Protecting Cloud Workloads against Undisclosed Access in Microsoft Azure

An international law firm and longtime customer of WinMagic has leveraged our flagship encryption and key management platform – SecureDoc Enterprise Server – to protect thousands of endpoint devices against loss or theft. In this era of digital transformation, though, protecting endpoints is only one of many projects within their security and risk management portfolio. As the organization aims to leverage the undeniable benefits of cloud computing, IT had a new mandate to move their existing server infrastructure to Microsoft Azure. Security and compliance risks could no longer prevent cloud migration, despite concerns about undisclosed access to sensitive workloads, particularly those related to client cases, which could be subject to subpoena or government access.

Since the firm had relied successfully on SecureDoc to protect their endpoints for many years, they looked to WinMagic to help deliver a secure and compliant move of encrypted workloads to the Cloud. The first step in building out a successful migration strategy to Microsoft Azure was to engage with their infrastructure manager to understand their needs. Here were their requirements:

  • Zero-Trust Security – Understanding that certain lawful demands for customer data from Microsoft could disclose sensitive information, both the law firm and their clients required assurance that under no circumstance would the CSP or other tenants have undisclosed access to sensitive workloads or keys without their prior knowledge or consent.
  • Secure “Lift and Shift” – The customer builds enterprise-approved vSphere virtual machine (VM) images and then moves the images to Azure to be launched into production. As the VMs are migrated to Azure (known as “lift and shift”), data could not be exposed at any point throughout the process – including in transit.
  • Minimal Disruption – Encryption had to be transparent and automated as well, with minimal IT intervention required during regular VM startup and operations.
  • Compliance Visibility – Security teams also required a single dashboard to report the compliance state of all VMs across their Azure infrastructure. More importantly, if an unprotected VM is created, they required the ability to detect and take action on it.

After reviewing the customer’s needs, it became apparent that WinMagic’s SecureDoc CloudVM solution would be an ideal fit for their strategic requirements. The proposed solution included:

Workload (VM) Protection

Firstly, SecureDoc CloudVM was used to encrypt vSphere images – including the OS and all data – to provide baseline protection. Special attention was given to not just who controls the keys, but also who controls the encryption itself. For this, CloudVM agent-based workload encryption gave the customer complete control over the security and authentication of their workloads.

A previous blog written by Garry McCracken discussed the basic encryption and key management models for the cloud. The three different models are SSE, SSE-CPK and CSE.


Model | Definition
Server Side Encryption (SSE) | Encryption performed by the cloud service provider using keys owned and managed by the cloud service provider
Server Side Encryption with Customer Provided Keys (SSE-CPK) | Encryption performed by the cloud service provider using keys owned and managed by the customer (also known as BYOK, Bring Your Own Key)
Client Side Encryption (CSE) | Encryption performed by the customer (in the cloud) using keys owned and managed by the customer


Of these three models, only client-side encryption – with keys controlled and accessed by an on-premises key manager – met the security requirements for control of the data.

Phase 1 – Windows Workloads

In Phase 1, the firm required immediate protection of virtual machines running Windows Server 2012 and later. SecureDoc CloudVM offered fast and secure VM-level encryption for the Windows workloads. Leveraging PBConnex – WinMagic’s unique network-powered authentication solution – the VM reaches back to the enterprise-controlled key manager to retrieve the encryption keys, all before the OS even boots. Keys are delivered securely over the network, never supplied to an Azure API or Azure Infrastructure, even when offline. Authentication is automated and transparent, allowing VMs to boot securely within seconds.

Enterprise Key Management

Next, SecureDoc Enterprise Server (SES) was configured to sync with Azure for frequent discovery and import of all new or cloned VMs, enabling real-time compliance visibility. Once imported, SES automatically cross-references each workload with pre-configured security policies. Essentially, it asks “Did the VM check in with SES? Has it been encrypted? Are the necessary recovery keys available?” – all within minutes. That way, if an Azure admin at the firm were to start up a rogue VM, it would become apparent on the SES console that there is a non-compliant (unprotected) workload. Actions can then be taken to quarantine, enforce encryption or deny access to the VM.
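The compliance check described above, as an added illustration that is not WinMagic's SES or CloudVM code: each VM discovered by the cloud sync is tested against the three questions (checked in, encrypted, recovery keys escrowed) and mapped to one of the listed actions. The record layout, the 15-minute check-in threshold and the sample VM names are assumptions.

```python
# Reconciles VMs discovered in the cloud against key-manager records, following the
# three questions in the post. Illustrative logic only, not WinMagic's SES/CloudVM code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# A check-in older than this is treated as "not reporting" (assumed threshold).
CHECKIN_MAX_AGE = timedelta(minutes=15)

@dataclass
class KeyManagerRecord:
    encrypted: bool                  # workload encrypted by the agent?
    recovery_key_escrowed: bool      # recovery keys held by the enterprise key manager?
    last_checkin: Optional[datetime]

@dataclass
class Finding:
    vm_id: str
    state: str   # compliant | rogue | unencrypted | no_recovery_key | stale
    action: str  # none | deny_access | enforce_encryption | quarantine

def assess(vm_id: str, record: Optional[KeyManagerRecord], now: datetime) -> Finding:
    if record is None:
        # Discovered in Azure but never checked in: an unprotected (rogue) workload.
        return Finding(vm_id, "rogue", "deny_access")
    if not record.encrypted:
        return Finding(vm_id, "unencrypted", "enforce_encryption")
    if not record.recovery_key_escrowed:
        return Finding(vm_id, "no_recovery_key", "quarantine")
    if record.last_checkin is None or now - record.last_checkin > CHECKIN_MAX_AGE:
        return Finding(vm_id, "stale", "quarantine")
    return Finding(vm_id, "compliant", "none")

def reconcile(cloud_inventory, key_manager, now):
    """cloud_inventory: VM ids from the cloud sync; key_manager: id -> KeyManagerRecord."""
    return [assess(vm_id, key_manager.get(vm_id), now) for vm_id in sorted(cloud_inventory)]

# Constructed sample data (not real Azure or SES output).
NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {"vm-case-files-01", "vm-dms-02", "vm-test-03", "vm-rogue-04"}
SAMPLE_RECORDS = {
    "vm-case-files-01": KeyManagerRecord(True, True, NOW - timedelta(minutes=5)),
    "vm-dms-02": KeyManagerRecord(False, False, NOW - timedelta(minutes=2)),
    "vm-test-03": KeyManagerRecord(True, False, NOW - timedelta(minutes=1)),
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_INVENTORY, SAMPLE_RECORDS, NOW):
        print(f"{f.vm_id:18} {f.state:16} -> {f.action}")
```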

Phase 2 – Linux Workloads

Thus far, the implementation of our solution has gone remarkably well. In Phase 2, we will move on to encrypting the customer’s Linux VMs using CloudVM for Linux, with the basic architecture remaining the same. CloudVM for Linux will layer on top of the dm-crypt encryption built into the Linux OS. At this point, they will use the same enterprise-controlled platform and console as they used for the Windows VMs, as well as for their existing endpoint deployments – a single pane of glass to manage and monitor encryption across their entire distributed, hybrid IT architecture. The customer can now reduce the time and resources that would otherwise have been spent on multiple solutions – far exceeding their expectations.
