Azure encryption: ADE vs SSE threat modeling


Since we have 3k+ VMs in Azure, and hundreds of them unfortunately have TBs of spanned disks per VM, all created prior to the increase in disk size, ADE causes us great pain in terms of restores etc. Due to this I was walking down the threat model and found no real differences between SSE and ADE in terms of threats. Any thoughts on this? What threat does SSE expose vs ADE? I couldn't find any. Things to consider: insider vs external threats etc.

Thanks greatly in advance.

6 Replies
Hi Tony,

This may help answer your question:
Azure Disk Encryption leverages either the DM-Crypt feature of Linux or the BitLocker feature of Windows to encrypt managed disks with customer-managed keys within the guest VM. Server-side encryption with customer-managed keys improves on ADE by enabling you to use any OS types and images for your VMs by encrypting data in the Storage service.
For more references, see: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption
Sorry, I missed this. I'm very familiar with ADE and its inner workings; I'm more curious about the security threat model surrounding it vs just normal encrypted storage at rest. In theory, to me, anybody with access to the BEK keys in the Key Vault is the issue. We do enough restores every day that if we only had a break-glass account with access there would be more than enough signals to make our SecOps guys go nuts. Our current model is: if you can make a VM you can get to the BEK keys for the server, which basically is no different than encrypted storage at rest. BitLocker was meant for devices that you can gain physical access to, not really cloud servers, but for some reason we were asked to do ADE and I'm just trying to find an argument that's valid as to why ADE has a SecOps advantage over normal encrypted-at-rest storage.
Thanks
I have the same questions.
My understanding is: the benefit of ADE is that, if you do make a VHD snapshot, that disk is encrypted, while a VHD/snapshot created from an SSE-protected disk is not encrypted. Is this correct?
Yes, you are correct. I think what I've found is that you can put as much protection around SSE as you can around ADE; it's all about access permissions, and anybody with access to the BEK keys can export the disks. In our case we need to access the BEK keys several times a day, which can be painful when you are in a hurry, and if we limited access to the keys that would be even more painful. BitLocker is useful when you have a room that you can't control, or laptops, etc.

This might be a little late, but SSE provides encryption at rest, where ADE provides both encryption at rest and in transit.

From a threat point of view, if a storage account is compromised, the disks on that storage can be accessed as unencrypted, whereas with the use of ADE a compromised storage account does not necessarily compromise the VM disk.

I know the difference between ADE and SSE, but more often than not the only real protection you have is the auditing of access to either the BEK keys or the storage account. You can't prevent this access; if you did, then nobody would be able to restore a BEK-encrypted disk, so it's these accounts that need to be audited. Normally you'd create a break-glass account, but since restores are happening at the rate of 10 to 20 a day, the auditing value of the break-glass account is diminished greatly.
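An added example, not from this thread and not Microsoft's code, of the auditing approach discussed in this reply and in the earlier posts about BEK key access: rather than relying on a break-glass account that is used 10 to 20 times a day, keep an explicit allow-list of principals that are expected to read BEK secrets and a daily baseline, then triage Key Vault audit events against both. The event records, principal names, secret names and the `bek-` naming convention are all constructed for the example; real Key Vault diagnostic logs carry more fields and different identity claim names.

```python
from collections import Counter, defaultdict

# Constructed sample Key Vault audit events (hypothetical principals and secret
# names). Field names follow the general shape of Key Vault diagnostic logs
# (operationName, caller identity, resultSignature) but are simplified.
SAMPLE_EVENTS = [
    {"time": "2023-05-01T08:01:00Z", "operationName": "SecretGet",
     "caller": "restore-automation-sp", "secret": "bek-vm-0101",
     "resultSignature": "OK"},
    {"time": "2023-05-01T09:14:00Z", "operationName": "SecretGet",
     "caller": "restore-automation-sp", "secret": "bek-vm-0107",
     "resultSignature": "OK"},
    {"time": "2023-05-01T11:30:00Z", "operationName": "SecretList",
     "caller": "restore-automation-sp", "secret": "",
     "resultSignature": "OK"},
    {"time": "2023-05-01T13:02:00Z", "operationName": "SecretGet",
     "caller": "restore-automation-sp", "secret": "bek-vm-0112",
     "resultSignature": "OK"},
    {"time": "2023-05-01T14:45:00Z", "operationName": "SecretGet",
     "caller": "contractor-user", "secret": "bek-vm-0220",
     "resultSignature": "OK"},
    {"time": "2023-05-01T14:46:00Z", "operationName": "SecretGet",
     "caller": "contractor-user", "secret": "bek-vm-0221",
     "resultSignature": "Forbidden"},
]

# Hypothetical allow-list: the restore pipeline identity plus the break-glass account.
EXPECTED_BEK_READERS = {"restore-automation-sp", "breakglass-admin"}


def is_bek_read(event):
    """A BEK read is a SecretGet against a secret using the (assumed) bek- naming convention."""
    return event["operationName"] == "SecretGet" and event["secret"].startswith("bek-")


def triage(events, expected_readers, baseline_per_day=20):
    """Return a list of findings over BEK read events.

    Rules, in the order they are evaluated:
      denied_bek_read      - any non-OK result (someone tried and was refused)
      unexpected_reader    - a successful read by a principal not on the allow-list
      volume_over_baseline - one caller exceeding the expected daily restore rate,
                             reported with how many distinct BEKs it touched
    """
    findings = []
    reads_per_caller_day = Counter()
    distinct_secrets = defaultdict(set)

    for ev in events:
        if not is_bek_read(ev):
            continue
        day = ev["time"][:10]  # ISO timestamp prefix, e.g. 2023-05-01
        key = (ev["caller"], day)
        reads_per_caller_day[key] += 1
        distinct_secrets[key].add(ev["secret"])

        if ev["resultSignature"] != "OK":
            findings.append({"kind": "denied_bek_read", "caller": ev["caller"],
                             "secret": ev["secret"], "time": ev["time"]})
        elif ev["caller"] not in expected_readers:
            findings.append({"kind": "unexpected_reader", "caller": ev["caller"],
                             "secret": ev["secret"], "time": ev["time"]})

    # Volume check runs after the per-event rules so per-event findings come first.
    for (caller, day), count in sorted(reads_per_caller_day.items()):
        if count > baseline_per_day:
            findings.append({"kind": "volume_over_baseline", "caller": caller,
                             "day": day, "reads": count,
                             "distinct_bek_secrets": len(distinct_secrets[(caller, day)])})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, EXPECTED_BEK_READERS):
        print(finding)
```

With the sample data this flags the contractor's successful read of one BEK and the refused read of a second; the restore pipeline's three reads stay under the baseline. Lowering `baseline_per_day` to 2 additionally surfaces the pipeline identity as over baseline, with the distinct-secret count showing whether it was repeatedly restoring one VM or touching many, which is the signal that matters when one caller starts pulling BEKs for disks it has no restore ticket for.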