This guide will provides prescriptive guidance and deployment strategy, we will start this guide by explaining how to secure your data
Secure control of data in Azure
 At Rest Encrypt inactive data when stored in blob storage, database, etc. Azure Services:
|  In Transit Encrypt data that is flowing between untrusted public or private networks a.g:
|  In Use Protect/Encrypt data that is in use during computation a.g:
|
IaaS Encryption At Rest
PaaS Encryption at Rest
Encryption In Transit
Encryption In Use
- Confidential computing brings secure enclaves to Azure
First public cloud to offer Intel Software Guard Extensions (SGX) enclaves
- Enhancing Always Encrypted in Azure SQL Database with enclaves
In-place encryption and key management
Azure Key Vault
Protect cryptographic keys with FIPS 140 2 Level 2 & Level 3 HSM by Thales
Encrypt Azure VMs, Azure Data Lake, SQL Server, and other apps with a key in your key vault. The key never leaves the vault.
Available as a service in every azure region
Cost: Pay-as-you-go
Encrypt Azure VMs, Azure Data Lake, SQL Server, and other apps with a key in your key vault. The key never leaves the vault.
Available as a service in every azure region
Cost: Pay-as-you-go
As security summary you have to:
- Assume highest data classification & encrypt all application & network layers
- Use HSM-backed Azure Key Vault for key storage & management
- Enable Azure Security Center & apply its recommendations
- Enable Azure Sentinel (SIEM) & apply its recommendations
- Enable Azure DDoS
- Enable Monitoring for all Azure services
Subscription Structure
Microsoft recommended to have a separated subscription for each workload such as Dev/Test and Production
Azure Reference Architecture
Microsoft Cybersecurity Reference Architecture
References
- https://docs.microsoft.com/en-us/azure/architecture/browse/
- https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c
RSS Feed
