Data storage administrators go to great lengths to protect network servers and their contents against various types of security breaches. Similar care must be taken to secure backups so they don't become a security vulnerability. After all, a backup is essentially a copy of an organization's data that exists outside of the protective confines of the server where the data normally resides.
Backup encryption uses encryption keys. These might be software-level keys or hardware-level keys that live on a backup device such as a tape drive. In either case, an encrypted backup cannot be decrypted without the encryption key. Imagine a situation in which an organization has created a series of encrypted tape-based backups, sent them off-site for safekeeping and then has its data center destroyed by a fire. When the organization retrieves its backup tapes so data can be restored, it must have a copy of the encryption key -- which typically does not exist on the backup tape -- to decrypt the data. If it doesn't, the organization ends up losing just as much data as it would have if the data had never been backed up.
Storing encryption keys with Microsoft Azure Key Vault
The Azure Key Vault is a cloud-based service specifically designed to store encryption keys and other secrets such as SQL Server connection strings and passwords. It protects them using Federal Information Processing Standards (FIPS)-validated hardware security modules (HSMs).
HSMs are physical devices that store and protect cryptographic keys. They typically take the form of an expansion card or external device that connects to a network server. Although HSMs aren't anything new, it is only in recent years that Microsoft has made it possible to use a cloud-based HSM.
It is important to understand that the Microsoft Azure Key Vault not only stores a backup copy of your encryption key, but also manages an application's access to that key. This allows the Azure Key Vault to store keys securely in the cloud and prevent keys and other secrets from being directly exposed.
Setting up an Azure Key Vault
Each Microsoft Azure customer can create a dedicated Key Vault. Because the organization owns the Key Vault, it has full control over its use. But creating a Key Vault is only the first step. The administrator must make the vault work with the backup application. Unfortunately, there is no standard method for doing this because every application is different.
To get a backup application to use the Microsoft Azure Key Vault, the administrator must register the application in the Microsoft Azure Active Directory and then use the Set-AzureRmKeyVaultAccessPolicy cmdlet to authorize the application to use the Key Vault.
In most cases, other IT staff members -- such as backup operators -- will also need to be authorized to use the Key Vault. For instance, the storage administrator may need to grant members of the IT staff the ability to add keys to the vault. The Set-AzureRmKeyVaultAccessPolicy cmdlet can be used for this task as well.
Once the access policy has been configured, the backup application must be set to use the Azure Key Vault. You will need to use the Add-AzureKeyVaultKey cmdlet to add your key to the vault. If the backup application uses some other type of secret, you can use the Set-AzureKeyVaultSecret cmdlet instead. In either case, Azure will provide a uniform resource identifier (URI) that corresponds to the key or secret. To use the Key Vault and the key within it, the application must provide a way of adding the key's URI to the application's configuration.
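The steps above, carried through end to end as an added example (this is not code from the article or from Microsoft); it uses the AzureRM-era cmdlets the article names, which later Azure PowerShell releases renamed to Az.* equivalents. Every resource group, vault, application, key, secret and operator name below is an assumed placeholder, and the access policies are deliberately minimal: the backup application can only use the key, while the operator can create, list and back up keys but not delete them.

```powershell
# Added example: wiring a backup application to Azure Key Vault with the
# AzureRM cmdlets named in the article. All names are assumed placeholders.
Login-AzureRmAccount | Out-Null        # interactive sign-in to the subscription

$rg    = 'rg-backup'                   # assumed resource group
$vault = 'kv-backup-keys'              # assumed vault name (must be globally unique)
$loc   = 'westus'

# 1. Create the vault. The Premium SKU is what allows HSM-protected keys.
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $loc `
    -Sku 'Premium' | Out-Null

# 2. Register the backup application in Azure AD and give it a service principal.
$app = New-AzureRmADApplication -DisplayName 'BackupApp' `
    -HomePage 'https://backup.example.internal' `
    -IdentifierUris 'https://backup.example.internal'
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null

# 3. Least-privilege access policies.
#    The application may only read and use the key, never create or delete it.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault `
    -ServicePrincipalName $app.ApplicationId `
    -PermissionsToKeys get,wrapKey,unwrapKey -PermissionsToSecrets get
#    A backup operator may add, list and back up keys, but not delete them.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault `
    -UserPrincipalName 'backup.operator@example.com' `
    -PermissionsToKeys create,list,backup

# 4. Generate the backup encryption key inside the HSM (never on a workstation),
#    and store an application secret entered interactively so it never sits in a script.
$key = Add-AzureKeyVaultKey -VaultName $vault -Name 'backup-master-key' -Destination 'HSM'
$secretValue = Read-Host 'SQL connection string for the backup app' -AsSecureString
$sec = Set-AzureKeyVaultSecret -VaultName $vault -Name 'backup-db-conn' -SecretValue $secretValue

# 5. These URIs are the values that go into the backup application's configuration.
"Key URI:    $($key.Id)"
"Secret URI: $($sec.Id)"

# 6. Keep an encrypted, out-of-band backup of the key blob itself, so losing the
#    vault does not mean losing every backup it protects (the article's fire scenario).
Backup-AzureKeyVaultKey -VaultName $vault -Name 'backup-master-key' `
    -OutputFile 'C:\keybackup\backup-master-key.blob'
```

The blob written in step 6 can only be restored into a Key Vault in the same Azure subscription and geography, so store it where the organization can reach it when the primary site is gone.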
Microsoft makes it relatively easy to set up an Azure Key Vault and to add keys and secrets to the vault. Although HSMs can be used on-premises, these devices tend to be expensive, and the Microsoft Azure Key Vault may be a cheaper alternative.