Welcome back. In this episode, we're going to take a look at data encryption and confidential compute.
Our objectives include understanding the different encryption models, then taking a look at how encryption is used inside of Azure across disk, storage and database connections, and finally we'll take a look at what confidential compute is.
So first of all, Azure supports a couple of different encryption models. The first is client-side encryption, where the data encryption is completed outside of Azure.
This could include the application encrypting the data, or the data is already encrypted and is then sent and stored in Azure. We also have server-side encryption, which has three different options based on how the encryption keys are managed. The first is service-managed keys, where Azure encrypts the data using its own keys.
Then we have customer-managed keys, where you, as the customer, have control over the encryption keys being used to encrypt the data. And the third option can be referred to as Host Your Own Key, where you manage and use keys from your own repositories outside of Microsoft's control.
So, taking a look at some of the resources inside of Azure and how encryption is used with them: we can encrypt and protect the virtual hard drives that are associated with our Windows and Linux virtual machines with Azure Disk Encryption. You can protect both the operating system and the data disks with full-volume encryption.
Azure Disk Encryption uses BitLocker technology for Windows VMs and dm-crypt for Linux virtual machines. The encryption keys and secrets are securely stored in an Azure Key Vault, which we covered in the previous episode, and we're going to see how we can encrypt virtual machine disks in the demo in the next episode.
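Here is an added example, not part of the course material, of the Azure Disk Encryption steps just described, done with the Az PowerShell module. The resource group, VM and Key Vault names are placeholders chosen for this example; the Key Vault must be in the same region and subscription as the VM, and the optional key-encryption key (KEK) is what lets you keep the volume secret wrapped under an RSA key you control.

```powershell
# Added example (not from the course): enable Azure Disk Encryption on an existing VM.
# Resource names below are placeholders for this example.
$rg     = 'rg-encryption-demo'
$loc    = 'eastus'
$vmName = 'vm-win-01'
$kvName = 'kv-ade-demo-01'        # Key Vault names must be globally unique

Connect-AzAccount | Out-Null

# Key Vault in the same region as the VM, explicitly allowed to store ADE secrets.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc -EnabledForDiskEncryption

# Optional key-encryption key (KEK): the BitLocker/dm-crypt volume secret is wrapped
# with this RSA key, so reading the secret alone is not enough to unlock the disk.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination 'Software'

# Encrypt OS and data disks. The extension reboots the VM; -Force skips the confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Key.Kid `
    -KeyEncryptionKeyVaultId   $kv.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

The check at the end is the part to keep in a runbook: a VM with the extension installed but a status of NotEncrypted (for example because the data disk was attached after encryption ran) looks identical in the portal overview.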
Another important concept is protecting data at rest, meaning when it is stored on disk. This protects against an attacker that gains access to physical storage drives that have data stored on them. If the attacker did not have access to the encryption keys, they would need to break the encryption in order to access the data, which would be very difficult.
Encrypting data at rest is also usually a requirement for many data governance and compliance efforts, such as HIPAA, PCI and FedRAMP environments.
Azure Storage supports server-side encryption for all of its services, which include blobs, queues, tables and Azure Files. This encryption is enabled by default and uses service-managed keys, and this is transparent to any application that's accessing the service.
In addition, blobs and Azure Files also support customer-managed keys that are stored in the Azure Key Vault.
Blobs, tables and queues also support client-side encryption, meaning the data is encrypted before it is uploaded into those services. In this case, the application is responsible for encrypting the data, and the customer is responsible for managing the keys.
Azure also offers protection for data in transit, depending on the resource and what kind of connection is being made. For remote connections to virtual machines, we can use the Remote Desktop Protocol, or RDP, and use TLS to protect the connection. And then you could also use Secure Shell, or SSH, to secure the connection to Linux virtual machines.
You can combine SSH with public and private key pairs in order to eliminate the need for passwords with the SSH connection. Microsoft also uses Transport Layer Security, or TLS, to protect data that is traveling between the cloud service and customers. Any connection made from a client system to Azure negotiates a TLS connection to encrypt data, and Microsoft is always working on upgrading the services to use the latest TLS 1.2 version.
When interacting with any Azure Storage service through the portal, all transactions also take place over HTTPS, as do any transactions made using the Storage REST API. If you remember from module 2, when we create a shared access signature for accessing a storage account, we can also enforce the HTTPS protocol.
Virtual machines making data transfers over Azure virtual networks use the SMB 3.0 protocol to encrypt data.
We also previously talked about the VPN connections that we can make to Azure networks. Our site-to-site VPN connections can use IPsec or IKE for transport security, and point-to-site uses SSTP.
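Here is an added example, not part of the course material, that pulls together the storage account settings covered above: moving blob and file encryption at rest from service-managed keys to a customer-managed key in Key Vault, refusing plain HTTP and old TLS versions at the account level, and issuing a shared access signature that is only valid over HTTPS. It uses the Az PowerShell module; the resource group, storage account and Key Vault names are placeholders, and the vault and storage account are assumed to exist already.

```powershell
# Added example (not from the course): storage account encryption settings with Az PowerShell.
# Resource names are placeholders; the Key Vault and storage account must already exist.
$rg     = 'rg-encryption-demo'
$saName = 'stencdemo01'
$kvName = 'kv-storage-cmk-01'

Connect-AzAccount | Out-Null

# 1. Data at rest: switch from service-managed keys to a customer-managed key (CMK).
#    The account needs a managed identity that Key Vault allows to wrap/unwrap keys, and the
#    vault needs purge protection so the key cannot be deleted out from under the data.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
Update-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -EnablePurgeProtection
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get
$key = Add-AzKeyVaultKey -VaultName $kvName -Name 'storage-cmk' -Destination 'Software'
$kv  = Get-AzKeyVault -VaultName $kvName
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri

# 2. Data in transit: reject plain HTTP and anything below TLS 1.2 for the whole account.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2

# 3. Shared access signature that is HTTPS-only, read/list only and short-lived.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Context
$sas = New-AzStorageAccountSASToken -Context $ctx -Service Blob `
    -ResourceType Container,Object -Permission 'rl' -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1)

# Confirm the settings took effect: KeySource should read Microsoft.Keyvault.
Get-AzStorageAccount -ResourceGroupName $rg -Name $saName |
    Select-Object EnableHttpsTrafficOnly, MinimumTlsVersion,
        @{ n = 'KeySource'; e = { $_.Encryption.KeySource } }
```

Two things worth knowing before you run this: the CMK is bound to a specific key version, so key rotation in the vault has to be followed by updating the storage account (or by enabling automatic version updates), and the HttpsOnly SAS is enforced by the service, so a client that tries the token over http:// gets a 403 rather than a silent downgrade.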
Azure also has a feature in SQL databases called Always Encrypted. This is a feature designed to protect information like credit card numbers or Social Security numbers that might be stored in a SQL database. You can take individual columns inside the database and encrypt them so that only the application can access them.
Administrators who might try to view the data outside the application will not be able to view it.
The encryption is transparent to the application, as it uses an Always Encrypted-enabled driver to automatically encrypt and decrypt the data. The data is protected from the database engine, so it cannot be viewed there while the application still can.
This allows for encrypting the data at rest and ensures administrators or other operators do not have access to the sensitive data.
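Here is an added example, not part of the course material, of provisioning Always Encrypted for the kind of columns just mentioned, using the SqlServer PowerShell module together with Az for the Key Vault key. The server, database, table, column and key names are placeholders, and the connection string assumes Azure AD authentication to the database. The point it shows is the one the lecture makes: the column master key stays in Key Vault, the column encryption key is wrapped with it on the client, and the database engine only ever stores the wrapped key and ciphertext.

```powershell
# Added example (not from the course): Always Encrypted with a Key Vault column master key.
# Server, database, table, column and key names are placeholders for this example.
Import-Module Az.KeyVault
Import-Module SqlServer

Connect-AzAccount | Out-Null

# RSA key in Key Vault that acts as the column master key (CMK). The caller needs
# get, wrapKey, unwrapKey, sign and verify on this key for the steps below to work.
$cmkUrl = (Get-AzKeyVaultKey -VaultName 'kv-ae-demo-01' -Name 'ae-cmk').Id

# Azure AD auth is assumed; adjust the Authentication keyword to your environment.
$connString = 'Server=tcp:sql-enc-demo.database.windows.net,1433;Database=Payments;' +
              'Authentication=Active Directory Interactive;Encrypt=True;'

Add-SqlAzureAuthenticationContext -Interactive
$db = Get-SqlDatabase -ConnectionString $connString

# Register the CMK metadata in the database (only the Key Vault URL is stored, never the key),
# then create a column encryption key (CEK) that is generated and wrapped client-side.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $cmkUrl
New-SqlColumnMasterKey -Name 'CMK_KeyVault' -InputObject $db -ColumnMasterKeySettings $cmkSettings
New-SqlColumnEncryptionKey -Name 'CEK_Cards' -InputObject $db -ColumnMasterKey 'CMK_KeyVault'

# Deterministic encryption allows equality lookups (WHERE CardNumber = @p) at the cost of
# revealing which rows share a value; Randomized is stronger but supports no comparisons.
$ces = @(
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Cards.CardNumber' -EncryptionType Deterministic -EncryptionKey 'CEK_Cards'
    New-SqlColumnEncryptionSettings -ColumnName 'dbo.Cards.SSN'        -EncryptionType Randomized   -EncryptionKey 'CEK_Cards'
)
Set-SqlColumnEncryption -InputObject $db -ColumnEncryptionSettings $ces

# A DBA running SELECT * FROM dbo.Cards now sees varbinary ciphertext. Only a client that
# connects with 'Column Encryption Setting=Enabled' and can unwrap the CEK in Key Vault
# sees plaintext, which is the separation between the database operator and the application.
```

The access that matters here is on the Key Vault key, not the database: anyone with db_owner but no wrapKey/unwrapKey permission on ae-cmk stays locked out, and conversely the Key Vault access policy is the place to audit who can ever see these columns.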
Azure also has a concept called confidential compute. So far, we've only talked about the encryption of data at rest and in transit, but confidential compute protects your data while it's being processed. It does this through the use of trusted execution environments, or TEEs.
TEEs use hardware or software implementations that protect the data from being accessed outside the environment during processing.
The TEE is really a protected container around the processor and memory of a system, and the data is only accessible and modifiable by authorized code while it is either being accessed by the processor or being stored in memory.
The DC-series of virtual machines, running the latest Intel Xeon processors with Intel SGX technology, can be used along with custom-built applications to protect data and code being used.
That does it for the discussion of some of the encryption options we have inside of Azure.
Perhaps you're using encryption to meet a compliance or governance standard, and I think if you start diving into the different services inside Azure, you'll see each one has a solution that will meet your needs.
Let's follow up this episode with a quick post-assessment question. What two models are available for encryption inside of Azure?
We have client-side encryption, where the data is encrypted by the application or client before it's uploaded into Azure, or we have server-side encryption, where the Azure service manages encryption and the keys associated with it.
And there are also several scenarios, for instance with our storage accounts, where you can bring your own storage key that is stored in your Azure Key Vault.
Coming up next, we're going to take a look back at our topic about virtual machine disk encryption with an Azure Disk Encryption demo. See you in the next episode.