As we are seeing, the world is rapidly migrating to Cloud Service Providers to get the advantages associated with cloud computing, such as cost savings, security, flexibility, mobility, and sustainability. For every organization, the biggest concern in this move is security, as it is a critical aspect of any cloud service model whose offerings involve sensitive data.
We also know that secure secret management is essential to protecting data in the cloud. We have already seen how to set up HashiCorp Vault; today let's discuss the Azure Key Vault service and how to use it.
What is Azure Key Vault?
Azure Key Vault streamlines the secret, key, and certificate management process and lets you keep strict control over the secrets and keys that access and encrypt your data. This speeds up overall project delivery: developers can create keys quickly for development and testing, and then seamlessly migrate to production keys.
In this section we will look at where it is used, the terms used in Key Vault, how it works, and some of the benefits of using Azure Key Vault.
This service focuses on the security of the following subjects:
- Secret Management: The Azure Key Vault service can be used to securely store and control access to secrets, such as authentication keys, storage account keys, passwords, tokens, API keys, .pfx files, and other secrets.
- Key Management: The Azure Key Vault service can be used to manage the encryption keys used for data encryption.
- Certificate Management: The Azure Key Vault service enables you to provision, manage, and deploy SSL/TLS certificates seamlessly for use with Azure integrated services.
Terms used in Azure Key Vault:
Secret: A Secret is a small data blob (up to 10 KB in size) that users/applications retrieve from the Key Vault, after being authorized, to authenticate to other systems. In a nutshell, Key Vault mitigates the risk that comes from storing secrets in a non-secure location.
Keys: Keys are also used by authorized users/applications, but to perform operations by invoking the cryptographic functions of the Key Vault. Unlike secrets, keys never leave the secure boundary of the Key Vault.
Key Vault Owner: An administrator who creates the Key Vault and authorizes the users/applications for various authentication specific operations.
Key Owner/Secret Owner/Vault Consumer: An administrator who owns the Key/Secret for a specific user/application and is responsible for creating that Key/Secret in the Key Vault.
Please note that the Key Vault Owner and Key/Secret Owner roles might be handled by the same administrator, but this is not necessary.
Service Principal: An identity created (for a user group or application) so that applications can access Azure resources.
Application Owner: An administrator who handles the application configuration, including its authentication against Azure Active Directory and the Key Vault URI it uses.
Application: An application that authenticates itself to the Key Vault in order to use Keys/Secrets.
Access Policy: Statements that grant a service principal permissions to perform various operations on keys/secrets in the Key Vault.
Steps to authenticate an application with the Key Vault:
- The application that needs access is registered with Azure Active Directory as a Service Principal.
- The Key Vault Owner/Administrator then creates a Key Vault and attaches the ACLs (Access Control Lists, i.e. access policies) to the vault so that the application can access it.
- The application initiates the connection and authenticates itself against Azure Active Directory to obtain a token.
- The application then presents this token to the Key Vault to get access.
- The vault validates the token and, on successful verification, grants the application the access defined by its policy.
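The following is an added example, not code from the original post, showing both sides of the flow above with the Az PowerShell module: the Key Vault owner registers the application as a service principal, creates the vault, attaches an access policy, and stores a secret; the application then authenticates to Azure Active Directory with its service principal credentials and presents the resulting token to Key Vault to read that secret. The resource group, region, vault name, application name and secret value are placeholders assumed for illustration.

```powershell
# Added example (not from the original post). Placeholder values are assumptions.

# ---- Key Vault Owner / Administrator side ----
$rg        = "rg-keyvault-demo"       # assumed resource group
$location  = "eastus"                 # assumed region
$vaultName = "kv-demo-placeholder"    # assumed; vault names must be globally unique
$appName   = "app-keyvault-reader"    # assumed application name

Connect-AzAccount                     # interactive sign-in as the vault owner
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Create the vault (access-policy permission model, as described in the post)
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location

# Step 1: register the application in Azure AD as a service principal.
# The generated client secret is returned once in PasswordCredentials.
$sp           = New-AzADServicePrincipal -DisplayName $appName
$clientId     = $sp.AppId
$clientSecret = $sp.PasswordCredentials.SecretText
$tenantId     = (Get-AzContext).Tenant.Id

# Step 2: attach the access policy. Grant only what the application needs
# (read/list secrets), not key or certificate permissions.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $clientId `
    -PermissionsToSecrets get,list

# Store the secret the application will consume (placeholder value)
$secretValue = ConvertTo-SecureString "placeholder-db-password" -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name "DbPassword" -SecretValue $secretValue | Out-Null

# ---- Application side ----
# Step 3: authenticate against Azure AD as the service principal; Connect-AzAccount
# obtains the token on the application's behalf.
$securePwd  = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($clientId, $securePwd)
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId | Out-Null

# Steps 4-5: the token is presented to Key Vault, which validates it and checks the
# access policy before returning the secret value.
$dbPassword = Get-AzKeyVaultSecret -VaultName $vaultName -Name "DbPassword" -AsPlainText

# The application can now use $dbPassword; it was never stored in config or source code.
```

Two practical notes: a newly created service principal can take a short while to propagate, so the application-side sign-in may need to be retried once; and if your version of Az.KeyVault creates vaults with the RBAC permission model instead of access policies, grant the service principal the built-in "Key Vault Secrets User" role on the vault (`New-AzRoleAssignment -ApplicationId $clientId -RoleDefinitionName "Key Vault Secrets User" -Scope $vault.ResourceId`) in place of `Set-AzKeyVaultAccessPolicy`.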
Benefits:
- Secrets Management – tokens, passwords, certificates, API keys, and other secrets can be stored, and access to them controlled, in a secure manner.
- Key Management – as a key management solution, Azure Key Vault simplifies the process of creating and managing encryption keys.
- Certificate Management – it serves as a service to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. These can be used with Azure and other internal connected resources.
- Hardware Security Modules – secrets and keys can be protected by software or by FIPS 140-2 Level 2 validated HSMs.
In the next section we will see how to create an Azure Key Vault and use it. Stay tuned.