Azure Cloud Encryption
Managing Encryption on Azure using Randtronics DPM
Leading cloud computing platform such as AWS, Google and Microsoft Azure offer organizations the ability dynamically scale computing workloads and ensure high availability through spreading workloads across a global network of managed datacentres. Naturally each platform seeks to outdo its competitors in offering an extensive range of services designed to enhance platform utility both to help maintain competitive differentiation plus the potential tactical benefit of increasing switching cost.
Many organizations, on the other hand, prize flexibility and value the option to spread their computing loads across multiple cloud providers. So when it comes to essential services such as encryption, we find many organisations are interested to understand their options for preserving platform portability and avoiding encryption lock-in.
The good news is that Randtronics DPM enterprise encryption management platform supports several good options that enable organizations to maintain encryption independence across multiple cloud vendors and bring their cloud infrastructure under the control their standardised, policy-based data protections measures. These options include:
Bring Your Own Key (BYOK)
Amongst the range of services offered by Microsoft Azure, some of the more proprietary solutions emphasize simplicity of management and scalability through the replacement of standard operating system layers by Azure proprietary systems.
Azure includes encryption as part of the built-in services of its proprietary systems and includes support for Bring Your Own Key (BYOK), allowing customers to maintain control over their own encryption keys, root-of-trust and location/protection of master keys.
Randtronics DPM supports Azure BYOK through its DPM easyKey product allowing customers to maintain complete control over:
a) Root-of-Trust, location/storage of master keys. DPM customers can elect a software-only key management strategy or have DPM easyKey control hardware-based master key protection through the management of one or many Hardware Storage Modules (HSM) assembled from multiple vendors.
b) Policy-based Key Lifecycle management. Centralized policy-based control of encryption keys including key creation, automatic rotation, key suspension and key destruction
Bring Your Own File/Folder Encryption
Other services offered by Microsoft Azure, emphasise ease of provision and manageability of standard Windows/Linux operating environments. (Virtual Machines and Container environments that provide the user a Windows or Linux operating system). Utilising such services customers maintain greater flexibility over how and where services are deployed without the need to build deep platform-specific technical skills. Secondly the methods and practices for building high-resilience, high-availability systems based on these environments are widely understood.
Randtronics DPM fully supports encryption on Azure services that present standard Windows/Linux operating systems:
a) Transparent Data Encryption for files and folders. Policy-based data protection includes air-gap separation of sensitive data from systems administrators and platform providers.
d) Hosting of DPM products. Our support for Azure extends to the hosting of own products. We have many customers who elect to run their own instances of the DPM management modules on Azure and use standard Windows/Linux methods dial-up the availability / resilience parameters (just like any other application).
Bring Your Own Database Encryption
Randtronics DPM fully supports database encryption on Azure services that present standard Windows/Linux operating systems:
a) No-code change, multi-vendor, Transparent Data Encryption. DPM easyCipher simplifies the challenge of managing encryption across a heterogeneous database fleet. A single TDE product that works with all databases that run on standard Windows/Linux environments allowing organisations to simplify and standardise database encryption and easing the burden of maintaining specialist technical skills. Randtronics TDE is implemented without the need for code-change or change to user workflows.
d) No-code change, Column-level database encryption for MS-SQL and Oracle Databases. For the most commonly used database products, Randtronics DPM also supports column-level data protection without the requirement for code-change
Platform independent API-level data protection
Our last option for maintaining encryption independence focuses on the customers developing new applications. Randtronics DPM supports a full range of API-based data protection methods that makes it easy for developers to invoke field-level data protections including format preserving encryption, tokenization and data-masking with the major advantage that all data protection methods are standardized and remain under centralized control:
- Reducing the scope for errors and oversights through standardized data protection API methods
- Ensuring that the data protection component of new applications remain easy to maintain
- Ensuring that data protection methods remain under the control of centrally managed policies controlling encryption keys and access control
Latest news and articles
Goodbye, Tina Turner
Sad news this week that the Queen of Rock ‘n’ Roll has exited the stage. Many of us at the
Don’t take an Uber to the Big House
In a groundbreaking development, the ex-security chief of Uber has been convicted for his failure to disclose a significant data
Vormetric Migration Assessments at Minneapolis CyberSecurity Conference 17th May 2023
Are you a Vormetric DSM user attending the Minneapolis CyberSecurity Conference at the Sheraton Bloomington Minneapolis on 17th May 2023?