We'll continue our conversation on data encryption in this video and see how to apply it to the different service model paradigms.
When using IaaS, there are two major options for encrypting the volumes of your virtual servers. These are the virtual hard drives we're talking about.
There is instance-managed encryption. This is where the encryption engine runs inside the instance itself; an example is Linux Unified Key Setup (LUKS). The issue with instance-managed encryption is that the key itself is stored on the instance and protected with a passphrase.
In other words, you could have a powerful encryption algorithm like AES-256, but that key is secured with a passphrase that is highly simplistic, like "123" or even "passphrase". So when you take this approach, be sure to understand how safe the passphrases are from brute-force attacks: an attacker with a copy of the disk never has to attack the cipher, only the passphrase. Alternatively, there are externally managed encryption keys.
In this approach, the encryption keys are managed externally, and a key to unlock the data is issued to the instance on request. Azure Disk Encryption stores the keys in a Key Vault, which itself is a service built using FIPS-validated hardware security modules. When the instance is started, it retrieves a copy of the key and holds it in memory.
If the instance is powered down, or somebody takes a snapshot of that instance's disk, the key itself is not included.
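The passphrase concern raised above for instance-managed encryption is easiest to see by reproducing the design in miniature. The following is an added example written for this page; it is not course material and not real LUKS code. It keeps the shape the transcript describes, a random 256-bit volume key wrapped under a passphrase-derived key plus a stored digest used to verify a candidate passphrase, then runs the offline dictionary attack an attacker with a disk snapshot would run. The HMAC-CTR keystream is a stand-in for AES-XTS, the iteration count is deliberately low, the wordlist is constructed, and every name in the block is hypothetical.

```python
"""Toy model of instance-managed volume encryption with a passphrase-protected key.

Added example, not course material or real LUKS code. The layout mirrors the
design described in the transcript: a random volume key (the key that actually
encrypts sectors) is wrapped under a key derived from a passphrase, and a
digest of the volume key lets a candidate passphrase be checked. Real LUKS
differs in detail (on-disk format, anti-forensic splitter, Argon2 in LUKS2);
the HMAC-CTR keystream below stands in for AES-XTS and all names are hypothetical.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 2_000  # kept low so the demo runs in seconds; LUKS tunes this to ~1 s per guess
SALT_LEN = 16
KEY_LEN = 32            # 256-bit volume key, i.e. "AES-256 strength" key material


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a demo stand-in for a real block-cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key. PBKDF2 is the slow step an attacker must repeat."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, KEY_LEN)


def create_volume(passphrase: str) -> tuple[dict, bytes]:
    """Generate a random volume key and protect it under the passphrase (LUKS-style key slot)."""
    volume_key = secrets.token_bytes(KEY_LEN)
    slot_salt = secrets.token_bytes(SALT_LEN)
    kek = _kek_from_passphrase(passphrase, slot_salt)
    wrapped = _xor(volume_key, _keystream(kek, b"slot", KEY_LEN))
    # The stored digest lets unlock() tell a right passphrase from a wrong one.
    digest_salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", volume_key, digest_salt, KDF_ITERATIONS, KEY_LEN)
    header = {"slot_salt": slot_salt, "wrapped_key": wrapped,
              "digest_salt": digest_salt, "digest": digest}
    return header, volume_key


def unlock(header: dict, passphrase: str) -> Optional[bytes]:
    """Return the volume key if the passphrase is right, else None. Needs only the header."""
    kek = _kek_from_passphrase(passphrase, header["slot_salt"])
    candidate = _xor(header["wrapped_key"], _keystream(kek, b"slot", KEY_LEN))
    check = hashlib.pbkdf2_hmac("sha256", candidate, header["digest_salt"], KDF_ITERATIONS, KEY_LEN)
    return candidate if hmac.compare_digest(check, header["digest"]) else None


def encrypt_sector(volume_key: bytes, sector: int, data: bytes) -> bytes:
    """Sector encryption keyed by the volume key; the same call decrypts."""
    return _xor(data, _keystream(volume_key, sector.to_bytes(8, "big"), len(data)))


def dictionary_attack(header: dict, wordlist: list[str]) -> Optional[tuple[str, int]]:
    """Offline guessing against a copied header: the cipher strength never matters,
    only the passphrase quality and the KDF cost per guess do."""
    for attempts, guess in enumerate(wordlist, start=1):
        if unlock(header, guess) is not None:
            return guess, attempts
    return None


# Constructed wordlist standing in for the top of a real password list.
WEAK_WORDLIST = ["password", "123456", "123", "passphrase", "admin", "letmein"]

if __name__ == "__main__":
    header, real_key = create_volume("123")
    ciphertext = encrypt_sector(real_key, 0, b"customer PII lives here")
    hit = dictionary_attack(header, WEAK_WORDLIST)
    print("weak passphrase recovered:", hit)
    recovered_key = unlock(header, hit[0])
    print("sector decrypts with recovered key:", encrypt_sector(recovered_key, 0, ciphertext))
    strong_header, _ = create_volume("uPp3r-Lower 7-word-sentence long enough")
    print("strong passphrase found in wordlist?", dictionary_attack(strong_header, WEAK_WORDLIST))
```

The check a practitioner takes from this: with a snapshot in hand, the attacker runs `dictionary_attack` against the header at their leisure, and the only knobs that slow them down are the passphrase entropy and the KDF cost, which is why the externally managed option described next keeps the unlock key out of the disk image altogether.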
Keep in mind that the object and file storage scenario is set up in such a way that the storage itself is not directly bound to any particular compute machine. It's more like a shared network storage location. To handle encryption of data in that storage, there are a few options. First, client-side encryption.
In this case, data is encrypted using an encryption engine embedded in the application or the client.
With this approach, you are in control of the encryption keys used by the application to encrypt the data before it is persisted to the storage account.
Proxy encryption is a kind of hybrid storage gateway. This approach can work well with object and file storage in an IaaS environment, as the provider is not required to access your data in order to deliver services. In this scenario, the proxy intercepts data flowing through the network and handles all cryptographic operations.
The encryption keys may be held within the proxy appliance or by an external key management service.
Finally, server-side encryption is supplied by the cloud service provider. They have access to the encryption keys, and they run the encryption engine themselves. Although this is the easiest way to encrypt data, this approach requires the highest level of trust in the provider. If the provider holds the encryption keys, they may be compelled through legal process by a government agency to decrypt and hand over your data residing in the storage accounts.
Unlike IaaS, where there are a few dominant players, there are numerous PaaS providers, all with different options for data encryption. The CSA guidance calls out three areas where encryption can be used in a PaaS environment. Start at the application layer.
With this approach, the encryption is performed within the application itself, and the encrypted data goes to the platform service.
PaaS database offerings generally provide built-in encryption capabilities supported by the database platform. Examples of common capabilities include transparent data encryption (TDE), which encrypts the entire database, and field-level encryption, which encrypts only the sensitive portions of the database. One thing to keep in mind about transparent data encryption is that the data at rest is encrypted, but the data loaded into memory by the database itself is not. So if somebody gains access to the database, establishes a connection, and starts running queries against the data, the data returned will not be encrypted. TDE protects the storage media and backups, not the data from an authenticated database user.
And finally, there's the other bucket, where the encryption is integrated into the PaaS service by the platform provider. The specific approaches here vary quite dramatically. Certain PaaS services give you the capability for customer-managed keys (we'll talk more about customer-managed keys later); you essentially supply the key that's used for the encryption.
But at the same time, there are many others where the provider's PaaS service assumes that the encryption itself and the keys for that encryption are managed by the provider.
In the SaaS model, you have two major options. You can rely on your provider's supported encryption, or you can use a third-party encryption proxy that sits as a man-in-the-middle and intercepts the network traffic between the client and the SaaS provider. To support provider-managed encryption, many CSPs implement per-customer keys.
This improves the enforcement of multi-tenant isolation. Every tenant's data is encrypted using a different key, so even if somebody breaks the tenant isolation, they still need to obtain that tenant's key to make any sense of the persisted data they have been able to reach.
SaaS encryption proxies introduce new security concerns, because the proxy needs to decrypt the encrypted network traffic and sits between the client and the cloud provider. This may also break application functionality, since data going to the provider is already encrypted. As a result, there are limited use cases for applying this strategy.
Customers often choose encryption supplied by the provider for many reasons. For example, with the proxy approach, the SaaS provider may not be able to process the encrypted data that is handed to them.
So let's have a quick quiz about encryption, or maybe reach back a little further. Which is the primary mechanism to protect data: encryption, logging, access controls, or data sovereignty laws?
I know we've been talking about encryption in this video, but I wanted to squeeze in this quiz question to make sure you didn't get too fixated on encryption, because it has its own vulnerabilities. Access controls: keep in mind, this is where things start. This is your primary method to protect data.
From there, you can also encrypt the data when it is at rest and, of course, when it is in transit; those are additional things you can do. Logging is also great for security, but it is not the answer. C, access controls, is the answer. Data sovereignty laws really aren't going to protect your data; they create constraints on how you can use the data and where the data can be physically located.
In this video, we went over different methods to deal with encryption based on the different service models.