With Microsoft’s cloud solution there seems to be a dizzying array of options to secure data, with new ones coming out all the time. There is Azure Site Recovery (ASR), Azure Information Protection (AIP), Customer Key (new and not fully rolled out), Azure BitLocker, Key Vault, and the list goes on.
Some of these solutions are designed to work with only some of Microsoft’s services (Office 365, Azure, SharePoint Online, OneDrive) while others can work with all of Microsoft’s cloud services. I’d like to give just a brief overview of each of these services and what they apply to and where you would use them.
Azure Site Recovery (ASR)
This is Microsoft’s backup program and is designed to back up data and servers hosted in Azure. It is almost identical to the Windows Backup program found on traditional Windows Servers but optimized to work with Azure virtual machines.
Azure Information Protection (AIP)
AIP is really a Rights Management platform that allows you to classify, label and protect documents and e-mails. AIP is a cloud-based solution. The protection uses yet another technology called Azure Rights Management (RMS) to encrypt data and allow access based on identity and authorization policies that you set.
Customer Key
Customer Key is possibly the newest addition to the security lineup. It allows you to use a “key” that you generate to encrypt data. With Customer Key you can encrypt data from Exchange Online, OneDrive, and/or SharePoint Online. It is intended to add an extra layer of defense against data exfiltration by unauthorized entities. Full disclosure, even though you generate the keys, Microsoft keeps a “master” key that it can use to decrypt your data. This is a protection against you losing your keys (and consequently all your data), but in theory could be used to gain access to your data to comply with subpoenas and such. Whether Microsoft would do that is unclear, but it’s possible.
Azure BitLocker
Then we have Azure BitLocker, which is nothing more than regular BitLocker on a server hosted in Azure. BitLocker in Azure requires that customers create and manage their own Key Vault (at least to encrypt the system (C:) drive).
Key Vault
Key Vault is nothing more than a place to store, you guessed it, keys that are used throughout Microsoft’s cloud environment to encrypt data. You create these keys and have ownership of them. It does not mean that Microsoft can’t bypass them, but it does mean that outsiders generally can’t.
So, while there is some overlap between the services they are generally designed to fill different roles in the security portfolio. The kind of security you need will determine which service is most appropriate for your organization.
Azure Data Protection – An Overview of Your Options - June 19, 2018