A common concern voiced by people wary about moving sensitive workloads into the public cloud component of a hybrid cloud is that running their virtual machines (VMs) on someone else’s infrastructure opens up the possibility of the owner of that infrastructure, or a nefarious third party that compromises that infrastructure, gaining access to their contents. Put another way, people ask “how do we know that Microsoft or another public cloud provider won’t peek into our VMs to see our secrets?”
There are certainly policy and legal reasons why that won’t happen. But there are also technical controls you can put in place so that even if someone did obtain the virtual hard disk files of VMs running in Azure, they could not read their contents, because the disks are encrypted in their entirety.
Azure Disk Encryption is a feature that lets you turn on the volume encryption functionality already built into the supported operating systems of Azure IaaS VMs. On the Windows side, Microsoft has enabled its BitLocker full volume encryption to be used on Azure IaaS VMs running Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. On the Linux side, there is support for dm-crypt, the transparent disk encryption subsystem built into Linux kernel versions 2.6 and later.
The secrets that unlock the BitLocker and dm-crypt volumes are stored in Azure Key Vault, and they can be retrieved only by the users and applications that the vault’s owner has authorized in its access policies. Azure Key Vault can also wrap those secrets with a key encryption key held in a FIPS 140-2 Level 2 validated hardware security module, so the key that protects the volume secrets never leaves the HSM.
Azure Disk Encryption supports spinning up new VMs with encrypted volumes, encrypting existing VMs already running in Azure, and importing VMs that were encrypted on-premises so that they run in Azure without their virtual hard disks ever having to be decrypted.
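The following is an added example of the procedure described above, not code from the original article or from Microsoft’s own documentation. It assumes the current Az PowerShell module (the cmdlets that shipped with Azure Disk Encryption when this article was written used the AzureRM prefix and additionally required an Azure AD application and client secret), an existing resource group and VM, and placeholder names for the resource group, VM, vault and key. The vault is created with the Premium SKU so that the key encryption key can be generated inside an HSM, as the preceding paragraph describes.

```powershell
# Added example: enable Azure Disk Encryption on an existing IaaS VM with an
# HSM-protected key encryption key (KEK). Assumes the Az module is installed,
# Connect-AzAccount has been run, and the placeholder names below are valid.
$rg       = 'rg-ade-demo'        # assumed existing resource group (placeholder)
$vmName   = 'vm-ade-demo'        # assumed existing Windows or Linux VM (placeholder)
$location = 'australiaeast'      # must be the same region as the VM
$kvName   = 'kv-ade-demo-01'     # assumed vault name (placeholder, must be globally unique)
$kekName  = 'ade-kek'

# 1. Create the Key Vault in the VM's region. Premium SKU is required for
#    HSM-backed keys; Standard only offers software-protected keys.
$kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg `
        -Location $location -Sku Premium

# 2. Allow the Azure platform to read the volume secrets when the VM boots.
#    Without this flag the encryption extension refuses to use the vault.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg `
    -EnabledForDiskEncryption

# 3. Generate the key encryption key inside the HSM. The BitLocker or dm-crypt
#    secret is wrapped with this RSA key before it is written to the vault.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination HSM

# 4. Enable encryption of the OS and data volumes. The extension is installed
#    in the guest, turns on BitLocker (Windows) or dm-crypt (Linux), and stores
#    the wrapped volume secret in the vault. Expect the VM to reboot.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Key.Kid `
    -KeyEncryptionKeyVaultId   $kv.ResourceId `
    -VolumeType All -Force

# 5. Verify from the control plane that both volume types report encrypted.
$status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
$status | Format-List OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

# 6. Review who can reach the secrets. Every principal listed here with 'get'
#    on secrets, or 'unwrapKey' on keys, can unlock a copy of the disks offline.
(Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg).AccessPolicies |
    Format-Table DisplayName, ObjectId, PermissionsToKeys, PermissionsToSecrets
```

Step 6 is the check worth repeating periodically: the encryption is only as strong as the list it prints. If the vault has been switched to Azure RBAC instead of access policies, the list will be empty and the equivalent review is the vault’s role assignments (Get-AzRoleAssignment scoped to the vault’s resource ID).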
When you enable Azure Disk Encryption on your organization’s Windows Server or Linux Azure IaaS VMs, the virtual hard disks are protected at rest: anyone who obtains the VHD files without also being authorized to retrieve the corresponding secrets from Key Vault gets only ciphertext. That protection covers the disk files, not the running guest. A VM unlocks its volumes at boot, so access to the running operating system, and to the Key Vault that holds the secrets, still has to be restricted to the people who should be able to see the data.
This content is sponsored by Microsoft.
Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center, Security, and Infrastructure Group, creates courseware for PluralSight, and writes the Hyperbole, Embellishment, and System Administration Blog.