Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault

465 views

Published on

It is not a secret that it is hard to manage sensitive information. Azure Key Vault allows you to securely store this kind of information ranging from secrets & certificates to cryptographic keys.

Great! But how do you use it? How do I authenticate with it and how do I build robust applications with it?

Come join me and I'll walk you through the challenges and give you some recommendations.

Published in: Technology
  • Be the first to comment

Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault

  1. 1. Building secure cloud applications with Azure Key Vault Tom Kerkhove Azure Architect at Codit, MSFT Azure MVP
  2. 2. Thank you to our sponsors! Gold Sponsors Silver Sponsors Community Sponsors
  3. 3. Hi! Tom Kerkhove • Azure Architect at Codit • Microsoft Azure MVP & Advisor • Belgian Azure User Group (AZUG) blog.tomkerkhove.be @TomKerkhove tomkerkhove
  4. 4. Web Worker Appsettings.json
  5. 5. Great! Let’s ship it?! × No centralized secret management × No secure storage for sensitive information × No way to revoke access for a specific user/application × No way to updating secrets when they have expired/been rolled × No control over whom has access
  6. 6. Introducing Azure Key Vault • Provides secure storage for sensitive information, including storing cryptographic keys in hardware security modules (HSM) • Automatically failing over to secondary region in read-only mode • Allows you to : • Store sensitive information as secret • Use keys for cryptographical purposes • Manage certificates
  7. 7. Keys & Secrets • Secret • Used to store sequences of bytes • Consumers can read & write secret values to it • Encrypted before stored in vault • Limited to 10 kB • Typically used for connection strings, authentication keys, etc. • Key • Stores a RSA 2048, 3072 & 4096 key • Can be used to perform crypto operations such as encryption & signing • Cannot be read back • Higher latency
  8. 8. Different types of keys • Software Keys • Operations performed on VM in Azure • Typically used for Dev/Test • Cheap • HSM Keys • Stored encrypted in HSM • Operations performed on HSM directly • Requires Premium Vault • More secure
  9. 9. Personas
  10. 10. Last March this happend....
  11. 11. https://blog.nuget.org/20180322/Incident-Report-NuGet-org-downtime-March-22.html
  12. 12. Use Certificates
  13. 13. Certificate lifecycle management
  14. 14. Authenticating to Azure Key Vault • Authentication is fully handled by Azure Active Directory • Only works for the default Azure AD directory • Use basic or certificate authentication • However, you still need to store authentication information in your configuration private async Task<string> AuthenticationCallback(string authority, string resource, string scope) { var adApplicationId = configuration.Get<string>("KeyVault.Auth.ApplicationId"); var adApplicationSecret = configuration.Get<string>("KeyVault.Auth.AppSecret"); var authContext = new AuthenticationContext(authority); var clientCredential = new ClientCredential(adApplicationId, adApplicationSecret); var token = await authContext.AcquireTokenAsync(resource, clientCredential); return token.AccessToken; }
  15. 15. Authenticating to Azure Key Vault
  16. 16. Web Worker Appsettings.json Vault Owner Receive Token Authenticate
  17. 17. Code
  18. 18. Great! Let’s ship it?! ✓ Control over whom has access ✓ Centralized secret management ✓ Secure storage for sensitive information ✓ Capability to revoke access for a specific user/application ✓ Capability to update secrets when they have expired/been rolled × Keys to the kingdom are still stored as before
  19. 19. Enter Azure AD Managed Service Identity (MSI) • Delegate authentication to the Azure resource that runs your app • Azure Resource Manager will create & assign an Azure AD Application to your resource • Currently only supports system-defined AD Application names • Not all Azure services support this, yet • No authentication information nor authentication logic required • Super easy and more secure
  20. 20. Web Worker Receive Token Authenticate MSI
  21. 21. Great! Let’s ship it?! ✓ Control over whom has access ✓ Centralized secret management ✓ Secure storage for sensitive information ✓ Capability to revoke access for a specific user/application ✓ Capability to update secrets when they have expired/been rolled ✓ Authentication delegated to Azure ❕ Not all Azure services already support MSI
  22. 22. Authorization
  23. 23. Authorization • Managing vault instance (“control-plane”) • Based on RBAC roles • Managing vault contents (“data-plane”) • Defined in “Advanced Access Policies” • Granular control over assigned permissions • Permissions defined on a vault-level • Assigned to AD user, group or application • Ie. only set secrets without being able to see them
  24. 24. Demo Time!
  25. 25. Authorization • Be careful about whom can manage your vault instance • Take into account that people can add themselves to permissions to the vault contents • Use least-priviledge principle • If they don’t need it, don’t give it to them
  26. 26. Web Worker MSI Admin Console DB MSI
