securing sensitive data with azure key vault (tom kerkhove @ itproceed)
Securing sensitive data with Azure Key Vault
Tom Kerkhove
Tweet and win an Ignite 2016 ticket #itproceed
Who am I?
Tom Kerkhove
• Integration Professional at Codit
• IoT Competency Lead at Codit
• Kinect for Windows MVP
• Microsoft Azure Advisor
How can Codit help?
Integration services
• Advice
• Projects
• Implementation
• SOA Governance
• Managed Services
• Integration as a Service
• Integration Cloud
• API Management
• Internet of Things
Demo Scenario
• Customer applies to the SaaS
– Gives Twilio & Azure Storage credentials
• Application uses API to send text messages
Demo Summary
• Security flaws
– Storing sensitive data as clear text in DB
– Google authentication as clear text
– Unencrypted connection string
– Unsecured API
– Probably more
• On the other hand...
– Transport security with SSL (although default Azure cert)
– External login
What is Azure Key Vault?
• Storing sensitive data in hardware security modules (HSM)
• Giving back control to the customer
– Full control over key lifecycle with audit logs
– Management of all keys in one place
– Store encryption keys in HSMs
• Removes responsibility from developers
– Secure storage for passwords, encryption keys & certificates
– Protects sensitive data in production
Secrets
• Used to store sequences of bytes
• Consumers can read & store secrets
• Encrypted before stored in vault
• Limited to 10 kB
• Versioned
• Typically used for connection strings, certificates, etc.
Keys
• Stores an RSA 2048 key
• Created by Key Vault owner
• Can be used to decrypt/sign with
• Can't be read back
• Higher latency
• For frequent usage of keys, store it as a Secret
Different Key Types
• Software Keys
– Stored encrypted in HSM
– Operations performed on VM in Azure
– Typically used for Dev/Test
– Cheaper
• HSM Keys
– Stored encrypted in HSM
– Operations performed on HSM directly
– Requires Premium Vault
– More secure
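The Keys slide says a vault key can decrypt or sign but can never be read back, and that it has higher latency than a secret. The usual way to live with both properties is envelope encryption: the application encrypts each message locally with a fresh AES data key and asks the vault only to wrap (RSA-encrypt) that data key, so the private key stays in the HSM and there is one vault round trip per message instead of one per byte. The block below is an added example and not code from the talk's demo. It assumes the current Azure SDK packages Azure.Identity and Azure.Security.KeyVault.Keys on .NET 6 or later; the vault URL, key name, tenant and application IDs, and the APP_KEY environment variable are placeholders.

```csharp
// Added example (not from the talk): envelope encryption with a Key Vault RSA key.
// Assumes Azure.Identity + Azure.Security.KeyVault.Keys; all identifiers are placeholders.
using System;
using System.Security.Cryptography;
using System.Text;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

public static class VaultEnvelope
{
    // Placeholder values; in a real app these come from configuration, never from source.
    const string VaultUrl = "https://<customer-vault>.vault.azure.net/";
    const string KeyName  = "message-kek";   // RSA key created by the vault owner

    // Everything that must be stored next to the ciphertext. The data key is only ever
    // persisted in wrapped form, so the stored record is useless without vault access.
    public sealed record Envelope(byte[] WrappedDataKey, byte[] Nonce, byte[] Tag, byte[] Ciphertext);

    public static CryptographyClient GetCryptoClient(TokenCredential cred)
    {
        // The consumer needs only wrapKey/unwrapKey permission on the key, not "get".
        var keyClient = new KeyClient(new Uri(VaultUrl), cred);
        KeyVaultKey kek = keyClient.GetKey(KeyName);
        return new CryptographyClient(kek.Id, cred);
    }

    public static Envelope Encrypt(CryptographyClient vaultKey, byte[] plaintext)
    {
        byte[] dataKey = RandomNumberGenerator.GetBytes(32);   // AES-256 data key, generated locally
        byte[] nonce = RandomNumberGenerator.GetBytes(12);     // unique per message
        byte[] tag = new byte[16];
        byte[] ciphertext = new byte[plaintext.Length];
        using (var aes = new AesGcm(dataKey))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);

        // Single round trip to the vault; the RSA private key never leaves the HSM.
        WrapResult wrapped = vaultKey.WrapKey(KeyWrapAlgorithm.RsaOaep, dataKey);
        CryptographicOperations.ZeroMemory(dataKey);
        return new Envelope(wrapped.EncryptedKey, nonce, tag, ciphertext);
    }

    public static byte[] Decrypt(CryptographyClient vaultKey, Envelope env)
    {
        // Unwrap is the only vault operation on the read path as well.
        UnwrapResult unwrapped = vaultKey.UnwrapKey(KeyWrapAlgorithm.RsaOaep, env.WrappedDataKey);
        byte[] plaintext = new byte[env.Ciphertext.Length];
        using (var aes = new AesGcm(unwrapped.Key))
            aes.Decrypt(env.Nonce, env.Ciphertext, env.Tag, plaintext);   // throws if tampered
        CryptographicOperations.ZeroMemory(unwrapped.Key);
        return plaintext;
    }

    public static void Main()
    {
        // Application ID & key, as on the "Access Control" slide (placeholders).
        TokenCredential cred = new ClientSecretCredential(
            "<tenant-id>", "<app-id>", Environment.GetEnvironmentVariable("APP_KEY"));
        CryptographyClient vaultKey = GetCryptoClient(cred);

        Envelope env = Decrypt(vaultKey, Encrypt(vaultKey, Encoding.UTF8.GetBytes("hello"))) is var pt
            ? Encrypt(vaultKey, pt) : throw new InvalidOperationException();
        Console.WriteLine($"round trip ok, wrapped key is {env.WrappedDataKey.Length} bytes");
    }
}
```

The same shape explains the slide's last bullet: if a workload needs many operations per second, it can unwrap one data key at startup and keep it in memory (or, as the slide suggests, keep the key material as a secret), so the per-message cost is a local AES call rather than an HSM round trip. Every vault wrap and unwrap still appears in the vault's audit log, which is what gives the vault owner the revocation and monitoring the later slides describe.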
Basic LOB Scenario (diagram)
Actors: Developer, Fabricam Customer X, single-tenant app, App Settings, Database
1. Deploy application
2. Read from settings
3. Connect to DB
(More) Secure LOB Scenario (diagram)
Actors: Vault Owner, Developer, Fabricam Customer X, single-tenant app (Vault Consumer), App Settings, Database
1. Create vault
2. Authorize apps & users
3. Create CS Secret
4. Deploy Application
5. Retrieve Vault URI (from App Settings)
6. Negotiate Secret
7. Connect to DB
Vault Owner manages keys / monitors logs
Vault Owners vs Consumers
• Vault Owners
– Has full control over vault
– All keys & secrets in one place
– Ability to change permissions
– Ability to fully revoke consumer
– Ability to regenerate keys without breaking apps
– Audit logs for monitoring
• Vault Consumers
– Authenticate with Azure AD
– Not able to see encrypted keys
– Limited to granted permissions
Access Control
• Access control based on Azure AD
• Access assigned at the Vault-level
– Permissions to keys
– Permissions to secrets
• Authentication against Azure AD
– Application ID & Key
– Application ID & Certificate
• No isolation between clients, they see everything
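Steps 5 to 7 of the "(More) Secure LOB Scenario" and the Access Control slide describe the consumer side: the app's settings hold only the vault URI and the app's own Azure AD identity, the app authenticates to Azure AD with either an application ID & key or an application ID & certificate, and the connection string is fetched from the vault at runtime. The block below is an added example of that flow and is not the talk's demo code. It assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Microsoft.Data.SqlClient packages; the environment variable names, the secret name SqlConnectionString and the Customers table are assumptions.

```csharp
// Added example (not from the talk): consumer side of the secure LOB scenario.
// Assumes Azure.Identity, Azure.Security.KeyVault.Secrets, Microsoft.Data.SqlClient.
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class SecureLobApp
{
    // 5. App Settings carry the vault URI and the app's AAD identity, never the DB credentials.
    //    Setting names are assumptions for this example.
    static string Setting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing app setting {name}");

    // Authenticate against Azure AD: application ID & certificate if one is configured,
    // otherwise application ID & key (the two options on the Access Control slide).
    static TokenCredential AppCredential()
    {
        string tenant = Setting("AAD_TENANT_ID");
        string appId  = Setting("AAD_APP_ID");
        string certPath = Environment.GetEnvironmentVariable("AAD_APP_CERT_PATH");
        return certPath is not null
            ? new ClientCertificateCredential(tenant, appId, certPath)
            : new ClientSecretCredential(tenant, appId, Setting("AAD_APP_KEY"));
    }

    // 6. Negotiate the secret. Key Vault enforces the vault-level secret permissions the
    //    owner granted in step 2; a consumer without "get" receives HTTP 403.
    public static string ReadConnectionString(string secretName = "SqlConnectionString")
    {
        var client = new SecretClient(new Uri(Setting("KEYVAULT_URI")), AppCredential());
        try
        {
            KeyVaultSecret secret = client.GetSecret(secretName);   // latest version
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Do not echo the secret name into user-facing errors; log the status only.
            throw new UnauthorizedAccessException("Vault denied access to the requested secret", ex);
        }
    }

    // 7. Connect to the database with the secret the vault returned.
    public static int CountCustomers()
    {
        using var conn = new SqlConnection(ReadConnectionString());
        conn.Open();
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM Customers", conn);
        return (int)cmd.ExecuteScalar();
    }

    public static void Main() => Console.WriteLine($"customers: {CountCustomers()}");
}
```

Because the app asks for the latest version of the secret rather than baking a value into its settings, the vault owner can rotate the connection string (create a new secret version, update the database password) without redeploying, which is the "regenerate keys without breaking apps" point from the previous slide. The connection string should be held in memory only; writing it to logs or configuration files would recreate the clear-text flaw from the demo summary.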
Sharing credentials with control (diagram)
Codito Subscription: Azure Active Directory, Web App, Azure SQL database, Storage (Azure), Azure Key Vault
SaaS Subscription: Azure Key Vault
(Numbered flow 1 to 7 between these components; the step labels are not captured in the transcript.)
Summary
• Security flaws
– Vault credentials stored as plain text
– Unsecured API
• On the other hand...
– Message encryption supported based on customer vault
– External vault authentication stored in internal vault
– Customers' data is securely stored in their vault
– Encrypted database
But there is more!
• Azure Storage Client-Side encryption
• VM Encryption (CloudLink)
• SQL Server Encryption
• Bitlocker Encryption
SQL Server Encryption
• SQL Server Extensible Key Management provider available (Preview)
– Transparent Data Encryption (TDE)
– Column Level Encryption (CLE)
– Backup Encryption
• Requires SQL Server Enterprise
• Available on-prem & in Azure
Vault Isolation
• Vault dedicated to one region
– Vault, Keys & Secrets stay within same region
• Stored in physical HSMs
• Reason - laws & compliance
– Each vault has its own URL
– Manual synchronisation if required
Pricing Overview (*)
• Vault owner pays for everything

                                   Standard                      Premium
Secrets & Software-protected keys  $0.0112 / 10,000 operations   $0.0112 / 10,000 operations
HSM Protected keys                 N/A                           $0.0112 / 10,000 operations
                                                                 + $0.3724 per key per month
                                                                   (for every version of the key)

* = 50% discount during public preview