• 7 min read

Storing Encrypted Data in Windows Azure

As companies weigh the benefits of moving their data, processes, and systems to the cloud-from reduced infrastructure costs to rapid, success-based scaling-security is a perennial concern.…

As companies weigh the benefits of moving their data, processes, and systems to the cloud-from reduced infrastructure costs to rapid, success-based scaling-security is a perennial concern. Executives want to know: How will we protect our company’s most sensitive data against an ever-expanding array of threats?

To mitigate risk, some companies are turning to the cloud mainly as a way to access cost-efficient data storage. Several independent software vendors (ISVs) have recognized the demand for solutions that enable businesses to use their on-premises environment to operate on their most sensitive data, while capitalizing on the elasticity of cloud resources to store encrypted data. Building this kind of solution requires a cloud technology platform that incorporates strong data encryption and decryption capabilities.

As an application development and hosting platform, Windows Azure offers rich security functionality, including deep support for standardized encryption protocols. Developers can use the Cryptographic Service Providers (CSPs) built into the Microsoft .NET Framework to access Advanced Encryption Standard (AES) algorithms, along with Secure Hash Algorithm (SHA-2) functionality to handle such tasks as validating digital signatures. Moreover, the Windows Azure platform builds on the straightforward key management methods incorporated into the .NET security model, so developers can retain custom encryption keys within the Windows Azure storage services.

ISV Success Stories

Thoroughly addressing security needs while pursuing rapid time-to-market, lower operating costs, and scalability improvements is no small challenge. However, an increasing number of technology providers have used the Windows Azure SDK to build solutions that help customers encrypt their most sensitive data for cost-efficient, scalable storage in the cloud.

Cloud-Based Storage Without Compromising Control

The amount of content that companies are adding to their shared files drives, Microsoft SharePoint Server and Microsoft Exchange Server databases, and virtual machine libraries is exploding, making it increasingly difficult to achieve cost-efficient data protection. In managing all of this information, one important consideration is that not all content is created equal. The working set of content that users interact with most frequently should be prioritized. To balance performance, data protection, disaster recovery, cost, and capital and operating expenditures, it is critical to manage this working set of content differently from other data.

Administrators and users both want the speed of on-premises, high-speed disks; instant data accessibility from multiple geographies; and the elasticity that cloud-based infrastructure offers. At the same time, they want the safety afforded by traditional on-premises tape backup systems. To improve application performance, many companies turn to such costly solutions as adding on-premises servers. The introduction of Windows Azure has provided a new alternative.

StorSimple is a Santa Clara, California-based independent software vendor that focuses on solving storage-related issues-such as performance, scalability, manageability, security, and cost-for business-critical applications. Specifically, StorSimple concentrates on solving the storage issues that companies experience with high-growth applications.

Leaders at StorSimple saw an opportunity to offer a hybrid solution that integrates customers’ content-intensive applications with on-demand, cloud-based storage. In addition to helping customers more effectively scale capacity and better manage data storage costs, they recognized the critical importance of providing rigorous data protection.

To meet a growing market need for highly secure, scalable, and cost-effective storage, the company developed its flagship StorSimple solution. StorSimple lets customers seamlessly connect their on-premises infrastructure with enterprise cloud storage through service platforms such as Windows Azure. To address performance issues related to linking cloud-based and on-premises data storage, StorSimple transparently tiers data across solid-state drives (SSD) and Serial Attached SCSI (SAS) drives, and Windows Azure by using a unique BlockRank algorithm, enabling both SSD performance and cloud elasticity. The solution deduplicates data, a data compression process that eliminates redundant data segments and minimizes the amount of storage space that an application consumes.

In addition to optimizing storage space for data-intensive applications, StorSimple uses Cloud Clones-a patented StorSimple technology-to persistently archive copies of application storage volumes in the cloud. Cloud Clone technology automatically stores a deduplicated snapshot of data volumes to the cloud. “By using StorSimple and cloud storage services, customers get critical data protection while eliminating the use of tapes for off-site backup,” says Guru Pangal, StorSimple Cofounder and President.

Data is protected at multiple levels. Each file is broken into blocks; deduplication occurs at the block so that only changed blocks are stored. Each block that is sent to the cloud is encrypted with military-grade AES 256-bit encryption and compressed-and the private key is stored at the client premises, not in the cloud. “The Cloud Clones volumes can be directly mounted, reducing recovery time from days to minutes when compared to tape,” says Pangal. “The cloud means that everyone can now afford a highly secure, redundant data center for disaster recovery. The only difference is you only pay for it when you need it.”

With StorSimple and Windows Azure, customers maintain control of their data and can take advantage of public cloud services with security-enhanced data connections. StorSimple uses Windows Azure AppFabric Access Control to provide rule-based authorization to validate requests and connect the on-premises applications to the cloud.

