Recommendations for data encryption

Applies to Power Platform Well-Architected Security checklist recommendation:

If your data isn't protected, it can be maliciously modified, which leads to loss of integrity and confidentiality.

This guide describes the recommendations for encrypting and protecting your data. Encryption is the process of using cryptography algorithms to make the data unreadable and lock the data with a key. In the encrypted state, data can't be deciphered. It can only be decrypted by using a key that's paired with the encryption key.

Definitions

Key design strategies

Organizational mandates or regulatory requirements might enforce encryption mechanisms. For example, there might be a requirement that data must remain only in the selected region, and copies of the data are maintained in that region.

These requirements are often the base minimum. Strive for a higher level of protection. You're responsible for preventing confidentiality leaks and tampering of sensitive data, whether it's external user data or employee data.

Data is an organization’s most valuable and irreplaceable asset, and encryption serves as the last and strongest line of defense in a multi-layered data security strategy. Microsoft business cloud services and products use encryption to safeguard customer data and help you maintain control over it.

Encryption scenarios

Encryption mechanisms likely need to secure the data in three stages:

• Data at rest is all information that's kept in storage objects. By default, Microsoft stores and manages the database encryption key for your environments using a Microsoft-managed key. However, Power Platform provides a customer-managed encryption key (CMK) for added data protection control, where you can self-manage the database encryption key.

• Data in processing is data that is being used as part of an interactive scenario, or when a background process, such as a refresh, touches it. Power Platform loads data in processing into the memory space of one or more service workloads. To facilitate the workload's functionality, data that's stored in memory isn't encrypted.

• Data in transit is information that's transferred between components, locations, or programs. Azure uses industry standard transport protocols such as Transport Layer Security (TLS) between user devices and Microsoft data centers, and within data centers themselves.

Native encryption mechanisms

By default, Microsoft stores and manages the database encryption key for your environments using a Microsoft-managed key. However, Power Platform provides a customer-managed encryption key (CMK) for added data protection control, where you can self-manage the database encryption key. The encryption key resides in your own Azure key vault, which allows you to rotate or swap the encryption key on demand. It also allows you to prevent Microsoft's access to your customer data when you revoke the key access to our services at any time.

Encryption keys

By default, Power Platform services use Microsoft-managed encryption keys to encrypt and decrypt data. Azure is responsible for key management.

You can opt for customer-managed keys. Power Platform still uses your keys, but you're accountable for key operations.

Power Platform facilitation

The following sections describe Power Platform features and capabilities you can use to encrypt your data.

Customer managed key

All customer data stored in Power Platform is encrypted using a strong Microsoft-managed encryption key by default. Organizations with data privacy and compliance requirements to secure their data and manage their own keys can use the customer managed key capability. The customer managed key provides added data protection where you self-manage the data encryption key associated with your Dataverse environment. Using this capability enables you to rotate or swap encryption keys on demand. Also, it prevents Microsoft from being able to access your data when you revoke the key from the service. For more information, see Manage your customer-managed encryption key.

Data residency

An Azure Active Directory (Azure AD) tenant houses information that's relevant to an organization and its security. When an Azure AD tenant signs up for Power Platform services, the tenant's selected country or region is mapped to the most suitable Azure geography where a Power Platform deployment exists. Power Platform stores customer data in the tenant's assigned Azure geography, or home geo, except where organizations deploy services in multiple regions.

Power Platform services are available in specific Azure geographies. For more information about where Power Platform services are available, where your data is stored, and how it's used, see Microsoft Trust Center. Commitments concerning the location of customer data at rest are specified in the Data Processing Terms of the Microsoft Online Services Terms. Microsoft also provides data centers for sovereign entities.

Data at rest

Unless otherwise stated in documentation, customer data remains in its original source (for example, Dataverse or SharePoint). All data persisted by Power Platform is encrypted by default using Microsoft-managed keys.

Data in processing

Data is in processing when it's being used as part of an interactive scenario, or when a background process, such as a refresh, touches it. Power Platform loads data in processing into the memory space of one or more service workloads. To facilitate the workload's functionality, data that's stored in memory isn't encrypted.

Data in transit

Power Platform requires all incoming HTTP traffic to be encrypted using TLS 1.2 or higher. Requests that try to use TLS 1.1 or lower are rejected.

For more information, see About data encryption in Power Platform and Data storage and governance in Power Platform.

See also

• About data encryption
• Data storage and governance in Power Platform
• Power Platform security FAQs
• Manage your customer-managed encryption key

Security checklist

Refer to the complete set of recommendations.