As a developer you often have to use and store a lot of sensitive data, from service credentials to connection strings or even encryption keys. But how do you store these securely? How do you know who has access to them, and how do you prevent people from copying and abusing them? On the other hand, SaaS customers have no idea how you store their sensitive data or how you use it. How can they monitor that? How can they easily revoke your access?
Watch the recording here - http://azug.be/2015-05-05---securing-sensitive-data-with-azure-key-vault
2. Nice to meet you
Tom Kerkhove
- Kinect for Windows MVP
- Microsoft Azure Advisor
- Integration Professional
tom.kerkhove@codit.eu
+32 473 701 074
@TomKerkhove
be.linkedin.com/in/tomkerkhove
3. How Codit can help
Integration services
➔ Advice
➔ Projects
➔ Implementation
➔ SOA Governance
➔ Managed Services
➔ Integration as a Service
➔ Codit Integration Cloud
5. Scenario
Demo #1
➔ Customer applies to the SaaS
➔ Gives Twilio & Azure Storage credentials
➔ Application uses API to send text messages
6. Summary
➔ Security flaws
  ➔ Storing sensitive data as clear text in DB
  ➔ Google authentication as clear text
  ➔ Unencrypted connection string
  ➔ Unsecured API
  ➔ Probably more
➔ On the other hand...
  ➔ Transport security with SSL (although default Azure cert)
  ➔ External login
12. What is Azure KeyVault
➔ Storing sensitive data in hardware security modules (HSM)
➔ Giving back control to the customer
  ➔ Full control over key lifecycle with audit logs
  ➔ Management of all keys in one place
  ➔ Store encryption keys in HSMs
➔ Removes responsibility from developers
  ➔ Secure storage for passwords, encryption keys & certificates
  ➔ Protects sensitive data in production
Introducing Azure KeyVault
14. Secrets & Keys
➔ Secret
  ➔ Used to store sequences of bytes
  ➔ Consumers can read & write secret values to it
  ➔ Encrypted before being stored in the vault
  ➔ Limited to 10 kB
  ➔ Versioned
  ➔ Typically used for connection strings, certificates, etc.
➔ Key
  ➔ Stores an RSA 2048 key
  ➔ Created by the KeyVault owner
  ➔ Can be used to decrypt/sign with
  ➔ Can't be read back
  ➔ Higher latency
When you use a key frequently, consider storing it as a Secret instead to improve performance (e.g. an SSL certificate).
15. Different KeyTypes
➔ HSM Keys
  ➔ Stored encrypted in HSM
  ➔ Operations performed on HSM directly
  ➔ Requires Premium Vault
  ➔ More secure
➔ Software Keys
  ➔ Stored encrypted in HSM
  ➔ Operations performed on a VM in Azure
  ➔ Typically used for Dev/Test
  ➔ Cheaper
16. Basic LOB Scenario
Diagram: a Developer deploys a single-tenant app for Fabricam Customer X. 1. Deploy application; 2. Read from App Settings; 3. Connect to Database.
18. Vault Owners vs Consumers
➔ Vault Owners
  ➔ Have full control over the vault
  ➔ All keys & secrets in one place
  ➔ Ability to change permissions
  ➔ Ability to fully revoke a consumer
  ➔ Ability to regenerate keys without breaking apps
  ➔ Audit logs for monitoring
➔ Vault Consumers
  ➔ Authenticate with Azure AD
  ➔ Not able to see encrypted keys
  ➔ Limited to granted permissions
19. Access Control
➔ Access control based on Azure AD
➔ Access assigned at the Vault level
  ➔ Permissions to keys
  ➔ Permissions to secrets
➔ Authentication against Azure AD
  ➔ Application ID & Key
  ➔ Application ID & Certificate
➔ No isolation between clients: they see everything
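The owner-side workflow behind the Secrets & Keys, Key Types, Vault Owners vs Consumers and Access Control slides, as an added example (not from the deck) using the Azure PowerShell Key Vault cmdlets of the 2015 preview; vault, resource group, region, key/secret names and the consumer's Azure AD application ID are placeholders.

```powershell
# Added example, not from the original deck. 2015 preview cmdlets (AzureResourceManager mode).
Switch-AzureMode -Name AzureResourceManager

$vaultName = 'customer-x-vault'   # placeholder vault name
$rgName    = 'customer-x-rg'      # placeholder resource group

# 1. The customer (vault owner) creates a Premium vault so HSM-protected keys are available.
New-AzureKeyVault -VaultName $vaultName -ResourceGroupName $rgName `
    -Location 'West Europe' -Sku Premium

# 2. Keys: an HSM-protected key for production, a software key for Dev/Test.
Add-AzureKeyVaultKey -VaultName $vaultName -Name 'message-key'     -Destination HSM
Add-AzureKeyVaultKey -VaultName $vaultName -Name 'message-key-dev' -Destination Software

# 3. A secret holds the connection string (placeholder value). Secrets are versioned and
#    can be read back by a consumer that was granted 'get'.
$connStr = ConvertTo-SecureString 'Server=<placeholder>;Password=<placeholder>' -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name 'sql-connection-string' -SecretValue $connStr

# 4. Grant the SaaS application (an Azure AD service principal) only what it needs:
#    use the key for decrypt/sign, read secrets. Note that the policy is vault-wide, so the
#    app can use every key and read every secret in this vault (no per-item isolation).
$saasAppId = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD application ID
Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $saasAppId `
    -PermissionsToKeys decrypt,sign -PermissionsToSecrets get

# 5. Key material never leaves the vault: reading the key returns the public part and
#    metadata only; the private half is usable solely through decrypt/sign operations.
Get-AzureKeyVaultKey -VaultName $vaultName -Name 'message-key'

# 6. Rotation without breaking consumers: adding a key under an existing name creates a new
#    version; consumers addressing the key by name pick up the latest version.
Add-AzureKeyVaultKey -VaultName $vaultName -Name 'message-key' -Destination HSM

# 7. Full revocation: dropping the policy cuts the SaaS app off from every key and secret.
Remove-AzureKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $saasAppId
```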
22. Sharing credentials with control
Demo #2
Diagram: components across the Codito Subscription and the SaaS Subscription (Azure Active Directory, Web App, Azure SQL database, Azure Storage, and an Azure Key Vault in each subscription), connected by numbered steps 1-7.
23. Summary
➔ Security flaws
  ➔ Vault credentials stored as plain text
  ➔ Unsecured API
➔ On the other hand...
  ➔ Message encryption supported based on customer vault
  ➔ External vault authentication stored in internal vault
  ➔ Customers' data is securely stored in their vault
  ➔ Encrypted database
27. Replication & Isolation
➔ Vault, Keys & Secrets stay within the same region
  ➔ Stored in physical HSMs
  ➔ Reason: laws & compliance
➔ Disaster Recovery is hard
  ➔ Each deployment has its own URL
  ➔ Manual replication only
28. Pricing Overview
➔ Vault owner pays for everything

                                   Standard                       Premium
Secrets & Software-protected keys  $0.0112 / 10,000 operations    $0.0112 / 10,000 operations
HSM Protected keys                 N/A                            $0.0112 / 10,000 operations
                                                                  + $0.3724 per key per month
                                                                    (for every version of the key)
29. Public Preview
➔ Currently only available in 6 regions
➔ Limited tooling – PowerShell, .NET & REST API
➔ No SLA
30. What’s coming
➔ Available in all regions with 99.9+ SLA
➔ Additional tooling
➔ Portal Support
➔ Audit logs