By using StorSimple with Windows Azure, customers also gain the reliability of Microsoft data centers, which are ISO 27001:2005 accredited with Statement on Auditing Standards No. 70 (SAS 70) Type I and Type II attestations. “We understand the questions that customers have about data security in the cloud, but with StorSimple and Windows Azure, we offer customers a solution that helps them rest easy,” says Pangal.

Read the full StorSimple case study at: www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000008345

Security-Enhanced Data Backup and Recovery

Based in Seattle, Washington, Datacastle is an independent software vendor that helps customers protect critical data on endpoint assets and mobile devices. The company’s flagship product, Datacastle RED, promotes “resilient endpoint data”-a security-enhanced cloud service that helps organizations back up and recover information from client-side devices, such as desktop and portable computers and tablet PCs, so that if a computer or device is lost or damaged, employees can get back to business quickly.

Datacastle needed a solution that would continue its tradition of helping keep customer data secure. The company prides itself on knowing that, with Datacastle RED, companies can store high-visibility, high-impact data both on-premises and in the cloud with high levels of security. Datacastle wanted to ensure that any cloud provider it worked with would support, if not further enhance, its security-enhanced data backup solution. So, in early 2010, the company decided to convert its Datacastle RED solution for deployment to Windows Azure.

When a customer uses the solution, data is first encrypted before it is sent to an on-premises server or to Windows Azure. Core elements of a file are broken down into blocks-or “Data DNA”-and sequenced in a specific order and indexed. The data is queried against existing data that has been backed up to ensure that data is not unnecessarily duplicated. Datacastle RED assigns each device a cryptographically generated random key and also assigns every Data DNA block a unique key as well.

“By the time data reaches Windows Azure, it is encrypted with multiple keys, which are not available on the back end,” says Gary Sumner, CTO for Datacastle. Although there are millions of encryption keys generated for a typical customer deployment, the customer’s IT department only has to manage one key, which is generated during setup.

In addition to the strong encryption policies with keys for every device and every block of data within a single file, which can only be retrieved by customers, all of the encrypted data and metadata is stored in Windows Azure at Microsoft data centers, which are ISO 27001:2005 accredited with SAS 70 Type I and Type II attestations.

Datacastle currently uses Microsoft SQL Azure to store user accounts and logon information for the Datacastle RED management dashboard. In the future, the company plans to implement Windows Azure AppFabric Access Control, which will provide federated, claims-based access control for the web services the solution uses to communicate between the client-side installation on devices and the server-side installation in Windows Azure, further enhancing data security.

Read the full Datacastle case study at: www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000008339

Ironclad Transaction Security

Zuora is the global leader for on-demand subscription billing and commerce solutions. Its core offerings-Z-Billing, Z-Payments, and Z-Commerce-give companies the ability to launch, run, and operate their recurring revenue businesses without the need for custom-built infrastructure or costly billing systems.

To capitalize on the burgeoning demand for a cloud-based subscription billing solution, Zuora sought to provide Microsoft ISVs and developers with an easy-to-use toolkit. “Our goal was to create the building blocks for a cloud-based solution that ISVs and developers could use to automate subscription billing and usage,” says Jeff Yoshimura, Head of Marketing at Zuora. “We wanted to develop it as a drop-in solution so that customers could go live with a customizable, subscription-enabled storefront and start collecting payments in 5 to 10 minutes. And of course, we had to make sure that it met the two biggest requirements for any e-commerce solution: scalability and ironclad transaction security.”

In June 2010, the company delivered the Zuora Toolkit for Windows Azure, which provides documentation, APIs, and code samples so developers can quickly automate commerce from within Windows Azure-based applications and connect those applications to the Zuora Z-Commerce for the Cloud subscription service. Zuora ensured that the Zuora Toolkit for Windows Azure meets data protection requirements in compliance with Payment Card Industry (PCI) standards. Throughout its development process, the company adhered to Microsoft Security Development Lifecycle (SDL) guidance regarding the use of cryptographic operations in its Z-Commerce for the Cloud application. The application uses Advanced Encryption Standards (AES) to protect customer data and meets standards for PCI Level 1 compliance.

The Zuora team also took advantage of Windows Azure AppFabric Access Control to enhance the security of its Z-Commerce for the Cloud solution. Windows Azure AppFabric Access Control is an interoperable, claims-based service that provides federated authorization and authentication solutions for any resource, whether in the cloud, behind a firewall, or on a smart device. Because it uses the OAuth Web Resource Authorization Protocol (WRAP) specification-an open protocol supported by global technology vendors-it enabled developers to quickly create a claims-aware application that was highly secure and able to connect to services across multiple platforms. “We didn’t want to sacrifice interoperability for security-and vice versa,” says Yoshimura. “Because it builds on core Microsoft identity and access management technologies and uses open authentication standards, Windows Azure offers the best of both worlds, so we didn’t have to make that tradeoff.”

Read the full Zuora case study at: www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000008478

[Additional Resources]

To read more Windows Azure customer success stories, visit: www.windowsazure.com/evidence

To access additional information about Windows Azure security, visit: