Isolation guidelines for Impact Level 5 workloads
Azure Government supports applications that use Impact Level 5 (IL5) data in all available regions. IL5 requirements are defined in the US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document addresses configurations and settings needed to meet the IL5 isolation requirements. We'll update this article as we enable new isolation options and the Defense Information Systems Agency (DISA) authorizes new services for IL5 data.
Background
In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to Azure Government, making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government regions US DoD Central and US DoD East (US DoD regions) that are dedicated to the DoD. Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover the remaining Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions). For service availability in Azure Government, see Products available by region.
- For a list of services in scope for DoD IL5 PA in US Gov regions, see Azure Government services by audit scope.
- For a list of services in scope for DoD IL5 PA in US DoD regions, see Azure Government DoD regions IL5 audit scope.
Azure Government is available to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD. Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.
Principles and approach
You need to address two key areas for Azure services in IL5 scope: compute isolation and storage isolation. We'll focus in this article on how Azure services can help you isolate the compute and storage services for IL5 data. The SRG allows for a shared management and network infrastructure. This article is focused on Azure Government compute and storage isolation approaches for US Gov Arizona, US Gov Texas, and US Gov Virginia regions (US Gov regions). If an Azure service is available in Azure Government DoD regions US DoD Central and US DoD East (US DoD regions) and authorized at IL5, then it is by default suitable for IL5 workloads with no extra isolation configuration required. Azure Government DoD regions are reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design. For more information, see DoD in Azure Government.
Important
You are responsible for designing and deploying your applications to meet DoD IL5 compliance requirements. In doing so, you should not include sensitive or restricted information in Azure resource names, as explained in Considerations for naming Azure resources.
Compute isolation
IL5 separation requirements are stated in Section 5.2.2.3 (Page 51) of the Cloud Computing SRG. The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines and virtual machine scale sets should be isolated by DoD mission owners via Azure Dedicated Host or isolated virtual machines. Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed.
Storage isolation
The DoD requirements for encrypting data at rest are provided in Section 5.11 (Page 122) of the Cloud Computing SRG. DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner doesn't have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control isn't possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.
In a recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140 validated Hardware Security Modules (HSMs). The keys are owned and managed by the IL5 system owner, also known as customer-managed keys (CMK).
Here's how this approach applies to services:
- If a service hosts only IL5 data, the service can control the key for end users. But it must use a dedicated key to protect IL5 data from all other data in the cloud.
- If a service will host IL5 and non-DoD data, the service must expose the option for end users to use their own encryption keys that are maintained in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.
This approach ensures all key material for decrypting data is stored separately from the data itself using a hardware-based key management solution.
Applying this guidance
IL5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required in addition to any other configurations or controls needed to meet IL5 requirements. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in this article.
Note
This article tracks Azure services that have received DoD IL5 PA and that require extra configuration options to meet IL5 isolation requirements. Services with IL5 PA that do not require any extra configuration options are not mentioned in this article. For a list of services in scope for DoD IL5 PA in US Gov regions, see Azure Government services by audit scope.
Be sure to review the entry for each service you're using and ensure that all isolation requirements are implemented.
AI + machine learning
For AI and machine learning services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure AI Search
- Configure encryption at rest of content in Azure AI Search by using customer-managed keys in Azure Key Vault.
Azure Machine Learning
- Configure encryption at rest of content in Azure Machine Learning by using customer-managed keys in Azure Key Vault. Azure Machine Learning stores snapshots, output, and logs in the Azure Blob Storage account that's associated with the Azure Machine Learning workspace and customer subscription. All the data stored in Azure Blob Storage is encrypted at rest with Microsoft-managed keys. Customers can use their own keys for data stored in Azure Blob Storage. See Configure encryption with customer-managed keys stored in Azure Key Vault.
Azure AI services: Content Moderator
- Configure encryption at rest of content in the Content Moderator service by using customer-managed keys in Azure Key Vault.
Azure AI services: Custom Vision
- Configure encryption at rest of content in Azure AI Custom Vision using customer-managed keys in Azure Key Vault.
Azure AI services: Face
- Configure encryption at rest of content in the Face service by using customer-managed keys in Azure Key Vault.
Azure AI Language Understanding (LUIS)
- Configure encryption at rest of content in the Language Understanding service by using customer-managed keys in Azure Key Vault.
Azure AI Language Understanding (LUIS) is part of Azure AI Language.
Azure AI services: Azure OpenAI
- Configure encryption at rest of content in Azure OpenAI using customer-managed keys in Azure Key Vault.
Azure AI services: Personalizer
- Configure encryption at rest of content in Azure AI Personalizer using customer-managed keys in Azure Key Vault.
Azure AI services: QnA Maker
- Configure encryption at rest of content in Azure AI QnA Maker using customer-managed keys in Azure Key Vault.
Azure AI QnA Maker is part of Azure AI Language.
Azure AI Speech
- Configure encryption at rest of content in Speech Services by using customer-managed keys in Azure Key Vault.
