From geopolitical risks to rising compliance fines, data sovereignty has become a key priority shaping IT strategies across organizations. For security leaders, this creates a dilemma. On one side, regulatory demands and board-level pressure require stronger control over data. On the other, most organizations rely on complex cloud environments that were not built with sovereignty as a core principle. Additionally, data sovereignty cannot be reduced to data residency, which is only one part of the picture: residency answers where data is stored, sovereignty answers who controls it. The challenge is practical: how to introduce real control without disrupting existing operations.
Platforms like Microsoft Azure are widely used by global organizations to run applications and databases. This raises a critical question: how can data sovereignty be effectively achieved in such environments? More specifically, how can companies and public institutions maintain a high level of control while continuing to operate within Azure-based infrastructure?
In this blog, we explore three approaches organizations can use to maintain control and achieve full data sovereignty within Microsoft Azure environments.
Learn more on how Utimaco’s EKMaaS and Microsoft Azure work together to enable data sovereignty. Join a webinar here with Thomas Treml, Cloud CTO at Microsoft, and Mudit Gaur, Head of EKMaaS at Utimaco.
Data Sovereignty Is About Residency and Control
To achieve data sovereignty, three elements must align. The first is control over where data is stored. This is data residency, which focuses on geography: keeping data within defined regional boundaries while maintaining strict access controls.
The second is control over how data is encrypted and who can access it; this is where sovereignty controls centre on encryption. To be in full control, encryption must cover data at rest, in transit and in use. The third is clearly defined control and ownership of the encryption keys.
Achieving True Data Sovereignty
In standard cloud setups, data is encrypted at rest and the keys are managed by the cloud provider. This introduces a limitation: the provider remains part of the trust chain. From a sovereignty perspective, that is a dependency many organizations want to remove. To reach greater independence from the cloud provider, organizations also want full control over the key lifecycle.
To achieve this, organizations with applications and databases deployed in cloud services such as Azure can use an External Key Management System, reliably separating key storage and management from the cloud service provider's environment. Utimaco provides several on-premises as well as service-based solutions to choose from. Utimaco's cloud-based Enterprise Secure Key Manager as a Service (EKMaaS) is fully integrated with the Azure environment and provides three options to establish data sovereignty in the cloud.
Three Approaches to Realize Data Sovereignty
Bring Your Own Key (BYOK)
In this scenario, Utimaco's EKMaaS encrypts Microsoft's key using a key encryption key (KEK). The KEK remains outside Microsoft Azure, with its full lifecycle managed externally.
This approach gives organizations the ability to revoke data access when needed, since all data is encrypted under a customer-managed key held outside the cloud operator's environment.
Double Key Encryption (DKE)
In this approach, Microsoft 365 files are encrypted twice, using two keys. One key is managed within the Microsoft environment, while the second key is managed externally through Utimaco's EKMaaS.
In practice, this means that when a user downloads an encrypted file, decryption happens on the user's laptop after retrieving the second key from EKMaaS. The second key is never exposed to Azure.
When revocation is needed, it is done once in EKMaaS and applies to all files.
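The two-layer model described above, as an added illustration that is not Utimaco's or Microsoft's code and does not use the EKMaaS API: each layer is AES-GCM, the cloud-managed key seals the inner layer, the externally held key seals the outer layer, and a nil external key stands in for a key the external service has revoked. Function names and the constructed keys are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustGCM builds an AES-GCM AEAD; keys are fixed 32-byte values here, so a bad key is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return g
}
// SealLayer encrypts data under key and prepends the random nonce.
func SealLayer(key, data []byte) []byte {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, data, nil)
}
// OpenLayer reverses SealLayer; it fails on a wrong key or any tampering.
func OpenLayer(key, ct []byte) ([]byte, error) {
	g := mustGCM(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// DoubleEncrypt nests the cloud-key layer inside the external-key layer, so what the cloud stores cannot be opened with the cloud-managed key alone.
func DoubleEncrypt(cloudKey, extKey, plaintext []byte) []byte {
	return SealLayer(extKey, SealLayer(cloudKey, plaintext))
}
// ClientDecrypt runs on the user's device with the key the external service released; a nil extKey models a revoked key and blocks every file at once.
func ClientDecrypt(cloudKey, extKey, stored []byte) ([]byte, error) {
	if extKey == nil {
		return nil, errors.New("external key access revoked")
	}
	inner, err := OpenLayer(extKey, stored)
	if err != nil {
		return nil, err
	}
	return OpenLayer(cloudKey, inner)
}
```

The useful checks are that `OpenLayer(cloudKey, stored)` fails, so the cloud side holding only its own key learns nothing, and that once the external key is withheld no file can be opened regardless of the cloud key.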
Hold Your Own Key (HYOK) - upcoming
In contrast to the BYOK approach, the HYOK architecture allows key vaults to be configured within Azure while connecting to an external key vault hosted in the Utimaco environment, using EKMaaS and General Purpose Hardware Security Modules (GP HSMs) to protect the keys.
Key storage and the key lifecycle are fully offloaded from Azure and managed within the EKMaaS environment.
How You Can Benefit from Integration of Utimaco’s EKMaaS and Microsoft Azure
Organizations can achieve data sovereignty in a proven environment like Microsoft Azure while maintaining full control over their encryption keys with Utimaco’s EKMaaS.
This includes retaining authority over the master backup key, with the ability to revoke, rotate or destroy keys when needed. It also involves centralized key management across cloud and on-premises environments, enabling a consistent and unified approach.
With this setup, organizations gain compliance and control through full key visibility and auditability across all environments.
Learn more about the Microsoft Azure & Utimaco’s EKMaaS integrated solution here.
Two industry experts, Thomas Treml and Mudit Gaur, discussed how organizations can achieve data sovereignty during a recent webinar. Access the webinar here to explore their insights.
Achieve Data Sovereignty with Utimaco’s EKMaaS
The Enterprise Key Manager as a Service (EKMaaS) is a cloud-based solution within Utimaco’s Trust as a Service portfolio. It integrates the functionality of a Key Management System with that of a general-purpose Hardware Security Module (HSM). The service ensures strict separation between data and encryption keys while providing streamlined management across the entire key lifecycle.
Start your free EKMaaS trial now.