Data security Q&A with John Molesky, Azure Security Engineering
In this post, we interviewed Azure Program Manager, John Molesky, from the Cloud Health and Security Engineering team with commonly asked questions regarding data security. For many customers, moving to the cloud means a change in processes to manage data, including data destruction and spillage. John’s answers help address those concerns.
1. How can customers secure access to storage accounts?
Azure offers a few ways to secure access to storage accounts. When a storage account is created, Azure generates 512-bit storage access keys, which, when combined with the storage account name, can be used to access the data objects stored in the storage account. Access to these storage access keys can be controlled using Azure Active Directory Role-Based Access Control (RBAC), ensuring that users have only the access and permissions they need. Additionally, Shared Access Signatures can be used to secure access to specific data objects stored in a storage account (e.g., blobs, files, queues, tables).
2. Can customers encrypt storage?
Yes, Azure customers can encrypt storage in several different ways. Azure Storage Service Encryption (SSE) provides 256-bit AES encryption at rest for Azure Storage accounts, transparently handling encryption, decryption, and key management. SSE can be enabled directly from the Azure portal for a customer’s storage account. Once enabled, any blobs written to the storage account will be encrypted. (It’s important to note that any existing blobs will not be encrypted until they are rewritten.) Additionally, Azure Virtual Machine disks (VHDs), including OS disks and data disks, can be encrypted using Azure Disk Encryption. For Windows virtual machines (VMs), disks are encrypted using BitLocker; for Linux VMs, disks are encrypted using DM-Crypt. Azure Disk Encryption is integrated with Azure Key Vault for control and management of disk encryption keys. Azure Disk Encryption can be used to help mitigate risk associated with a compromised or inadvertently disclosed storage access key. Storage Service Encryption and Azure Disk Encryption can be enabled simultaneously, encrypting data by both methods.
3. Does Microsoft have access to data in customer’s storage accounts or encryption keys?
You own your data. Microsoft uses customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. Access to customer data by Microsoft employees is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and both Microsoft and third parties perform regular audits to attest that any access is appropriate. Access to encrypted customer data by Azure support personnel requires a customer’s explicit permission and is granted on a “just in time” basis if needed. All accesses are logged and audited, and upon completion of the support task, access is revoked.
4. When a customer deletes a storage blob, what happens?
To understand how Azure handles data when it is deleted, let’s first review how data is stored within Azure. For durability and high availability, data within Azure Storage accounts is replicated. Locally redundant storage (LRS) replicates data three times within a single facility within a single region for durability; geo-redundant storage (GRS) is replicated an additional three times in a secondary region. In Azure Storage, all disk writes are sequential. This minimizes the number of disk “seeks,” but requires updating the pointers to data objects every time they are written. A side effect of this design is that data cannot be deleted by overwriting with other data. The original data will remain on the disk, and the new data will be written sequentially. When a customer deletes a storage object (e.g., blob, file, queue, table), the pointer to this object is immediately deleted from the storage index used to locate and access the data. This operation is replicated asynchronously for GRS. With the storage index updated, the data is immediately unavailable. The sectors on the disk associated with the deleted data become immediately available for reuse and are overwritten when the associated storage block is reused for storing other data. The time to overwrite varies depending on disk utilization and activity, but is rarely more than two days. This is consistent with the operation of a log-structured file system. Azure Storage interfaces do not permit direct disk reads, mitigating the risk of another customer (or even the same customer) from accessing the deleted data before it is overwritten.
5. When a customer deletes a subscription, what happens?
If a subscription is cancelled or terminated, Microsoft will store customer data for a 90-day retention period to permit customers to extract data or renew their subscriptions. After this retention period, Microsoft will delete all customer data within 90 days of the retention period (i.e., by day 180 after cancelation or termination). If a storage account is deleted within a subscription, it is retained for two weeks to allow for recover1. y from accidental deletion, after which it is permanently deleted. NOTE: When a storage object (e.g., blob, file, queue, table) is itself deleted, the delete operation is immediate. To avoid retention of data after storage account or subscription deletion, customers can delete storage objects individually before deleting the storage account or subscription.
6. How does Microsoft dispose of hard disks?
Microsoft uses a disk disposal process that complies with NIST SP 800-88 R1, Guidelines for Media Sanitization. Disks are physically destroyed to render recovery of data impossible. Records of the destruction are retained and reviewed as part of our audit and compliance process. All Microsoft Azure services utilize approved media storage and disposal management services.
7. What should a customer do if unauthorized data is found to have been uploaded to their Azure storage account?
Azure implements safeguards for NIST SP 800-53 R4 control IR-9, Information Spillage Response; however, customers are responsible for data spillage incidents within their subscription and should refer to their internal incident response processes. Microsoft Azure Security Response in the Cloud outlines Microsoft and customer roles when responding to security incidents within Azure. Due to data striping across multiple disks, physical disks cannot be removed from service due to a customer data spillage incident. However, risk associated with persistence of the data can be mitigated by deleting the associated storage blob, which makes the data unavailable and marked as available to be overwritten as discussed in question #4 above. Should a disk fail or reach end-of-life prior to an overwrite action, it will be destroyed as described in question #6 above.
8. Could somebody physically steal my data?
Microsoft employs rigorous operational controls and processes to prevent unauthorized physical access to data centers, including 24×7 video monitoring, trained security personnel, key-locked server racks (housing compute, storage, and networking hardware), and smart card / biometric multifactor access controls. All physical access is logged. The way data is managed in Azure inherently includes several additional safeguards to help prevent access to data. For example, in Azure Storage, data is striped across multiple physical disks. Targeting specific data for theft would require not only knowing the correct data center, building, floor, room, and server rack on which the targeted data resides, but also understanding how the data is striped across disks and the location of each of the many physical disks where the associated strip units are written. In addition to these physical controls, Storage Service Encryption can be enabled to encrypt the data at rest, further preventing unauthorized access.
9. What additional resources has Microsoft published?
A variety of resources are available providing in-depth information about how customer data is stored in Azure. Check out the resources below for more information:
We welcome your comments and suggestions to help us continually improve your Azure Government experience. To stay up to date on all things Azure Government, be sure to subscribe to our RSS feed and to receive emails, click “Subscribe by Email!” on the Azure Government Blog. To experience the power of Azure Government for your organization, sign up for an Azure Government Trial.