With increasing concerns about data security, Azure Key Vault, the cloud service offered by Microsoft for the management and protection of sensitive information, promises organizations to simplify the management of credentials and to centralize and protect encryption keys, secrets and certificates used in their applications and services. In this article, we will better see what it is, how it works, how it can help us protect our sensitive data and at what cost.
Nowadays, data security has become much more important due to stolen passwords and hacked sites, and with the increase in attacks, the solutions developed against them have increased. At this point, key management products are one of the methods developed as an alternative to the need to store sensitive data in applications.
These products create layers between the application and the sensitive data used within the application. Thanks to these levels, they provide solutions for data storage and offer secure and centralized management.
Microsoft Azure Key Vault is a cloud-based security service offered as part of the Microsoft Azure. It provides a secure, centralized storage solution for cryptographic keys and secrets, such as passwords, certificates, and keys used for encryption.
Azure Key Vault allows organizations to securely store and manage sensitive information, such as application secrets and cryptographic keys, in a way that is easily accessible to authorized users and applications. This allows organizations to improve their cybersecurity and reduce the risk of data breaches.
Neither the applications nor Microsoft have direct access to the keys. Instead, users grant permissions for their own and third-party applications to use keys as needed.
To understand how Azure Key Vault works, it is necessary to understand what a 'vault' is in the first instance.
This is nothing more than a secure container designed to manage and protect sensitive information such as secrets, keys, and certificates. It functions as a central unit that holds this critical data, offering advanced protection and facilitating their management.
The vault centralizes the management of secrets, keys, and certificates. Through a single interface, users can add, update and configure these elements, as well as manage access policies to determine who can view or modify the data.
All secrets in a vault are stored in encrypted form. Azure Key Vault encrypts secrets at rest with a hierarchy of encryption keys, with all the keys in that hierarchy protected by modules that comply with FIPS 140-2 standards.
The encryption is transparent and requires no action on the part of the user, and the service encrypts its secrets when it adds them and automatically decrypts them when it reads them.
Azure Key Vault accepts data, encrypts it, stores and manages secrets as sequences of octets (8-bit bytes) and returns a secret identifier (ID). The identifier can be used to retrieve the secret later.
Access control for secrets managed in the Key Vault is provided at the level of the Key Vault that contains those secrets. Users can create one or more vaults to hold secrets and are required to maintain appropriate segmentation and management for various scenarios.
Azure Key Vault has three main tasks that define the basis of its capabilities for securely managing cryptographic assets. These tasks are key management, secrets management, and certificate management. Each of them plays a role in ensuring the confidentiality, integrity, and availability of critical cryptographic data within the Azure cloud environment.
The term 'key' in Azure Key Vault refers specifically to cryptographic keys used for encryption, decryption, and digital signatures. These cryptographic keys are crucial for ensuring the security and integrity of data within Azure services and applications, and Azure Key Vault serves as a secure, centralized repository, giving organizations the ability to easily generate, store and control them.
The importance of key management lies in its ability to protect sensitive data through its careful administration. Whether they are symmetric keys or asymmetric keys consisting of pairs of public and private keys for more complex cryptographic operations, Azure Key Vault takes care of their storage and protects them from unauthorized access or potential security threats.
By centralizing key management, organizations can effectively simplify the process of managing their lifecycle, implement key rotation, monitor key usage, and verify key activities to ensure compliance with industry standards and regulations.
In addition, Azure Key Vault offers key versioning and auditing capabilities, providing a complete view of key usage and access history. Organizations can track key activities, monitor changes, and obtain information on key usage patterns, improving their ability to effectively detect and respond to potential security incidents.
'Secrets' are sensitive information that must be kept securely and accessible only to authorized users and applications. This information can be of different types, such as:
Azure Key Vault provides a secure, centralized repository for managing secrets, allowing organizations to store secrets in a secure and encrypted manner. Instead of inserting secrets directly into the application code or configuration files, users can retrieve them from Azure Key Vault during execution, reducing the risk of accidental exposure or unauthorized access to sensitive information.
The main advantages of this type of management are two:
Digital certificates play an essential role in ensuring the authenticity, integrity and confidentiality of data transmitted over the Internet. They are widely used to protect communication channels, enable encryption, and verify the identity of parties in various scenarios, such as web server certificates, client certificates, and code signing certificates.
In Azure Key Vault, organizations can securely store and manage X.509 certificates. These certificates can be generated directly within Key Vault or imported from external sources. Azure Key Vault supports both self-signed certificates and certificates signed by trusted certificate authorities, offering a flexible solution to meet different certification needs.
Organizations can easily create, renew and revoke certificates as needed, ensuring that they remain current and valid, and the centralized nature of Azure Key Vault allows organizations to access and manage certificates through APIs or client libraries, simplifying the integration of certificates into applications and services.
In addition, Key Vault's integration with Azure services, such as Azure App Service and Azure Functions, allows for seamless use of certificates in various Azure-based applications. For example, developers can associate SSL/TLS certificates stored in Azure Key Vault with their web applications hosted on Azure App Service, providing secure, encrypted communication between client and server.
