Data protection – challenges
• Data is growing
• Data is everywhere
• Threats/Attacks growing
• Compliance regulations
• Data privacy
Source: KrebsOn
http://technet.microsoft.com/en-us/cloud/gg663906.aspx
Data lifecycle areas covered: In-Transit, Storage, Access, Retention, Availability, Removal
Data In Transit - Encryption Points
Microsoft:
• Azure Portal
  • Encrypts transactions through the Azure Portal using HTTPS
  • Strong ciphers are used / FIPS 140-2 support
• Import / Export
  • Only accepts BitLocker-encrypted data disks
• Datacenter to Datacenter
  • Encrypts customer data transfer between Azure datacenters by EOY
Encryption points (diagram):
• Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity
• Data in transit between data centers: protects from bulk interception of data
• End-to-end encryption of communications between users: protects from interception or loss of data in transit between users
Customers:
• Storage
  • Can choose HTTPS for the REST API (recommended) for Storage
• N-Tier Applications
  • Encrypt traffic between Web client and server by implementing TLS on IIS
Choice of data location
Several locations to choose from (select location through the Portal):
• East US
• East US2
• West US
• Central US
• North Europe
• West Europe
• East Asia
• South East Asia
• Data stays in the same Geo
Encryption Options for Customers
IaaS with sensitive data on disk
• Volume Level Encryption – <IaaS Data/Boot Volume Full Disk Encryption through BitLocker or Partner Solutions>
IaaS VM with SQL Server workload
• Database Level Encryption – <IaaS SQL Server Transparent Data Encryption>
Azure Storage Workload
• Application Level Encryption – <Encrypt in Application running on-premise or Azure>
• Cloud Integrated Storage – <Extension to on-premise Storage Solution>
Managing Encryption Keys
• On-premise KMS – <Customer’s or Customer Partner’s KMS and controlled by Customer>
• Azure KMS – <Azure KMS backed by HSMs and keys controlled by Customer> (Future)
IaaS with Sensitive Data on Disk - BitLocker
• Encrypt data and/or boot drives in the VM using ‘manage-bde’ commands (Azure PowerShell command infrastructure)
  • One time – using a script to encrypt
  • Lock and unlock, or auto unlock
  • Protectors can be password, certificate, etc.
  • Protectors can be managed by:
    • Customer’s on-premise Key Management Service
    • Partner’s Key Management Service
    • Azure Key Management Service (Future)
IaaS with Sensitive Data on Disk – Partner
• Volume Level Encryption (Data or Boot) – Partner Solutions
• Key Management support including Partner / on-premise HSM
For additional details, refer to ‘DCIM-B385 – Security and Microsoft Azure IaaS’
IaaS with SQL Server Workload - TDE
Diagram: SQL Server with TDE in an Azure IaaS VM, using EKM (Extensible Key Management) for its keys; Phase 1: HSM on the corporate network reached over VPN; Phase 2: Azure HSM.
Azure Storage – Application Level Encryption
using System.IO;
using System.Security.Cryptography;

// Encrypts dataBuffer with the given symmetric key and IV (CBC mode, PKCS7 padding by default)
// and returns the ciphertext. Rijndael.Create() is the legacy API; Aes.Create() is the modern equivalent.
// Note: this sample gives confidentiality only; it does not integrity-protect the ciphertext.
public static byte[] SampleEncrypt(byte[] dataBuffer, byte[] Key, byte[] IV) {
    using (MemoryStream InMemory = new MemoryStream())
    using (Rijndael SymmetricAlgorithm = Rijndael.Create()) {
        SymmetricAlgorithm.Key = Key;
        SymmetricAlgorithm.IV = IV;
        using (CryptoStream EncryptionStream = new CryptoStream(InMemory,
                SymmetricAlgorithm.CreateEncryptor(), CryptoStreamMode.Write)) {
            EncryptionStream.Write(dataBuffer, 0, dataBuffer.Length);
            EncryptionStream.FlushFinalBlock();   // writes the final padded block
        }
        return InMemory.ToArray();                // ToArray works even after the stream is closed
    }
}
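The SampleEncrypt routine above provides confidentiality only: nothing detects a blob that was altered while at rest. The following is an added example, not the deck's code, extending the same pattern to encrypt-then-MAC with AES-256 and HMAC-SHA256, the cipher/hash pairing the deck cites for Windows Server data snapshots. It assumes .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals) and that encKey and macKey are two separate keys supplied by the customer's KMS.

```csharp
using System;
using System.Security.Cryptography;
// Added example, not the deck's code: encrypt-then-MAC for data an application writes to
// Azure Storage. AES-256-CBC with a fresh random IV, then HMAC-SHA256 over IV||ciphertext,
// so a modified blob is rejected before decryption. Keys are assumed to come from the
// customer's KMS/HSM; key storage itself is out of scope here.
public static class BlobCrypto
{
    const int IvLen = 16, TagLen = 32;
    // Output layout: [16-byte IV][ciphertext][32-byte HMAC-SHA256 tag]
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        if (encKey.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key");
        using (Aes aes = Aes.Create())
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; aes.Key = encKey;
            aes.GenerateIV();                       // never reuse an IV under the same key
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] outBuf = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, outBuf, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, outBuf, IvLen, cipher.Length);
            byte[] tag = hmac.ComputeHash(outBuf, 0, IvLen + cipher.Length);
            Buffer.BlockCopy(tag, 0, outBuf, IvLen + cipher.Length, TagLen);
            return outBuf;
        }
    }
    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("blob too short");
        int bodyLen = blob.Length - TagLen;        // IV + ciphertext, the part the tag covers
        using (Aes aes = Aes.Create())
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, bodyLen);
            byte[] actual = new byte[TagLen];
            Buffer.BlockCopy(blob, bodyLen, actual, 0, TagLen);
            // Constant-time tag check before any decryption (needs .NET Core 2.1+ / .NET 5+)
            if (!CryptographicOperations.FixedTimeEquals(expected, actual))
                throw new CryptographicException("integrity check failed: blob was modified");
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7; aes.Key = encKey; aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }
}
```

Store the returned buffer as the blob body; Unprotect throws before decrypting if the IV, ciphertext or tag was altered in storage.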
Azure Storage –
• Hybrid Applications – Windows Server Data Snapshots
  • Data encrypted on-premise and backed up in Azure
  • AES 256 encryption and integrity protected with SHA-256 hashes
Microsoft control – Admin console
• Access to production Azure using a locked host on the Admin console
• Guest VM for email and browsing on the Admin console
Diagram: Admin console (Win 8.1 with Hyper-V) running a VM to host the mailbox machine, with access to Azure data center servers.
Microsoft control – Operator Access
Diagram: an admin on the Microsoft Corporate Network requests access; Just in Time and Role Based Access grants a temporary privilege to Microsoft cloud services (PaaS, IaaS, SaaS) storage: Blobs, Tables, Queues, Drives.
• Grants least privilege required to complete the task
• Multi-factor authentication required for all administration
• Access requests are audited and logged
Log mgmt. – options for customers
Option 1 – push logs to Xstore and analyze with Big Data tools
Option 2 – push logs via WEF (Windows Event Forwarding)
Diagram: Windows Azure virtual network (10.0.0.0/16)
Availability
Microsoft Azure:
• Storage Blobs, Tables and Queues
• Multiple replicated copies
• Replication across regions within a Geo
Customer Options:
• Leverage Geo Replication
• Design for software failures: deletion of data, either accidentally or due to a software bug, removes all the copies; use offline backup / archiving to safeguard
• RPO considerations and design failover scenarios
Retention
Microsoft Azure:
• Customer leaves Azure – data retained for 90 days and available if the customer comes back within 90 days
Customer Options:
• Explicitly delete data before leaving
Removal
Microsoft Azure:
• Defective disks – data erased or disk destroyed prior to RMA
• Decommission – follow DoD data wipe standards
Customer Options:
• Delete data for removal from Azure
Our approach
• Protect any file type
• Protect in place, and in flight
• Share with anyone
• Delight with Office docs, PDF, Text, and Images.
• Data is protected all the time
• B2B sharing is most important with B2C on the rise
• Important applications and services are enlightened
• Meet the varied organizational needs
• CSOs and Services can ‘reason over data’
• Protection enforced in the cloud, or on-premises; with data in both places.
• Delegated access to data with bring-your-own-key
• Microsoft and our partners are working with us to make this happen
• ‘Cloud Ready’ orgs can use RMS in Office 365 with unprecedented ease
• Nearly automatic with Office 365 and Microsoft RMS
• We’re not done yet, but we’ve come a long way
• ‘Cloud Accepting’ orgs can use Azure RMS with the RMS connector
• Enables hybrid organizations with Azure RMS and the RMS Connector
• ‘Cloud Reluctant’ orgs can use AD RMS on premises
• Protects any file type with the RMS app; enlightened applications do better
• Some will use Hardware Security Modules in Azure with BYOK
• DCIM-B385 – Security and Microsoft Azure IaaS
• DCIM-B221 – Microsoft Azure Security and Compliance Overview
• DEV-B344 – Building Web Apps and Mobile Apps using Microsoft Azure Active Directory for Identity Mgmt
For More Information
• Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
• System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
• Azure Pack: http://www.microsoft.com/en-us/servercloud/products/windows-azure-pack
• Microsoft Azure: http://azure.microsoft.com/en-us/
Come Visit Us in the Microsoft Solutions Experience! Look for Datacenter and Infrastructure Management, TechExpo Level 1 Hall CD
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Data Protection in Microsoft Azure