Identify an appropriate data security solution

Data Protection

Protecting data at rest, in transit and in use.

Azure Storage

SQL Database

  • Azure SQL (PaaS) includes managed security
  • SQL Server on Azure VM (IaaS)
    • SQL Server Transparent Data Encryption (TDE) for data at rest
    • SQL Server Column Level Encryption (CLE) – sensitive data only decrypted by SQL server (application changes required & can have a performance impact)
    • Extensible Key Management (EKM) allows delegation to an independent KMS

Access Control

Ensuring only authorised users can access data.

Azure Storage

  • 2 keys associated with each storage account for easy rotation
  • Time bound URL based access with Shared Access Signatures (SAS)
    • Stored Access Policy (SAP) allowed management of SAS at scale

SQL Database

  • Azure SQL uses SQL authentication, SQL Server can use Kerberos

Azure AD

  • Global Administrator for simple deployments & additional roles

Other Controls

  • Azure Virtual Network ACLs and NSGs
  • Azure Service Bus supports SAS authentication for entities e.g. queues & topics

Data Reliability & Disaster Recovery

Backup and Disaster Recovery are key components of a Business Continuity strategy.

Azure Storage

  • Azure Storage is replicated multiple times for availability
    • LRS – 3 copies within a single facility & region
    • GRS – 6 copies, as LRS with an additional 3 copies in a backup region
    • RA-GRS – Ability to read from second region when primary is unavailable

SQL Database

  • Azure SQL uses 3 database replicas
  • Azure SQL offers ‘Point In Time Restore’ for a number of days according to the tier
  • Azure SQL fault tolerance options include
    • (Default) Geo-Restore to allow recovery to a different geographic region
    • Standard Geo-Replication creates additional secondary replicas (passive)
    • Active Geo-Replication  creates 4 geo-replicated live secondaries (active)
  • Databases can be manually backed up
  • The Import/Export service can also be used for recovery

Azure AD

  • Azure AD is highly available and geo-redundant by default

Azure Backup

  • Works at the file and folder level to protect data


  • Works at the volume level as a hybrid solution deployed on-premise

Azure Site Recovery

  • Works at the VM and topology level to both protect and migrate workloads

Azure Rights Management Service

  • Encrypt and decrypt data
  • Manage and track key distribution
  • Manage key management & access policies

Azure Key Vault

  • Protect and control keys using HSM in the cloud

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s