Visual Studio Team Services Encryption at Rest

Customers interested in ensuring the highest level of protection for their data stored in Visual Studio Team Services (VSTS) often ask about our ability to encrypt their data at rest. To meet these organizational security and compliance requirements, our goal is to fully encrypt all customer data in VSTS. Toward that end, over the past several years we’ve been adopting built-in Azure encryption capabilities and are committed to adopting future capabilities as they become generally available. We are now most of the way there and are committed to closing our few remaining gaps. The rest of this article provides details on the specifics of our approach and coverage.

Background

In on-premises Team Foundation Server (TFS) deployments, nearly all persistent data storage is in SQL Server. This simplifies many scenarios for customers, including setup and configuration, high availability and disaster recovery, and so forth. The only exceptions to this are for features whose data can be rebuilt from the primary data in SQL Server. Reporting data is one example – this data is stored in a relational warehouse and an Analysis Services cube and can be rebuilt from SQL data in the primary operational store as needed.

In Visual Studio Team Services (VSTS), on the other hand, data is distributed across multiple independently deployed services. This enables our individual services to be more resilient while also allowing the feature teams more agility in deploying features to you. Data in VSTS is also stored in a mix of cloud storage mediums – primarily Azure SQL Databases and Azure Storage blobs.

Status

Eighteen months ago, we finished adoption of Transparent Data Encryption (TDE) in SQL Azure Database, after which all data persisted in SQL across all of VSTS was encrypted at rest. SQL serves as the primary storage medium for all work item data other than attachments, all version control metadata, all build metadata, and so forth. All this data is encrypted at rest in VSTS using TDE.

In the past few months, we finished adoption of Azure Storage Service Encryption (SSE) for Data at Rest, and now all data persisted in Azure Storage blobs is also encrypted at rest. Blob storage serves as the primary storage medium for all work item attachments, all version control files, all build logs, and so forth. All this data is encrypted at rest in VSTS using SSE.

Between these two storage mediums and encryption technologies, most customer data in VSTS is now encrypted at rest. We still have more work to do, however, including:

  • Secondary data storage on VM disks. This includes caches on our application tiers, index files for code and work item search, and build/release data on transient hosted build/release agents. For IaaS VMs, we are working on enabling encryption using Azure Disk Encryption (ADE). PaaS VMs (Cloud Service web and worker roles) do not support ADE, and we are looking to migrate our PaaS VMs to Windows Server Containers on IaaS VMs.
  • Primary data storage in Azure Storage Tables, including package management and cloud load testing metadata. Support for encrypting Table data was recently announced, and we will be working quickly to get this data encrypted.

Our goal is encryption-at-rest for all customer data in Visual Studio Team Services. We are now most of the way there, and are committed to closing our few remaining gaps. We will let you know as we continue to make progress.

For more information on all the steps we take to manage and protect customer data in VSTS, see our data protection whitepaper at https://aka.ms/vstssecurity.

5