Securing sensitive data with Azure Key Vault (Tom Kerkhove @ ITPROceed)

Upload: codit

Post on 12-Aug-2015


Securing sensitive data with Azure Key Vault
Tom Kerkhove

Tweet and win an Ignite 2016 ticket #itproceed

Who am I?
Tom Kerkhove
• Integration Professional at Codit
• IoT Competency Lead at Codit
• Kinect for Windows MVP
• Microsoft Azure Advisor

How can Codit help?
Integration services
• Advice
• Projects
• Implementation
• SOA Governance
• Managed Services
• Integration as a Service
• Integration Cloud
• API Management
• Internet of Things

Demo Scenario
• Customer applies to the SaaS
  – Gives Twilio & Azure Storage credentials
• Application uses API to send text messages

SPAMMER ‘INSECURE’

Demo Summary
• Security flaws
  – Storing sensitive data as clear text in DB
  – Google authentication as clear text
  – Unencrypted connection string
  – Unsecured API
  – Probably more
• On the other hand...
  – Transport security with SSL (although default Azure cert)
  – External login

Introducing Azure Key Vault

What is Azure Key Vault?
• Storing sensitive data in hardware security modules (HSM)
• Giving back control to the customer
  – Full control over key lifecycle with audit logs
  – Management of all keys in one place
  – Store encryption keys in HSMs
• Removes responsibility from developers
  – Secure storage for passwords, encryption keys & certificates
  – Protects sensitive data in production

Azure Key Vault (diagram): Keys and Secrets

Secrets
• Used to store sequences of bytes
• Consumers can read & store secrets
• Encrypted before stored in vault
• Limited to 10 kB
• Versioned
• Typically used for connection strings, certificates, etc.

Keys
• Stores an RSA 2048-bit key
• Created by Key Vault owner
• Can be used to decrypt/sign with
• Can't be read back (the private key never leaves the vault)
• Higher latency
• For frequent use of key material, store it as a Secret instead (lower latency, but a consumer can then read the bytes, so they do leave the vault)

Different Key Types
• Software Keys
  – Stored encrypted in HSM
  – Operations performed on VM in Azure
  – Typically used for Dev/Test
  – Cheaper
• HSM Keys
  – Stored encrypted in HSM
  – Operations performed on HSM directly
  – Requires Premium Vault
  – More secure

Basic LOB Scenario (diagram: Developer, Fabricam Customer X, single-tenant app, App Settings, Database)
1. Deploy application
2. Read from settings
3. Connect to DB

(More) Secure LOB Scenario (diagram: Vault Owner, Developer, Vault Consumer = single-tenant app, App Settings, Azure Key Vault, Database, Fabricam Customer X)
1. Create vault
2. Authorize apps & users
3. Create CS Secret
4. Deploy Application
5. Retrieve Vault URI (from App Settings)
6. Negotiate Secret
7. Connect to DB
Vault Owner manages keys / monitors logs

Vault Owners vs Consumers
• Vault Owners
  – Has full control over vault
  – All keys & secrets in one place
  – Ability to change permissions
  – Ability to fully revoke consumer
  – Ability to regenerate keys without breaking apps
  – Audit logs for monitoring
• Vault Consumers
  – Authenticate with Azure AD
  – Not able to see encrypted keys
  – Limited to granted permissions

Access Control
• Access control based on Azure AD
• Access assigned at the Vault-level
  – Permissions to keys
  – Permissions to secrets
• Authentication against Azure AD
  – Application ID & Key
  – Application ID & Certificate
• No isolation between clients within one vault: every authorized consumer sees every key and secret it has permissions for, so separate trust boundaries (e.g. separate customers) need separate vaults
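The consumer side of the (More) Secure LOB Scenario, steps 4 to 7 (deploy, read the vault URI from app settings, negotiate the secret, connect), together with the Keys slide's point that key material is used in the vault but never read back, as one added example in Python. This is not the deck's demo code and not the Azure SDK: it speaks the Key Vault REST API directly with the standard library. The vault name contoso-vault, the tenant, the application ID & key, the secret TwilioAuthToken and the key spammer-kek are assumptions, and the `transport` hook exists so the exchange can be exercised offline against a constructed fake vault.

```python
"""Key Vault REST consumer: Azure AD client-credential token, versioned secret read with
attribute checks, RSA wrap/unwrap of a data-encryption key. Added example, not the deck's
demo code; vault, app and key names are made up."""
import base64
import json
import secrets
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple

AAD_AUTHORITY = "https://login.microsoftonline.com"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault
API_VERSION = "7.4"

def urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> Tuple[int, bytes]:
    # Default HTTP transport. VaultClient accepts any callable with this shape, so the
    # whole flow can be driven offline against a constructed fake vault.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def b64url_encode(raw: bytes) -> str:
    # Key Vault carries binary values as base64url *without* '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

@dataclass
class Secret:
    name: str
    version: str  # from the versioned id, so a caller can pin it later
    value: str

class VaultClient:
    # Vault consumer: authenticates with Application ID & Key, then calls the vault.
    def __init__(self, vault_uri, tenant_id, client_id, client_secret, transport=urllib_transport):
        self.vault_uri = vault_uri.rstrip("/")  # comes from app settings, not the DB
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.transport, self._token = transport, None

    def _bearer(self) -> str:
        # OAuth2 client-credential grant against Azure AD. The vault never sees the app
        # credential; it only validates the resulting token.
        if self._token is None:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials", "client_id": self.client_id,
                "client_secret": self.client_secret, "resource": KEY_VAULT_RESOURCE}).encode()
            status, raw = self.transport("POST", f"{AAD_AUTHORITY}/{self.tenant_id}/oauth2/token",
                                         {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise RuntimeError(f"token request failed with HTTP {status}")
            self._token = json.loads(raw)["access_token"]
        return self._token

    def _call(self, method: str, *segments: str, payload: Optional[dict] = None) -> dict:
        path = "/".join(s for s in segments if s)  # an empty version segment is dropped
        url = f"{self.vault_uri}/{path}?api-version={API_VERSION}"
        headers = {"Authorization": f"Bearer {self._bearer()}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, url, headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {url} failed with HTTP {status}: {raw[:200]!r}")
        return json.loads(raw)

    def get_secret(self, name: str, version: str = "", now: Optional[float] = None) -> Secret:
        # No version => latest. Enforce the secret's own lifecycle attributes (enabled,
        # not-before, expiry) instead of trusting whatever came back.
        data = self._call("GET", "secrets", name, version)
        attrs = data.get("attributes", {})
        now = time.time() if now is None else now
        if not attrs.get("enabled", False):
            raise PermissionError(f"secret {name!r} is disabled")
        if attrs.get("nbf") is not None and now < attrs["nbf"]:
            raise PermissionError(f"secret {name!r} is not yet valid")
        if attrs.get("exp") is not None and now >= attrs["exp"]:
            raise PermissionError(f"secret {name!r} has expired")
        return Secret(name, data["id"].rstrip("/").rsplit("/", 1)[-1], data["value"])

    def wrap_data_key(self, key_name: str, version: str = "") -> Tuple[bytes, str, bytes]:
        # Envelope encryption: a fresh 256-bit data key encrypts the payload locally (AES-GCM
        # with your crypto library, not shown); only the RSA-OAEP-wrapped copy is stored
        # beside the ciphertext. The vault's RSA private key never leaves the vault.
        dek = secrets.token_bytes(32)
        data = self._call("POST", "keys", key_name, version, "wrapkey",
                          payload={"alg": "RSA-OAEP", "value": b64url_encode(dek)})
        return dek, data["kid"], b64url_decode(data["value"])

    def unwrap_data_key(self, kid: str, wrapped: bytes) -> bytes:
        # kid is the versioned key URL wrapkey returned, so old data still unwraps after
        # the owner rolls a new key version.
        if not kid.startswith(self.vault_uri + "/keys/"):
            raise ValueError(f"kid {kid!r} does not belong to {self.vault_uri}")
        data = self._call("POST", kid[len(self.vault_uri) + 1:], "unwrapkey",
                          payload={"alg": "RSA-OAEP", "value": b64url_encode(wrapped)})
        return b64url_decode(data["value"])
```

Everything the vault owner does (create the vault, grant the app an access policy with only `get` on secrets and `wrapKey`/`unwrapKey` on keys, store the connection-string secret) stays in PowerShell or the portal; this client needs only the vault URI plus its own Azure AD credential. That credential is the one thing the consumer still has to protect: the second demo summary lists "vault credentials stored as plain text" as a remaining flaw, and the Application ID & Certificate option on the slide exists for exactly that reason.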

Access Control: sharing credentials with control (diagram)
Codito Subscription (Azure Active Directory, Web App, Azure SQL database, Storage (Azure)) and SaaS Subscription, each with its own Azure Key Vault; numbered flow 1 to 7 between these components

SPAMMER ‘MORE SECURE’

Summary
• Security flaws
  – Vault credentials stored as plain text
  – Unsecured API
• On the other hand...
  – Message encryption supported based on customer vault
  – External vault authentication stored in internal vault
  – Customers' data is securely stored in their vault
  – Encrypted database

PS C:\Demo> Start-Demo

But there is more!
• Azure Storage Client-Side encryption
• VM Encryption (CloudLink)
• SQL Server Encryption
• BitLocker Encryption

VM Encryption (CloudLink)

Bring-Your-Own-Key (BYOK)

SQL Server Encryption
• SQL Server Extensible Key Management provider available (Preview)
  – Transparent Data Encryption (TDE)
  – Column Level Encryption (CLE)
  – Backup Encryption
• Requires SQL Server Enterprise
• Available on-prem & in Azure

SQL SERVER TDE DEMO

Vault Isolation
• Vault dedicated to one region
  – Vault, keys & secrets stay within the same region
• Stored in physical HSMs
• Reason: laws & compliance
  – Each vault has its own URL
  – Manual synchronisation if required

Replication (diagram): Azure Key Vault in North Europe and Azure Key Vault in West Europe, manually synced

Pricing Overview (*)
• Vault owner pays for everything

                                    Standard                      Premium
Secrets & software-protected keys   $0.0112 / 10,000 operations   $0.0112 / 10,000 operations
HSM-protected keys                  N/A                           $0.0112 / 10,000 operations
                                                                  + $0.3724 per key per month (for every version of the key)

* = 50% discount during public preview

Public Preview
• Currently only available in 6 regions
• PowerShell, .NET & REST API
• No SLA

What's coming?
• Available in all regions with 99.9+ SLA
• Portal Support
• GA 'real soon'
• Audit logs


Give me feedback and win a Lumia 635
Feedback form will be sent to you by email

Follow Technet Belgium @technetbelux
Subscribe to the TechNet newsletter: aka.ms/benews
Be the first to know


“The question is not if you will be hacked, the real question is when.”

Thank you!

Belgium's biggest IT PRO Conference