When discussing a move to the public cloud, the top concerns expressed are always about data.

"I've heard Microsoft will store my data in China/Russia"

"Microsoft will be digging around in my data and looking at my intellectual property"

"How can I trust that my data is secure when it's in some distant, hidden facility?"

Silly statements, right? Wrong! As a trusted steward of data in your organization, you should be asking questions, vetting vendors, and generally be apprehensive when it comes to how that data will be handled. Part 1 of this series on transforming your business with Microsoft Azure will cover just why I, and many others, believe you can trust this platform with your data.

Data Governance

There are lots of reasons to store data in specific locations. Organizations may have regulatory requirements citing in which sovereignty that data must reside. We may want to locate resources in proximity to our users to improve performance. Whatever the reason, or combination of reasons, there are multiple tools and features available to us within Azure to ensure our data is where we want it to be.

When deploying resources in Azure, you must select a region in which the resources will be created. These regions have location-based names such as East US or UK South. Thus, from the inception of any resource, we have control over where it will reside. When specifically dealing with storage, we are presented with a few options: Locally Redundant Storage (LRS) and Geo Redundant Storage (GRS). LRS refers to 3 or more copies of your data within the same Azure region. GRS, on the other hand, refers to having 3 copies in the original Azure region and 3 more copies in another Azure region. In any instance where data is copied to multiple regions, you will either have the choice of the region or be explicitly told in which additional regions the data will reside. These options are available as an additional data protection and business continuity strategy.

It's not enough that we can decide where a resource should reside at its creation. After all, an administrator could make a simple mistake and choose South Africa West instead of South Central US. As part of our company's data protection policy, we must define where resources will reside, as well as enforce that requirement. Azure allows for policies to be placed at the subscription or resource group level, defining where resources are allowed to be created. Any attempt to create a resource outside of the allowed regions will result in a fatal error. In the example below, I attempted to create a storage account in the UK South region within a subscription wherein policy defines that I may only create resources in the United States.

Data Protection

Our data is now located where we want it, and we have enforced that geographical policy across our entire Azure infrastructure. Now we also want to make sure that our data is secure. Azure storage accounts have been designed with security in mind. We can encrypt storage accounts at rest, either with Microsoft-managed keys or with our own. Another available setting allows us to guarantee that any connection made to the storage account is made over an encrypted channel. Combining these options, we have now secured our storage accounts both at rest and in-flight.

Azure virtual machines are another resource that most businesses will want to secure. Today, any new managed disk created in Azure is automatically encrypted at rest. If you are using unmanaged disks inside of storage accounts, you may use the previously mentioned encryption setting to achieve the same effect. However, there is a better option available to us concerning virtual machine encryption. Azure supports full disk encryption (FDE) of virtual machines using BitLocker, made possible by storing the BitLocker Encryption Key (BEK) inside of an Azure Key Vault backed by hardware security modules. BitLocker encryption is available for managed and unmanaged disks, and is also compatible with Azure Backup. (In fact, I recently wrote an article on the topic.)

In the same vein as the allowed Azure regions, we can also use policies to require that all storage accounts be encrypted both at rest and in-flight. For enforcement of BitLocker encryption on the virtual machines themselves, we can leverage Azure Security Center to monitor and notify us of any virtual machines that are not encrypted. We will discuss Azure Security Center in detail later in this series.
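To make the two enforcement ideas above concrete (allowed regions, and storage accounts that must use encrypted connections), here is an added example that is not part of the article: two deny rules written in the Azure Policy rule shape, plus a small offline evaluator that mimics how a policy assignment would judge a create request. The evaluator is a simplified model written for this illustration, not Azure's implementation, and the US region list and the "true"/"false" string values are assumptions.

```python
# Added example, not from the article: two deny rules in the Azure Policy
# rule shape plus a small offline evaluator. Simplified model only.
ALLOWED_US_LOCATIONS = ["eastus", "eastus2", "centralus", "southcentralus", "westus", "westus2"]

# Rule 1: deny any resource whose location is outside the US list (this is the
# rule that would reject the UK South storage account from the article).
ALLOWED_LOCATIONS_POLICY = {
    "if": {"field": "location", "notIn": ALLOWED_US_LOCATIONS},
    "then": {"effect": "deny"},
}

# Rule 2: deny storage accounts that do not force HTTPS (encryption in-flight).
# Property values are modelled as the strings "true"/"false" (assumption for
# this example; the property name is the Azure Policy alias for the setting).
SECURE_TRANSFER_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

def matches(cond, resource):
    """Evaluate one policy condition against a flat resource dict (field -> value)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    field = cond["field"]
    if "exists" in cond:
        return (field in resource) == (cond["exists"] == "true")
    value = resource.get(field)
    if "equals" in cond: return value == cond["equals"]
    if "notEquals" in cond: return value != cond["notEquals"]
    if "notIn" in cond: return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resource, policies):
    """Return 'deny' if any assigned deny policy matches the request, else 'allow'."""
    for policy in policies:
        if policy["then"]["effect"] == "deny" and matches(policy["if"], resource):
            return "deny"
    return "allow"
```

Run `evaluate(request, [ALLOWED_LOCATIONS_POLICY, SECURE_TRANSFER_POLICY])` with a constructed request dict to see which rule blocks it.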

Azure Backup

Perhaps the most important part of our data protection and governance strategy is backups. The built-in method for backing up virtual machines in Azure is a product known as Azure Backup, an incredibly versatile tool that allows for 99 years of retention. Backups can be run daily, weekly, monthly, or yearly. This gives us wide latitude in creating an archival strategy for our data. As of last week, Azure Backup Instant File Recovery became generally available, allowing us to quickly restore individual files from any backup point without interrupting the production virtual machine. To enforce our backup strategy, we can once again refer to Azure Security Center to notify us of any virtual machines that are not protected with Azure Backup. Additional features include a PIN requirement to delete backup data, as well as a complimentary extra 14-day retention of any deleted backup restore points. These were improvements made to Azure Backup specifically in response to malware that had learned to destroy data from other types of backup software.

Summary

Today we have learned how data governance and protection are achievable and reliable in Microsoft Azure. If you can't say the following about your current environment, it may be time to consider a digital transformation to the cloud:

Enforceable geographical resource control across your entire infrastructure

Enforceable storage encryption across your entire infrastructure, both at rest and in-flight

Enforceable full disk encryption across all of your virtual machines

Enforceable, reliable, long-term backup and archival strategy with instant file recovery.

Coming up next in this series, we will cover Identity & Access Management within Microsoft Azure. Stay tuned!