Encryption is hard. There is really no way around that fact.
One of the great benefits of Office 365, or any cloud product, is that these complex solutions are deployed and maintained for you by those who are best qualified to make them work. The downside to having someone else deploy and run your IT solutions is the lack of control you have over your information. You don’t really know who has access to your information when you’re moving it to the cloud.
Now, I don’t want to sound like a tin foil hat alarmist. Microsoft does a really good job of providing transparency into their compliance and data access policies and procedures in Office 365. Features like Lockbox and auditing within Office 365 should give customers assurance that their data is relatively secure in Microsoft’s hands.
The problem is that sometimes this doesn't cut it. Some customers are going to have some data that is just too important to hand off to anyone in an unencrypted format. Microsoft is well aware that some customers have security requirements that make the move to Office 365 impossible without absolute assurance they can maintain 100% control over their most sensitive data.
Today I’m going to talk about hold your own key (HYOK), a solution to address this concern. Before we get to HYOK, however, we need to catch up on Azure Key Vault and BYOK.
Azure Key Vault is a Microsoft Azure service that allows you, as the name suggests, to store encryption keys in the cloud. The best way to think of Azure Key Vault is as a Hardware Security Module (HSM) as a service.
An HSM is a piece of hardware that's purpose-built to hold and process encryption keys securely. HSMs are fairly pricey pieces of hardware. Even more so, they are complex to set up and maintain. If you’re going to deploy your own HSM on-premises, you really need trained staff to ensure the equipment functions properly.
Azure Key Vault is Microsoft taking that HSM hardware and abstracting it from you, the customer, so you don’t have to worry about all the setup and deployment. You do still get all the security functionality of that HSM.
An HSM provides security by storing encryption keys in a fashion that never allows them to leave the HSM. When you encrypt a document on a server, that server needs to hold your encryption keys resident in memory for at least a short time. Anytime a server is holding encryption keys in memory, there is a risk that, if that server is compromised, control of that key will be lost and your encrypted data will be vulnerable. The HSM prevents this vulnerability by holding the key and doing the encryption and decryption in its own purpose-built hardware. Once in an HSM, keys cannot be extracted by anyone, including Microsoft, which physically controls that HSM.
Azure Key Vault allows you to access Microsoft’s HSMs via the REST API for encrypting and decrypting data without exposing your encryption keys.
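To make the REST access described above concrete, here is an added sketch (not code from the original post or from Microsoft) that builds a Key Vault key-operation request and parses a response without sending anything. The vault name, key name, key version, token and sample ciphertext are constructed placeholders, and the `7.4` API version is an assumption.

```python
import base64
import json
import urllib.request

API_VERSION = "7.4"  # data-plane API version assumed for this sketch
KEY_OPS = {"encrypt", "decrypt", "wrapkey", "unwrapkey"}


def b64url_encode(data: bytes) -> str:
    """Key Vault carries binary values as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_key_request(vault_url, key_name, key_version, op, value, token,
                      alg="RSA-OAEP-256"):
    """Build (but do not send) a key-operation request.

    The body holds only the algorithm and the data to transform; the key is
    named in the URL and never appears in the request or the response.
    """
    if op not in KEY_OPS:
        raise ValueError(f"unsupported key operation: {op}")
    url = (f"{vault_url.rstrip('/')}/keys/{key_name}/{key_version}/{op}"
           f"?api-version={API_VERSION}")
    body = json.dumps({"alg": alg, "value": b64url_encode(value)}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def parse_key_result(response_body: bytes):
    """Return (key id, result bytes) from a key-operation response."""
    doc = json.loads(response_body)
    return doc["kid"], b64url_decode(doc["value"])


# Constructed sample values: vault, key name, version and token are placeholders.
SAMPLE_REQUEST = build_key_request(
    "https://contoso-example.vault.azure.net", "doc-key", "0123456789abcdef",
    "encrypt", b"quarterly-forecast", token="<access-token>")
SAMPLE_RESPONSE = json.dumps({
    "kid": "https://contoso-example.vault.azure.net/keys/doc-key/0123456789abcdef",
    "value": b64url_encode(b"\x8a\x01constructed-ciphertext\xff"),
}).encode()
```

Anyone holding a token authorized for the `decrypt` operation can send the same request with the ciphertext as `value`, so access policy on the vault, not key secrecy alone, decides who can read the data.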
Azure Key Vault costs about $1 per month to store a single key, plus about $0.03 for every ten thousand operations against that key. Pricing may vary slightly depending on how you purchase Azure, but those numbers should give you a ballpark estimate.
Azure Key Vault can be used for your Azure applications and SharePoint Online. There is a preview of the upcoming support for Exchange Online with Azure Key Vault, but that feature is not currently generally available.
As I said above, Azure Key Vault allows you to securely store encryption keys in the cloud. I did not, however, say anything about generating keys.
You can, of course, use Microsoft’s Certificate Authority (CA) within Azure to generate the keys that you use in Azure Key Vault. If, however, you would like to take your security up a notch, BYOK gives you another option.
The BYOK feature of Azure Key Vault allows you to use a key from a source outside Azure as your encryption key. That source can be your own on-premises CA, a third-party CA or anything in-between — as long as you have a valid CA with a valid Certificate Revocation List (CRL).
In its first incarnation, to use BYOK you had to physically get your encryption key to Seattle and manually load it into Microsoft’s Azure Key Vault HSM. This limitation has since been overcome. Now, you can load your encryption keys into Azure Key Vault over the Internet.
What’s important to understand about BYOK is that loading your encryption key into Microsoft’s HSM means that Microsoft will have the ability to decrypt any documents that are encrypted with that key. The HSM prevents Microsoft from exporting your encryption keys and using them outside the HSM, but it does not prevent Microsoft from accessing your data.
Again, I am in no way insinuating that Microsoft does access any materials that are stored within the Office 365 service. I’m just saying that there is no technological barrier preventing Microsoft from accessing materials you encrypt with keys stored within Azure Key Vault.
BYOK does give you two advantages over using keys generated by Microsoft’s CAs.
So BYOK offers some additional protection for your sensitive data, but it’s still not to the point where you know that only you and those you designate have access to your data. The good news is that Microsoft has introduced the next level of data protection if that is what you need.
Recently made available in preview, HYOK allows you to keep your own keys for SharePoint Online (and soon Exchange Online) in your on-premises environment. Unlike BYOK, HYOK is a configuration where you keep your own encryption keys, and all the encryption and decryption work is done with your on-premises hardware.
The upside to HYOK is that you know no one has access to your data without your approval. You hold all the keys to the kingdom.
Of course, this added security comes at a cost.
In order to help make it easier for your users to understand which encryption should be used with each data type, HYOK is implemented with Azure Information Protection.
Azure Information Protection is a whole other encryption technology in Office 365, but that is going to have to be the subject of another blog post.
Nathan is a five-time former Microsoft MVP who specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.