Security has become more and more important as we move to the cloud and countries & companies are being hacked – remember the Sony hack? But how do we securely store sensitive data such as connection strings to our databases? Where do we store our encryption keys? Can I share them with my customers? How do I prevent abuse of my secrets and block them from doing so?
That’s what this session is all about – I will introduce you to the concepts of Microsoft Azure Key Vault where you can use this as it allows you to securely store keys, credentials and other secrets in the cloud. We will also have a look at how it enables us to store encryption keys for SQL Server TDE and how it can help you safeguard your cloud solutions even more.
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
1. Securing sensitive data with
Azure Key Vault
Tom Kerkhove
Tweet and win an Ignite 2016 ticket #itproceed
2. Who am I?
Tom Kerkhove
• Integration Professional at Codit
• IoT Competency Lead at Codit
• Kinect for Windows MVP
• Microsoft Azure Advisor
3. How can Codit help?
Integration services
• Advice
• Projects
• Implementation
• SOA Governance
• Managed Services
• Integration as a Service
• Integration Cloud
• API Management
• Internet of Things
4.
5. Demo Scenario
• Customer applies to the SaaS
– Gives Twilio & Azure Storage credentials
• Application uses API to send text messages
7. Demo Summary
• Security flaws
– Storing sensitive data as clear text in DB
– Google authentication as clear text
– Unencrypted connection string
– Unsecured API
– Probably more
• On the other hand...
– Transport security with SSL (Although default Azure cert)
– External login
11. What is Azure Key Vault?
• Storing sensitive data in hardware security modules
(HSM)
• Giving back control to the customer
– Full controll over key lifecycle with audit logs
– Management of all keys in one place
– Store encryption keys in HSMs
• Removes responsibility from developers
– Secure storage for passwords, encryption keys & certificates
– Protects sensitive data in production
13. Secrets
• Used to store sequences of bytes
• Consumers can read & store secrets
• Encrypted before stored in vault
• Limited to 10 kB
• Versioned
• Typically used for connection strings, certificates, etc.
14. Keys
• Stores a RSA 2048 key
• Created by Key Vault owner
• Can be used to decrypt/sign with
• Can’t be read back
• Higher latency
• For frequent usage of keys, store it as a Secret
15. Different Key Types
• Software Keys
– Stored encrypted in
HSM
– Operations performed
on VM in Azure
– Typically used for
Dev/Test
– Cheaper
• HSM Keys
– Stored encrypted in
HSM
– Operations performed
on HSM directly
– Requires Premium Vault
– More secure
16. Basic LOB Scenario
Database
3. Connect to DB
1. Deploy application
2. Read from settings
Fabricam Customer X
Single-tenant app
App Settings
Developer
18. Vault Owners vs Consumers
• Vault Owners
– Has full control over vault
– All keys & secrets in one
place
– Ability to change
permissions
– Ability to fully revoke
consumer
– Ability to regenerate keys
without breaking apps
– Audit logs for monitoring
• Vault Consumers
– Authenticate with Azure AD
– Not able to see encrypted
keys
– Limited to granted
permissions
19. Access Control
• Access control based on Azure AD
• Access assigned at the Vault-level
– Permissions to keys
– Permissions to secrets
• Authentication against Azure AD
– Application ID & Key
– Application ID & Certificate
• No isolation between clients, they see everything
23. Summary
• Security flaws
– Vault credentials stored as plain-text
– Unsecured API
• On the other hand...
– Message encryption supported based on customer vault
– External vault authentication stored in internal vault
– Customers data is securely stored in their vault
– Encrypted database
31. Vault Isolation
• Vault dedicated to one region
– Vault, Keys & Secrets stay within same region
• Stored in physical HSMs
• Reason - Laws & compliances
– Each vault has its own URL
– Manual synchronisation if required
33. Pricing Overview(*)
• Vault owner pays for everything
Standard Premium
Secrets & Software-protected keys
$0.0112 / 10,000
operations
$0.0112 / 10,000
operations
HSM Protected keys N/A
$0.0112 / 10,000
operations
$0.3724 per key per
month
(For every version of the key)
* = 50% discount during public preview