Table of Contents

Introduction

Why Azure NetApp Files?

DoD IL5 compliance in Azure Government

Azure NetApp Files reaches feature parity between Azure Government and Azure Commercial

New Azure NetApp Files encryption features

Double encryption at rest

Volume encryption with customer-managed keys in Azure Government

Volume encryption with customer-managed keys with managed Hardware Security Module (HSM)

Conclusion

Additional Information

 

Introduction

 

 

The federal government and regulated industries customers require the same performance and enterprise-grade services that private industry does. But they also have many extra security and compliance requirements, especially from a data storage, access, and sovereignty perspective. These extra security and compliance needs make it more difficult for the public sector and regulated industries customers to operate in Azure’s public cloud services.

 

Co-authors: Richard Crofford (Azure NetApp Files Technical Marketing Engineer)

 

Why Azure NetApp Files?

Azure NetApp Files is a high-performance, enterprise-class file storage service that is natively integrated with Azure Government. Azure NetApp Files is a high-performance, scalable, and secure storage service for running mission-critical applications and workloads in Azure.

Azure NetApp Files integration with Azure services makes the migration process easy, enabling users to move their workloads from their premises to the cloud with minimal effort. It meets all critical compliance and regulatory requirements for public sector and regulated industry customers, thanks to its advanced security and compliance features.

 

Azure NetApp Files saves time and money by enhancing cloud application deployment and operation with added security and compliance, enabling your organization to focus on innovation rather than administration, delivering greater value.

 

 

For organizations looking to migrate their applications and workloads to Azure, Azure NetApp Files provides a seamless experience for migrating Windows apps and SQL Server, Linux OSS apps and databases, and SAP on Azure.

https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-solution-architectures

 

DoD IL5 compliance in Azure Government

Azure NetApp Files in Azure Government regions and the latest security and compliance features discussed in this article mean that customers who require DoD IL5 can now benefit from Azure NetApp Files for their enterprise workloads.

 

Azure Government supports applications that use IL5 data in all available regions. IL5 requirements are defined in the U.S. DoD Cloud Computing Security Requirements Guide (SRG). IL5 workloads have a higher impact on the DoD and must be secured to a higher standard. When these workloads are deployed in Azure Government, the isolation requirements can be met in various ways.

 

The three key capabilities and services available to support the stringent data security and storage isolation requirements of the U.S. federal government are Azure NetApp Files, customer-managed keys, and Azure Key Vault. Using all three not only achieves IL5 compliance, it also allows customers to gain access to high-performance and enterprise-class storage to migrate their mission-critical workloads to Azure.

 

Azure Government uses physically isolated data centers and networks that are in the United States only. This location restriction provides the highest level of security, compliance, and sovereignty for customer deployments. Azure Government services handle data that is subject to government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD IL4, DoD IL5, and CJIS. Compared with Azure Commercial globally, Azure Government offers customers an extra layer of protection. Contractual commitments restrict storage of customer data to the United States, and potential access to systems that process customer data is limited to screened workers in the United States.

 

Azure NetApp Files reaches feature parity between Azure Government and Azure Commercial

Azure NetApp Files is available in Azure Commercial for all customers, including those in the public sector and regulated industries. With the latest security and compliance enhancements, Azure NetApp Files now offers full feature parity between Azure Government and Azure Commercial regions. Now, public sector and regulated industries customers can enjoy many of the same features as their Azure Commercial counterparts, such as the following.

• Cross-region replication (CRR) – With this disaster recovery capability, Azure NetApp Files volumes can be replicated from one Azure region to another quickly and cost effectively, protecting data from unforeseeable regional failures.
• Cross-zone replication (CZR) – Enables asynchronous replication of Azure NetApp Files volumes from one Azure availability zone (AZ) to another within the same region, protecting data from unforeseeable zone failures without the need for host-based data replication.
• Standard network features – These features provide an enhanced virtual networking experience for a seamless and consistent experience with the security posture of all their workloads, including Azure NetApp Files.
• Storage with cool access – Saves cost by turning on the cool option in a capacity pool of Azure NetApp Files volumes on any service level to have inactive data transparently moved from the volume (the hot tier) to an Azure storage account (the cool tier).

Although these enterprise-class features were ideal for public sector and regulated industries, Azure NetApp Files in Azure Government did not meet all the security and compliance requirements necessary for public sector and regulated industries customers to move production workloads. This situation changed recently with the announcement of several new features that enhance data safety, security, and compliance by protecting it at the data and control plane layers, mitigating the threat of attacks and unplanned data loss.

 

New Azure NetApp Files encryption features

This blog explores the following new Azure NetApp Files features:

 

• Double encryption at rest
• Volume encryption with customer-managed keys in Azure Government
• Volume encryption with customer-managed keys with managed Hardware Security Module (HSM)

To reiterate, with these latest security and compliance feature releases, feature parity has been reached between Azure NetApp Files in Azure Government and Azure Commercial.

 

Double encryption at rest

Financial institutions, military users, business customers, governments, healthcare institutions, and more all use critical data. Single encryption at rest may be sufficient for some data, but double encryption at rest is necessary for data where a breach of confidentiality would be catastrophic. Leaks of information such as customer-sensitive data, names, addresses, and government identification can result in extremely high liability. That risk can be mitigated by protecting data confidentiality with double encryption at rest.

