Microsoft Announces Server-Side Encryption for Azure Managed Disks, Customer-Managed Keys Included!
Microsoft’s announcement that server-side encryption with customer-managed keys for Azure Managed Disks is now available is welcome news for security-minded public cloud customers. Managing one’s own keys in a cloud environment can be an important step toward meeting regulatory requirements, and this new feature should open Azure Managed Disks to a wider group of customers who may have held back for this reason.
Customer data on Azure Managed Disks has been encrypted using Microsoft’s Storage Service Encryption since shortly after the service became generally available in 2017. Encryption was automatic, though the keys were managed by Microsoft. Shared responsibility is an inherent characteristic of cloud services, but in some cases, customers may want or need additional security.
Customer-managed keys (stored in an Azure Key Vault) may be a valuable alternative to Microsoft-managed keys for organizations that have more stringent compliance requirements.
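As an added illustration (not code from the article or from Microsoft), the script below uses the Az PowerShell module to set up what the announcement describes: a Key Vault key, a disk encryption set backed by it, a managed disk bound to that set, and finally an audit of disks still encrypted with the platform-managed key. Resource group, vault, disk names and location are placeholders chosen for this example; an Azure login and Contributor rights on the subscription are assumed.

```powershell
# Added example: customer-managed key (CMK) for Azure Managed Disks via Az PowerShell.
# All names and the location below are placeholders, not values from the article.
$rg        = 'rg-cmk-demo'
$location  = 'eastus'
$vaultName = 'kv-cmk-demo-placeholder'   # Key Vault names must be globally unique

# 1. Key Vault with purge protection (soft delete must also be on, which is the default
#    for current vaults). A disk whose key is purged can never be read again, so the
#    key must remain recoverable for the lifetime of the disks that depend on it.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name 'disk-cmk' -Destination 'Software'

# 2. Disk encryption set (DES): the resource that wraps each disk's data key with the
#    Key Vault key, using its own system-assigned managed identity.
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $vault.ResourceId -KeyUrl $key.Key.Kid -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -Name 'des-cmk-demo' -ResourceGroupName $rg -InputObject $desConfig

# 3. Least privilege: the DES identity needs only get/wrapKey/unwrapKey on keys.
#    (For a vault that uses Azure RBAC instead of access policies, grant the
#    "Key Vault Crypto Service Encryption User" role to the identity instead.)
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. A new managed disk bound to the encryption set. Existing disks can be switched
#    to CMK by updating them with the same DiskEncryptionSetId.
$diskConfig = New-AzDiskConfig -Location $location -CreateOption Empty -DiskSizeGB 64 `
    -SkuName Premium_LRS -DiskEncryptionSetId $des.Id
New-AzDisk -Name 'disk-cmk-demo' -ResourceGroupName $rg -Disk $diskConfig | Out-Null

# 5. Audit: every managed disk in the subscription that is NOT using a customer-managed
#    key. Platform-encrypted disks report 'EncryptionAtRestWithPlatformKey'.
function Get-PlatformKeyDisks {
    Get-AzDisk |
        Where-Object { $_.Encryption.Type -ne 'EncryptionAtRestWithCustomerKey' } |
        Select-Object Name, ResourceGroupName,
            @{ n = 'EncryptionType'; e = { $_.Encryption.Type } },
            @{ n = 'DiskEncryptionSetId'; e = { $_.Encryption.DiskEncryptionSetId } }
}
Get-PlatformKeyDisks | Format-Table -AutoSize
```

The audit function is the part worth scheduling: an empty result means every disk in scope is encrypted under a key the organization controls.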
Our Take
The cloud brings a host of new and advanced services and opportunities. But it also comes with trade-offs, one of which is giving up control of at least part of the infrastructure stack to the provider. That trade-off will now be a little less painful for some customers, as they will be able to repatriate management of Azure Managed Disks encryption keys. Perhaps this will be enough to convince some customers that the service is worth the risk.
After all, in the words of Info-Tech core infrastructure practice lead Fred Chagnon, “If you didn't encrypt it, then it's not being encrypted for your needs.”