoption Usman Nasir PhD (Computer Science) December 2017 Keele University, UK An assessment model for Enterprise Clouds adoption ABSTRACT Context: Enterprise Cloud Computing (or Enterprise Clouds) is using the Cloud Computing services by a large-scale organisation to migrate its existing IT services or use new Cloud based services. There are many issues and challenges that are barrier to the adoption of Enterprise Clouds. The adoption challenges have to be addressed for better assimilation of Cloud based services within the organisation. Objective: The aim of this research was to develop an assessment model for adoption of Enterprise Clouds. Method: Key challenges reported as barrier in adoption of Cloud Computing were identified from literature using the Systematic Literature Review methodology. A survey research was carried out to elicit industrial approaches and practices from Cloud Computing experts that help in overcoming the key challenges. Both key challenges and practices were used in formulating the assessment model. Results: The results have highlighted that key challenges in the adoption of Enterprise Clouds are security & reliability concerns, resistance to change, vendor lock-in issues, data privacy and difficulties in application and service migration.
    [Show full text]
  • Emerging Technology Roundtable - Cloud Computing on the Bulk Electric System November 16, 2016 Agenda - Emerging Technology Roundtable
    Emerging Technology Roundtable - Cloud Computing on the Bulk Electric System November 16, 2016 Agenda - Emerging Technology Roundtable 2 RELIABILITY | ACCOUNTABILITY [email protected] 3 RELIABILITY | ACCOUNTABILITY A Resilient and Trustworthy Cloud and Outsourcing Security Framework for Power Grid Applications Jianhui Wang Energy Systems Division, Argonne National Laboratory NERC Emerging Technologies Roundtables November 16, 2016 Presentation Outline 1. Introduction to Cloud Computing 2. Project Overview 3. Progress to date 4. Conclusions 2 Introduction to Cloud Computing What is it, the Need, Benefits, and Challenges 3 What is Cloud Computing? . Cloud Computing is an umbrella term used to refer to Internet-based development and services – a group of integrated and networked hardware, software and Internet infrastructures – Using the Internet for communication and transport provides hardware, software and networking services to end-users . Cloud platforms hide the complexity of the underlying infrastructure from users by providing simple graphical interfaces 4 Essential Characteristics of Cloud Computing 1. Resource Pooling – No need to have servers in-house – Reduce the need for advanced hardware in-house 2. Broad Network Access – Data is available anytime, anyplace, and anywhere – Secure backup and disaster recovery of data 3. Rapid Elasticity – Quickly scale operations 4. On-Demand Self Service – Pay for only your use 5. Measured Service Characteristics defined by NIST – Resource usage can be monitored, controlled, and reported
    [Show full text]
  • Storsimple & Microsoft
    Building a SharePoint 2013 Public Web Site Presented by Peter Carson President, Envision IT March 27, 2013 Peter Carson • President, Envision IT • SharePoint MVP • Virtual Technical Specialist, Microsoft Canada • [email protected] • http://blog.petercarson.ca • www.envisionit.com • Twitter @carsonpeter • VP Toronto SharePoint User Group Agenda • Envision IT Overview • Example Public Sites • Hosting and Licensing • SharePoint 2013 Web Content Management Features • Christie Medical Business Case • Hosting in Azure • Wrap-up and Q&A Envision IT Services Overview Focused on complex SharePoint solutions, Envision IT is the “go-to” partner for Microsoft SharePoint, building integrated public web sites, Intranets, Extranets, and web applications that leverage your existing systems anywhere over the Internet. Products Public Web Sites and Extranets on SharePoint • Public web sites are pure anonymous sites • Extranets are sites that allow external users to authenticate to consume or contribute content securely • These can be combined in a single site • SharePoint is ideal for all of the above EXAMPLE PUBLIC SITES HOSTING AND LICENSING Hosting Options Site Type On-Premise Office 365 Azure Third-Party Public Web Yes Very simple Yes Yes Site Extranet Yes Yes Yes Yes Combined Yes No Yes Yes Office 365 Notes . Only very simple public web sites can be hosted in Office 365 . Microsoft currently provides up to 10,000 external clients with Windows Live ID access to an Extranet with no additional subscription costs . A combined public web site and Extranet
    [Show full text]
  • Veeam for the Microsoft Cloud Transforming Data Protection with Integrations for Microsoft Azure and Microsoft Office 365
    Solution Brief Veeam for the Microsoft Cloud Transforming data protection with integrations for Microsoft Azure and Microsoft Office 365 As enterprises accelerate the adoption of a multi-cloud strategy, the need to ensure Availability for any application and any data, across any cloud infrastructure, Overview is more important than ever. Veeam for the Microsoft Cloud Veeam® for the Microsoft Cloud provides tightly integrated solutions for enterprises provides a consolidated solution of all sizes enabling Availability for virtual, physical and cloud-based workloads — for virtual, physical and cloud-based eliminating complexity and simplifying business continuity between your data workloads with integrations for center and the Microsoft Cloud. Microsoft Azure and Office 365. Our seamless solutions provide you the ability to lower costs by archiving data to Veeam Availability Platform Azure, mitigate risk by backing up Office 365, and ensure Availability of cloud-based and the Microsoft Cloud workloads with the protection of Azure virtual machines. We’ve extended the industry Archiving and recovery to Microsoft Azure leading VMware and Hyper-V data protection to deliver #1 Availability Even though most companies realize the importance of backing up their data, many for any app, any data on any cloud! put their businesses at risk by failing to have at least one copy of their data off site and in the cloud. Veeam recognizes the importance of the 3-2-1 Rule, to maintain Providing: at least three copies of data, stored on at least two different types of storage media, • Non-Stop Business Continuity with one copy off site. to instantly recover cross-cloud anything to anywhere Veeam helps you achieve the final step of the 3-2-1 Rule with archives in Microsoft Azure, offering both full and file-level granular recovery back to the customer’s • Digital Transformation Agility on-premises environment or in Microsoft Azure.