 

When data is transported over networks, additional encryption such as Transport Layer Security (TLS) can help to protect data in transit. But once the data has arrived, protection is necessary to help address the vulnerability of data at rest. Using Azure NetApp Files double encryption at rest complements the security that’s inherent with the physically secure cloud storage in Azure data centers.

 

Azure NetApp Files double encryption at rest provides two levels of encryption protection: a hardware-based encryption layer (encrypted SSD drives) and a software-encryption layer. The hardware-based encryption layer resides at the physical storage level, using FIPS 140-2 certified drives. The software-based encryption layer is at the volume level, completing the second level of encryption protection. For more information, see Azure NetApp Files double encryption at rest.

 

When a volume is created in a double encryption capacity pool, the default key management (the Encryption Key Source field) is Microsoft-managed key, and the other choice is customer-managed key (CMK). Using customer-managed keys requires additional preparation of an Azure Key Vault and other details. For more information about using volume encryption with customer managed keys, see Configure customer-managed keys for Azure NetApp Files volume encryption or watch this How-to video:

 

 

Volume encryption with customer-managed keys in Azure Government

With the release of customer-managed keys for Azure NetApp Files volume encryption in Azure Government, public sector and regulated industries customers who require DoD IL5 support can now benefit from enhanced volume encryption. This advance enables customers to securely move mission-critical workloads, such as databases, Azure virtual desktops, and high-performance computing (HPC), to Azure NetApp Files.

 

Customer-managed keys (CMK) is a security feature that allows organizations to take control of their keys and manage them independently from the cloud service provider. In the context of Azure NetApp Files, customer-managed keys enable customers to encrypt and decrypt their data stored in Azure NetApp Files by using their own keys, so that they have exclusive access control.

 

Customer-managed keys in Azure NetApp Files enhances data protection in the following ways.

 

• Enhanced data security - By using customer-managed keys, organizations can strengthen the security of their data stored in Azure NetApp Files. With customer-managed keys, the keys are generated, managed, and stored within the organization’s own infrastructure, reducing the risk of unauthorized access to sensitive information. This approach offers an additional layer of protection against data breaches and insider threats.
• Compliance and regulatory requirements - Many industries and regions have stringent data protection regulations that require organizations to maintain control over their keys. Customer-managed keys in Azure NetApp Files allows businesses to meet these compliance requirements by keeping the keys in their possession, providing an auditable trail of key management, which is essential for regulatory compliance audits.
• Protection against unauthorized access - Customer-managed keys offers organizations protection against unauthorized access to their data. Even if a breach or unauthorized access occurs in the cloud environment, the encrypted data remains inaccessible without the corresponding keys. This protection minimizes the risk of data exposure and helps organizations maintain the confidentiality of their sensitive information.
• Trust and confidence - Customer-managed keys gives organizations a sense of trust and confidence in the security of their data. By having exclusive control over the keys, organizations can keep their data protected, fostering trust with their customers, partners, and stakeholders.

 

Volume encryption with customer-managed keys with managed Hardware Security Module (HSM)

Azure NetApp Files volume encryption with customer-managed keys with the managed Hardware Security Module (HSM) is an extension to customer-managed keys for the Azure NetApp Files volumes encryption feature. Customer-managed keys with managed HSM allows encryption keys to be stored in a more secure FIPS 140-2 Level 3 HSM instead of the FIPS 140-2 Level 1 or Level 2 service used by Azure Key Vault (AKV). For more information, see Configure customer-managed keys with managed Hardware Security Module for Azure NetApp Files volume encryption.

 

An Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables customers to safeguard cryptographic keys for cloud applications, using FIPS 140-2 Level 3 validated HSM. For more information, see What is Azure Key Vault Managed HSM.

 

This option is especially crucial for public sector and regulated industries customers with highly sensitive data. Using an Azure Key Vault Managed HSM along with an Azure NetApp Files volume ensures the protection of sensitive information and compliance with all security requirements. These HSMs are tamper-resistant, provide isolated access control, enhance data protection and compliance, and are dedicated to a single customer.

 

Conclusion                          

With the latest security and compliance feature releases, Azure NetApp Files has achieved feature parity between Azure Government and Azure Commercial. Additionally, Azure NetApp Files now offers a comprehensive set of security and compliance features, ensuring the secure storage of sensitive information for all customers.

 

The release of customer-managed keys in Azure Government enables public sector and regulated industries customers who require IL5 compliance to use Azure NetApp Files for their mission-critical workloads. With its ease of use, cost efficiency, and robust support, Azure NetApp Files is an essential service for public sector and regulated industry customers, enabling them to leverage the cloud while meeting their unique requirements.

 

Additional Information

1. Solution architectures using Azure NetApp Files | Microsoft Learn
2. Azure NetApp Files for Azure Government | Microsoft Learn
3. Azure NetApp Files double encryption at rest | Microsoft Learn
4. Configure customer-managed keys for Azure NetApp Files volume encryption | Microsoft Learn
5. Configure customer-managed keys with managed Hardware Security Module for Azure NetApp Files volume encryption | Microsoft Learn
6. Quick Bytes:  What is Azure NetApp Files
7. How-to: Configure customer-managed keys for Azure NetApp Files volume encryption