We have a project under way to develop a new web application allowing patients to order their own supplies. We currently have an on-premises SQL Server database which we would like to sync with an Azure-based db which the web app would link to. We're very concerned about the security & confidentiality of our customers' details, so any personal data on the Azure db would need to be encrypted. I've read the discussion at http://social.msdn.microsoft.com/Forums/en-US/windowsazuresecurity/thread/0671e79e-a75b-4b85-808c-d778bf7a9bef with interest, particularly the statement by Steve Marx that "If you want assurance that no one can read the data (even if the raw bytes are stolen), the only option is to encrypt before the data enters the cloud". This article is over 2 years old now, so are the statements contained in it still valid, given the rapid evolution of the Azure platform?
If we decide to take the approach that all personally identifiable fields will have to be encrypted, what are the most appropriate tools to consider for encryption/decryption between the db and the web app? The SQL Azure Labs' Trust Services framework looks potentially useful.
Any pointers would be greatly appreciated.
Indeed, Trust Services seems the way to go, but remember that it's currently still in the pre-release phase. There is a .NET SDK available for Trust Services, and it also comes with a sample project that covers copying a database with encryption. In this sample you can have specific database columns marked as sensitive, and as a result these columns will be encrypted in your SQL Azure database.
Here are the links to get started:
- Sample guide: http://social.technet.microsoft.com/wiki/contents/articles/7145.trust-services-copy-sql-database-sample.aspx
- Sample download: http://www.microsoft.com/download/en/details.aspx?id=28793
Besides that, you'll need to do encryption before the data enters the cloud / SQL Azure. This library allows you to hide the 'encryption infrastructure' in your Entity Framework data layer: http://securentity.codeplex.com/
Hope this helps.
Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog
- Proposed as answer by Sandrino Di Mattia, 14 March 2012 9:41
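As an added illustration of "encrypt before the data enters the cloud" (not code from this thread, from Trust Services, or from the securentity library): a minimal application-side column encryptor using AES-GCM. It assumes .NET 8 or later; `FieldProtector`, `Protect`, `Unprotect`, the `context` string format and the sample values are hypothetical names constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: encrypts one sensitive column value in the application,
// so only ciphertext is ever written to the cloud database.
public static class FieldProtector
{
    private const int NonceSize = 12; // AES-GCM nonce, bytes
    private const int TagSize = 16;   // AES-GCM authentication tag, bytes

    // Returns nonce || tag || ciphertext, suitable for a varbinary column.
    // 'context' (hypothetical format "Table.Column:rowId") is bound as associated
    // data, so a ciphertext copied to another row or column fails to decrypt.
    public static byte[] Protect(byte[] key, string plaintext, string context)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per value
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(context));
        byte[] blob = new byte[NonceSize + TagSize + ct.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceSize);
        ct.CopyTo(blob, NonceSize + TagSize);
        return blob;
    }

    // Throws a CryptographicException if the blob, key or context does not match.
    public static string Unprotect(byte[] key, byte[] blob, string context)
    {
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Encrypted value is too short.");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ct = blob.AsSpan(NonceSize + TagSize);
        byte[] pt = new byte[ct.Length];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(nonce, ct, tag, pt, Encoding.UTF8.GetBytes(context));
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        byte[] stored = Protect(key, "jane.doe@example.test", "Patients.Email:42");
        Console.WriteLine(Convert.ToHexString(stored)); // what the cloud db would hold
        Console.WriteLine(Unprotect(key, stored, "Patients.Email:42"));
    }
}
```

Because each value gets a random nonce, equal plaintexts produce different ciphertexts, so columns protected this way cannot be searched or joined on the database side.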
Thanks for your reply - I've started looking through the sample app which looks very useful. I'm curious if there's any way of integrating this with SQL Azure Data Sync in a hybrid configuration? The scenario we're looking at is maintaining an on-premise database (un-encrypted to support multiple legacy applications) which would then be 'mirrored' to an encrypted copy on Azure using Data Sync which would be accessed from certificated data consumer websites.