Solidifying Microsoft Azure Security for SharePoint and SQL in the Cloud
- 23 July, 2014 08:14
More and more organizations are moving SharePoint and SQL workloads into Microsoft Azure in the cloud because of the simplicity of spinning up servers in the cloud, adding more capacity, decreasing capacity without having to BUY servers on-premise. What used to cost organizations $20,000, $50,000, or more in purchasing servers, storage, network bandwidth, replica disaster recovery sites, etc and delay SharePoint and SQL rollouts by weeks or month is now completely managed by spinning up virtual machines up in Azure and customizing and configuring systems in the Cloud.
But the question always comes up, is it "safe" to put SQL data and SharePoint content up in the cloud? The answer is absolutely YES, that SQL and SharePoint up in Azure are perfectly safe to store protected content up in the cloud AS LONG AS the systems are configured properly! And in fact, we have configured SharePoint and SQL to actually be MORE SAFE (significantly more safe!) up in Azure than most organizations can claim their security today on-premise.
Here's the layers of security that can be put in place to PROTECT SharePoint and SQL up in Azure:
- Microsoft Azure Security: First of all, specific to what Microsoft does for security, a visit to Microsoft's Azure "Trust Center" (http://www.windowsazure.com/en-us/support/trust-center/security ) can provide organizations information about what Microsoft does built-in to their Azure cloud services. There's a whitepaper on Microsoft's security (http://go.microsoft.com/fwlink/?linkid=392408&clcid=0x409) up on the Trust site. Within the Trust site, if you click on Privacy it'll go through their statements and audits on privacy and security, and if you click on Compliance, it'll provide you information about their compliance to ISO, HIPAA, SOC 1 / SOC 2 / SSAE / ISAE Attestations, etc... There's a LOT there, and I'd say that MOST organizations that question Microsoft's Azure datacenter security need to ask themselves if they have 7-layers of defense, 3rd party audited security controls, security and compliance certifications, and the like.
BUT, the concern most security and compliance officers have is what if Microsoft is subpoenaed to hand over information OR what if somebody happens to hack their way past the 7-layers of defense, or potentially a rogue employee compromises the system, the above standards, audits, etc are good but not foolproof. SO, my recommendation has been to ENCRYPT your content and YOU keep your encryption key. Here's what can be layered ON TOP OF what Microsoft provides:
- Encrypt SQL: With Microsoft providing virtual machines that organizations can install SQL Server on those VMs, what an organization can (and should do) is to ENCRYPT their SQL databases! Microsoft has what is called "Transparent Data Encryption" (TDE) that allows an organization to encrypt the ENTIRE database and KEEP the key! TDE encryption will protect data in a SQL database, including obviously SharePoint content since SharePoint content is stored in a SQL database. This is a highly effective manner in keeping you in charge of your information, see Section 5 in this SQL on Azure Tutorial on encrypting the SQL data http://msdn.microsoft.com/en-us/library/dn466438.aspx
If someone gains access to your database, either by legal power or by unauthorized access, the database itself is encrypted, so the blobs of encrypted "stuff" is useless to them. The key(s) would have to be subpoenaed separately, or someone would have to steal the keys off your site in addition to the databases that are up in Azure...
BUT then the comment comes up that with data up in the cloud, "anyone" can access the data directly from anyplace in the world... The answer, NO, not unless you want everyone in the world to access the content directly from the Internet. If you have protected data you ONLY want your employees in your corporate offices to access the information, then by default, Azure does NOT expose data externally. You actually have to configure your Azure and SQL Virtual Machine to have a public Internet address, and you have to configure Azure to open up firewall ports to gain direct access to your VMs/Servers up in Azure. If you ONLY want your employees to access content up in Azure (SQL data or SharePoint data that is being stored on SQL), then create a SECURED TUNNEL between your corporate sites to Microsoft Azure. Couple ways you can do this:
- Site to Site VPN: You can create a Site to Site VPN between your datacenter to Microsoft Azure, using IPSec to protect the channel of communications to YOUR data. Microsoft Azure provides site to site connectivity from Cisco, Brocade, Checkpoint, Sonicwall, Fortinet, Juniper, etc, or you can simply configure an old fashion Microsoft Windows RRAS server for a S2S secured VPN tunnel. LOTS of ways to create a secured and protected tunnel between your office(s) and Microsoft Azure where there is NO direct connection into your data.
- Site to Site using Express Route: Another way to create a connection between your offices and Microsoft is through what Microsoft calls "Express Route". Express Route is a PRIVATE connection between your enterprise and Microsoft, effectively a "last mile" type private connection right into Azure. Microsoft has partnered with companies like Equinix (and soon others) (http://blog.equinix.com/2014/05/microsoft-azure-expressroute-now-available-in-equinix-data-centers-customers-tap-benefits-to-deliver-hybrid-cloud-solutions/) so there are MANY local onramps to connect organizations right into Azure. With Express Route, you're not even going through a tunnel over the general internet, you actually have a direct connection (not over the Internet) to your Azure servers. Internal users go over your LAN/WAN to access data in Azure, and presumably your remote users have some form of 2-factor authentication and encryption if they are remote, connecting into your environment that will then go across Express Route in an encrypted direct transport to your Azure data. https://azure.microsoft.com/en-us/services/expressroute/
For those who are hardcore and STILL beat me down on security to Azure where a 7-level deep secured datacenter, with encrypted databases, connected over secured encrypted connections is not good enough, then one more thing we have done for organizations is to ENCRYPT the content that gets stored in the encrypted databases! For something like SharePoint, Microsoft has a technology called Rights Management Services (RMS) that allows organizations to set policies so that every Word doc, Excel spreadsheet, PDF file, JPG graphic, TIF file, PowerPoint presentation, etc is ENCRYPTED as it is stored in a SharePoint Library.
- Encryption of Content within SharePoint: Microsoft Rights Management Services (RMS) encryption is tied to user's Active Directory credentials, so that the content is encrypted upon user creation and access, and is stored in SharePoint protected, and then even if a user takes content OUT of SharePoint and accidentally (or absent-mindedly) uploads the content to DropBox, Box, OneDrive, etc that the actual FILE (doc, spreadsheet, etc) remains encrypted and accessible ONLY by authorized targeted recipients of the content http://office.microsoft.com/en-us/business/microsoft-azure-rights-management-FX104179392.aspx
So now you are taking something like a Word doc, it's encrypted automatically with Microsoft RMS (which the keys remain in Active Directory, so YOU own and keep the keys), transported over an encrypted and protected tunnel, saved in an encrypted SQL database (which you own and keep the keys for the database as well), in a Microsoft datacenter that has 7-layers of security and a pile of security audits and certifications noting the protection in place.
With ALL this in place, I have YET to have a compliance officer or a security officer tell me that they are doing a better job at securing content on their own and can poke holes in this process. It is most certainly MORE security than pretty much every organization that I've seen has put in place TODAY for their servers, databases, SharePoint content, etc in terms of layers of security, multiple levels of encryption, and even down to the file level of content stored in SharePoint that prevents data leakage outside of the environment.
Rand Morimoto is the President of Convergent Computing, a strategy and technology consulting firm headquartered in the San Francisco Bay Area. Dr. Morimoto is the author of the book "Cybersecurity: Being Cyber Aware and Cyber Safe" and was the Internet Security Advisor to President Bush, and Y2K Advisor to President Clinton.