Description:
Data encryption is a critical component of securing sensitive information. Microsoft Managed Keys (MMK) are used to encrypt critical data, ensuring that data at rest and in transit is protected using strong encryption standards. MMK provides seamless key management with minimal administrative overhead, as Microsoft manages the lifecycle of these encryption keys.
Rationale:
Using Microsoft Managed Keys ensures that sensitive data is protected with strong encryption standards. It simplifies the encryption process by leveraging Microsoft’s key management system, which is integrated with Azure services. By using MMK, organizations can ensure compliance with regulatory requirements and avoid the complexity of managing encryption keys manually.
Impact:
Enabling MMK for critical data encryption will ensure data is securely stored and protected from unauthorized access. This may impact application performance during the encryption and decryption processes, depending on the amount of data and the frequency of access. Additionally, reliance on Microsoft for key management means that control over key rotation and access is delegated to the cloud provider.
Default Value:
By default, encryption with Microsoft Managed Keys is not enabled. Encryption must be manually configured for relevant services.
Prerequisites:
Azure account.
Azure Storage or other supported Azure services.
The user must have appropriate permissions to manage encryption settings (e.g., Storage Admin, Key Vault Admin).
Audit:
Sign in to the Azure portal as a Storage Admin, Key Vault Admin, or other authorized user.
Navigate to the Azure Storage or relevant service where critical data is stored.
Review the Encryption settings and verify whether Microsoft Managed Keys (MMK) are in use for data encryption.
Implementation Steps:
Sign in to the Azure portal with a Storage Admin, Key Vault Admin, or similar role.
Navigate to the Azure Storage Account or relevant service.
Under Encryption settings, select Microsoft Managed Keys for data encryption.
Enable MMK and save the changes.
Ensure that any sensitive data or critical services are now using MMK for encryption.
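The Audit and Implementation Steps above are portal procedures. The script below is an added example, not part of this recommendation, that performs the same check from the Azure CLI's JSON output: it reads each storage account's encryption.keySource (the value "Microsoft.Storage" means Microsoft Managed Keys, "Microsoft.Keyvault" means Customer-Managed Keys) and, for any account not on MMK, prints the az storage account update command that would switch it. The account names, resource groups and Key Vault URI in the embedded sample are constructed; the assumption that the live data comes from az storage account list -o json is the author's, not the page's.

```python
"""Audit which Azure Storage accounts encrypt data with Microsoft Managed Keys.

Added example. Assumes the JSON shape returned by `az storage account list -o json`,
in which encryption.keySource is "Microsoft.Storage" (Microsoft Managed Keys) or
"Microsoft.Keyvault" (Customer-Managed Keys).
"""
import json
import subprocess
from typing import Dict, List, Optional

MMK_KEY_SOURCE = "Microsoft.Storage"   # Microsoft Managed Keys
CMK_KEY_SOURCE = "Microsoft.Keyvault"  # Customer-Managed Keys held in Key Vault

# Constructed sample standing in for the CLI output; only the fields the audit
# reads are included. Names, resource groups and the vault URI are made up.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "stlogsprod", "resourceGroup": "rg-prod",
     "encryption": {"keySource": "Microsoft.Storage",
                    "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
    {"name": "stfinance", "resourceGroup": "rg-prod",
     "encryption": {"keySource": "Microsoft.Keyvault",
                    "keyVaultProperties": {"keyName": "finance-key",
                                           "keyVaultUri": "https://kv-example.vault.azure.net/"},
                    "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}},
    # Constructed edge case: the encryption block is absent, so the key source is unknown
    # and the account is reported for manual review rather than silently counted as MMK.
    {"name": "stlegacy", "resourceGroup": "rg-test", "encryption": None},
])


def sample_accounts() -> List[Dict]:
    """Parsed form of the constructed sample (used for the offline run)."""
    return json.loads(SAMPLE_ACCOUNTS_JSON)


def load_accounts_from_cli(subscription: Optional[str] = None) -> List[Dict]:
    """Fetch live data with the Azure CLI (requires a prior `az login`)."""
    cmd = ["az", "storage", "account", "list", "-o", "json"]
    if subscription:
        cmd += ["--subscription", subscription]
    return json.loads(subprocess.check_output(cmd, text=True))


def key_source(account: Dict) -> str:
    """Return the account's encryption key source, or "unknown" when it is missing."""
    encryption = account.get("encryption") or {}
    return encryption.get("keySource") or "unknown"


def audit_mmk(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Group account names by key source: {"mmk": [...], "cmk": [...], "unknown": [...]}."""
    report: Dict[str, List[str]] = {"mmk": [], "cmk": [], "unknown": []}
    for account in accounts:
        source = key_source(account)
        if source == MMK_KEY_SOURCE:
            report["mmk"].append(account["name"])
        elif source == CMK_KEY_SOURCE:
            report["cmk"].append(account["name"])
        else:
            report["unknown"].append(account["name"])
    return report


def remediation_command(account: Dict) -> List[str]:
    """CLI equivalent of the Implementation Steps: switch the account to Microsoft Managed Keys."""
    return ["az", "storage", "account", "update",
            "--name", account["name"],
            "--resource-group", account["resourceGroup"],
            "--encryption-key-source", MMK_KEY_SOURCE]


if __name__ == "__main__":
    accounts = sample_accounts()  # replace with load_accounts_from_cli() for a real audit
    report = audit_mmk(accounts)
    print("Using Microsoft Managed Keys :", ", ".join(report["mmk"]) or "-")
    print("Using Customer-Managed Keys  :", ", ".join(report["cmk"]) or "-")
    print("Key source unknown (review)  :", ", ".join(report["unknown"]) or "-")
    for account in accounts:
        if key_source(account) != MMK_KEY_SOURCE:
            print("Remediation:", " ".join(remediation_command(account)))
```

Run as-is it audits the constructed sample; swap sample_accounts() for load_accounts_from_cli() to audit a real subscription. An account with no encryption block is listed separately rather than assumed compliant, so nothing is marked as MMK without evidence.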
Backout Plan:
Sign in to the Azure portal as a Storage Admin, Key Vault Admin, or other authorized user.
Navigate to the Azure Storage or relevant service.
Under Encryption settings, switch from Microsoft Managed Keys to Customer-Managed Keys or another preferred encryption method.
Save the changes.