How To Use Azure for Customer Data Protection

Azure data protection services provide users with strong customer data protection both by default features and as customer options to meet business requirements. When implemented correctly, Azure data protection enables organisations to secure both at-rest and in-transit data.

One of the most challenging and important organisational tasks is securing customer data. Although businesses have measures in place to secure internal data, challenges arise when security protocols for external data are implemented. Among these challenges, finding customer data protection solutions that are parallel to an organisation’s requirements remains a significant hurdle. 

Before the implementation of such solutions, businesses must consider the threats which necessitate the need for customer data protection. In addition, they must analyse the default data protection options providers offer and the configuration and installation protocols that must be followed. 

Microsoft Azure, above all others, remains the most committed provider that organisations can opt for when ensuring data security. Using their services, organisations can avail multiple layers of security and governance. When implemented, these solutions allow business leaders to increase their operational efficiency and ensure regulatory compliance. 

Feel free to contact our Microsoft Azure Consultants for expert advice on which customer data protection solutions are best catered for your business requirements. 

What Is Azure Data Protection?

Azure data protection is a set of security practices and tools used by organisations for developing multi-layered security protocols. Such protocols include solutions for security for physical data centres, infrastructure protection, and tools used for securing customer data. These data security solutions ensure that access to customer data is denied by default. 

Access to support case-related data is provided using a Just-in-Time (JIT) model. Policies used for this access are continuously monitored and audited with regard to their compliance and privacy. Microsoft ensures that support personnel for such security servicers are assigned unique accounts. 

These accounts then control access to key information systems using multi-factor authentication (MFA) and ensure access is granted from secure consoles only. Azure ensures that its data protection solutions cater to organisational requirements by allowing them to choose from both built-in security tools and custom options.

These services are priced similarly to other products, such as the Azure Monitor Log, but businesses must consider their security policies before implementation. Azure’s Security Policy for access control requirements states that:

• Access to customer data is restricted by default.
• Access requests are logged and audited.
• User or Administrator accounts can not be created on Virtual Machines (VMs).
• Only the least privilege required for task completion is granted. 

Customer Data Protection Threats 

When implementing such solutions, organisations must understand that the data they store can present various threats, such as misuse, alteration, or theft. However, business leaders can avoid such threats by understanding where the data is stored and the vulnerable data elements of each storage service. 

Customer package or service configuration files, shared access signatures, and credential information are known for being vulnerable data elements for computing services and storage and networking options. Data stored on VMs have vulnerabilities such as end-point configurations, user and admin credentials, and VM images. Vulnerabilities for data stored on virtual networks include pre-shared keys and IP addresses. 

Although cloud-hosted data is more accessible and vulnerable than data stored on on-premises infrastructure, threats for both are similar. Some of the threat types that organisations should be aware of include the following: 

• Repudiation – this threat allows the data to be accessed or modified without using auditable logs. 
• Misuse – this threat refers to either the accidental or intentional exposure or sharing of data with unauthorised users. 
• Alteration – refers to the compromise of data integrity due to corruption, user errors, or tampering. 
• Loss – refers to loss of data which makes it unrecoverable. Such loss may occur due to hardware failure, error, or theft.  

When implementing cloud-based customer data protection, organisations must consider both online and offline attacks. Online attacks occur when systems are in active operations and are often caused by compromised credentials or authorization failures. On the other hand, offline attacks do not require network access and occur when data or storage devices are moved by unauthorised users. These attacks result in efforts to modify system controls or deploy malware. 

Default Customer Data Protection and Security

Azure products come with several default security services that organisations can use for customer data protection. Some of these default data security services include:

Azure Active Directory (AD)

Azure AD is a cloud-native security solution used for identification and access management. Organisations can use this built-in solution for creating and managing access credentials and permission for all their cloud-based resources. The solution comes equipped with MFA protocols and allows businesses to develop conditional access policies. In addition, Azure AD can be used for auditing permissions, alerting to changes, and for reporting on user activity. 

Virtual Machine Security 

Azure allows organisations to use various Microsoft and third-party anti-malware solutions. When implemented, these solutions allow organisations to prevent their virtual machines from becoming infected. It enables them to prevent individual machines from being compromised and allows them to restrict hackers from moving within the network. In addition, Azure services are also compatible with Microsoft anti-malware solutions for cloud-based services such as Azure Virtual Desktop (AVD).

Web Application Firewalls (WAF)

WAFs in the Azure cloud environment are made available through the Azure Application Gateway services. These firewalls work similarly to traditional firewalls. However, they provide security and protection to web applications instead of network endpoints. 

Protection standards for these firewalls are based on filtering rules created by the Open Web Application Security Project (OWASP). Implementing these firewalls to protect against numerous web application threats, including SQL injection, code injection, and cross-site scripting. 

Data Protection Using Azure NetApp Files 

Azure NetApp Files allow organisations to securely migrate and operate industry-specific applications in the Azure cloud environment. The built-in option is deeply integrated with Azure and ensures that organisations do not require any storage-centric learning needed for data protection. In addition, it allows businesses to find the perfect balance between data protection and application performance. 

These security solutions are effective measures for customer data protection. However, businesses must use Microsoft’s Cloud Services Due Diligence Checklist to evaluate their current configurations before implementing these solutions. Using the checklist will allow businesses to assess various performance, availability, security and service requirements. In addition, organisations can use the checklist to ensure proper configurations after cloud migration. 

