Introduction to Azure Key Vault
Sumedh Barde, Devendra Tiwari
BRK2706

Microsoft Cloud
Microsoft Confidential
Customers use Microsoft cloud in many ways:
SaaS: Office 365
PaaS: Azure SQL, Azure Storage, Azure HDInsight
IaaS: SQL Server, Apache
One common problem: “How do I manage my keys and secrets?” (Developers, IT Pros)
Key Management asks from our customers
“I need to keep encryption keys in HSMs (FIPS 140-2 Level 2+).”
“I need to control the lifecycle of my encryption keys.”
“I want to control keys for my cloud apps from a single place.”
“I need to keep encryption keys in country.”
“I need to keep encryption keys on-premises.”
“I need to keep encryption keys in dedicated HSMs.”
“I want my data encrypted at rest, and …”

Key Management options
The same asks, mapped to options for your apps and for SaaS apps:
Your on-premises HSMs
Azure Key Vault
Per country Azure

Secret management asks from our customers
“My app on Azure has passwords and cryptographic keys…”
“I need to (re)use AD users and groups to manage access to secrets.”
“I need a safe place to save these in Azure.”
“I do NOT want to be in the news for a silly mistake.”
Solution: Azure Key Vault
Today: Developer builds LOB application
Dev@Fabrikam builds the app, then deploys the app … AND its keys and secrets.
Your secrets WILL proliferate. To more places than you can imagine.

Phase 1: Developer builds LOB application (Dev@Fabrikam)
1. Create Key Vault
2. Authorize app, users
3. Create/import keys/secrets
4. Deploy app, configured with URI of key/secret
5. Use key/secret (App → Key Vault)

Phase 2: App moves into pilot (Dev@Fabrikam, CISO@Fabrikam)
Same steps 1–5; CISO@Fabrikam now appears alongside Dev@Fabrikam.

Phase 3: App moves into production (Dev@Fabrikam, CISO@Fabrikam)
Steps 1–5 as above, plus:
6. Manage keys/secrets (backed by HSMs)
7. Monitor logs
No change in app code!

Phase 4: Scale, deploy more apps in minutes
Steps 1–7 repeated per app: App 1, App 2, App 3, each with its own Key Vault.
Multi-tenant app offers customer-managed keys
Dev@Fabrikam’s multi-tenant app serves the tenants Contoso, Trey and Litware, each with its own Key Vault.
App can use tenants’ keys, but cannot see them.
Key owner gets log, can revoke access.

Users and apps authenticate to your key vaults using your organization’s Azure AD
Benefits for organizations:
Organizations can centrally revoke access to ALL key vaults in their organization.
If a user leaves, they instantly lose access to ALL key vaults in the organization.
Organizations can customize authentication via the options in Azure AD.
Your ORG is in control via Active Directory
Objects in play
Secret
What: Any sequence of bytes under 25KB. E.g. SQL connection string, PFX file, AES encryption key.
How used: Authorized users/apps write and read back the secret value.
Key
What: A cryptographic key. RSA 2048.
How used: A key cannot be read back. Caller must ask the service to decrypt / sign with the key.
Key Vault
Container for related keys and secrets that are managed together.
Unit of access control, unit of billing.
An Azure resource, like a storage account.
Azure subscription, Resource groups, Azure AD identities

Key Vault object model

Types of keys
HSM-protected key
Operations on this key are performed inside HSMs (Thales nShield, FIPS 140-2 Level 2).
Software-protected key
Operations on this key are performed in VMs on Azure (FIPS 140-2 Level 1 pending).
When stored, they are encrypted with a key chain that terminates in HSMs.

Ways to use the Key Vault service
To create and manage a key vault: Azure PowerShell; Azure Resource Manager and Key Vault REST API + client SDK.
To use a key vault: Multiple applications pre-integrated with Key Vault. If you are writing your own application, use Azure Key Vault REST API + client SDK.

Authorization
Offline: Key Vault owner sets ACL on key vault that specifies WHO can do WHICH operations.
Each entry is the pair {Azure AD identity, operations}.
Key operations: Create Key, Import Key, Delete Key, Encrypt, Decrypt, Wrap, Unwrap, Backup, Restore.
Secret operations: Get, Set, Delete, List.
At runtime: Key Vault service checks caller’s Azure AD token against permissions on the key vault, before performing operation.
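The Phase 1 to 3 steps (create vault, authorize app and users, create keys and secrets, deploy the app with URIs, manage and revoke) and the {Azure AD identity, operations} access policy described above, as one worked example added here. It is not code from the deck or from the Key Vault team. It assumes the current Az PowerShell module (whose cmdlet names differ from the 2015-era cmdlets the deck would have used); every resource group, vault, app and user name is a placeholder, and the connection string is a constructed sample. Repeating the block per app is Phase 4.

```powershell
# Added example, not from the deck. Assumes the Az PowerShell module.
# All names below are hypothetical placeholders.
$rg       = 'rg-fabrikam-lob'          # placeholder resource group
$vault    = 'kv-fabrikam-lob-demo'     # placeholder vault name (must be globally unique)
$location = 'eastus'

Connect-AzAccount

# 1. Create Key Vault. The Premium SKU is what permits HSM-protected keys.
New-AzResourceGroup -Name $rg -Location $location
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location -Sku Premium

# 2. Authorize app, users. Each access-policy entry is {Azure AD identity, operations}.
#    The app identity gets only runtime operations: it may ask the service to
#    sign/decrypt/unwrap, but holds no create, import, delete, backup or restore.
$app = New-AzADServicePrincipal -DisplayName 'app-fabrikam-lob'   # placeholder app identity
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Id `
    -PermissionsToKeys sign,decrypt,unwrapKey `
    -PermissionsToSecrets get

#    The key owner (the CISO in the deck's Phase 2/3) gets lifecycle operations
#    but no runtime use of the key. This is the segregation of duty the deck describes.
Set-AzKeyVaultAccessPolicy -VaultName $vault -UserPrincipalName 'ciso@fabrikam.example' `
    -PermissionsToKeys create,import,delete,backup,restore,list,get `
    -PermissionsToSecrets set,delete,list

# 3. Create/import keys/secrets.
#    A key: private material is generated inside the service and never returned;
#    even 'get' on a key yields only the public part and metadata.
$hsmKey = Add-AzKeyVaultKey -VaultName $vault -Name 'lob-data-key' -Destination HSM
$swKey  = Add-AzKeyVaultKey -VaultName $vault -Name 'lob-dev-key'  -Destination Software
#    A secret: any bytes under 25 KB, here a constructed SQL connection string.
$conn   = ConvertTo-SecureString 'Server=tcp:sql.example;Database=lob;User ID=app;Password=<placeholder>' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $vault -Name 'lob-sql-connection' -SecretValue $conn

# 4. Deploy app configured with the URI of the key/secret, never the value.
#    At runtime (step 5) the app presents its own Azure AD token and the service
#    checks it against the policy above before signing, decrypting or returning the secret.
$appSettings = @{
    KEY_ID    = $hsmKey.Id    # https://<vault>.vault.azure.net/keys/lob-data-key/<version>
    SECRET_ID = $secret.Id    # https://<vault>.vault.azure.net/secrets/lob-sql-connection/<version>
}
$appSettings | ConvertTo-Json

# 6. Manage: review who holds which operations on this vault. The app entry
#    should show no create/import/delete/backup/restore on keys.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets

# Revocation, as on the multi-tenant slide: the key owner removes the app's
# entry and the app can no longer use the key, with no change to app code.
Remove-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Id
```

The point to notice is the split of operations between the two policy entries: the app can use the key but cannot export or manage it, and the owner can manage it but does not need to use it. Step 7 (monitor logs) is not shown because the deck states usage logs were still a future release at the time.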
Demo
Create a key vault
Create an Azure AD identity to access the key vault

Demo
Disk encryption in Azure VM
SQL Server Transparent Data Encryption
Current status
Service was released in Public Preview in Jan 2015.
Services leveraging Key Vault:
Azure RMS as BYOK
SQL Server Transparent Data Encryption
CloudLink SecureVM
Azure Storage client SDK
Azure VM certificate management
Azure VM volume encryption (announced)
Office 365 Advanced Encryption (announced)
General Availability ‘real soon now’. Until then, no SLA but team is operating as though we have one (service is operating at 99.9+).
Usage logs coming in a future release.
Geo-availability and isolation
Available in: 6 regions in US; 2 regions in Europe; 4 regions in Asia; 1 region in South America. All Azure regions over time.
Isolation: Key Vaults, keys, secrets stay within region. Hardware ensures that cryptographic keys for a geo cannot be used in data centers in other geos.
Preview Pricing
Details: http://azure.microsoft.com/en-us/pricing/details/key-vault/
Pricing for Key Vault owners:
Secrets and software-protected keys: $0.015 / 10,000 operations
HSM-protected keys: $0.015 / 10,000 operations + $0.50 per key per month (every version counted separately)
Pricing for application owners: When an application uses a key vault, the owner of that key vault pays. E.g. if a multi-tenant SaaS application uses key vaults supplied by their customers, the latter pay for usage of the key vault. The SaaS vendor pays zero.
Resources
Docs: http://aka.ms/kvdocs
Blog: http://aka.ms/kvblog
Feedback: AzureKeyVault@microsoft.com
Community: https://social.msdn.microsoft.com/forums/azure/en-US/home?forum=AzureKeyVault

Related sessions
BRK3490 Enabling data protection in Microsoft Azure
In closing
Key Vault enables you to stay in control of your keys and secrets:
Anchored to your Active Directory
Protected by HSMs
Key Vault does this while retaining “cloud expectations”:
Quick to deploy and scale.
Pay only for what you use.
Scales with your cloud app.
Key Vault enables segregation of duty between managing keys and managing apps/data.
Key Vault makes it easy to move your application from development to pilot to production.