Azure Key Vault Presentation

Today, I’m going to introduce you to an Azure security service that I now use in almost all of my Azure security architecture projects: Azure Key Vault.

What is Azure Key Vault solving?

HSM cost is no longer an issue in Azure

What can Azure Key Vault do?

Key Management Service

Create and control encryption keys that encrypt your data.

Secrets Management Service

Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Certificate Management Service

Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.

Service with FIPS 140-2 validated HSMs

Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.

Hardware Security Modules (HSMs) are FIPS Level 2 overall, with the following at Level 3:

  • Physical Security
  • Roles, Services, and Authentication
  • EMI/EMC
  • Design Assurance

Azure Key Vault Certification

Software vs. Hardware

Both store keys at rest in HSM hardware.

  • Software: encrypt and decrypt operations are performed in software on compute VMs
  • Hardware: encrypt and decrypt operations are performed inside the HSM hardware

Recommended:

  • Use Software in dev/test
  • Hardware in production

Azure Key Vault offers

New Offer – Azure Dedicated HSM

What is it

New service offering, for scenarios that require:

  • FIPS 140-2 Level 3 or CC EAL 4+ to meet compliance needs
  • Direct control of HSMs (Gemalto SafeNet Luna Network HSM 7)
  • Low latency

How does it work

Microsoft hosts and powers the HSMs and connects them to your VNet. You control everything else:

  • That includes firmware and patches, redundancy and availability, disaster recovery and backup, root keys, and capacity planning

Azure Key Vault Security

How to secure your Key Vault?

  • Authentication – defense in depth
    • For users – Mandate MFA
    • For services – Use MSI (Managed Service Identity)
    • For both – VNet service endpoints
  • Authorization – defense in depth
    • Use security groups
    • App + user
  • Monitoring
    • Enable logging, then build alerts and reports on top of it
  • Other practices
    • Separate security boundaries per app
    • Separate owners between app and key vault

Security: Alert on specific patterns

An interesting feature of Azure Key Vault is the ability to build alerts on specific patterns in its logs.
Alerts can be configured via:

  • Built-in alerts blade
  • Azure Log Analytics

You can configure the alert to go to multiple destinations:

  • Email, SMS, Push, Voice, Function App, Logic App, Automation Runbook, WebHook
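The "Monitoring" bullet and the alert patterns above are the kind of logic you end up expressing in Log Analytics queries or alert rules. As an added example (not from the original presentation), here is the same idea as offline Python over constructed log lines modeled on Key Vault AuditEvent diagnostic records. The field names (operationName, resultSignature, callerIpAddress, identity.claim), the operation names, the allowed VNet range and the failure threshold are assumptions for the example; every address, app id and timestamp is made up.

```python
import json
import ipaddress
from collections import Counter

# Constructed sample records modeled on the Key Vault "AuditEvent" diagnostic log
# schema (operationName, resultSignature, callerIpAddress, identity.claim). Every
# value below, including addresses, app id and timestamps, is made up for this example.
SAMPLE_LOGS = [
    '{"time":"2024-01-01T10:00:01Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"app-1"}}}',
    '{"time":"2024-01-01T10:00:05Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-1"}}}',
    '{"time":"2024-01-01T10:00:06Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-1"}}}',
    '{"time":"2024-01-01T10:00:07Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"app-1"}}}',
    '{"time":"2024-01-01T10:01:00Z","operationName":"VaultPatch","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"upn":"admin@example.com"}}}',
    '{"time":"2024-01-01T10:02:00Z","operationName":"KeyDecrypt","resultSignature":"OK","callerIpAddress":"198.51.100.9","identity":{"claim":{"appid":"app-1"}}}',
]

# Assumed policy: the vault should only be reached through the VNet service endpoint,
# so any successful secret/key use from outside this range deserves an alert.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
FAILURE_THRESHOLD = 3                      # assumed: three denials from one caller IP
DATA_OPS = {"SecretGet", "SecretList", "KeyDecrypt", "KeySign", "KeyUnwrap"}  # assumed names
CONFIG_OPS = {"VaultPatch", "VaultPut", "VaultDelete"}                         # assumed names

def parse_records(lines):
    """One JSON object per line, as exported to a storage account or Log Analytics."""
    return [json.loads(line) for line in lines]

def in_allowed_network(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_NETS)

def find_alerts(lines):
    """Return (pattern, callerIpAddress, detail) tuples for three alert patterns."""
    alerts = []
    failures = Counter()
    for rec in parse_records(lines):
        op, result, ip = rec["operationName"], rec["resultSignature"], rec["callerIpAddress"]
        if result in ("Forbidden", "Unauthorized"):
            failures[ip] += 1            # repeated denials: probing or a misconfigured principal
        elif op in DATA_OPS and not in_allowed_network(ip):
            alerts.append(("off_network_access", ip, op))   # key/secret used from outside the VNet
        if op in CONFIG_OPS:
            alerts.append(("vault_config_change", ip, op))  # access policy, network rules, deletion
    for ip, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(("repeated_auth_failures", ip, count))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

In a real deployment the same three checks become a Log Analytics query on the AzureDiagnostics table, with the action group (email, Logic App, runbook) as the destination.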

Which version to choose?

Azure Key Vault Pricing

Azure Key Vault Best Practices

  • Use MSI to talk to Azure Key Vault (https://aka.ms/azuremsi)
  • “No Secrets” is better than “Managed Secrets”
  • Designated Key Vaults for different environments
    • Production, Staging, UAT, Test, Dev, etc.
    • Use automation in CI/CD pipeline to switch references to keys/secrets
  • Role Separation
    • Key Vault owner, Key/Secret Owner, App Owner, App Resource, Auditor, etc.
    • Subscription Administrator?
  • Carefully bootstrap access to Key Vault keys and secrets
  • Use Virtual Network Service Endpoints to further secure access and reduce threat surface for Key Vault