Azure AI services: Translator
- Configure encryption at rest of content in the Translator service by using customer-managed keys in Azure Key Vault.
Analytics
For Analytics services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Databricks
- Azure Databricks can be deployed to existing storage accounts that have enabled appropriate Storage encryption with Key Vault managed keys.
- Configure customer-managed Keys (CMK) for your Azure Databricks Workspace and Databricks File System (DBFS).
Azure Data Explorer
- Data in Azure Data Explorer clusters in Azure is secured and encrypted with Microsoft-managed keys by default. For extra control over encryption keys, you can supply customer-managed keys to use for data encryption and manage encryption of your data at the storage level with your own keys.
Azure HDInsight
- Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate Storage service encryption, as discussed in the guidance for Azure Storage.
- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for transparent data encryption (TDE) is enabled on the option you choose. This process is discussed in the guidance for Azure SQL Database.
Azure Stream Analytics
- Configure encryption at rest of content in Azure Stream Analytics by using customer-managed keys in Azure Key Vault.
Azure Synapse Analytics
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption. The instructions to enable this configuration for Azure Synapse Analytics are the same as the instructions to do so for Azure SQL Database.
Data Factory
- Secure data store credentials by storing encrypted credentials in a Data Factory managed store. Data Factory helps protect your data store credentials by encrypting them with certificates managed by Microsoft. For more information about Azure Storage security, see Azure Storage security overview. You can also store the data store's credentials in Azure Key Vault. Data Factory retrieves the credentials during the execution of an activity. For more information, see Store credentials in Azure Key Vault.
Event Hubs
- Configure encryption at rest of content in Azure Event Hubs by using customer-managed keys in Azure Key Vault.
Power BI
- Configure encryption at rest of content in Power BI by using customer-managed keys in Azure Key Vault.
Compute
For Compute services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Batch
- Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on batch account configurations.
Virtual machines and virtual machine scale sets
You can use Azure virtual machines with multiple deployment mediums. You can do so for single virtual machines and for virtual machines deployed via the Azure virtual machine scale sets feature.
All virtual machines should use Disk Encryption for virtual machines or Disk Encryption for virtual machine scale sets, or place virtual machine disks in a storage account that can hold Impact Level 5 data as described in the Azure Storage section.
Important
When you deploy VMs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, you must use Azure Dedicated Host, as described in the next section.
Azure Dedicated Host
Azure Dedicated Host provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in our datacenters, provided as a resource. You can provision dedicated hosts within a region, availability zone, and fault domain. You can then place VMs directly into your provisioned hosts, in whatever configuration meets your needs.
These VMs provide the necessary level of isolation required to support IL5 workloads when deployed outside of the dedicated DoD regions. When you use Dedicated Host, your Azure VMs are placed on an isolated and dedicated physical server that runs only your organization’s workloads to meet compliance guidelines and standards.
Current Dedicated Host SKUs (VM series and Host Type) that offer the required compute isolation include SKUs in the VM families listed on the Dedicated Host pricing page.
Isolated virtual machines
Virtual machine scale sets aren't currently supported on Azure Dedicated Host. But specific VM types, when deployed, consume the entire physical host for the VM. Isolated VM types can be deployed via virtual machine scale sets to provide proper compute isolation with all the benefits of virtual machine scale sets in place. When you configure your scale set, select the appropriate SKU. To encrypt the data at rest, see the next section for supportable encryption options.
Important
As new hardware generations become available, some VM types might require reconfiguration (scale up or migration to a new VM SKU) to ensure they remain on properly dedicated hardware. For more information, see Virtual machine isolation in Azure.
Disk encryption for virtual machines
You can encrypt the storage that supports these virtual machines in one of two ways to support necessary encryption standards.
- Use Azure Disk Encryption to encrypt the drives by using dm-crypt (Linux) or BitLocker (Windows):
- Use Azure Storage service encryption for storage accounts with your own key to encrypt the storage account that holds the disks:
Disk encryption for virtual machine scale sets
You can encrypt disks that support virtual machine scale sets by using Azure Disk Encryption:
Containers
For Containers services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Kubernetes Service
- Configure encryption at rest of content in AKS by using customer-managed keys in Azure Key Vault.
Container Instances
- Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see Encrypt deployment data.
Container Registry
- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an extra encryption layer by using a key that you create and manage in Azure Key Vault.
Databases
For Databases services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Cosmos DB
- Data stored in your Azure Cosmos DB account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys). For more information, see Configure customer-managed keys for your Azure Cosmos DB account with Azure Key Vault.
Azure Database for MySQL
- Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest. This encryption is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see Azure Database for MySQL data encryption with a customer-managed key.
Azure Database for PostgreSQL
- Data encryption with customer-managed keys for Azure Database for PostgreSQL Single Server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see Azure Database for PostgreSQL Single Server data encryption with a customer-managed key.
Azure Healthcare APIs (formerly Azure API for FHIR)
Azure Healthcare APIs supports Impact Level 5 workloads in Azure Government with this configuration:
- Configure encryption at rest of content in Azure Healthcare APIs using customer-managed keys in Azure Key Vault
Azure SQL Database
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption with customer-managed key.
