Q. If I use Azure server-side encryption, what value does this provide if Microsoft has the key?
A. There are various reasons to encrypt data. When Azure Key Vault is used to store the keys for encryption at rest, Azure services can access the key to provide other functionality such as backup, but the Microsoft operations team does not have access to the keys, which are secured using HSMs. The key goal of this type of encryption is really two-fold:
- It protects against a disk being taken out of a datacenter, and against the majority of attacks on the data
- It satisfies the checkbox, required by many regulatory frameworks, that says the data is encrypted at rest
If you need additional levels of data security, look at client-side encryption, where the application controls the encryption and you must be careful about where the key is stored. This will limit the Azure services that can interact with the data, and even other application layers, since there will need to be a method of providing them with a key to use the data.