Encryption of content for Windows Azure based web application

Question

I am in process of developing a web application for Windows Azure platform.

One of the consideration is encryption of content. Content here includes - files in blob storage, some 2 dimensional data in table storage, application data in SQL Azure.

I want to check if there are any particular best practices or existing encryption model that I could follow here.

Answer 1

This blog post explains how to use encryption on Windows Azure Storage and gives examples of what some companies have done. http://blogs.msdn.com/b/windowsazure/archive/2011/04/22/storing-encrypted-data-in-windows-azure.aspx

Answer 2

Two basic things you can do that you get for "free" for transport encryption:

• Microsoft provides storage access over http or https. Https should obviously be chosen. This will secure the transport layer between your Azure Tables and/or blobs.

• SQL Azure DB also supports encryption of connections (using the SQLConnection object in .NET). This encrypts communication between your API/app and the SQL Azure Database. SQL Azure Database includes IP filtering, so you can lock down access to your dev box and only the internal Azure data centers

Content encryption you have to do yourself for data persistence in Azure (this may change and even if MS internally encrypts your data, you should assume that it is NOT encrypted).

SQL Azure DB does not support TDE (trans. data encryption) nor more advanced features of SQL encryption. If you want to do that, you will have to run a dedicated SQL Server on a VM (Azure IaaS) to configure the features yourself. You could in theory encrypt everything on the API layer (encrypt/decrypt), but that would be very slow and you could not take advantage of inherent SQL DB features like indexing etc.

Azure Table Storage is a better candidate for encrypting content if your data can be accessed via a key/value pair. You can encrypt the content yourself and it is more manageable, since you will only be doing a single "value" or "set of columns" based on a single key not thousands of rows. Same goes for blob storage.

Answer 3

We encrypt/decrypt Azure config settings and other content using the domain certificate installed on the web roles. I posted a full example on my blog here: Securing Azure ServiceConfiguration values for Enterprise Deployment.