If someone gains access to your database, either by legal power or by unauthorized access, the database itself is encrypted, so the blobs of encrypted "stuff" is useless to them. The key(s) would have to be subpoenaed separately, or someone would have to steal the keys off your site in addition to the databases that are up in Azure...
BUT then the comment comes up that with data up in the cloud, "anyone" can access the data directly from anyplace in the world... The answer, NO, not unless you want everyone in the world to access the content directly from the Internet. If you have protected data you ONLY want your employees in your corporate offices to access the information, then by default, Azure does NOT expose data externally. You actually have to configure your Azure and SQL Virtual Machine to have a public Internet address, and you have to configure Azure to open up firewall ports to gain direct access to your VMs/Servers up in Azure. If you ONLY want your employees to access content up in Azure (SQL data or SharePoint data that is being stored on SQL), then create a SECURED TUNNEL between your corporate sites to Microsoft Azure. Couple ways you can do this:
- Site to Site VPN: You can create a Site to Site VPN between your datacenter to Microsoft Azure, using IPSec to protect the channel of communications to YOUR data. Microsoft Azure provides site to site connectivity from Cisco, Brocade, Checkpoint, Sonicwall, Fortinet, Juniper, etc, or you can simply configure an old fashion Microsoft Windows RRAS server for a S2S secured VPN tunnel. LOTS of ways to create a secured and protected tunnel between your office(s) and Microsoft Azure where there is NO direct connection into your data.
- Site to Site using Express Route: Another way to create a connection between your offices and Microsoft is through what Microsoft calls "Express Route". Express Route is a PRIVATE connection between your enterprise and Microsoft, effectively a "last mile" type private connection right into Azure. Microsoft has partnered with companies like Equinix (and soon others) (http://blog.equinix.com/2014/05/microsoft-azure-expressroute-now-available-in-equinix-data-centers-customers-tap-benefits-to-deliver-hybrid-cloud-solutions/) so there are MANY local onramps to connect organizations right into Azure. With Express Route, you're not even going through a tunnel over the general internet, you actually have a direct connection (not over the Internet) to your Azure servers. Internal users go over your LAN/WAN to access data in Azure, and presumably your remote users have some form of 2-factor authentication and encryption if they are remote, connecting into your environment that will then go across Express Route in an encrypted direct transport to your Azure data. https://azure.microsoft.com/en-us/services/expressroute/
For those who are hardcore and STILL beat me down on security to Azure where a 7-level deep secured datacenter, with encrypted databases, connected over secured encrypted connections is not good enough, then one more thing we have done for organizations is to ENCRYPT the content that gets stored in the encrypted databases! For something like SharePoint, Microsoft has a technology called Rights Management Services (RMS) that allows organizations to set policies so that every Word doc, Excel spreadsheet, PDF file, JPG graphic, TIF file, PowerPoint presentation, etc is ENCRYPTED as it is stored in a SharePoint Library.
- Encryption of Content within SharePoint: Microsoft Rights Management Services (RMS) encryption is tied to user's Active Directory credentials, so that the content is encrypted upon user creation and access, and is stored in SharePoint protected, and then even if a user takes content OUT of SharePoint and accidentally (or absent-mindedly) uploads the content to DropBox, Box, OneDrive, etc that the actual FILE (doc, spreadsheet, etc) remains encrypted and accessible ONLY by authorized targeted recipients of the content http://office.microsoft.com/en-us/business/microsoft-azure-rights-management-FX104179392.aspx
Sign up for CIO Asia eNewsletters.