stay on top of Azure best practices - reference architecture

This guide will provides prescriptive guidance and deployment strategy, we will start this guide by explaining how to secure your data

Secure control of data in Azure

At Rest

Encrypt inactive data when stored in blob storage, database, etc.

Azure Services:

• Azure Storage Service
• Encryption for Data at Rest
• SQL Server Transparent
• Database Encryption (TDE)

In Transit

Encrypt data that is flowing between untrusted public or private networks

a.g:

• HTTPS
• TLS

In Use

Protect/Encrypt data that is in use during computation

a.g:

• Trusted Execution Environments
  
• such as Intel SGX and VBS
• Homomorphic encryption

IaaS Encryption At Rest

PaaS Encryption at Rest

Encryption In Transit

Encryption In Use

• Confidential computing brings secure enclaves to Azure

         Trusted execution environments
         First public cloud to offer Intel Software Guard Extensions (SGX) enclaves

• Enhancing Always Encrypted in Azure SQL Database with enclaves

         Rich computations on encrypted data (pattern matching, range queries, sorting, etc.)
         In-place encryption and key management

Azure Key Vault

Protect cryptographic keys with FIPS 140 2 Level 2 & Level 3 HSM by Thales

Encrypt Azure VMs, Azure Data Lake, SQL Server, and other apps with a key in your key vault. The key never leaves the vault.

Available as a service in every azure region

Cost: Pay-as-you-go

As security summary you have to:

1. Assume highest data classification & encrypt all application & network layers
2. Use HSM-backed Azure Key Vault for key storage & management
3. Enable Azure Security Center & apply its recommendations
4. Enable Azure Sentinel (SIEM) & apply its recommendations
5. Enable Azure DDoS
6. Enable Monitoring for all Azure services
   

Subscription Structure

Microsoft recommended to have a separated subscription for each workload such as Dev/Test and Production

Azure Reference Architecture

Microsoft Cybersecurity Reference Architecture

References

• https://docs.microsoft.com/en-us/azure/architecture/browse/
  
• https://gallery.technet.microsoft.com/Cybersecurity-Reference-883fb54c