
Securing sensitive data with Azure Key Vault


As a developer you often have to use and store a lot of sensitive data, ranging from service credentials to connection strings or even encryption keys. But how do you store these securely? How do you know who has access to them, and how do you prevent people from copying and abusing them? On the other hand, SaaS customers have no idea how you store their sensitive data and how you use it. How can they monitor that? How can they revoke your access easily?

Watch the recording here - http://azug.be/2015-05-05---securing-sensitive-data-with-azure-key-vault

Published in: Software

Securing sensitive data with Azure Key Vault

  1. Securing sensitive data with Azure KeyVault – Azug, May 2015
  2. Nice to meet you: Tom Kerkhove – Kinect for Windows MVP, Microsoft Azure Advisor, Integration Professional. tom.kerkhove@codit.eu, +32 473 701 074, @TomKerkhove, be.linkedin.com/in/tomkerkhove
  3. How can Codit help? Integration services
     ➔ Advice
     ➔ Projects
     ➔ Implementation
     ➔ SOA Governance
     ➔ Managed Services
     ➔ Integration as a Service
     ➔ Codit Integration Cloud
  4. Spammer ‘Insecure’ (demo application)
  5. Scenario – Demo #1
     ➔ Customer applies to the SaaS
     ➔ Gives Twilio & Azure Storage credentials
     ➔ Application uses the API to send text messages
  6. Summary – Demo #1
     ➔ Security flaws
        ➔ Storing sensitive data as clear text in the DB
        ➔ Google authentication as clear text
        ➔ Unencrypted connection string
        ➔ Unsecured API
        ➔ Probably more
     ➔ On the other hand...
        ➔ Transport security with SSL (although with the default Azure certificate)
        ➔ External login
  7. (Image slide)
  8. (Image slide)
  9. (Image slide)
  10. (Image slide)
  11. Introducing Azure KeyVault
  12. What is Azure KeyVault
     ➔ Storing sensitive data in hardware security modules (HSMs)
     ➔ Giving control back to the customer
     ➔ Full control over the key lifecycle, with audit logs
     ➔ Management of all keys in one place
     ➔ Store encryption keys in HSMs
     ➔ Removes responsibility from developers
     ➔ Secure storage for passwords, encryption keys & certificates
     ➔ Protects sensitive data in production
  13. What is Azure KeyVault (same content as slide 12)
  14. Secrets & Keys
     ➔ Secret
        ➔ Used to store sequences of bytes
        ➔ Consumers can read & write secret values
        ➔ Encrypted before being stored in the vault
        ➔ Limited to 10 kB
        ➔ Versioned
        ➔ Typically used for connection strings, certificates, etc.
     ➔ Key
        ➔ Stores an RSA 2048 key
        ➔ Created by the KeyVault owner
        ➔ Can be used to decrypt/sign with
        ➔ Can’t be read back
        ➔ Higher latency
     When you use a key frequently, consider storing it as a Secret instead to improve performance, e.g. for SSL.
  15. Different key types
     ➔ HSM keys
        ➔ Stored encrypted in an HSM
        ➔ Operations performed on the HSM directly
        ➔ Requires a Premium vault
        ➔ More secure
     ➔ Software keys
        ➔ Stored encrypted in an HSM
        ➔ Operations performed on a VM in Azure
        ➔ Typically used for Dev/Test
        ➔ Cheaper
  16. Basic LOB scenario (diagram: Developer, single-tenant app for Fabricam / Customer X, App Settings, Database)
     1. Deploy application
     2. Read from settings
     3. Connect to DB
  17. (More) Secure LOB scenario (diagram: Vault Owner, Developer, Vault Consumer = single-tenant app for Fabricam / Customer X, App Settings, Database; the vault owner manages keys and monitors logs)
     1. Create vault
     2. Authorize apps & users
     3. Create connection-string secret
     4. Deploy application
     5. Retrieve vault URI
     6. Negotiate secret
  18. Vault owners vs consumers
     ➔ Vault owners
        ➔ Have full control over the vault
        ➔ All keys & secrets in one place
        ➔ Ability to change permissions
        ➔ Ability to fully revoke a consumer
        ➔ Ability to regenerate keys without breaking apps
        ➔ Audit logs for monitoring
     ➔ Vault consumers
        ➔ Authenticate with Azure AD
        ➔ Not able to see encrypted keys
        ➔ Limited to the granted permissions
  19. Access control
     ➔ Access control based on Azure AD
     ➔ Access assigned at the vault level
        ➔ Permissions to keys
        ➔ Permissions to secrets
     ➔ Authentication against Azure AD
        ➔ Application ID & key
        ➔ Application ID & certificate
     ➔ No isolation between clients: they see everything
  20. Access control (image slide)
  21. Spammer ‘More Secure’
  22. Sharing credentials with control – Demo #2 (diagram: Codito subscription with Azure Active Directory, Web App, Azure SQL database, Azure Storage and Azure Key Vault; SaaS subscription with its own Azure Key Vault; steps 1–7)
  23. Summary – Demo #2
     ➔ Security flaws
        ➔ Vault credentials stored as plain text
        ➔ Unsecured API
     ➔ On the other hand...
        ➔ Message encryption supported, based on the customer’s vault
        ➔ External vault authentication stored in the internal vault
        ➔ Customer data is securely stored in their vault
        ➔ Encrypted database
  24. SQL Transparent Data Encryption
  25. VM Encryption (CloudLink)
  26. Bring-Your-Own-Key (BYOK)
  27. Replication & Isolation
     ➔ Vault, keys & secrets stay within the same region
     ➔ Stored in physical HSMs
     ➔ Reason: laws & compliance
     ➔ Disaster recovery is hard
        ➔ Each deployment has its own URL
        ➔ Manual replication only
  28. Pricing overview
     ➔ Vault owner pays for everything

                                        Standard                       Premium
     Secrets & software-protected keys  $0.0112 / 10,000 operations    $0.0112 / 10,000 operations
     HSM-protected keys                 N/A                            $0.0112 / 10,000 operations
                                                                       + $0.3724 per key per month
                                                                         (for every version of the key)
  29. Public preview
     ➔ Currently only available in 6 regions
     ➔ Limited tooling – PowerShell, .NET & REST API
     ➔ No SLA
  30. What’s coming
     ➔ Available in all regions with a 99.9+ SLA
     ➔ Additional tooling
     ➔ Portal support
     ➔ Audit logs
  31. “The question is not if you will be hacked, the real question is when.”
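The following script is an added example, not part of the deck or of Codit's demo code. It walks through the "(More) Secure LOB scenario" of slides 17–19 and the key types of slides 14–15 from both sides: the vault owner creates the vault, stores the connection string as a secret, grants the application only `get` on secrets and hands the developer nothing but the vault URI; the deployed application then authenticates against Azure AD with its application ID & key and negotiates the secret over the REST API. It uses the Azure PowerShell cmdlets of the 2015 Key Vault preview (AzureResourceManager mode); the resource group, vault name, tenant ID, application ID, application key and the REST `api-version` value are placeholders or assumptions and must be replaced with your own.

```powershell
# Added example (not from the deck). Vault owner side: slides 17-19, key types from slide 15.
Switch-AzureMode -Name AzureResourceManager          # Key Vault preview cmdlets live in ARM mode

$resourceGroup = 'Fabricam-RG'                       # placeholder
$vaultName     = 'fabricam-vault'                    # placeholder -> https://fabricam-vault.vault.azure.net
$location      = 'West Europe'                       # placeholder, one of the preview regions
$appId         = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD application (client) ID

# 1. Create vault. Premium SKU is what HSM-protected keys require (slide 15).
New-AzureResourceGroup -Name $resourceGroup -Location $location
$vault = New-AzureKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
                           -Location $location -SKU 'Premium'

# 3. Create the connection-string secret (encrypted at rest, versioned, max 10 kB).
#    The password below is a placeholder; the real value never lands in source control or app settings.
$csValue = ConvertTo-SecureString 'Server=tcp:db.example;Database=app;User ID=app;Password=<placeholder>' `
                                  -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name 'SqlConnectionString' -SecretValue $csValue

# 2. Authorize the application: least privilege, 'get' on secrets only, no permissions on keys.
#    Access is assigned at the vault level, so every secret in this vault is readable by the app (slide 19).
Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get

# Key types (slide 15): software-protected for Dev/Test, HSM-protected for production.
Add-AzureKeyVaultKey -VaultName $vaultName -Name 'DevSigningKey'  -Destination 'Software'
Add-AzureKeyVaultKey -VaultName $vaultName -Name 'ProdSigningKey' -Destination 'HSM'

# 5. The only value the developer puts into the app's settings is the vault URI.
$vault.VaultUri                                      # e.g. https://fabricam-vault.vault.azure.net/

# Revocation (slide 18): removing the policy makes every further call from the app fail.
# Remove-AzureKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId

# --- Vault consumer side: what the deployed application does at start-up (step 6) ---------------
$tenantId = '<tenant-id>'                            # placeholder Azure AD tenant
$appKey   = '<application-key>'                      # placeholder: the key Azure AD issued for the app
$vaultUri = 'https://fabricam-vault.vault.azure.net' # read from app settings (step 5)

# Authenticate against Azure AD with application ID & key (client credentials grant).
$token = Invoke-RestMethod -Method Post -Uri "https://login.windows.net/$tenantId/oauth2/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $appId
    client_secret = $appKey
    resource      = 'https://vault.azure.net'        # the Key Vault resource identifier
}

# Negotiate the secret over the vault's REST API. The api-version value is an assumption;
# use the one documented for your vault. Without a matching access policy this returns 403.
$secret = Invoke-RestMethod -Method Get `
    -Headers @{ Authorization = "Bearer $($token.access_token)" } `
    -Uri "$vaultUri/secrets/SqlConnectionString?api-version=2015-06-01"

$connectionString = $secret.value                    # use it to open the DB connection; never log it
```

Two design choices worth noting. The application principal gets `-PermissionsToSecrets get` and nothing else, so a compromised app can read the connection string but cannot list, overwrite or delete secrets, and cannot touch keys at all. Because the deck points out that permissions apply at the vault level with no isolation between clients, a second consumer with the same policy would see the same secrets; keeping one vault per customer, as in the Demo #2 diagram, is how that is bounded.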
