Privacy Concerns with Azure Storage
-
October 13, 2009 15:05
Folks,
I'm curious if anybody has been thinking about the privacy concerns inherent with cloud computing? So many of the people I might be trying to recommend this technology to are skeptical and downright opposed to moving to the cloud because their data would no longer be in their data center... the data is in the cloud in the control of a third party. Depending on the kind of app you're putting in the cloud, the data generated by the consumers of your application could be considered Intellectual Property.
What kind of guarantees does Microsoft make that the data stored in the cloud won't be looked at or compromised?
Also, does anybody know of any good strategies for encrypting user data in such a way that only that user can see it?
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com - Moved by DanielOdievich (Moderator) September 28, 2010 21:29, forum migration (From: Windows Azure)
All replies
-
October 13, 2009 18:05
That might provide some background regarding the Microsoft part of your question:
http://www.globalfoundationservices.com/security/index.html
Otherwise, you should start thinking from today's solutions: if you're hosting such a thing in a 3rd-party data center, what are your requirements there, and how do you meet them? The same applies to any cloud solution. Then check all the contracts/agreements with your cloud provider to see whether they fit your needs, or work out the open questions. There is not so much difference from other hosting solutions, although there might be customer cases where cloud computing is not applicable due to privacy requirements etc. -
October 13, 2009 18:20
I've read that document. I can't find anywhere in that document that definitively tells me whether or not the data I'm putting into Azure Storage is being encrypted while it sits in the data center to protect against third-party intrusion.
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com -
October 13, 2009 18:21 (Answerer)
The Cloud Security Alliance has an 80-page free whitepaper, Security Guidance for Critical Areas of Focus in Cloud Computing, which is worth looking at. I am currently reading a recently released book, Cloud Security and Privacy, which has been a pretty good read so far.
-
October 13, 2009 22:13
Also interesting reading material, but that doesn't tell me whether Microsoft is encrypting the contents of Azure Storage underneath the API within the data center...
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com -
October 14, 2009 6:03 (Moderator)
Hello, I wonder why you are concerned whether the data is encrypted or not. Are you concerned that someone in Microsoft may steal your information? Please rest assured. We will never do that. Even if we simply need to log on to your VM in order to help you troubleshoot a problem, we will ask you to grant us access first.
If you're concerned that a third party may get access to your data, please also do not worry. As long as you don't share your account key with anyone else, you will be safe. We assure you that there's no way to get the data without a correct account key.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights. -
October 14, 2009 8:06
> Hello, I wonder why you are concerned whether the data is encrypted or not. Are you concerned that someone in Microsoft may steal your information? Please rest assured. We will never do that. Even if we simply need to log on to your VM in order to help you troubleshoot a problem, we will ask you to grant us access first.
> If you're concerned that a third party may get access to your data, please also do not worry. As long as you don't share your account key with anyone else, you will be safe. We assure you that there's no way to get the data without a correct account key.
> Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
Sorry to say, but "we will never do that" is a pretty weak assurance, in my mind! Can you guarantee that for all people at all times? Think of other (hopefully unlikely) scenarios: theft, (cyber) crime/terrorism, vulnerabilities in the platform and so on.
@Kevin: Depending on your needs you may also consider keeping the data that needs protecting on premise and exposing only less critical functionality. -
October 14, 2009 11:54
I'm not worried that someone from Microsoft will steal the data. I'm worried that someone will violate a Microsoft data center and snatch a pile of customers' Azure Storage in the raw. If Microsoft isn't encrypting that stuff at the disk level, then the safety of customer data is suspect.
I may not have made myself clear earlier. My problem right now is that the application I want to build will involve customers putting things into Azure Storage that could be considered Intellectual Property. Those customers must feel safe that their data will not be violated, and that even if someone steals Azure data, they won't be able to read it!
This is crucial. If you read the guarantees and assertions made by credit card companies and banks, you'll see pages upon pages of statements that indicate how many different ways in which the customer data is protected from spying and theft. What I'm looking for from Microsoft is just a simple statement that says "yes, we protect your data". I don't want Microsoft to say "no we won't steal your data", I want them to say, "Even if our data center is violated, your customers don't have to worry about losing potential money on lost IP."
When I ran a multi-tenant web application that hosted data for multiple companies - we encrypted that data so that even we couldn't see it, even if we wanted to. Financial companies like Wall St firms have to be able to prove that no unauthorized employee can ever even see confidential trading data, let alone steal it.
None of the documents anyone has posted or linked to so far contain any such statements. In fact, I have been unable to find a single statement anywhere on the vast intertubes indicating what kind of protection our customers' data will have - if any!
So, to recap: I need something that I can put on my website in my web role to allay customer fears that their data is vulnerable in the cloud. This is the key point here: Microsoft doesn't have to convince developers that moving to the cloud is a good thing - we know the technical merits. Microsoft has to make it possible for our customers to believe that the cloud is a safe place to put their data. If our customers don't believe that, then we will stop using the cloud and Azure will fail.
@perpetualKid: my use case is 100% on-cloud, there is no on-premise. I don't have a premise, that's why I am considering using the cloud :)
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com -
October 14, 2009 13:38
If you want assurance that no one can read the data (even if the raw bytes are stolen), the only option is to encrypt before the data enters the cloud. If the data is encrypted in the cloud, then the key must be in the cloud too, which doesn't give you the assurance you're asking for. (FYI, Windows Azure does not store data encrypted on disk.)
There are other reasonable strategies... for example, you can encrypt and decrypt in your application and ask for the key from the user each time. This way the encryption key is only ever in memory in the VM, so someone who both cracks open your application package and acquires the data in your storage account still can't read the data without intercepting the key (over the wire or by gaining direct access to the VM).
In other words, like all security questions, it comes down to modeling the threats, assessing risks, and reaching a level of protection that makes you comfortable. Some of that protection will come from us, the platform provider, and some will come from the design of your application.
- Marked as answer by Kevin Hoffman, October 14, 2009 13:56
-
October 14, 2009 13:54
Well, that's really the information I wanted then. Now I know how much of the data protection Microsoft is claiming and how much I need to claim. This is very helpful because it clears up some assumptions. Microsoft will make sure your data doesn't vanish into thin air (reliability) and will make sure that concurrent access to your data won't ruin your application (scalability), but if you want to protect your data against intrusion, do so on your own.
That said, when a web role is running in full trust, can it run the .NET encryption libraries? I know several of them hit the disk immediately during the constructor to check for things like keys from the key store, etc.
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com -
October 14, 2009 13:59
I'm not sure I agree with your summary... we do protect your data against intrusion in a number of ways, but my understanding was that you were asking for assurances that even if intrusion occurs, your data can't be compromised.
I believe you can use the .NET encryption libraries, but I don't know enough about them to be sure.
-
October 14, 2009 14:44
What about this... Is there some way that I could store a user-specific encryption key as a property on some kind of federated identity, like a .NET Access Control identity? I know I could use their encryption key as a federated claim using Geneva/ADFS, but... what's the equivalent in the cloud?
A workflow that I could see being ideal here would be:
1. user hits my web role
2. my web role does federated auth through .NET Access Control
3. my web role grabs the user's encryption key as a result of their log in, does not persist the key (stores it in-memory in session)
This way, the user can have an encryption key that is specific to them, but that encryption key wouldn't be sitting in cloud storage anywhere, it would be stored inside .NET Access Control (which I know is actually stored securely).
Any thoughts? Roadblocks? Samples? :)
The .NET Addict - http://dotnetaddict.dotnetdevelopersjournal.com -
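The accepted answer above (attributed to Steve Marx in a later reply) and the workflow in the last post, where the user's secret arrives at login and lives only in session memory, combine into something like the following. This is an added example, not code from the thread, the Azure SDK or .NET Access Control; it assumes a current .NET runtime (Rfc2898DeriveBytes with SHA-256 and CryptographicOperations.FixedTimeEquals), and the userSecret parameter stands in for whatever the login step hands the web role.

```csharp
using System.Linq;
using System.Security.Cryptography;

// Encrypt-then-MAC with keys derived from a secret the user supplies at login.
// What reaches the storage account is salt | iv | ciphertext | tag; the secret and
// the derived keys exist only in memory for the duration of the request.
// Class and method names are this example's own, not Azure SDK or Access Control APIs.
public static class UserDataProtector
{
    const int SaltLen = 16, IvLen = 16, KeyLen = 32, TagLen = 32, Iterations = 100000;

    // One PBKDF2 stream yields two independent keys: one for AES, one for the HMAC.
    static void DeriveKeys(string secret, byte[] salt, out byte[] encKey, out byte[] macKey)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations, HashAlgorithmName.SHA256))
        { encKey = kdf.GetBytes(KeyLen); macKey = kdf.GetBytes(KeyLen); }
    }

    // Returns the bytes to upload: salt | iv | ciphertext | HMAC-SHA256(salt | iv | ciphertext).
    public static byte[] Protect(string userSecret, byte[] plaintext)
    {
        byte[] salt = new byte[SaltLen], iv = new byte[IvLen];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); rng.GetBytes(iv); }
        DeriveKeys(userSecret, salt, out byte[] encKey, out byte[] macKey);
        byte[] cipher;
        using (var aes = Aes.Create())                       // defaults: AES-256, CBC, PKCS7
        using (var enc = aes.CreateEncryptor(encKey, iv))
            cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = salt.Concat(iv).Concat(cipher).ToArray();
        using (var hmac = new HMACSHA256(macKey))
            return body.Concat(hmac.ComputeHash(body)).ToArray();
    }

    // Returns null when the secret is wrong or the blob was altered; the tag is checked first.
    public static byte[] Unprotect(string userSecret, byte[] blob)
    {
        if (blob.Length < SaltLen + IvLen + TagLen) return null;
        byte[] salt = blob.Take(SaltLen).ToArray();
        byte[] iv = blob.Skip(SaltLen).Take(IvLen).ToArray();
        byte[] body = blob.Take(blob.Length - TagLen).ToArray();
        byte[] tag = blob.Skip(blob.Length - TagLen).ToArray();
        DeriveKeys(userSecret, salt, out byte[] encKey, out byte[] macKey);
        using (var hmac = new HMACSHA256(macKey))
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag)) return null;
        byte[] cipher = body.Skip(SaltLen + IvLen).ToArray();
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(encKey, iv))
            return dec.TransformFinalBlock(cipher, 0, cipher.Length);
    }
}
```

Only the array returned by Protect is written to blob or table storage, so a raw copy taken from the data center yields salt, IV, ciphertext and tag, none of which decrypts without the user's secret; a wrong secret or a modified blob fails the tag check and never reaches the decryptor.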
October 14, 2009 17:18
Yi-Lun,
Many potential SQL Azure Database and Windows Azure Data Services users must comply with privacy requirements and regulations that require protection of personally identifiable information (PII), such as federal HIPAA regs, which will now involve draconian fines up to $1.5 million for large-scale, willful PII disclosures. Many new state regs require encrypting PII to avoid liability for data breaches. Payment Card Industry (PCI) rules have similar requirements.
While it's possible to store PII in locally encrypted tables with joins (or the like) to related SQL Azure or Azure tables, this isn't convenient and might not be practical for prospective users.
SQL Server 2008 offers Transparent Data Encryption (TDE), but SQL Azure doesn't support it and, as Steve Marx notes, key management is local to the database instance and under Microsoft's control for SQL Azure. Thus, even TDE doesn't fully protect PII stored in Microsoft or on-premises data centers (because the person who has control of the encryption keys might not be authorized to view the PII).
I deal with many of these issues in the "Cloud Security and Governance" section of my "Windows Azure and Cloud Computing Posts for MM/DD/YYYY+" blog posts.
-- rj
OakLeaf Blog