Azure Key Vault Flashcards
Azure Key Vault helps solve which problems?
Azure Key Vault helps solve the following problems:
Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
Key Management - Azure Key Vault can be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management - Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
Azure Key Vault has 2 service tiers….
Azure Key Vault has two service tiers: Standard, which encrypts with a software key, and a Premium tier, which includes hardware security module(HSM)-protected keys.
Why use Azure Key Vault?
Centralize application secrets
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked. When using Key Vault, application developers no longer need to store security information in their application. Not having to store security information in applications eliminates the need to make this information part of the code. For example, an application may need to connect to a database. Instead of storing the connection string in the app’s code, you can store it securely in Key Vault.
Your applications can securely access the information they need by using URIs. These URIs allow the applications to retrieve specific versions of a secret. There is no need to write custom code to protect any of the secret information stored in Key Vault.
Securely store secrets and keys
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they are allowed to perform.
Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
Azure Key Vaults may be either software-protected or, with the Azure Key Vault Premium tier, hardware-protected by hardware security modules (HSMs). Software-protected keys, secrets, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. For situations where you require added assurance, you can import or generate keys in HSMs that never leave the HSM boundary. Azure Key Vault uses nCipher HSMs, which are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. You can use nCipher tools to move a key from your HSM to Azure Key Vault.
Finally, Azure Key Vault is designed so that Microsoft does not see or extract your data.
Monitor access and use
Once you have created a couple of Key Vaults, you will want to monitor how and when your keys and secrets are being accessed. You can monitor activity by enabling logging for your vaults. You can configure Azure Key Vault to:
+Archive to a storage account.
+Stream to an event hub.
+Send the logs to Azure Monitor logs.
You have control over your logs and you may secure them by restricting access and you may also delete logs that you no longer need.
Simplified administration of application secrets
When storing valuable data, you must take several steps. Security information must be secured, it must follow a life cycle, and it must be highly available. Azure Key Vault simplifies the process of meeting these requirements by:
+Removing the need for in-house knowledge of Hardware Security Modules.
+Scaling up on short notice to meet your organization’s usage spikes.
+Replicating the contents of your Key Vault within a region and to a secondary region. Data replication ensures high availability and takes away the need of any action from the administrator to trigger the failover.
+Providing standard Azure administration options via the portal, Azure CLI and PowerShell.
+Automating certain tasks on certificates that you purchase from Public CAs, such as enrollment and renewal.
In addition, Azure Key Vaults allow you to segregate application secrets. Applications may access only the vault that they are allowed to access, and they can be limited to only perform specific operations. You can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers.
Integrate with other Azure services
As a secure store in Azure, Key Vault has been used to simplify scenarios like:
+Azure Disk Encryption
+The always encrypted and Transparent Data Encryption functionality in SQL server and Azure SQL Database
+Azure App Service.
Key Vault itself can integrate with storage accounts, event hubs, and log analytics.
Key Vault itself can integrate with …
Key Vault itself can integrate with storage accounts, event hubs, and log analytics.
Name a few Best Practices for secrets management in Key Vault
Best practices for secrets management in Key Vault
Azure Key Vault allows you to securely store service or application credentials like passwords and access keys as secrets. All secrets in your key vault are encrypted with a software key. When you use Key Vault, you no longer need to store security information in your applications. Not having to store security information in applications eliminates the need to make this information part of the code.
Examples of secrets that should be stored in Key Vault:
- Client application secrets
- Connection strings
- Passwords
- Access keys (Redis Cache, Azure Event Hubs, Azure Cosmos DB)
- SSH keys
Any other sensitive information, like IP addresses, service names, and other configuration settings, should be stored in Azure App Configuration rather than in Key Vault.
Each individual key vault defines security boundaries for secrets. For a single key vault per application, per region, per environment, we recommend that you provide granular isolation of secrets for an application.
For more information about best practices for Key Vault, see Best practices to use Key Vault.
Configuration and storing
Store credential information required to access database or service in secret value. In the case of compound credentials like username/password, it can be stored as a connection string or JSON object. Other information required for management should be stored in tags, i.e., rotation configuration.
For more information about secrets, see About Azure Key Vault secrets.
Secrets rotation
Secrets are often stored in application memory as environment variables or configuration settings for entire application lifecycle, which makes them sensitive to unwanted exposure. Because secrets are sensitive to leakage or exposure, it’s important to rotate them often, at least every 60 days.
For more information about the secrets rotation process, see Automate the rotation of a secret for resources that have two sets of authentication credentials.
Access and network isolation
You can reduce the exposure of your vaults by specifying which IP addresses have access to them. Configure your firewall to only allow applications and related services to access secrets in the vault to reduce the ability of attackers to access secrets.
For more information about network security, see Configure Azure Key Vault networking settings.
Additionally, applications should follow least privileged access by only having access to read secrets. Access to secrets can be controlled either with access policies or with Azure role-based access control.
For more information about access control in Azure Key Vault, see:
- Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control
- Assign a Key Vault access policy
Service limits and caching
Key Vault was originally created with throttling limits specified in Azure Key Vault service limits. To maximize your throughput rates, here are two recommended best practices:
- Cache secrets in your application for at least eight hours.
- Implement exponential back-off retry logic to handle scenarios when service limits are exceeded.
For more information about throttling guidance, see Azure Key Vault throttling guidance.
Monitoring
To monitor access to your secrets and their lifecycle, turn on Key Vault logging. Use Azure Monitor to monitor all secrets activities in all your vaults in one place. Or use Azure Event Grid to monitor the lifecycle of secrets, because it has easy integration with Azure Logic Apps and Azure Functions.
For more information, see:
- Azure Key Vault as Event Grid source
- Azure Key Vault logging
- Monitoring and alerting for Azure Key Vault
Backup and purge protection
Turn on purge protection to guard against forced deletion of the secret. Take regular backups of your vault when you update, delete, or create secrets within a vault.
- To read about the Azure PowerShell backup command, see Backup secret.
- To read about the Azure CLI backup command, see Backup secret.