Locking Down Your Data: Azure Data Security
In late 2014, Apple’s iCloud service was breached by rogue hackers. The hackers stole and later circulated online private photos belonging to several celebrities. Since then, many people – and organizations – have been leery of using public cloud storage. After all, how safe is it to keep confidential data on a server that you do not physically control?
According to a report published by McAfee, only 23% of organizations today trust public cloud services when it comes to data safety. Despite the ever-increasing adoption of cloud-based services, 49% of businesses have delayed cloud deployment because they do not believe they have the skills to keep their data secure.
How safe is your data in the Cloud?
Experts agree there is no such thing as foolproof data safety, regardless of where the data is stored. A determined hacker with enough time and resources will eventually find a way to get your data. What you can do, however, is to make it extremely difficult for the hacker to do so. Take measures to protect and harden your server to make it Fort Knox, so to speak, to avoid presenting a soft target.
Apple’s iCloud storage was breached only after hackers obtained poorly-protected passwords. By following the necessary security protocols, you can prevent the same from happening to you. Cloud storage suppliers or Infrastructure as a Service (IaaS) providers are not equal when it comes to the data security precautions they have in place. We recommend using only well-known companies with a track record of securely providing cloud services.
Keeping your data safe with Azure
We believe Microsoft Azure is one of the most secure public and private cloud platforms available now. Microsoft has decades of experience with online services, and it has implemented many industry-leading security technologies and services. Azure contains that expertise.
With Azure, you have total control over your data, which is completely encrypted and the keys stored securely in the Azure Key Vault. Thanks to client-side encryption support, you have the choice of keeping the keys on-site as an added safety measure.
Here are seven ways to lock down your data with Azure:
1. Add an extra layer of access security with Multi-Factor Authentication
You are familiar with the username-password way of keeping data safe. However, what happens when a hacker discovers the administrator’s username and password? They have unlimited access to your data. With Azure Multi-Factor Authentication (MFA), you can prepare for this scenario by adding an extra layer of authentication, in addition to the standard username-password.
The additional authentication can be a requirement to answer a phone call or input a One Time Password (OTP) sent as a text message to your phone when logging in. That way, even if a hacker has your password, it would be useless because they do not have your phone.
2. Control who accesses your data with Role-Based Access Control
It is easier to protect data if you grant access only on a need-to-know basis. After all, accessing data makes it vulnerable during the transit period to the workstation, at the workstation itself, and when it makes its way back to the server. If data is accessed only when necessary, it is less at risk.
With the Azure Role-Based Access Control (RBAC) system, you can assign separate permissions and privilege levels to users or groups. You can restrict who has access to what, and only give someone access if they need it to perform their job. You can create Storage Account Contributors, for example, if you want someone to manage your storage but nothing else.
3. Protect your data with encryption
Azure has provisions to keep your data encrypted when it is at rest and in transit. It is your job as the administrator to enforce the encryption, however. Azure Disk Encryption works with Windows BitLocker and Linux DM-Crypt features. Both BitLocker and DM-Crypt are industry-standard encryption tools designed to keep your data safe.
Encrypt your drives and databases first before you store any data. To prevent your database from being compromised, turn on Azure SQL Database Transparent Data Encryption (TDE).
4. Audit and manage your encryption keys with Azure Key Vault
You can only read your encrypted data by decrypting it with a key, so it is essential that you keep these keys safe. After all, anyone who has access to the key can use it to access your data. Some organizations prefer to store their keys in on-site servers for added security.
Azure has a Key Vault feature explicitly designed for key storage, management, and security. There are provisions to store your keys both on-site and off-site/cloud. They are protected by industry-standard algorithms and other means. Microsoft cannot read your keys. A single administrator can control and modify these keys as necessary.
5. Create a dedicated workstation
Most hackers attempt to target the weak link in your security: the endpoint user or workstation. That is, the account or computer you use to access sensitive data. If it is not well-protected, hackers can easily use its administrator-level privileges to read your data.
To avoid a data breach, create and use a dedicated administrator workstation to interact with sensitive data. These workstations are called Privileged Access Workstations (PAWs). With PAWs, you can take precautions to protect yourself against phishing, keystroke logging, impersonation, and other attack methods. To learn more about PAWs, read this official tutorial.
6. Secure data that is in transit with SSL/TLS
Your data requires protection while on the way to the cloud server and back again. Use the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocol to exchange encrypted data securely. With SSL, TLS, and HTTPS, your data is scrambled and impossible to read if intercepted.
Use the Azure Portal service to interact with your data directly on Azure Storage and be protected by HTTPS. Some organizations also prefer to create and use a Virtual Private Network (VPN) to obscure and mask their link to Azure’s servers.
7. Safeguard your files with Azure Rights Management
We talked about disk, database, and in-transit encryption. If you feel you need an additional layer of security, Azure also supports file-level encryption with Azure Rights Management (RMS). Azure RMS can keep your files and emails safe by encrypting them. Even if the files are copied to an external, un-encrypted disk, RMS stays with them.
RMS works by leveraging encryption, authorization, and identity policies. It can automatically be applied to data designated as top secret. The RMS app can be integrated to work with Office applications for added convenience.
For more information on data security in Azure, refer to the official security overview. Microsoft also offers a premium Azure Security Center service if you want additional protection. They provide services like threat monitoring and response, which notifies you about threats and enables you to respond in real time. As you see, Microsoft is serious about keeping your data safe.
Businesses worldwide are expected to spend $101.6 billion on cyber-security by the year 2020. With the cloud’s steady rise in popularity, much of this money will be poured into cloud-based security. Can you trust Azure with your data? Yes, you can.