Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Feature Request - add recommendation around Encryption with customer-managed keys (CMK) #1558

Closed vegazbabz closed 4 months ago

vegazbabz commented 7 months ago

Deny or Audit resources without Encryption with a customer-managed key (CMK) is not part of the policy list.

This means it lacks a recommendation on the scope. Back to some of the other ALZ policy questions, why do policy initiatives exist that are not used or recommended?

I believe this should be implemented on the intermediate root group as best practice. However, I do understand that not all clients want to use CMK - although this is best practice and recommended. So really, just some clear guidelines around the usage of CMK should be provided.

jtracey93 commented 7 months ago

This comes in the box as nothing built-in exists in the platform. As you correctly call out, not everyone will want/need CMK so we cannot make this a default assignment using the 80/20 rule, therefore it will stay unassigned.

However, customers have it available should they wish to use it.

vegazbabz commented 7 months ago

> This comes in the box as nothing built-in exists in the platform. As you correctly call out, not everyone will want/need CMK so we cannot make this a default assignment using the 80/20 rule, therefore it will stay unassigned.
>
> However, customers have it available should they wish to use it.

I completely agree, what I am missing is a place in the wiki that addresses this and mention to people that they have this policy initiative available, and why it would be best practice to use it.

Springstone commented 7 months ago

@vegazbabz This is a good call out, and will be more relevant in the near future, where we are planning on adding more custom policies but not assigning them by default. To clarify, CMK is not the best practice for everyone, it's a good practice. Encryption is a best practice, customers managing their own keys is an enhanced/recommended practice, if they have the skills available to do so effectively - hence we have MMK. Your point is taken, and we are in the process of adding custom policies aligned with CMK governance (not assigned by default) but will provide more options to customers wanting that additional level of security - and we'll provide additional wiki guidance aligned with this.


vegazbabz commented 7 months ago

> To clarify, CMK is not the best practice for everyone, it's a good practice. Encryption is a best practice, customers managing their own keys is an enhanced/recommended practice, if they have the skills available to do so effectively - hence we have MMK.

I disagree from a security point of view: best practice (which might not be 'Microsoft best practice', but 'cloud security best practice') is to have as much control over your key lifecycle as possible. This can only be achieved using CMK to encrypt the DEK. I understand that the majority of small and medium-sized enterprises cannot establish this practice due to cost and resource constraints. Nevertheless, that does not mean that it is not best practice. Everything in Azure (and other CSPs) is encrypted by default (using MMK/PMK), which is also expected as a bare minimum for anyone to do business with a CSP. The majority of the "out of the box" security settings in CSPs are not industry best practice; it is more a security baseline (bare minimum).

References: CSA 2.1.2 Key Management: "... based on the Segregation of Duties security principle, key management ideally should be separated from the cloud provider hosting the data. This provides the greatest protection against both an external breach of the service provider as well as an attack originating from a privileged user/employee of the provider. Additionally, this segregation of duties prevents the cloud provider from unauthorized disclosure of customer data, such as compliance with a subpoena, without the customer knowledge or approval. The customers should retain complete control over their data and only they should be able to comply with disclosure requests."

2.1.6 Data Integrity: "If the encryption key is stored with the CSP, the use of data encryption alone may not provide sufficient assurance that encrypted information has not been altered. Files placed into the cloud for storage may be subject to tampering or replacement in this case, and encryption alone cannot detect this. Combining data encryption with integrity protections such as digital signatures can ensure that data in the cloud remains both private and authentic. Where available, use of trusted time should be considered by using time-stamped signatures on data."

3.1.1 Key Management: "Ideally, the customer maintains control of the encryption keys however, customers need to choose the approach that best matches their risk tolerance and the compliance, government, audit, and/or executive mandated requirements they need to follow."

Springstone commented 7 months ago

@vegazbabz You're totally correct on your viewpoint and analysis, however, we cannot implement this by default given the vast majority aren't ready for CMK. For those few customers that are ready and aligned to CMK we recommend implementing appropriate policies once ALZ is deployed to meet requirements. ALZ is a reference architecture, not perfect for everyone, but perfect for the 80%. We're looking into revisiting the CMK perspective but have a lot of other things on the go at the moment, so may be a while before anything moves in ALZ in that space.

Springstone commented 4 months ago

Addressed in PR #1622, additionally you will be able to choose the scope to apply the initiative.
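The thread asks for an Audit/Deny policy on resources without a customer-managed key, assigned at the intermediate root management group, and the closing comment notes that the scope of the assignment can be chosen. The following is an added example, not code from the Enterprise-Scale repository or the Azure Policy engine: it embeds an illustrative custom policy definition in the shape Azure Policy uses (the alias `Microsoft.Storage/storageAccounts/encryption.keySource` and the value `Microsoft.Keyvault` are real Azure values; the definition name, the management-group tree, the subscriptions and the storage accounts are constructed) and a small evaluator that shows what an `Audit` assignment at the intermediate root versus a `Deny` assignment at a single landing-zone group does to each resource.

```python
"""Added example: behaviour of an Audit/Deny CMK policy at different ALZ scopes.
This is an illustrative evaluator for a subset of the Azure Policy rule grammar,
not the Azure Policy engine and not part of the Enterprise-Scale repository."""
import json

# Illustrative custom definition. Alias and keySource value are real Azure values;
# the definition name and display name are this example's own.
CMK_POLICY = json.loads("""
{
  "name": "example-storage-without-cmk",
  "properties": {
    "displayName": "Storage accounts should encrypt with a customer-managed key",
    "mode": "Indexed",
    "parameters": {
      "effect": {"type": "String",
                 "allowedValues": ["Audit", "Deny", "Disabled"],
                 "defaultValue": "Audit"}
    },
    "policyRule": {
      "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
         "notEquals": "Microsoft.Keyvault"}
      ]},
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
""")

# Constructed management-group tree modelled on the ALZ hierarchy: "alz" is the
# intermediate root; "legacy" is a group that sits outside it entirely.
MG_PARENT = {
    "alz": None, "legacy": None,
    "alz-platform": "alz", "alz-landingzones": "alz", "alz-sandbox": "alz",
    "alz-corp": "alz-landingzones", "alz-online": "alz-landingzones",
}
SUBSCRIPTION_MG = {  # constructed subscriptions and their parent groups
    "sub-corp-01": "alz-corp",
    "sub-sandbox-01": "alz-sandbox",
    "sub-legacy-01": "legacy",
}

STORAGE = "Microsoft.Storage/storageAccounts"
KEYSOURCE = "Microsoft.Storage/storageAccounts/encryption.keySource"
RESOURCES = [  # constructed inventory; "Microsoft.Storage" means platform-managed keys
    {"name": "stcorpcmk", "subscription": "sub-corp-01",
     "properties": {"type": STORAGE, KEYSOURCE: "Microsoft.Keyvault"}},
    {"name": "stcorpmmk", "subscription": "sub-corp-01",
     "properties": {"type": STORAGE, KEYSOURCE: "Microsoft.Storage"}},
    {"name": "stsandbox", "subscription": "sub-sandbox-01",
     "properties": {"type": STORAGE, KEYSOURCE: "Microsoft.Storage"}},
    {"name": "stlegacy", "subscription": "sub-legacy-01",
     "properties": {"type": STORAGE, KEYSOURCE: "Microsoft.Storage"}},
]


def ancestors(subscription):
    """Management-group chain of a subscription, nearest parent first."""
    chain, mg = [], SUBSCRIPTION_MG[subscription]
    while mg is not None:
        chain.append(mg)
        mg = MG_PARENT[mg]
    return chain


def rule_matches(condition, resource):
    """Evaluate the allOf / anyOf / field-equals / field-notEquals subset of policyRule."""
    if "allOf" in condition:
        return all(rule_matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(rule_matches(c, resource) for c in condition["anyOf"])
    actual = resource["properties"].get(condition["field"])
    if "equals" in condition:
        return actual == condition["equals"]
    if "notEquals" in condition:
        return actual != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, assignment, policy=CMK_POLICY):
    """NotInScope, Compliant, NonCompliant (Audit effect) or Denied (Deny effect).

    Assignments apply to the assigned scope and everything beneath it, so the
    check is simply whether the assigned group is one of the subscription's
    ancestors. The effect parameter is read from the assignment, falling back to
    the definition's defaultValue (the '[parameters(...)]' expression is not parsed).
    """
    if assignment["scope"] not in ancestors(resource["subscription"]):
        return "NotInScope"
    if not rule_matches(policy["properties"]["policyRule"]["if"], resource):
        return "Compliant"  # simplification: Azure reports non-applicable types separately
    default = policy["properties"]["parameters"]["effect"]["defaultValue"]
    effect = assignment.get("parameters", {}).get("effect", default)
    if effect == "Disabled":
        return "Compliant"
    return "NonCompliant" if effect == "Audit" else "Denied"


def evaluate_all(assignment, resources=RESOURCES):
    """Verdict per resource name for one assignment."""
    return {r["name"]: evaluate(r, assignment) for r in resources}


if __name__ == "__main__":
    audit_at_root = {"scope": "alz", "parameters": {"effect": "Audit"}}
    deny_at_corp = {"scope": "alz-corp", "parameters": {"effect": "Deny"}}
    print("Audit at intermediate root:", evaluate_all(audit_at_root))
    print("Deny at alz-corp only:     ", evaluate_all(deny_at_corp))
```

Assigning at the intermediate root with `Audit` reports every platform-managed-key account under `alz` (corp and sandbox alike) as non-compliant without blocking anything, which is the low-friction way to measure CMK adoption before deciding on enforcement; narrowing the assignment to `alz-corp` with `Deny` rejects new non-CMK accounts only in the corp landing zone and leaves sandbox and out-of-tree subscriptions untouched.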