Encryption and Key Management for Microsoft Azure

Alliance Key Manager for Microsoft Azure

Your Data in Microsoft Azure is Encrypted. How are You Managing the Keys?

Using the same FIPS 140-2 compliant key management software found in Townsend Security’s HSM, Alliance Key Manager for Microsoft Azure is deployed in Microsoft Azure with the management tools Microsoft provides. The solution addresses the complexity of the cloud with encryption and key management for a defensible security plan: one that protects your business, reduces the chance of a data breach, and meets compliance requirements.

    A Key Management Solution for Data in the Cloud

    Alliance Key Manager for Microsoft Azure is a full virtual machine (VM) that you run on demand. Because it is deployed as a Microsoft Azure virtual machine, you pay only for what you use. Alliance Key Manager for Microsoft Azure can protect data in any Microsoft Azure environment (IaaS and PaaS) and in non-Azure environments such as other cloud platforms, hosting providers, and traditional IT data centers.

    Neglecting Encryption Key Management is a Business Risk

    Encryption and key management have become a strategic IT security issue. Protecting your encryption keys mitigates the risk of data breaches and cyber-attacks, and protects an organization’s brand, reputation and credibility. Alliance Key Manager for Microsoft Azure addresses these challenges by helping enterprises reduce risk, support business continuity, and demonstrate compliance.

    Microsoft Azure Virtual Network (Virtual Private Cloud)

    Encryption key management is a critical security function, and many organizations will want to run Alliance Key Manager inside an Azure Virtual Network (VNet), Azure’s equivalent of a virtual private cloud, to meet their security goals or compliance regulations. Placing the key manager on a private subnet means only the application and database servers that need keys can reach it. Alliance Key Manager for Microsoft Azure can be deployed in an Azure Virtual Network without any changes.

    Key Mirroring for High Availability (HA)

    Because encryption and key management are mission-critical functions, Alliance Key Manager implements real-time mirroring of encryption keys and key access policies, and supports active-active mirroring to another virtual instance of Alliance Key Manager or to a physical HSM. Most Microsoft Azure users will mirror to a key management instance in a different availability zone or region, but multiple mirroring targets are supported and you can choose the key management topology that makes the most sense for you.

    Encryption Key Management Ready-To-Use

    Alliance Key Manager for Microsoft Azure creates everything you need to protect your sensitive data on first boot. Within seconds of starting the AKM Microsoft Azure virtual machine, it automatically installs a 30-day trial license, generates a certificate authority and client-side credentials, and generates encryption keys that you can immediately use with SQL Server, SharePoint, and other applications you run in Microsoft Azure.

    Protect Information in These Applications

    Many Microsoft solutions run on top of Microsoft SQL Server Enterprise, which supports Transparent Data Encryption (TDE). Alliance Key Manager can be deployed in Microsoft Azure to protect databases and applications that use TDE, including:

    • Microsoft SQL Server Enterprise
    • Microsoft SharePoint
    • Microsoft Dynamics CRM, AX, GP, etc.
    • Custom .NET applications (and applications in other languages)

    Microsoft Azure SQL Database

    Azure SQL Database (PaaS) does not expose SQL Server’s Extensible Key Management interface, so data stored there is encrypted in the application instead. Developers can use the cryptographic service providers (CSPs) built into the Microsoft .NET Framework to access Advanced Encryption Standard (AES) algorithms, and add key management to their .NET applications to implement automatic column-level encryption with keys retrieved from Alliance Key Manager rather than stored with the application. Use CBC with a fresh random IV for each value; ECB mode reveals which encrypted values are equal and should not be used for data encryption.

    SQL Server 2008 and Later Enterprise Editions

    Enterprises can encrypt sensitive SQL Server data using Microsoft Extensible Key Management (EKM) with Transparent Data Encryption (TDE) or cell-level encryption. Alliance Key Manager supplies an EKM provider, so the key that protects the database encryption key (and the keys used for cell-level encryption) stays on the key manager rather than inside SQL Server. This is the fastest and easiest way to achieve database protection in Microsoft Azure.
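    The following T-SQL, added here as an example and not taken from the page or from Townsend Security’s own scripts, shows the sequence a DBA runs to register an EKM provider, place a database under TDE with its key-encryption key held on the key manager, verify the result, and protect a single column with a key wrapped the same way. The provider name, DLL path, credential IDENTITY and SECRET values, key names and database name are assumptions; replace them with the values from the Alliance Key Manager EKM provider installation.

```sql
-- Added example, not the product's own script. Provider name, DLL path,
-- credential values, key names and the database name are placeholders.
-- Requires sysadmin on a SQL Server edition that supports EKM (Enterprise).

-- 1. Turn on the EKM feature for the instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the key manager's EKM provider DLL (path is a placeholder).
CREATE CRYPTOGRAPHIC PROVIDER AKM_Provider
    FROM FILE = 'C:\Program Files\Townsend Security\EKM\akm_ekm_provider.dll';
GO

-- 3. Credential the provider uses to authenticate to the key manager,
--    mapped to the login that will create the key references.
CREATE CREDENTIAL AKM_Admin_Cred
    WITH IDENTITY = 'akm_service', SECRET = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER AKM_Provider;
ALTER LOGIN [sa] ADD CREDENTIAL AKM_Admin_Cred;
GO

-- 4. In master, reference an existing key on the key manager. Only a handle
--    is stored in SQL Server; the private key never leaves the key manager.
USE master;
CREATE ASYMMETRIC KEY AKM_TDE_Key
    FROM PROVIDER AKM_Provider
    WITH PROVIDER_KEY_NAME = 'TDE_KEY_01',          -- placeholder key name
         CREATION_DISPOSITION = OPEN_EXISTING;

-- 5. A login bound to that key, with its own credential, so the engine can
--    reach the key manager at startup to unwrap the database encryption key.
CREATE LOGIN AKM_TDE_Login FROM ASYMMETRIC KEY AKM_TDE_Key;
CREATE CREDENTIAL AKM_TDE_Cred
    WITH IDENTITY = 'akm_service', SECRET = 'placeholder-secret'
    FOR CRYPTOGRAPHIC PROVIDER AKM_Provider;
ALTER LOGIN AKM_TDE_Login ADD CREDENTIAL AKM_TDE_Cred;
GO

-- 6. Create the DEK for the target database (a SharePoint content database
--    or a Dynamics database works the same way), wrapped by the EKM key,
--    and switch TDE on. The name WSS_Content is a placeholder.
USE WSS_Content;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY AKM_TDE_Key;
ALTER DATABASE WSS_Content SET ENCRYPTION ON;
GO

-- 7. Check: encryption_state 2 = in progress, 3 = encrypted. tempdb is
--    listed too because it is encrypted whenever any user database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
GO

-- 8. Cell-level encryption in the same database: a SQL symmetric key that is
--    itself protected by a key on the key manager, used for one column.
CREATE ASYMMETRIC KEY AKM_Cell_Wrap_Key
    FROM PROVIDER AKM_Provider
    WITH PROVIDER_KEY_NAME = 'CELL_WRAP_KEY_01',    -- placeholder key name
         CREATION_DISPOSITION = OPEN_EXISTING;
CREATE SYMMETRIC KEY Customer_Column_Key
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY AKM_Cell_Wrap_Key;

CREATE TABLE dbo.Customers (
    Id  INT IDENTITY PRIMARY KEY,
    Ssn VARBINARY(256) NOT NULL        -- ciphertext, never the plaintext
);
GO

-- Encrypt on insert, decrypt on read. The column key is unwrapped through
-- the EKM provider for this session only and closed afterwards.
OPEN SYMMETRIC KEY Customer_Column_Key
    DECRYPTION BY ASYMMETRIC KEY AKM_Cell_Wrap_Key;
INSERT INTO dbo.Customers (Ssn)
VALUES (ENCRYPTBYKEY(KEY_GUID('Customer_Column_Key'), N'123-45-6789'));
SELECT Id, CONVERT(NVARCHAR(32), DECRYPTBYKEY(Ssn)) AS Ssn
FROM dbo.Customers;
CLOSE SYMMETRIC KEY Customer_Column_Key;
GO
```

    Run it as a sysadmin; the login that executes CREATE ASYMMETRIC KEY must have a credential for the provider mapped to it, which is what step 3 arranges. The query in step 7 is worth keeping as a monitoring check, since encryption_state 3 is the only state in which the data files are fully encrypted. Because Azure SQL Database (PaaS) has no EKM interface, this script applies to SQL Server running in an Azure virtual machine, not to Azure SQL Database.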

    SQL Server Standard and Web Edition

    Enterprises using SQL Server Standard or Web Edition can encrypt sensitive data in the application using Alliance Key Manager for Microsoft Azure’s .NET AES encryption libraries. You can add compliant encryption to your SQL Server .NET applications or implement automatic column-level encryption, with the keys retrieved from the key manager rather than stored in the application or the database.

    SharePoint TDE Encryption

    Enterprises using SharePoint in Microsoft Azure to store files and documents with sensitive information can secure this information by applying the Alliance Key Manager SQL Server TDE encryption solution to the SharePoint content databases, where SharePoint stores uploaded files and documents. Encryption keys are stored on the key manager, away from the SharePoint servers, to meet compliance regulations and security best practices. Note that TDE protects the database files and their backups; content offloaded to the file system with Remote BLOB Storage lives outside the content database and needs its own protection.

    Microsoft Dynamics CRM, AX, GP, Encryption

    Enterprises using Microsoft Dynamics applications in the Azure cloud can protect data in these applications by implementing SQL Server TDE encryption through the Alliance Key Manager EKM provider. End users may inadvertently store sensitive information in free-text fields of these applications, and encrypting the entire SQL Server database with Alliance Key Manager for Microsoft Azure protects that information wherever it lands.

    Microsoft .NET Encryption and Key Management

    Enterprises with custom .NET applications written in C# can encrypt sensitive data using Alliance Key Manager for Microsoft Azure’s .NET AES encryption libraries. You can add compliant encryption to your .NET applications to protect data in non-Microsoft databases, or any unstructured data you wish to protect. Alliance Key Manager for Microsoft Azure helps organizations meet data security best practices, as well as compliance requirements for dual control and separation of duties.


    Encryption Key Management for Edge Computing

    Edge computing requires that applications and infrastructure move closer to end users to achieve performance and availability goals. For edge computing customers, this often means that application deployments move to cloud or remote on-premises facilities. With Alliance Key Manager for Edge Computing, businesses can affordably extend Alliance Key Manager to edge environments, in the cloud or on-premises.


    Deployment & Training Services Are Included

    Complexity is usually the largest concern when integrating encryption key management. Townsend Security has simplified the process. When businesses choose Alliance Key Manager, they receive not only industry-leading encryption key management but also free deployment and security hardening services. Townsend Security’s services team will:

    • Install and initialize the Alliance Key Manager (AKM) virtual image
    • Manage TLS certificates, including download and expiration date tracking
    • Implement mirroring for redundancy
    • Support backup configuration
    • Configure security log forwarding via Syslog
    • Activate MFA
    • Install and configure the Admin Console for key lifecycle management
    • Configure key retrieval for vSphere, SQL Server TDE, MongoDB TDE, and other clients

    Certifications and Validations

    NIST AES compliance (ECB and CBC modes of encryption; use CBC with a random IV for data, as ECB leaks equal plaintext blocks)

    NIST SHA validation

    NIST RNG validation (ANSI X9.31; NIST has since deprecated X9.31 in favor of SP 800-90A DRBGs, so confirm the RNG listed on the current validation certificate)

    NIST HMAC validation

    NIST FIPS 140-2, level 1



    TLS authenticated secure communications

    GUI console for key management

    Secure web application for server management

    Key Sizes

    AES 128, 192, 256 bit symmetric keys

    RSA 1024, 2048, 3072, 4096 bit asymmetric keys (1024-bit RSA is below the NIST minimum of 2048 bits and should be used only for legacy interoperability)

    Supported Azure Environments

    Windows Server 2008, 2008 R2, and 2012 (IaaS)

    Windows Azure (PaaS; now Microsoft Azure cloud services)

    SQL Azure (PaaS; now Azure SQL Database)