  27. 27. Great! Let’s ship it?! ✓ Secrets securely stored × Everybody can access each others secrets × Single point of failure • Think about your security boundaries • Vault level permissions – Be careful whom can do what • Use multiple Key Vault instances if they have different security boundaries • Use resource locks on your vault instance • Prevent people from accidentally deleting all your secrets
  28. 28. Web Worker MSI Admin Console DB MSI Customer PortalAdmin Console
  29. 29. Web Worker MSI Admin Console DB MSI Customer PortalAdmin Console
  30. 30. Web Worker WorkerWorkerWorker Worker Worker WorkerWorkerWorker Worker Web WebWebWeb Web Web WebWebWeb
  31. 31. Great! Let’s ship it?! ✓ Secrets securely stored ✓ Seperation of domains × Not scalable • Cache secrets • Avoids hitting Azure Key Vault when scaling out • Avoids unrequired network calls • Use in-memory cache only and make it short-lived • Your application should be aware of this
  32. 32. Web Worker WorkerWorkerWorker Worker Worker WorkerWorkerWorker Worker Web WebWebWeb Web Web WebWebWeb Cache Cache CacheCacheCache Cache Cache CacheCacheCache
  33. 33. Web Worker Appsettings.json “Using API Key ‘XYZ’” Cache
  34. 34. Great! Let’s ship it?! × You cannot trust your vault consumers × People leave the company, but what do they take with them? × Leaked credentials are not being revoked • Automatically generate new authentication keys • Limits risk of leaked credentials usage • (Azure) Automation is your best friend • Your application should be aware of this ❕ You cannot do this with all secrets ❕ Be careful – Other applications might be using the same credentials
  35. 35. WebCache Key: foo Secret: ServiceBus Name: ServiceBus Secret: foo Step 1: Generate new secondary key Step 2: Update secret to use secondary key Step 3: Generate new primary key Step 4: Update secret to use primary key Generate keys
  36. 36. Name: ServiceBus Secret: bar WebCache Key: foo Secret: ServiceBus Name: ServiceBus Secret: foo Step 1: Generate new secondary key Step 2: Update secret to use secondary key Step 3: Generate new primary key Step 4: Update secret to use primary key Generate keys Get uncached secret Key: bar
  37. 37. Key Rotation in Action
  38. 38. Key Vault enables new scenarios
  39. 39. Key Vault enables new scenarios • Sync on-premises HSMs to Azure Key Vault • Enables Bring-Your-Own-Key • Azure SQL Database / SQL Server • Azure Data Lake Store • Azure Storage • Automatically rotatation Azure Storage keys
  40. 40. Encryption with SQL - BYOK
  41. 41. Encryption with SQL - BYOK
  42. 42. Auditing & Operations
  43. 43. Auditing & Operations • Full audit trail containing every action • “Azure Key Vault Analytics” solution in Log Analytics (http://bit.ly/key-vault-log-analytics)
  44. 44. Tips
  45. 45. Tips • Be transparent • Secrets & keys are versioned, make sure that consumers are aware of these • This is important for cryptographical scenarios where decryption needs to use the correct version of the key • Key Vault is not a configuration store • You need to build your own configuration store • Dependencies fail • Make sure you handle downtime of your dependency, if possible at all • Key Vault integration in VSTS
  46. 46. Managing secrets in VSTS Variable Groups* Build / Release Environment Built-in Task* Inline** * Integration with Azure Key Vault
  47. 47. Using Key Vault in variable groups
  48. 48. Getting secrets inside your build/release
  49. 49. Making security in Azure simpler
  50. 50. Secrets made easy with • OSS library that makes it easier to build secure apps on Azure. • Provides a (cached*) Key Vault secret provider out-of-the-box, more to come. • GitHub – https://github.com/arcus-azure/arcus.security • Docs - security.arcus-azure.net * Memory cache only for now, as this is most secure
  51. 51. Secrets made easy with Arcus • Get started quickly: • PM> Install-Package Arcus.Security.Secrets.AzureKeyVault -Version 0.1.0-alpha • Example: var clientId = Configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId"); var clientKey = Configuration.GetValue<string>("Arcus:ServicePrincipal:AccessKey"); var keyVaultUri = Configuration.GetValue<string>("Arcus:KeyVault:Uri"); var vaultAuthenticator = new ServicePrincipalAuthenticator(clientId, clientKey); var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri); var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration); var secretValue = await keyVaultSecretProvider.Get(“EventGrid-AuthKey");
  52. 52. Wrap-Up
  53. 53. Takeaways • Security should not be an after thought • It is about limiting the risk of exposure, not removing it • Go Key Vault all the way, including build & release • Do not use one central Key Vault, use one per security domain • Delegate authentication to Azure with Azure AD MSI • Automatically roll your secrets and keep your vault up to date • Use Arcus.Security to get easily started! (open for feedback) • More information on security.arcus-azure.net
  54. 54. 54
  55. 55. Track 1 • 11:55 – 12:40 • Architecting Autonomous Driving Solutions on Azure • Kristof Rennen Track 2 • 11:55 – 12:40 • From One Release Per Quarter To 30 Times A Day • Marcel de Vries

×