Azure Key Vault, as the name suggests, is a safehouse for the cryptographic keys and secrets used by your applications, servers and cloud applications and services.
Authentication keys, storage account keys, data encryption keys, PFX files and passwords can all be encrypted and stored in Azure Key Vault, protected by Hardware Security Modules (HSMs).
If you choose to import or generate keys in HSMs, Microsoft Azure processes these keys in HSMs whose hardware and firmware are FIPS 140-2 Level 2 validated.
Azure Key Vault streamlines key management while letting you keep control over the keys that access or encrypt your data. It also helps developers generate keys for development and test systems and then switch to production keys within seconds.
Security administrators have full control to grant or revoke permissions on these keys as required. The sections below describe how Azure Key Vault comes to the rescue for different roles:
As the developer of an Azure application, you want to build an application that uses keys for signing, authorization, authentication and encryption. If the key store is external to your own application, it can serve developers working in geographically distributed locations.
If that external key store can be protected without any intervention from the developer, this is what happens:
Keys are stored in a Key Vault and can be referenced by a URI whenever they are needed.
Keys are safeguarded by Azure using industry-standard algorithms and Hardware Security Modules (HSMs).
Keys are processed in HSMs in the Azure datacenters where the application is hosted, giving better reliability and reduced latency.
As the developer of SaaS-based services, you do not want to take on additional responsibility or liability for your customers' tenants' keys and secrets.
Customers should own and manage the keys they require and hold, so that everyone can focus on what matters most. This is what happens when Azure Key Vault is in the loop:
Customers can import their keys and secrets into Azure Key Vault and manage them from there on.
When any of the customers' SaaS applications needs to perform a cryptographic operation, Azure Key Vault performs it without the application ever seeing the customers' keys.
As a Chief Security Officer (CSO), you want to know whether your applications comply with the FIPS 140-2 Level 2 HSM specification for the most secure possible key management.
Even when there are multiple Azure services or resources, these key management activities should ideally happen from a single location on Azure. This is what happens if you rely on Azure Key Vault:
HSMs are FIPS 140-2 Level 2 compliant by default.
Azure Key Vault is designed so that not even Microsoft can see or extract your keys.
Your key usage is logged in near real time, providing the monitoring that security requires.
Azure Key Vault provides a single UI regardless of how many Key Vaults are used underneath and regardless of which applications use these keys.
Azure Key Vaults can be created by anyone who holds a valid Azure subscription. Implementation and management of the created Key Vaults can be handled by the Organization's administrators who manage the Organization's other Azure services.
An administrator who signs in with an Azure subscription and creates a Key Vault for an Organization to store keys then takes on the following responsibilities and operational tasks:
Create or import a key or secret
Revoke or delete a key or secret
Authorize users or applications to access the Azure Key Vault so they can manage their own keys or secrets
Sign, encrypt or configure key usage
Monitor key usage
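The administrator tasks above, carried out with Azure PowerShell as an added example that is not part of the original article. It assumes placeholder names (resource group, vault, application client ID, Log Analytics workspace) and the Az.KeyVault and Az.Monitor 3.x or later modules, with an active Connect-AzAccount session.

```powershell
# Added example (not from the article). Requires: Connect-AzAccount already run.
# Placeholder values to replace with your own:
$Rg          = 'rg-kv-demo'
$Vault       = 'kv-demo-CHANGEME'                          # vault names are globally unique
$Location    = 'westeurope'
$AppId       = '00000000-0000-0000-0000-000000000000'      # the application's client ID
$WorkspaceId = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>'

# 1. Create the vault. The Premium SKU is needed for HSM-backed keys; purge protection
#    stops a soft-deleted vault or key from being permanently removed during the retention window.
New-AzResourceGroup -Name $Rg -Location $Location | Out-Null
$kv = New-AzKeyVault -Name $Vault -ResourceGroupName $Rg -Location $Location -Sku Premium -EnablePurgeProtection

# 2. Create an HSM-protected signing key and import a secret.
#    The secret value is read interactively so it never lives in a script file or shell history.
Add-AzKeyVaultKey -VaultName $Vault -Name 'app-signing-key' -Destination HSM | Out-Null
$secretValue = Read-Host -Prompt 'Database password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $Vault -Name 'db-password' -SecretValue $secretValue | Out-Null

# 3. Authorize the application with least privilege: it can sign/verify with the key and read
#    the secret, but cannot list, create, import or delete anything. Management stays with the admin.
Set-AzKeyVaultAccessPolicy -VaultName $Vault -ServicePrincipalName $AppId `
    -PermissionsToKeys sign,verify -PermissionsToSecrets get

# 4. Monitor usage: send the vault's AuditEvent logs to Log Analytics, where each key or secret
#    operation (including denied ones) appears in near real time and can be forwarded to a SIEM.
$log = New-AzDiagnosticSettingLogSettingsObject -Category AuditEvent -Enabled $true
New-AzDiagnosticSetting -Name 'kv-audit' -ResourceId $kv.ResourceId -WorkspaceId $WorkspaceId -Log $log | Out-Null

# 5. Revoke: remove the application's access first, then delete the secret.
#    With soft delete the secret is recoverable via Undo-AzKeyVaultSecretRemoval until the retention window ends.
Remove-AzKeyVaultAccessPolicy -VaultName $Vault -ServicePrincipalName $AppId
Remove-AzKeyVaultSecret -VaultName $Vault -Name 'db-password' -Force
```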
What does Azure Key Vault offer?
Let us look at what Azure Key Vault offers its end customers, whether they are system administrators or application developers.
Using Azure Key Vault, you as a security administrator take the first step towards securing data in the cloud through the best available practices for secure key management.
You do this by encrypting keys and small secrets such as passwords with keys that are stored in hardware security modules (HSMs).
You can monitor and audit the necessary logging information by piping the logs into Azure HDInsight. This data can also be fed into your SIEM tools for the monitoring and analysis needed to spot possible security threats.
With Azure Key Vault you do not have to provision, configure, patch or maintain any HSMs or any other key management software.
You can add further vaults and secrets with very little effort and manage them centrally. You can also simplify and automate the tasks involved in maintaining SSL / TLS certificates.
Azure Key Vault also lets you enroll for renewals of your certificates from public Certificate Authorities.
Storing the keys in Azure Key Vault ensures that the keys, secrets and all the necessary authorization details are available in the cloud rather than on premises.
Azure Key Vault can quickly remove the need to deploy additional HSMs for your organization, as it meets your application's cryptographic needs on demand.
You can replicate a copy of your vault from the Azure datacenters onto your own HSMs for durability.
This article gives a brief introduction to the services provided by Microsoft Azure and discusses the pros and cons of Azure Key Vault at length. With Azure Key Vault, all your key management tasks and the associated monitoring can be done in one place. Please refer to the official Azure documentation for any further details not covered in this article.