    [Show full text]
  • Samarth Kulshreshtha
    Samarth Kulshreshtha (669) 272-4449 j [email protected] j smkuls.github.io Industry Experience Google Sunnyvale, CA Software Engineer, Network Infrastructure Jun ’19 – Present • Currently working on the infrastructure to model all aspects of Google’s network • Currently working on the infrastructure to manage configuration of all devices within Google’s network • Own the design and implementation of a highly available and distributed network telemetry service which exports terabytes of data per day Nvidia Santa Clara, CA Software Intern, Distributed File Cache May ’18 – Aug ’18 • Implemented various features including APIs to query extended actions, checksum validation on warm GET, range read of objects, throttling of LRU eviction strategy, and migration of DFC APIs to the Open API 3.0 specification (fka Swagger) • Enhanced the hashing performance by 90% using an optimized version of Rendezvous Hashing Microsoft Bangalore, India Software Engineer, Azure StorSimple Jun ’16 – Jul ’17 • Designed and developed a new cloud service, Data Discovery and Insights, to search and retrieve files stored across backups • Designed the schema for storing file metadata across tables to optimize for storage and transaction costs • Designed, implemented, and automated the infrastructure to test the Hybrid Data Services architecture Software Engineering Intern, Azure StorSimple Jan ’16 – May ’16 • Implemented the core logic for Data Transformation Service to trigger backups, clone and cleanup volume containers • Implemented the host agent to estimate the
    [Show full text]
  • Hybrid Cloud Migration Service for Microsoft Azure
    Hybrid Cloud Migration Service for Microsoft Azure Insight’s Hybrid Cloud Migration Service – Azure Key benefits (HCM-A) helps you move to Azure with confidence and assurance. • Enables assured, controlled migration to Azure, with minimal security, costs or It is a unique, high-level service delivered, by performance risks Insight experts whose knowledge of Microsoft Azure will ensure you understand, choose and • Delivered by highly experienced cloud implement the right migration options for your solutions architects current and future needs. • Offers options to extend and tailor the service using Insight’s portfolio of ‘add-on’ Business challenge modules Cloud Services are now an accepted part of many organisations IT Services. Deploying services strategically however, is not always as simple as it seems. While you might be ready to migrate to Azure, finding the time and specialist resources to rigorously assess cost-control, security compliance, availability and performance is difficult. Designing a successful Why Insight migration plan requires experienced professionals to ensure you select the right workloads, understand dependencies and We are the partner relationships, and identify required changes. to manage today and transform tomorrow Our solution Insight’s Migration Service for Azure help organisations with the complexities of migration. Our experts support you with planned and and confident move to Azure. We use proven and agile Manage methodologies, tailored to your individual needs. • Efficiency • Scalability Our service • Dependability Our Service is available at Standard and Advanced levels, • Convenience ensuring the overall design, plan and migration aligns with your • Speed business needs. The Standard level is focused on smaller, simpler migrations; Transform while the Advanced level is applicable for complex or larger-scale • Depth of capability workloads.