Azure Customer Data Protection and Security Options

In addition to the various default security solutions, Azure offers various customer options to businesses they can use for their customer data protection. Some of these customer options for data security and protection include: 

Data Segregation 

Due to its multi-tenant structure, deployments and VMs from various organisations are stored on the same physical hardware. However, Azure uses logical isolation to ensure that the organisations’ data remains segregated. Such segregation metrics allow businesses to avail the scalability and economic benefits that Azure offers. In addition, it helps them ensure that others are not accessing their data. 

Protection for In-Transit Data

Azure provides several options for businesses to secure in-transit data. These protection options can be used to transmit data within Azure and externally to end users. Some of these options include communication through Virtual Private Networks (VPNs) with IPsec/IKE encryption and Windows IPsec or SMB protocols. In addition, it also uses various Azure components such as Application Gateway or Azure Front Door for protection mechanisms such as Transport Layer Security. 

Protection for At-Rest Data 

Organisations can access a variety of encryption capabilities. The availability of these capabilities allows businesses to flexibly encryption options that meet their requirements. Protection for at-rest data results from a combination of different Azure services. Where Azure Storage Service Encryption ensures that all data placed in an account is encrypted, Azure Disk Encryption also allows organisations to encrypt VMs. In addition, organisations can use Azure Key Vault to manage and control access keys used for data encryption. 

Data Redundancy

Organisations can use the data redundancy options from Azure to ensure customer data protection during a cyberattack or physical damage to data centres. An organisation can choose whether to have region-specific storage for regulator compliance or out-of-region storage for security or disaster recovery purposes. When making this decision, businesses must consider that data within a selected geographical region can be replicated within it but not outside of it. When creating an account, organisations can choose the following: 

• Locally redundant storage (LRS) to make three copies of their data and safeguard against normal hardware failure.
• Zero-redundant storage (ZRS) to make three copies in more than one data centre and avail greater data durability when compared to LRS.
• Geo-redundant storage (GRS) makes six copies of their data, three of which are stored in the primary region and the other in a secondary region located at a significant geographical distance. 

Data Destruction 

This option allows businesses to ensure that data within Azure storage options is deleted if they choose to leave the provider or want to delete the data. In addition, Microsoft also ensures that strict standards are followed for data deletion and physical destruction of decommissioned hardware. Such processes can be initiated upon requests or contact termination. 

Customer Data Protection and Security Best Practices 

Organisations considering using Azure for customer data protection must consider various different factors. These factors include management solutions, workstations’ security, and security protocols for in-transit and at-rest data. Understanding some of the best practices of Azure data security will allow businesses to choose and deploy solutions as per their requirements. Some of these best practices include: 

• Using privileged workstation access to protect sensitive accounts, data, and tasks. 
• Implementing end-point protection across all devices regardless of data location. 
• Using data encryption for mitigating risks resulting from unauthorised access. 
• Securing access to multiple workstations by using Azure virtual network.
• Applying disk encryption for customer data protection.
• Enabling soft delete and purge protection to ensure recovery of deleted key vaults or objects. 
• Using Azure Resources Manager to deploy certificates stored in Key Vault to Azure VMs.
• When using Key Vault, organisations can use Azure RBAC to provide and control access to users, groups, and applications as a specific scope. 
• Using Azure Information Protection for secure organisational documents and emails. 

What Is Azure Information Protection (AIP)?

AIP is used to classify and protect stored and transmitted sensitive information by extending labelling and classification functionalities. Its unified labelling client increases the labelling, classification, and protection capabilities to additional file types and encompasses File Explorer and PowerShell as well. It allows organisations to use an on-premise scanner for classifying and protecting content stored on physical infrastructure.

It also allows organisations to use Microsoft Information Protection SDK to extend the labelling and classification to third-party apps and services. In addition, it also allows organisations to track and monitor shared data and restrict access if necessary. The solution is easily deployable and allows organisations to ensure customer data protection regardless of on-premise or cloud-based storage. 

How To Configure and Implement AIP?

Organisations considering using AIP for data security must access the Azure portal and a subscription that includes the solution. Despite its inclusion in a subscription, AIP is not included in the Azure portal by default. However, it can be added and activated as a resource from the Azure Portal. When the installation and activation are completed, organisations begin to assign labels to sensitive data. 

AIP comes with certain labels that are created by default. However, newer labels can be created if these labels do not adhere to organisational requirements. The default labels that come with AIP include Personal, General, Confidential, and Highly Confidential. It’s preeminent to mention here that if the Unified label status is not activated, then the default labels may not be available. Organisational must publish these labels in the Azure portal to ensure that they are available for the AIP classic client. 

Before implementing AIP, organisations must understand that the labels and policy settings for classic clients are downloaded to the client in the AIP policy. Whereas for a unified labelling client, labels are downloaded to the client, but policy settings must be downloaded from the Microsoft 365 compliance centre. 

Conclusion

Customer data protection is essential to business success and is often seen as a significant challenge. Although numerous solutions for securing customer data are available, finding one that’s parallel to organisational requirements can be difficult. Catering to this scenario, Azure data protection services allow businesses to avail security solutions for both at-rest and in-transit data. 

However, before implementing these solutions, businesses must consider the data protection threats that may arise from network end-points, credentials and other vulnerabilities. Understanding these solutions and adhering to their best practices can help organisations effectively secure customer data. Reach out to an Azure expert today and learn more about how Azure Information Protection (AIP) can help you secure customer data.

Rob Rattray

Rob Rattray is the Sales Director of A1 Technologies, a Microsoft consultancy based in Australia. Rob's focus is settings the strategic and cultural direction for A1 Technologies, while also overseeing Sales and Marketing. Rob is passionate about business and helping good people do good things through technology.