Tech ONTAP Blogs
Federal government and regulated-industry customers require the same performance and enterprise-grade services that private industry does, but they also carry many additional security and compliance requirements, especially around data storage, access, and sovereignty. Those requirements make it harder for public sector and regulated-industry customers to operate in Azure's public cloud services.
Azure NetApp Files is a high-performance, enterprise-class file storage service that is natively integrated with Azure Government. Azure NetApp Files is a high-performance, scalable, and secure storage service for running mission-critical applications and workloads in Azure.
Azure NetApp Files integration with Azure services simplifies migration, enabling users to move their workloads from on-premises environments to the cloud with minimal effort. Its security and compliance features address the critical compliance and regulatory requirements of public sector and regulated-industry customers.
Azure NetApp Files saves time and money by enhancing cloud application deployment and operation with added security and compliance, enabling your organization to focus on innovation rather than administration, delivering greater value.
For organizations looking to migrate their applications and workloads to Azure, Azure NetApp Files provides a seamless experience for migrating Windows apps and SQL Server, Linux OSS apps and databases, and SAP on Azure.
https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-solution-architectures
Azure NetApp Files in Azure Government regions and the latest security and compliance features discussed in this article mean that customers who require DoD IL5 can now benefit from Azure NetApp Files for their enterprise workloads.
Azure Government supports applications that use IL5 data in all available regions. IL5 requirements are defined in the U.S. DoD Cloud Computing Security Requirements Guide (SRG). IL5 data carries a higher potential impact for the DoD if compromised, so IL5 workloads must be secured to a higher standard. When these workloads are deployed in Azure Government, the isolation requirements can be met in various ways.
The three key capabilities and services available to support the stringent data security and storage isolation requirements of the U.S. federal government are Azure NetApp Files, customer-managed keys, and Azure Key Vault. Using all three supports IL5 compliance and also gives customers high-performance, enterprise-class storage for migrating their mission-critical workloads to Azure.
Azure Government uses physically isolated data centers and networks located only in the United States. This location restriction provides the highest level of security, compliance, and sovereignty for customer deployments. Azure Government services handle data that is subject to government regulations and requirements, such as FedRAMP, NIST SP 800-171 (DIB), ITAR, IRS 1075, DoD IL4, DoD IL5, and CJIS. Compared with Azure Commercial globally, Azure Government offers customers an extra layer of protection: contractual commitments restrict storage of customer data to the United States, and potential access to systems that process customer data is limited to screened personnel in the United States.
Azure NetApp Files is available in Azure Commercial for all customers, including those in the public sector and regulated industries. With the latest security and compliance enhancements, Azure NetApp Files now offers full feature parity between Azure Government and Azure Commercial regions. Now, public sector and regulated industries customers can enjoy many of the same features as their Azure Commercial counterparts, such as the following.
Although these enterprise-class features were well suited to public sector and regulated industries, Azure NetApp Files in Azure Government did not yet meet all the security and compliance requirements that those customers need before moving production workloads. This situation changed recently with the announcement of several new features that enhance data safety, security, and compliance by protecting data at both the data-plane and control-plane layers, mitigating the threat of attacks and unplanned data loss.
This blog explores the following new Azure NetApp Files features:
To reiterate, with these latest security and compliance feature releases, feature parity has been reached between Azure NetApp Files in Azure Government and Azure Commercial.
Financial institutions, military users, business customers, governments, healthcare institutions, and more all use critical data. Single encryption at rest may be sufficient for some data, but double encryption at rest is necessary for data where a breach of confidentiality would be catastrophic. Leaks of information such as customer-sensitive data, names, addresses, and government identification can result in extremely high liability. That risk can be mitigated by protecting data confidentiality with double encryption at rest.
When data is transported over networks, additional encryption such as Transport Layer Security (TLS) can help to protect data in transit. But once the data has arrived, protection is necessary to help address the vulnerability of data at rest. Using Azure NetApp Files double encryption at rest complements the security that’s inherent with the physically secure cloud storage in Azure data centers.
Azure NetApp Files double encryption at rest provides two independent layers of encryption: a hardware-based layer (self-encrypting SSDs) and a software-based layer. The hardware-based layer resides at the physical storage level, using FIPS 140-2 certified drives. The software-based layer operates at the volume level and completes the second layer of protection. Double encryption is selected per capacity pool, so volumes inherit it from the pool they are created in. For more information, see Azure NetApp Files double encryption at rest.
When a volume is created in a double encryption capacity pool, the default key management (the Encryption Key Source field) is Microsoft-managed key, and the other choice is customer-managed key (CMK). Using customer-managed keys requires additional preparation of an Azure Key Vault and other details. For more information about using volume encryption with customer managed keys, see Configure customer-managed keys for Azure NetApp Files volume encryption or watch this How-to video:
With the release of customer-managed keys for Azure NetApp Files volume encryption in Azure Government, public sector and regulated industries customers who require DoD IL5 support can now benefit from enhanced volume encryption. This advance enables customers to securely move mission-critical workloads, such as databases, Azure virtual desktops, and high-performance computing (HPC), to Azure NetApp Files.
Customer-managed keys (CMK) is a security feature that allows organizations to take control of their keys and manage them independently from the cloud service provider. In the context of Azure NetApp Files, customer-managed keys enable customers to encrypt and decrypt their data stored in Azure NetApp Files by using their own keys, so that they have exclusive access control.
Customer-managed keys in Azure NetApp Files enhances data protection in the following ways.
Azure NetApp Files volume encryption with customer-managed keys stored in a managed Hardware Security Module (HSM) is an extension of the customer-managed keys feature for Azure NetApp Files volume encryption. Customer-managed keys with managed HSM allow the encryption keys to be held in a FIPS 140-2 Level 3 validated HSM rather than in the FIPS 140-2 Level 1 (software-protected) or Level 2 (HSM-protected, Premium tier) key storage offered by Azure Key Vault (AKV). For more information, see Configure customer-managed keys with managed Hardware Security Module for Azure NetApp Files volume encryption.
An Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables customers to safeguard cryptographic keys for cloud applications, using FIPS 140-2 Level 3 validated HSM. For more information, see What is Azure Key Vault Managed HSM.
This option is especially important for public sector and regulated-industry customers with highly sensitive data. Using an Azure Key Vault Managed HSM with Azure NetApp Files volumes strengthens the protection of sensitive information and supports compliance with stringent security requirements. These HSMs are tamper-resistant, provide isolated access control, and are dedicated to a single customer.
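The customer-managed key setup described above (the Encryption Key Source choice on the volume, the Key Vault preparation, and the managed HSM variant) can be expressed as a single deployment. The following Bicep template is an added example and is not code from the original post, from NetApp, or from Microsoft. Every resource name, the delegated subnet ID, and the Key Vault private endpoint ID are placeholders; the key permissions (get, encrypt, decrypt), the RSA 2048 key type, and the Standard network-features setting are assumptions to be checked against the Microsoft documentation linked in this post.

```bicep
// Added example, not from the original post: an Azure NetApp Files account
// whose volumes use a customer-managed key from Azure Key Vault, in a
// double-encryption capacity pool. All names and IDs below are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param accountName string = 'anf-gov-example'
param keyVaultName string = 'kv-anf-cmk-example'
param keyName string = 'anf-volume-key'
@description('Subnet delegated to Microsoft.NetApp/volumes (assumed to exist)')
param delegatedSubnetId string
@description('Private endpoint for the Key Vault, reachable from the volume VNet (assumed to exist)')
param keyVaultPrivateEndpointId string

// User-assigned identity for the account, so it can be granted key access
// before the account itself is created (avoids a circular dependency).
resource anfIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${accountName}-id'
  location: location
}

// Key Vault prerequisites for customer-managed keys: soft delete and purge
// protection enabled. The access policy grants the identity the key
// permissions assumed here: get, encrypt, decrypt.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: true
    enablePurgeProtection: true
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: anfIdentity.properties.principalId
        permissions: { keys: [ 'get', 'encrypt', 'decrypt' ] }
      }
    ]
  }
}

// RSA 2048 key that will wrap the volume encryption keys (key type assumed).
resource volumeKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: { kty: 'RSA', keySize: 2048 }
}

// NetApp account: encryption key source switched from Microsoft-managed
// (the default) to the customer-managed key in the vault above.
resource account 'Microsoft.NetApp/netAppAccounts@2023-05-01' = {
  name: accountName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${anfIdentity.id}': {} }
  }
  properties: {
    encryption: {
      keySource: 'Microsoft.KeyVault'
      keyVaultProperties: {
        keyVaultUri: kv.properties.vaultUri
        keyName: volumeKey.name
        keyVaultResourceId: kv.id
      }
      identity: { userAssignedIdentity: anfIdentity.id }
    }
  }
}

// Double encryption is a capacity-pool property chosen at pool creation.
resource pool 'Microsoft.NetApp/netAppAccounts/capacityPools@2023-05-01' = {
  parent: account
  name: 'pool-double'
  location: location
  properties: {
    serviceLevel: 'Premium'
    size: 4398046511104 // 4 TiB
    encryptionType: 'Double'
  }
}

// Volume whose software-encryption layer uses the customer-managed key; the
// private endpoint lets the volume's network reach the vault privately.
resource vol 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2023-05-01' = {
  parent: pool
  name: 'vol-cmk'
  location: location
  properties: {
    creationToken: 'vol-cmk'
    usageThreshold: 107374182400 // 100 GiB
    serviceLevel: 'Premium'
    protocolTypes: [ 'NFSv4.1' ]
    subnetId: delegatedSubnetId
    networkFeatures: 'Standard' // assumed requirement for CMK volumes
    encryptionKeySource: 'Microsoft.KeyVault'
    keyVaultPrivateEndpointResourceId: keyVaultPrivateEndpointId
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file anf-cmk.bicep --parameters delegatedSubnetId=<id> keyVaultPrivateEndpointId=<id>`. For the managed HSM variant covered in the section above, the vault resource is replaced by a Managed HSM and its URI is used as the key vault URI, and key permissions are granted through the HSM's own local RBAC instead of a vault access policy; follow the linked Microsoft guide for the exact role. Note that once a volume is created with a customer-managed key, revoking the identity's access to the key (or disabling the key) makes the volume unreadable, which is the control this feature is meant to give the customer, so key rotation and access changes belong in a change process, not an ad hoc edit.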
With the latest security and compliance feature releases, Azure NetApp Files has achieved feature parity between Azure Government and Azure Commercial. Additionally, Azure NetApp Files now offers a comprehensive set of security and compliance features, ensuring the secure storage of sensitive information for all customers.
The release of customer-managed keys in Azure Government enables public sector and regulated-industry customers who require IL5 compliance to use Azure NetApp Files for their mission-critical workloads. With its ease of use, cost efficiency, and robust support, Azure NetApp Files is an essential service for public sector and regulated-industry customers, enabling them to use the cloud while meeting their unique requirements.