Today, I’m going to introduce you to an Azure security solution that I use almost all the time now in my various Azure architecture security projects, Azure Key Vault.
What Azure Key Vault is solving ?
HSM cost is no longer an issue in Azure
What Azure Key Vault can do ?
Key Management Service
Create and control encryption
keys that encrypt your data.
Secrets Management Service
Securely store and tightly
control access to tokens, passwords, certificates, API keys, and other secrets.
Certificate Management Service
Provision, manage, and deploy
public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS)
certificates for use with Azure and your internal connected resources.
Service with FIPS 140-2 validated HSMs
Use either software or FIPS 140-2
Level 2 validated HSMs to help protect secrets and keys.
Hardware Security Modules (HSMs) are FIPS Level 2 overall, with the following at Level 3:
- Physical Security
- Roles, Services, and Authentication
- Design Assurance
Azure Key Vault Certification
Software VS Hardware
Both store keys at rest in HSM Hardware.
Software : Encrypt and Decrypt performed in Software on compute VM’s
Hardware : Encrypt and Decrypt performed in the HSM Hardware
- Use Software in dev/test
- Hardware in production
Azure Key Vault offers
New Offer – Azure Dedicated HSM
What is it
New service offering, for scenarios that require:
- FIPS 140-2 Level 3 or CC EAL 4+ to meet compliance needs
- Direct control of HSMs (Gemalto SafeNet Luna Network HSM 7)
- Low latency
How does it work
Microsoft hosts and powers the HSMs, and connects them to your VNET. You control everything else.
- That includes firmware & patches, redundancy & availability, disaster recovery & backup, root keys, capacity plan
Azure Key Vault Security
How to secure your Key Vault ?
- Authentication – defense in depth
- For users – Mandate MFA
- For services – Use MSI (Managed Services Identity)
- For both – Vnet Service endpoint
- Authorization – defense in depth
- Use security groups
- App + user
- Enable logging…and alerts, reports
- Other practices
- Separate security boundaries per app
- Separate owners between app and key vault
Security: Alert on specific patterns
An interesting feature with Azure Key Vault is to build alert on specific patterns.
We can configure alerts via:
- Built-in alerts blade
- Azure Log Analytics
You can configure the alert to go
to multiple destinations
- Email, SMS, Push, Voice, Function App, Logic App, Automation Runbook, WebHook
Which version to choose ?
Azure Key Vault Pricing
Azure Key Vault Best Practices
- Use MSI to talk to Azure Key Vault (https://aka.ms/azuremsi)
- “No Secrets” is better than “Managed Secrets”
- Designated Key Vaults for different environments
- Production, Staging, UAT, Test, Dev, etc.
- Use automation in CI/CD pipeline to switch references to keys/secrets
- Role Separation
- Key Vault owner, Key/Secret Owner, App Owner, App Resource, Auditor, etc.
- Subscription Administrator?
- Carefully bootstrap access to Key Vault keys and secrets
- Use Virtual Network Service Endpoints to further secure access and reduce threat surface for Key Vault