Microsoft announced in May that it supported full disk encryption for VMs. They have recently merged a github branch into the Azure Powershell tools to enable this.

The basic theory is that you store encryption keys in an Azure Key Vault HSM, point the VM to it, it retrieves its keys, unlocks the disk and you're away.

However I am not entirely sure what this is protecting me from! The only case I can think of is that somebody obtains my blob storage credentials and uses them to download the VM disk (or someone infiltrates the underlying blob storage infrastructure - this seems unlikely). I can't imagine that this would offer any protection against any sort of law enforcement request, as Microsoft own the hardware that contains my key and so would be able to hand over the whole thing.

What is the attack vector that cloud based full disk encryption protects me against? (what am I missing!)

*Note: this is not specifically an Azure question, as the answer should apply to all cloud vendors.

Glorfindel
Michael B
  • I don't see how anyone could consider the data encrypted if someone else owns the key. Maybe I'm off on that, but it does provide at least some protection in the event of an Azure hack or physical theft from a data center. – Dave Nov 13 '15 at 19:23
  • @Dave that was pretty much my underlying thought in asking this, and I can't imagine the Azure infrastructure being hacked. I'd imagine (/ hope!) they have some pretty exceptional security folk securing this stuff. – Michael B Nov 14 '15 at 08:21

1 Answer

You aren't missing anything technically, full disk encryption protects you from disk theft, improper disk disposal, or unauthorized access to the virtual container.

The point I'd make to you is that if your data is valuable to your organization it's probably valuable to somebody else. You also have a duty of care to protect customer details and any sensitive information as best you can. Infiltration or disk theft as an attack against your data may be unlikely, but it's not impossible, and the impact if it does happen could be catastrophic, especially if you haven't been seen to make every effort you can to prevent it. Disk encryption is part of a defense in depth strategy to protect your data. It's not going to protect you from governments, but that's probably not who you have to worry about.

GdD
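For readers who want to see what the setup the question describes looks like in practice, and how to check the result the answer relies on: this is an added example, not code from the question, the answer, or Microsoft. It assumes the current Az PowerShell module (the 2015 AzureRM cmdlets have the same shape under different names), a Premium-tier Key Vault for the HSM-backed key, and placeholder names for the resource group, VM, vault and key.

```powershell
# Added example: enable Azure Disk Encryption on an existing VM with the disk key
# wrapped by an HSM-backed key in Key Vault, then verify the encryption status.
# All names below are placeholders, not values from the question or answer.
$rg    = 'rg-example'     # placeholder resource group
$vm    = 'vm-example'     # placeholder VM name
$vault = 'kv-example'     # placeholder Key Vault name (Premium SKU for HSM keys)

# The vault must be explicitly enabled for disk encryption so the platform can
# store the per-VM disk encryption key (BEK) in it.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg

# Key encryption key (KEK) generated inside the vault's HSM; the BEK is wrapped
# with this key, so the unwrapped BEK never sits in blob storage beside the VHD.
$kek = Add-AzKeyVaultKey -VaultName $vault -Name 'kek-example' -Destination 'HSM'

# Encrypt OS and data volumes; the VM reboots during this step.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vm `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $kv.ResourceId `
    -VolumeType 'All' -Force

# Check: both properties should report Encrypted. A VHD copied out of blob
# storage with stolen storage credentials is useless without the vault-held key,
# which is exactly the case the answer calls "unauthorized access to the container".
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vm |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

Auditing `Get-AzVMDiskEncryptionStatus` across a subscription is the practical way to prove the "seen to make every effort" point the answer raises; the status object, not the presence of the extension, is what shows the volumes are actually encrypted.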