
Why can't the keys be managed in an end-to-end fashion? Wasn't it Cloudflare announcing something like that a few months ago, with clients having their own key-servers that Cloudflare itself can't access?


They can be, but this avoids the round-trip time entirely. Microsoft's not forcing you to keep your secrets in the cloud if you don't want to, what they're saying is, "you don't have to run it all yourself if you don't want to" or for those already in the cloud, "it's more secure (or audit-able, at least) to store and share secrets using an HSM than to use plain-text on a hard drive". Of course, nothing's perfect, and even your secrets will eventually end up in RAM, but that's why they call it "defense-in-depth" right? Plus, it means if you're encrypting something, you can use the HSM to do it and know that only the HSM box has the keys to what you're encrypting, and it's dedicated and designed for that task. I personally like HSMs as a concept and look forward to lower cost options as we rely more on encryption in the cloud.


I realize the "it's easier" part. That's why most of us use email over TLS/STARTTLS instead of PGP. However, I don't think Microsoft is going to address the "trust" issue foreign governments and companies have with American clouds right now.

Granted, I'm only picking on Microsoft because they are announcing this now, and I think they could've done better. But I assume Amazon and Google's encryption also relies on "trusting them" (+ the US gov).

They all need to adopt more end-to-end solutions from end-user services to enterprise cloud services. Perhaps especially for enterprise cloud services, since I think they have more to lose by putting their trust in the cloud providers instead of building their own clouds, and they could be more reluctant to adopt their services because of that.

Maybe the cloud companies aren't feeling this as much now since there seems to be "growth" coming in anyway, but when the market stabilizes a bit, they will probably start feeling it. It's kind of how Blackberry didn't feel that they were banking on a bad strategy in the post-iPhone years, because they were still seeing "growth" during that time, mostly from other markets, hiding the fact they were using a bad strategy, and they were only growing because of brand inertia from previous years.


"and even your secrets will eventually end up in RAM" Maybe not necessarily in future: https://www.usenix.org/conference/osdi14/technical-sessions/...


I suppose nothing on Azure would stop you from connecting your Azure instances to your own HSM outside of their DCs (although that would make maintenance your problem instead of Microsoft's).

Granted, that solution wouldn't be as nicely integrated with their other services. I guess from a business POV, making it easier to be compliant with various security standards that require practices like encrypt-at-rest > building a solution that's secure even against state actors.


Why wouldn't it?

Very few businesses really have this requirement. End of the day, if the Feds show up with a warrant or warrant-like paper, I'm not going to jail for my employer. Hell, if I was locked up defending their data, I'd probably be expected to charge my accruals for my absence.