SQL Server Stretch Database
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see Azure SQL transparent data encryption with customer-managed key.
Hybrid
Azure Stack Edge
- You can protect data at rest via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. You can configure your storage account to use data encryption with customer-managed keys stored in Azure Key Vault. For more information, see Protect data in storage accounts.
Integration
For Integration services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Service Bus
- Configure encryption of data at rest in Azure Service Bus by using customer-managed keys in Azure Key Vault.
Internet of Things
For Internet of Things services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure IoT Hub
- Azure IoT Hub provides encryption of data at rest and in transit. Azure IoT Hub uses Microsoft-managed keys to encrypt the data.
Management and governance
For Management and governance services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope.
Automation
- By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see Encryption of secure assets in Azure Automation.
Azure Managed Applications
- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs, including storage encryption with customer-managed keys. For more information, see Bring your own storage.
Azure Monitor
- By default, all data and saved queries are encrypted at rest using Microsoft-managed keys. Configure encryption at rest of your data in Azure Monitor using customer-managed keys in Azure Key Vault.
Log Analytics
Log Analytics, which is a feature of Azure Monitor, is intended to be used for monitoring the health and status of services and infrastructure. The monitoring data and logs primarily store logs and metrics that are service generated. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no extra configuration required.
Log Analytics may also be used to ingest extra customer-provided logs. These logs may include data ingested as part of operating Microsoft Defender for Cloud or Microsoft Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see Azure Monitor customer-managed keys.
Azure Site Recovery
- You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see Replicate machines with customer-managed keys enabled disks.
Microsoft Intune
- Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to uploading to Intune storage. While Intune does encrypt applications that are uploaded to the service for distribution, it doesn't support customer-managed keys.
Media
For Media services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Media Services
- Configure encryption at rest of content in Media Services by using customer-managed keys in Azure Key Vault.
Migration
For Migration services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Data Box
- Configure encryption at rest of content in Azure Data Box using customer-managed keys in Azure Key Vault.
Azure Migrate
- Configure encryption at rest of content in Azure Migrate by using customer-managed keys in Azure Key Vault.
Security
For Security services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Information Protection
- Configure encryption at rest of content in Azure Information Protection using customer-managed keys in Azure Key Vault.
Microsoft Sentinel (formerly Azure Sentinel)
- Configure encryption at rest of content in Microsoft Sentinel by using customer-managed keys in Azure Key Vault.
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
- Configure encryption at rest of content in Microsoft Defender for Cloud Apps using customer-managed keys in Azure Key Vault.
Storage
For Storage services availability in Azure Government, see Products available by region. For a list of services in scope for DoD IL5 PA, see Azure Government services by audit scope. Guidance below is provided only for IL5 PA services that require extra configuration to support IL5 workloads.
Azure Archive Storage
- Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point you can enforce customer-managed keys that are in place for your online storage tiers. When you create a target storage account for IL5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see Storage encryption with Key Vault managed keys.
- The target storage account for Archive Storage can be located in any Azure Government region.
Azure File Sync
- Configure encryption at rest of content in Azure File Sync by using customer-managed keys in Azure Key Vault.
Azure HPC Cache
- Configure encryption at rest of content in Azure HPC Cache using customer-managed keys in Azure Key Vault
Azure Import/Export
- By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of IL5 data, add storage encryption via customer-managed keys. For more information, see Storage encryption with Key Vault managed keys in this article.
- The target storage account for import and source storage account for export can be located in any Azure Government region.
Azure NetApp Files
- Configure encryption at rest of content in Azure NetApp Files using customer-managed keys
Azure Storage
Azure Storage consists of multiple data features: Blob storage, File storage, Table storage, and Queue storage. Blob storage supports both standard and premium storage. Premium storage uses only SSDs, to provide the fastest performance possible. Storage also includes configurations that modify these storage types, like hot and cool to provide appropriate speed-of-availability for data scenarios.
Blob storage and File storage always use the account encryption key to encrypt data. Queue storage and Table storage can be optionally configured to encrypt data with the account encryption key when the storage account is created. You can opt to use customer-managed keys to encrypt data at rest in all Azure Storage features, including Blob, File, Table, and Queue storage. When you use an Azure Storage account, you must follow the steps below to ensure the data is protected with customer-managed keys.
Storage encryption with Key Vault managed keys
To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as bring your own key.
For more information about how to enable this Azure Storage encryption feature, see Configure encryption with customer-managed keys stored in Azure Key Vault.
Note
When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added before the customer-managed key is configured will be protected with Microsoft-managed keys.
StorSimple
- To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to define cloud storage encryption keys. You specify the cloud storage encryption key when you create a volume container.
Next steps
Learn more about Azure Government:
- Acquiring and accessing Azure Government
- Azure Government overview
- Azure Government compliance
- DoD Impact Level 5
- DoD in Azure Government
- Azure Government services by audit scope
- Azure Government security
- Azure guidance for secure isolation
Start using Azure Government: