Azure VMware Solution – Maximizing Security and Control with Customer-Managed Keys


In this article, I look at Azure VMware Solution, a VMware-verified Microsoft virtual machine (VM) service that runs on Microsoft Azure infrastructure, and specifically at how you can add a second layer of encryption to your datastore and ensure Microsoft cannot read or write any data within your private cloud.

Data security is a top priority for many organizations, especially when it comes to sensitive and regulated data. Encryption is one of the most effective ways to protect data from unauthorized access, but not all encryption solutions are created equal.

Azure VMware Solution – what is customer-managed keys?

Some encryption solutions rely on service providers to manage the encryption keys, which may not meet the compliance and governance requirements of some industries and customers. That’s why Azure VMware Solution, a first-party Azure service that provides private clouds containing VMware vSphere clusters built from dedicated bare-metal Azure infrastructure, now supports encryption with customer-managed keys.

Rahi Patel, a Senior Technical Program Manager in the Azure VMware Solution product group at Microsoft, has made a significant contribution to the field of cloud computing with his innovative development of the Customer-Managed Keys feature. This feature is a critical point in the field of data security and compliance, providing customers with an unparalleled degree of control and security.

Azure VMware Solution topology (Image Credit: Microsoft)

Customer-managed keys give customers maximum control over their encrypted vSAN data on Azure VMware Solution. Customers can use Azure Key Vault to generate customer-managed keys and centralize the key management process. Azure Key Vault is a cloud service that provides secure storage and management of secrets, such as keys, passwords, certificates, and tokens. Azure Key Vault also integrates with Microsoft Entra ID (formerly Azure Active Directory) for role-based access control and auditing.

Adding a second layer of encryption in Azure VMware Solution with customer-managed keys

Customer-managed keys don’t disable default vSAN datastore encryption. Instead, they add a second layer of encryption on top of the default one. This means that customer-managed keys deliver double encryption, a critical requirement for the finance industry and other sectors with stringent regulations.

Customer-managed keys also enable you to revoke access to data at any time by disabling or deleting the keys used for encryption, making it impossible for Azure VMware Solution to read or write any data within the customer’s private cloud.

The benefits extend beyond control. Customers also have full authority over the key lifecycle, including the rotation of the key to align with corporate policies. The central management and organization of keys in Azure Key Vault further streamline the process.
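Because disabling or deleting the key is exactly what revokes the service's access to the datastore, a practitioner will want to confirm that the key-vault and private-cloud configuration cannot lock them out by accident. The posture check below is an added example, not Microsoft's or this article's code: it reads JSON shaped like the output of `az keyvault show`, `az vmware private-cloud show` and the Key Vault key-attributes response (constructed samples here) and flags a vault without soft delete or purge protection, a private cloud whose key state is not Connected, and a disabled or expired key. The field names (`enableSoftDelete`, `enablePurgeProtection`, `encryption.keyVaultProperties.keyState`, `attributes.exp`) are assumptions drawn from the Key Vault and Microsoft.AVS resource schemas as I understand them; confirm them against your own `az ... show` output before relying on the script.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az keyvault show`: soft delete is on but
# purge protection is not, so a deleted key could be purged permanently.
VAULT_JSON = """{
  "name": "kv-avs-example",
  "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}
}"""
# Constructed sample shaped like `az vmware private-cloud show` (encryption
# block only): CMK is enabled but the service can no longer reach the key.
PRIVATE_CLOUD_JSON = """{
  "name": "avs-sddc-example",
  "identity": {"type": "SystemAssigned"},
  "properties": {"encryption": {"status": "Enabled",
    "keyVaultProperties": {"keyName": "avs-cmk",
      "keyVaultUrl": "https://kv-avs-example.vault.azure.net/",
      "keyState": "AccessDenied", "versionType": "AutoDetected"}}}
}"""
# Constructed sample of the key's attributes (REST shape: `exp` is epoch seconds or null).
KEY_JSON = """{"attributes": {"enabled": true, "exp": null}}"""


def check_cmk_posture(vault, private_cloud, key):
    """Return a list of findings; an empty list means the setup looks sound."""
    findings = []
    props = vault.get("properties", {})
    if props.get("enableSoftDelete") is not True:
        findings.append("vault: soft delete disabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("vault: purge protection disabled")
    if private_cloud.get("identity", {}).get("type") != "SystemAssigned":
        findings.append("private cloud: no system-assigned identity")
    enc = private_cloud.get("properties", {}).get("encryption", {})
    if enc.get("status") != "Enabled":
        findings.append("private cloud: CMK encryption not enabled")
    kv = enc.get("keyVaultProperties", {})
    if kv.get("keyState") != "Connected":
        findings.append(f"private cloud: key state is {kv.get('keyState')}")
    attrs = key.get("attributes", {})
    if attrs.get("enabled") is not True:
        findings.append("key: disabled (access to the datastore is revoked)")
    exp = attrs.get("exp")
    if exp is not None and exp <= datetime.now(timezone.utc).timestamp():
        findings.append("key: expired")
    return findings


def run_check():
    return check_cmk_posture(json.loads(VAULT_JSON),
                             json.loads(PRIVATE_CLOUD_JSON), json.loads(KEY_JSON))
```

An empty findings list means the key is reachable and a deletion would still be recoverable through soft delete; any finding on the key or key state means the datastore is, or is one step from being, unreadable.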

A significant leap forward in cloud security

In conclusion, the introduction of customer-managed keys in Azure VMware Solution represents a significant leap forward in cloud security. It empowers users with greater control over their data while providing enhanced security features that meet and exceed industry standards. The innovative contribution of Rahi Patel in creating this feature has set a new benchmark in the field of cloud security.

Learn more about how to configure customer-managed key encryption at rest in Azure VMware Solution.