Solidifying Microsoft Azure Security for SharePoint and SQL in the Cloud

Best practices to ensure that data stored in SQL Server and SharePoint is protected when it is hosted in Microsoft Azure in the cloud.

More and more organizations are moving SharePoint and SQL workloads into Microsoft Azure because of the simplicity of spinning up servers in the cloud and adding or decreasing capacity without having to BUY servers on-premises. What used to cost organizations $20,000, $50,000, or more in purchasing servers, storage, network bandwidth, replica disaster recovery sites, etc., and delay SharePoint and SQL rollouts by weeks or months, is now completely handled by spinning up virtual machines in Azure and customizing and configuring the systems in the cloud.

But the question always comes up: is it "safe" to put SQL data and SharePoint content up in the cloud? The answer is absolutely YES, SQL and SharePoint in Azure are perfectly safe for storing protected content AS LONG AS the systems are configured properly! In fact, we have configured SharePoint and SQL to be MORE SAFE (significantly more safe!) in Azure than most organizations can claim for their on-premises security today.

Here are the layers of security that can be put in place to PROTECT SharePoint and SQL in Azure:

  • Microsoft Azure Security: First of all, specific to what Microsoft does for security, a visit to Microsoft's Azure "Trust Center" provides organizations with information about what Microsoft builds into its Azure cloud services. There is a whitepaper on Microsoft's security on the Trust site. Within the Trust site, clicking Privacy walks through Microsoft's statements and audits on privacy and security, and clicking Compliance provides information about its compliance with ISO, HIPAA, SOC 1 / SOC 2 / SSAE / ISAE attestations, etc. There's a LOT there, and I'd say that MOST organizations that question Microsoft's Azure datacenter security need to ask themselves whether they have 7 layers of defense, third-party audited security controls, security and compliance certifications, and the like.

BUT the concern most security and compliance officers have is: what if Microsoft is subpoenaed to hand over information, what if somebody hacks their way past the 7 layers of defense, or what if a rogue employee compromises the system? The standards, audits, etc. above are good but not foolproof. SO, my recommendation has been to ENCRYPT your content and have YOU keep your encryption key. Here's what can be layered ON TOP OF what Microsoft provides:

  • Encrypt SQL: With Microsoft providing virtual machines on which organizations can install SQL Server, what an organization can (and should) do is ENCRYPT its SQL databases! Microsoft has what is called "Transparent Data Encryption" (TDE), which allows an organization to encrypt the ENTIRE database and KEEP the key! TDE will protect data in a SQL database, which obviously includes SharePoint content, since SharePoint content is stored in a SQL database. This is a highly effective way of keeping you in charge of your information; see Section 5 in this SQL on Azure tutorial on encrypting the SQL data.

If someone gains access to your database, either by legal power or by unauthorized access, the database itself is encrypted, so the blobs of encrypted "stuff" are useless to them. The key(s) would have to be subpoenaed separately, or someone would have to steal the keys from your site in addition to the databases that are up in Azure...
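As an added example (not from the original post or the tutorial it references), this is the T-SQL sequence that enables TDE on a SharePoint content database running on a SQL Server VM and backs up the certificate so the key stays with you; the database name WSS_Content, the certificate name, the file paths and the passwords are assumed placeholders.

```sql
-- Added example: enabling TDE on a SharePoint content database on a SQL Server VM.
-- TDE_SharePointCert, WSS_Content and the paths are placeholders; passwords are constructed samples.
USE master;
GO
-- 1. The database master key in master protects the certificate; the certificate protects
--    the per-database encryption key created below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TDE_SharePointCert
    WITH SUBJECT = 'TDE certificate for SharePoint content databases';
GO
-- 2. Back up the certificate AND its private key right away and move the files OFF the
--    Azure VM. Without this backup the encrypted database and its backups cannot be
--    restored anywhere else; with it, the key stays under your control, not the cloud's.
BACKUP CERTIFICATE TDE_SharePointCert
    TO FILE = 'C:\TDEKeys\TDE_SharePointCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\TDEKeys\TDE_SharePointCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- 3. Create the database encryption key inside the content database and turn encryption on.
USE WSS_Content;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_SharePointCert;
GO
ALTER DATABASE WSS_Content SET ENCRYPTION ON;
GO
-- 4. Verify: encryption_state 3 = encrypted, 2 = encryption still in progress.
--    tempdb appears as encrypted as well, because TDE on any user database also encrypts it.
SELECT d.name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
GO
```

TDE decrypts transparently for any login that can already read the database, so it protects the data files, log files and backups at rest, which is exactly the stolen-database case above; it does not hide rows from a compromised SQL login or from the SharePoint service account.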

BUT then the comment comes up that with data in the cloud, "anyone" can access the data directly from anyplace in the world... The answer: NO, not unless you want everyone in the world to access the content directly from the Internet. If you have protected data that you ONLY want your employees in your corporate offices to access, then by default Azure does NOT expose that data externally. You actually have to configure your Azure and SQL virtual machine to have a public Internet address, and you have to configure Azure to open up firewall ports, before anyone can gain direct access to your VMs/servers in Azure. If you ONLY want your employees to access content in Azure (SQL data or SharePoint data stored in SQL), then create a SECURED TUNNEL between your corporate sites and Microsoft Azure. A couple of ways you can do this:

  • Site to Site VPN: You can create a site-to-site VPN between your datacenter and Microsoft Azure, using IPsec to protect the channel of communications to YOUR data. Microsoft Azure provides site-to-site connectivity from Cisco, Brocade, Check Point, SonicWall, Fortinet, Juniper, etc., or you can simply configure an old-fashioned Microsoft Windows RRAS server for an S2S secured VPN tunnel. There are LOTS of ways to create a secured and protected tunnel between your office(s) and Microsoft Azure where there is NO direct connection into your data.
  • Site to Site using ExpressRoute: Another way to create a connection between your offices and Microsoft is through what Microsoft calls "ExpressRoute". ExpressRoute is a PRIVATE connection between your enterprise and Microsoft, effectively a "last mile" type of private connection right into Azure. Microsoft has partnered with companies like Equinix (and soon others), so there are MANY local on-ramps to connect organizations right into Azure. With ExpressRoute, you're not even going through a tunnel over the general Internet; you actually have a direct connection (not over the Internet) to your Azure servers. Internal users go over your LAN/WAN to access data in Azure, and presumably your remote users have some form of 2-factor authentication and encryption when they connect into your environment remotely, from where their traffic then crosses ExpressRoute in an encrypted direct transport to your Azure data.

For those who are hardcore and STILL beat me down on security in Azure, where a 7-level deep secured datacenter, with encrypted databases, connected over secured encrypted connections, is not good enough, one more thing we have done for organizations is to ENCRYPT the content that gets stored in the encrypted databases! For something like SharePoint, Microsoft has a technology called Rights Management Services (RMS) that allows organizations to set policies so that every Word doc, Excel spreadsheet, PDF file, JPG graphic, TIF file, PowerPoint presentation, etc. is ENCRYPTED as it is stored in a SharePoint library.

  • Encryption of Content within SharePoint: Microsoft Rights Management Services (RMS) encryption is tied to users' Active Directory credentials, so that content is encrypted upon creation and access and is stored in SharePoint protected. Even if a user takes content OUT of SharePoint and accidentally (or absent-mindedly) uploads it to Dropbox, Box, OneDrive, etc., the actual FILE (doc, spreadsheet, etc.) remains encrypted and accessible ONLY by the authorized targeted recipients of the content.

So now you are taking something like a Word doc, which is encrypted automatically with Microsoft RMS (for which the keys remain in Active Directory, so YOU own and keep the keys), transported over an encrypted and protected tunnel, saved in an encrypted SQL database (for which you also own and keep the keys), in a Microsoft datacenter that has 7 layers of security and a pile of security audits and certifications noting the protection in place.

With ALL this in place, I have YET to have a compliance officer or a security officer tell me that they are doing a better job at securing content on their own and can poke holes in this process. It is most certainly MORE security than pretty much every organization I've seen has put in place TODAY for their servers, databases, SharePoint content, etc., in terms of layers of security, multiple levels of encryption, and even file-level encryption of content stored in SharePoint that prevents data leakage outside of the environment.


Rand Morimoto is the President of Convergent Computing, a strategy and technology consulting firm headquartered in the San Francisco Bay Area. Dr. Morimoto is the author of the book "Cybersecurity: Being Cyber Aware and Cyber Safe" and was the Internet Security Advisor to President Bush, and Y2K Advisor to President Clinton.
