Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Azure: data encryption, Key Vault, storage and secure SQL

Microsoft Azure offers a wide range of security controls, but their activation isn't always automatic. An Azure deployment with default settings may leave sensitive data unencrypted with customer-managed keys, resources without accidental deletion protection, and insufficient audit logs. Microsoft Defender for Cloud (formerly Security Center) provides a security score and recommendations.

Azure SQL encryption with customer-managed key

Azure SQL Database encrypts data at rest by default with TDE (Transparent Data Encryption) using Microsoft-managed keys. For data subject to strict compliance requirements, encryption with customer-managed keys (CMK) stored in Azure Key Vault is recommended. This ensures Microsoft cannot access the data without the customer's key.

Azure Key Vault: soft delete and purge protection

Key Vault soft delete retains deleted secrets, keys, and certificates for a configurable period (7 to 90 days) before permanent deletion. Without this feature, accidental or malicious deletion of a key is irreversible and can render encrypted data permanently inaccessible. Purge protection prevents permanent deletion during the retention period, even by an administrator.

Enabling via Azure CLI

# Activer soft delete et purge protection sur un Key Vault existant :
az keyvault update \
  --name mykeyvault \
  --enable-soft-delete true \
  --enable-purge-protection true

# Vérifier le chiffrement TDE avec CMK sur Azure SQL :
az sql server tde-key show --resource-group myRG --server myserver

Storage accounts: encryption and infrastructure

Azure storage accounts encrypt data at rest by default. However, infrastructure encryption (double encryption) and customer-managed keys aren't enabled by default. For particularly sensitive data, these additional options increase protection. Publicly accessible storage accounts (anonymous access enabled) are a risk frequently found during audits.

Access key rotation

Azure storage accounts have two access keys (key1 and key2) that give complete access to all data in the account. These keys are never automatically rotated. A compromised key gives unlimited access to the account. Azure Key Vault can manage automatic key rotation. A better approach is to use Managed Identities and Azure Storage RBAC rather than direct access keys.

Azure disks and advanced threat protection

Azure managed disks are encrypted by default with platform-managed keys. For advanced compliance requirements, customer-managed keys (stored in Key Vault) and host-side encryption are available. Microsoft Defender for SQL (formerly Advanced Threat Protection) detects abnormal activity on SQL databases (injection attacks, access from unusual locations). It's not enabled by default and must be explicitly configured per server or at the subscription level.

Summary

  1. Enable soft delete and purge protection on Key Vault: protection against accidental or malicious deletions
  2. Encryption with customer-managed keys: for Azure SQL and sensitive storage accounts
  3. Regular access key rotation: or better, use Managed Identities and RBAC
  4. Disable public access to storage accounts: access control via RBAC only
  5. Enable Microsoft Defender for SQL: detection of abnormal database activity

A question after reading?

Want to audit your Azure configuration? Send a message.

Or book a 30-minute scoping call directly

Book a call