Three questions and answers: Mastering encryption in the Azure Cloud

If company data is stored with a cloud provider, they usually handle encryption. However, for confidential data, you should use your own keys.


If you have your data in the Azure cloud, you want to know it's safe – and that means encrypted. The crucial question is: Are Microsoft's keys sufficient, or should you prefer your own? Azure offers options and combinations, but the offering is not easy to grasp. Armin Berberovic, author of the cover story in the new iX 3/2026, explains how to approach it and where you should definitely be in control of the keys.

Armin Berberovic is Senior IT Security Architect in the aviation industry. He shares his many years of experience in security for cloud and cloud-native technologies on his blog cloudsec42.com.

From press releases to calendars to business secrets, companies hold a lot of data. How can you systematically determine protection classes?

The damage that data can cause in the wrong hands is crucial for classifying data into a protection class. A common classification is into public, internal, confidential, and strictly confidential data. A press release would be an example of public information that the company shares with the public of its own accord. It is not expected that an attacker can harm the company with this information. It's different when business secrets are stolen. Here, not only is there a risk of reputational damage, but blackmail by criminal gangs or weakening of one's own competitiveness are among the possible consequences.

When should one rely on one's own keys, and when are Microsoft-managed keys also acceptable? And how is the use of one's own keys implemented in Azure?

For the protection of public and internal data, Microsoft-managed keys are sufficient. They require little effort and are cost-effective. As is often the case in IT security, this is a discretionary decision where costs and effort must be weighed against potential damages. Neither should one "shoot sparrows with cannons" nor "save at the wrong end," which is why, at the latest from the "confidential" protection class, key management should be taken into one's own hands.

For customer-owned keys, Azure uses a multi-stage encryption process known as Envelope Encryption. This technique uses two keys: a Key Encryption Key (KEK) and a Data Encryption Key (DEK). As the name suggests, the KEK is used to encrypt a second key, for example, to securely store the second key somewhere. This process, known as "wrapping," is applied to the DEK, which encrypts the data.

If a file is to be decrypted, the DEK must first be "unwrapped" (decrypted) using the KEK, and then the file is decrypted with the DEK. A self-managed key in Azure is the KEK. This can be stored in Azure Key Vault, either with software-based protection or, in the Premium tier, also in an HSM, and used with other Azure services via various interfaces. In its function as KEK, it protects the DEK with which the respective service encrypts its data.
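The wrap/unwrap sequence described in the two answers above, as an added, self-contained example that is not part of the original article and not Azure's or Key Vault's own code: a fresh DEK encrypts the data, the KEK wraps only the DEK, and decryption first unwraps the DEK and then the payload. It uses only Go's standard library and simulates the KEK locally with AES-GCM (an assumption; in Azure the KEK lives in Key Vault and the wrap operation is performed there). It goes one step beyond the text with `Rewrap`, which shows why envelope encryption makes KEK rotation cheap: only the small wrapped DEK is re-encrypted, the bulk ciphertext is untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored beside the data: the DEK wrapped under the KEK,
// the nonces for both AES-GCM operations, and the payload encrypted with the DEK.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted ("wrapped") with the KEK
	WrapNonce  []byte // nonce used for the wrap operation
	DataNonce  []byte // nonce used to encrypt the payload with the DEK
	Ciphertext []byte // payload encrypted with the DEK
}

// wrapLabel is bound as associated data so a wrapped DEK cannot be passed off as payload.
var wrapLabel = []byte("dek-wrap")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce and returns nonce and ciphertext.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open is the inverse of seal; it fails on a wrong key or any tampering.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt: generate a DEK for this object, encrypt the data with it, wrap the DEK with the KEK.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256 data encryption key, never stored in the clear
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, wrapLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, WrapNonce: wrapNonce, DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt: unwrap the DEK with the KEK first, then decrypt the payload with the DEK.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, wrapLabel)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or tampered envelope")
	}
	return open(dek, env.DataNonce, env.Ciphertext, nil)
}

// Rewrap rotates the KEK: the DEK is unwrapped with the old KEK and wrapped again with the
// new one. The data ciphertext and its nonce are left exactly as they are.
func Rewrap(oldKEK, newKEK []byte, env *Envelope) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrapNonce, env.WrappedDEK, wrapLabel)
	if err != nil {
		return nil, errors.New("unwrap with old KEK failed")
	}
	nonce, wrapped, err := seal(newKEK, dek, wrapLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, WrapNonce: nonce, DataNonce: env.DataNonce, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed sample KEK; in Azure this would be a Key Vault key
	_, _ = rand.Read(kek)
	env, _ := Encrypt(kek, []byte("constructed sample: confidential project data"))
	fmt.Printf("wrapped DEK is %d bytes, ciphertext is %d bytes\n", len(env.WrappedDEK), len(env.Ciphertext))
	pt, err := Decrypt(kek, env)
	fmt.Println(string(pt), err)
}
```

The point to take from the sizes printed by `main`: the KEK only ever processes 32 bytes of DEK, so the KEK can sit in Key Vault (or an HSM) and be used through its wrap/unwrap interface without the bulk data ever leaving the service that owns it.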


What additional measures are recommended for the highest level of confidentiality?

The use of a Hardware Security Module (HSM) is essential for strictly confidential data. An HSM is a dedicated hardware module that performs cryptographic operations using an integrated microprocessor and offers special protection for keys stored there. It has additional security mechanisms that actively react to tampering attempts. If such an attempt is detected, the stored keys can be deleted or the HSM deactivated. Thus, HSMs offer better protection against tampering than purely software-based protection measures.

Armin, thank you for the answers! An overview of encryption under Azure is available in the new iX. We also show how to manage the monitoring of local Windows servers via the Microsoft cloud – and look at what else is possible on-premises with Microsoft. All this and many other topics can be found by readers in the March issue, which is available now in the heise shop or at newsstands.

In the series "Three Questions and Answers," iX aims to get to the heart of today's IT challenges – whether from the user's perspective at the PC, the manager's view, or an administrator's daily routine. Do you have suggestions from your daily practice or that of your users? Whose tips on which topic would you like to read concisely? Then feel free to write to us or leave a comment in the forum.

(axk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.