    [Show full text]
  • Connected Cloud Step Into the Future with Grey Matter
    Grey Matter Issue 69 | Summer 2016 Building on 33 years of software know how Connected Cloud Step into the future with Grey Matter Cloud services The top providers compared Bing Maps V8 What’s new for the mapping control See page 8 WIN! for details STREAMING RESULTS YOU CAN COUNT ON Intel® Video Pro Analyzer Part of the Intel® Media Server Studio Product Family Improve video quality with the ability to inspect the entire decoding process with the new Intel® Video Pro Analyzer. Analyse, compare, test, and debug streams in developing high-quality media encoders. Get deep video coding analysis for HEVC, VP9, AVC, and MPEG-2. • Test/debug media encoders • View and analyse, compare, and debug streams • Innovate for the next-gen colour gamut supporting Ultra HD content Intel® Video Pro Analyzer supports Microsoft Windows*, Linux*, and OS X*. For more information, contact us. Phone: 01364 654100 Email: [email protected] Visit: greymatter.com/hc/imss-2016 Copyright © 2016, Intel Corporation. All rights reserved. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Contents Welcome 4 Software News Microsoft, Parallels, SmartBear and more. Editorial In March 1995, some five years after Tim Berners-Lee created 6 News in brief Editor: .....................................................................Matt Nicholson the first World Wide Web server, Microsoft announced a new Technical editors: .. Sean Wilson, Paul Edwards and competition winner. “design environment for online applications” codenamed ‘Blackbird’ Editorial advisor: ............................................Julia Hopkins 8 Competition News editor: ...................................................... Paul Stephens which would allow developers to create content for the forthcoming Publisher: ..................................................................Andrew King Microsoft Network.
    [Show full text]
  • Microsoft Azure Storsimple Appliance 8600 Hardware Installation Guide Contents
    Microsoft Azure StorSimple Appliance 8600 Hardware Installation Guide Contents Unpack your device ..................................................................................................................................................... 3 Prerequisites ................................................................................................................................................................... 3 Unpacking your device ............................................................................................................................................... 3 Rack-mount your device ................................................................................................................................................4 Site preparation .............................................................................................................................................................4 Prerequisites ................................................................................................................................................................... 5 Rack-mounting rail kit ................................................................................................................................................. 5 Install the EBOD enclosure on the rails ................................................................................................................. 5 Mounting the EBOD enclosure in the rack .........................................................................................................
    [Show full text]
  • Microsoft Azure Storsimple 5000/7000 to 8000 Series Migration Guide
    MICROSOFT AZURE STORSIMPLE 5000/7000 TO 8000 SERIES MIGRATION GUIDE Copyright This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy, use, and modify this document for your internal, reference purposes. © 2017 Microsoft Corporation. All rights reserved. Microsoft, Windows Azure, StorSimple, Hyper-V, Internet Explorer, Silverlight, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners. Revision History Release Date Changes May 27, 2015 Update 1.0 release May 29, 2015 Links were updated to reflect Update 1 documentation September 25, 2015 Feedback, added a note to contact Support to enable migration August 26, 2016 Review for Update 3 and bug fixes post Update 1 September 6, 2016 Finished capturing all the changes to the doc from the technical review September 8, 2016 Finalized and published the doc for Update 3 release October 31, 2017 Updated the guide for Azure portal and the migration tool Contents Microsoft Azure StorSimple 5000/7000 To 8000 Series Migration Guide .....................................................................
    [Show full text]
  • FHIR Server for Azure
    FHIR Server for Azure https://github.com/Microsoft/fhir-server Michael Hansen ([email protected]) Sr Program Manager | Microsoft Healthcare D octo rFHIR cat Platform Services Security & Hybrid Management Cloud Media & CDN Application Platform Data Azure AD Security Center Content SQL Health Monitoring Media Media SQL Data DocumentDB Services Analytics Delivery Web Mobile Database Warehouse Network Apps Apps Portal AD Privileged Identity SQL Server Redis Storage Azure Management Azure Active Integration API Cloud Stretch Database Cache Tables Search Directory Apps Services Domain Services Azure AD API BizTalk Services B2C Management Service Notification Fabric Hubs Intelligence Logic Backup Multi-Factor Cognitive Services Bot Framework Cortana Authentication Apps Service Bus Functions Automation Operational Analytics & IoT Analytics Developer Services Scheduler Compute Services Machine HDInsight Stream Analytics Mobile Learning Visual Studio Import/Export Container VM Engagement Service Scale Sets Key Vault Data Data Lake Catalog Analytics Service Data Lake Store VS Team Services Batch Xamarin Azure Site Store/ RemoteApp Recovery Marketplace IoT Hub Event Data Power BI Application HockeyApp Hubs Factory Embedded Insights VM Image Gallery Dev/Test Lab StorSimple & VM Depot Infrastructure Services Compute Storage Networking Virtual Load Traffic VPN App Virtual Machines Blob Queues Files Disks DNS Express Containers Network Balancer Route Manager Gateway Gateway Datacenter Infrastructure On Responsibility Prem IaaS PaaS SaaS Applications
    [Show full text]