Is it safe to store SSN's in Azure Cloud?

Given the current state of public cloud, I would argue that in many cases it is in fact more secure than on-premise storage. Granted I work for Microsoft, but my opinion both pre-dates my employment, and extends to competitors like Amazon and Google as well. Companies whose business models are built on data center operational expertise and excellence, are simply always going to be better and running and protecting their assets than companies who view IT and data as simply a cost to be tightly controlled.

That said, there are definitely a couple of things that I would take a careful look at.

  • How are they encrypting the data? Encryption is easy to get wrong, and with data as structured as SSNs, and with such a small domain, getting it wrong could result in a significant breach of confidentiality.

  • How are they managing access? For this you need to look not only at who has access via the application and to the machines, but from an Azure-specific perspective, who has access to the resource groups and the subscription?

  • Key management. Azure offers HSM-based key-storage. For significantly sensitive data, you should ensure they're using an HSM-protected Key Vault.


To add to Xander's answer, there are a few things to consider:

  • Company policy
  • IaaS, PaaS, and SaaS multi-tenancy
  • Key management
  • Current internal security posture

Company policy

Some companies are okay with *aaS, some companies say a certain level of PII is okay to store off-prem without encryption, or require encryption for a certain level, and say above that level, no off-prem storage. If the company does not have those policies, encourage them to get those policies.

Multi-tenancy

Multi-tenancy, or hosting multiple customers in the platform or network space. This makes pivoting and sniffing of traffic easier.

Some providers will give you a dedicated instance if you are willing to pay a little (or a lot) extra.

Key management

As Xander mentioned, some providers (Amazon and Microsoft do this for sure, I don't know about Google, though I'd guess they do) offer an HSM for key management. Is the company trusting of the SEE code in the HSM? Is the company willing to give out the key to encrypting and decrypting identity significant data? Can the company control the SEE code?

Company security posture

Does this company have a mature vendor management process? Incident response process? What happens if one of these providers is breached? Does the company IR team have the ability to work with the provider? Will the provider be held to a contract to notify the company in the event of a detected breach? Will logs be forwarded to a company log monitoring solution? Is that log monitoring solution monitored and maintained? Does the company have a mature security testing and review program?

These are all questions that should be asked and answered beyond "is it safe?" because policies, security posture, and provider environment impact that "is it safe?" a lot.