Announcing General Availability for Power Platform Customer-managed key (CMK)
We are excited to announce the General Availability for Power Platform Customer-managed key (CMK)!
Microsoft Power Platform empowers you to do more with less by making it easier than ever to securely scale low-code adoption, increase organizational collaboration, and infuse AI and automation into all your business processes. Microsoft Power Platform comes with advanced risk and compliance features that give you an easy cost-effective way to cover your risks and compliance needs.
Protecting your data and meeting your compliance needs
CMK allows customers to meet their data and privacy regulatory requirements, and to meet the enterprise promise on enabling customers with greater control over the security of their data.
Encryption is one of several defenses-in-depth that are available to secure storage. All the customer data and configuration information stored in Power Platform is encrypted at rest with strong Microsoft-managed encryption keys by default. Using CMK provides added data protection control, by allowing customers to manage their own encryption keys. When managed key encryption is used, all business-critical data is encrypted with a user-provided Azure Key Vault key. This provides the ability for customers to rotate/swap the encryption key on demand. It also provides the ability for customers to revoke Microsoft’s access to sensitive information by revoking the access to the key, at any time.
The control and management of using your own key to encrypt data at-rest is one of the main risks and compliance requirements for enterprises using Cloud software-as-a-service applications. Power Platform provides this CMK service in a cost-effective way to help you meet your needs.
Mercedes Benz has found success with CMK in Dataverse overarchingly, as it’s made it easier for them to build more complex solutions on their enterprise-data.
“Preventing other parties from accessing data stored in the cloud has been a key concern for Mercedes-Benz from the beginning. This is becoming even more important as we embraced the “cloud-first” paradigm striving to make the most out of cloud capabilities. We deem the risk so severe that we do not allow confidential data to be stored in the cloud if that risk is not mitigated properly. This made the use of Dataverse and the low-code/no-code capabilities complex using the Power Platform. Microsoft’s new security features help a lot in this regard, CMK being the key aspect but not underestimating the rest like IP-based cookie binding and IP firewall, subnet delegation, and others. While the features in [themselves] are changing the game, the support, consulting, and help implementing these are a constant boon for our security efforts and just one more reason why we place our trust in Microsoft’s Power Platform.”
—Patric Liebelt, Lead Center of Enablement Microsoft Power Platform, Mercedes-Benz
How do you control and manage your encryption key
The Azure Key Vault admin creates a key vault and generates an encryption key. A Power Platform Enterprise policy is then created which points to the key. The key vault admin grants the Power Platform Enterprise policy access to the key vault to read the key, and then grants a Power Platform local admin Read access to the Power Platform Enterprise policy.
The Power Platform local admin logs into the Power Platform Admin Center (PPAC) and add the Power Platform environment to the Power Platform Enterprise policy. All the environment data is automatically encrypted with the encryption key.
You can choose to add one environment or multiple environments for each Enterprise policy. And you can remove the environment from the Enterprise policy at any time to revert the encryption back to Microsoft-managed key.
Customer has total control of the encryption key that resides in their own Azure Key Vault. Microsoft Support staff does not have access to your key vault and/or your key, and therefore you have overall control over how and when your data can be used. If you delete or revoke access to your key vault and/or the key, all the environment(s) that is encrypted with the key will be disabled and can no longer be accessible by your users and/or Microsoft.