Forum Discussion
tony roth
Mar 29, 2021, Brass Contributor
Azure encryption ADE VS SSE threat modeling.
Since we have 3k+ VMs in Azure, and hundreds with, unfortunately, TBs of spanned disks per VM, all created prior to the increase in disk size, ADE causes us great pain in terms of restores etc. Due to this I was walking down the threat model and found no real differences between SSE and ADE in terms of threats. Any thoughts on this? What threat does SSE expose vs ADE? I couldn't find any. Things to consider: insider vs external threats etc.
Thanks greatly in advance.
6 Replies
- goncalvesjfet, Copper Contributor
Hi Tony,
it could be helpful in responding to your question:
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more references you could visit: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption-
- tony roth, Brass Contributor
Sorry, missed this. I'm very familiar with ADE and its inner workings; more curious about the security threat model surrounding it vs just normal encrypted storage at rest. In theory, to me, anybody with access to the BEK keys in the Key Vault is the issue. We do enough restores every day that if we only had a break-glass account with access there would be more than enough signals to make our SecOps guys go nuts. Our current model is: if you can make a VM, you can get to the BEK keys for the server, which basically is no different than encrypted storage at rest. BitLocker was meant for devices that you can gain physical access to, not really cloud servers, but for some reason we were asked to do ADE and I'm just trying to find an argument that's valid as to why ADE has a SecOps advantage over normal encrypted-at-rest storage.
thanks
- Joanna, Copper Contributor
I have the same questions.
My understanding is: the benefit of ADE is that, if you do make a VHD snapshot, that disk is encrypted, while a VHD/snapshot created from an SSE-protected disk is not encrypted. Is this correct?
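The monitoring idea in tony roth's reply above (BEK access outside a break-glass account should be a loud signal for the SecOps team), as an added example that is not from this thread: a small Python check over constructed Key Vault audit records that flags successful BEK secret reads by any identity outside the allowed set and separately surfaces denied attempts. The record shape is modelled loosely on Key Vault AuditEvent diagnostic entries; the field names, vault name, identities and the `bek-` secret naming convention are all assumptions, so match them to your own export and inventory.

```python
import json

# Constructed sample records, shaped loosely after Azure Key Vault AuditEvent
# diagnostic entries (field names, vault, identities and IPs are assumptions).
SAMPLE_LOG_LINES = [
    '{"operationName":"SecretGet","resultType":"Success","identity":{"claim":{"upn":"breakglass@example.com"}},"callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-ade.vault.azure.net/secrets/bek-vm-sql01"}}',
    '{"operationName":"SecretGet","resultType":"Success","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"callerIpAddress":"10.0.0.4","properties":{"id":"https://kv-ade.vault.azure.net/secrets/bek-vm-sql01"}}',
    '{"operationName":"SecretGet","resultType":"Forbidden","identity":{"claim":{"upn":"bob@example.com"}},"callerIpAddress":"198.51.100.7","properties":{"id":"https://kv-ade.vault.azure.net/secrets/bek-vm-web02"}}',
    '{"operationName":"SecretGet","resultType":"Success","identity":{"claim":{"upn":"bob@example.com"}},"callerIpAddress":"198.51.100.7","properties":{"id":"https://kv-ade.vault.azure.net/secrets/bek-vm-web02"}}',
    '{"operationName":"SecretGet","resultType":"Success","identity":{"claim":{"upn":"breakglass@example.com"}},"callerIpAddress":"203.0.113.10","properties":{"id":"https://kv-ade.vault.azure.net/secrets/app-db-password"}}',
    '{"operationName":"SecretList","resultType":"Success","identity":{"claim":{"upn":"bob@example.com"}},"callerIpAddress":"198.51.100.7","properties":{"id":"https://kv-ade.vault.azure.net/secrets"}}',
]

# Identities permitted to read BEK secrets: the break-glass account and the
# restore automation's service principal appid (both constructed values).
ALLOWED_BEK_READERS = {"breakglass@example.com", "11111111-2222-3333-4444-555555555555"}
BEK_PREFIX = "/secrets/bek-"  # constructed naming convention; use your own inventory

def caller(entry):
    """Pick the user principal or app id that made the call."""
    claim = entry.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or "unknown"

def is_bek_secret(entry):
    return BEK_PREFIX in entry.get("properties", {}).get("id", "")

def review_bek_access(lines, allowed=ALLOWED_BEK_READERS):
    """Classify audit records that touch BEK secrets.

    unexpected: successful reads by identities outside `allowed`
    denied:     failed attempts, an early signal worth alerting on as well
    reads:      successful BEK reads per caller, for baselining normal restore volume
    """
    unexpected, denied, reads = [], [], {}
    for line in lines:
        entry = json.loads(line)
        if entry.get("operationName") != "SecretGet" or not is_bek_secret(entry):
            continue  # only secret reads against BEK entries matter here
        who = caller(entry)
        event = (who, entry["properties"]["id"], entry.get("callerIpAddress"))
        if entry.get("resultType") != "Success":
            denied.append(event)
            continue
        reads[who] = reads.get(who, 0) + 1
        if who not in allowed:
            unexpected.append(event)
    return {"unexpected": unexpected, "denied": denied, "reads": reads}

if __name__ == "__main__":
    print(json.dumps(review_bek_access(SAMPLE_LOG_LINES), indent=2))
```

In the sample, the break-glass and automation reads are baselined, bob's denied attempt and his later successful read of the same BEK are both surfaced, and the unrelated application secret is ignored.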