Access control in Azure Key Vault takes place on two separate plans: the management plan and the data plan.
The management plan allows users to perform operations such as deleting Key Vault, updating access policies, and viewing properties. This plan is responsible for the overall management of the cloud resource, such as configuring and administering Key Vaults.
However, users who have access to this plan cannot access the actual data contained in the Key Vault itself. In other words, even though you can manage Key Vault settings and configurations, you don't have the ability to view or manipulate the secrets, keys, and certificates stored inside.
On the other hand, the data plane is the one in which operations take place on the data itself within the Key Vault. In this plan, you can add, delete, and modify Key Vault objects such as secrets, keys, and certificates.
However, you cannot perform operations related to managing access policies or Key Vault configurations in this plan. For example, you can delete a specific key, but you can't delete the Key Vault itself or change access policies.
We have created the Infrastructure & Security team, focused on the Azure cloud, to better respond to the needs of our customers who involve us in technical and strategic decisions. In addition to configuring and managing the tenant, we also take care of:
With Dev4Side, you have a reliable partner that supports you across the entire Microsoft application ecosystem.
Key Vault by Microsoft Azure offers two main models for access management: Access Policies and Role-Based Access Control (RBAC). Both models allow you to control who can access and manage keys, secrets and certificates within a Key Vault, but they use different approaches.
The traditional model, known as Access Policies, has been used for a long time by Azure Key Vault (and is still usable) but is now considered obsolete by most cybersecurity experts. With Access Policies, you can configure specific permissions for individual users, groups, or service identities. Each policy defines the operations that an entity can perform on keys, secrets, and certificates within the Key Vault.
For example, a policy might allow a user to read a secret but not modify it. This model is configurable directly in the Key Vault resource itself and offers very detailed control at the individual asset level. However, Access Policies are managed in isolation from other Azure authorization systems, which can result in more complex management in large scale scenarios.
The RBAC model, on the other hand, represents an evolution in access control and integrates with the Azure global authorization system. The model assigns access rights to resources based on the roles defined within an organization. In practice, users are associated with specific roles, and each role has a predetermined set of permissions that define the actions that users in that role can perform on different resources.
For example, in an Azure environment, an administrator can create roles such as' reader ',' author 'or' administrator 'and assign them to various users or groups. The 'reader' role may only have permissions to view resources, while the 'author' role may also include the ability to edit and create resources. This approach centralizes permission management, making it easier and more consistent to administer permissions on a large scale.
The RBAC model is now universally preferred by developers and administrators for managing access to Azure Key Vault over the traditional model for various reasons that reflect modern resource management needs and the complexity of business infrastructures.
First of all, it integrates perfectly with the Azure ecosystem and provides a centralized approach to managing permissions through the platform, simplifying administration at the subscription and resource group levels.
Developers and administrators can use the predefined Azure roles or create customized ones, making it easier to apply the same access policies uniformly across different resources and services offered by the Microsoft cloud platform, allowing for more consistent management of permissions, reducing the risk of errors and simplifying the daily operations of administrators.
In addition, RBAC offers better visibility and control thanks to its integration with the Azure management interface and subscription-level security policies. Changes to roles and assignments can be tracked and managed through Azure Activity and Azure Monitor logs.
Another benefit of RBAC is its ability to manage permissions at a more granular and modular level. In a complex context, where you have multiple resources and services, RBAC allows you to define and manage permissions on a large scale without having to individually configure permissions for each individual Key Vault. This is especially useful in development and production environments that require detailed and centralized management.
Not only do you need to protect yourself from attacks, and often the loss or accidental deletion of something can be just as disastrous for your digital infrastructures.
Luckily for us, Azure Key Vault has a very useful feature called soft-delete. This feature allows Key Vaults and Key Vault objects to remain recoverable for a period ranging from 7 to 90 days (if a period is not specified, the default value is set to 90 days). So if someone accidentally deletes something, it's still possible to recover it within this time frame.
Soft-delete is enabled by default on new Key Vaults, and if a Key Vault has soft-delete enabled, it can never be disabled. By design, Azure Key Vault makes it difficult for users to lose their keys.
In addition to soft-delete, there is also purge protection. This is another security feature that goes beyond soft-delete, preventing accidental permanent deletion. If you want to protect your Key Vault from deletion while it is in the soft-delete state, delete protection ensures that no one can delete it before the soft-delete period has expired. Once delete protection is enabled, just like soft-delete, it cannot be disabled.
In a nutshell: once you delete a Key Vault resource with the soft-delete option enabled, it enters the soft-delete state for a pre-established period. If delete protection is also enabled, it is not possible to force the deletion before the period has expired. It is a multi-level protection model that requires multiple steps to be taken to delete an asset, making the process as secure as possible.
Speaking instead of backup, Azure recommends backing up only those secrets that are critical to the business; due to the nature of Key Vaults, the objects stored in them are already guaranteed to be available: “Key Vault maintains availability in disaster scenarios and automatically forwards requests to a paired region without any user intervention.”
The vault itself cannot be backed up. This can be annoying, but you need to back up each object and then restore them one by one. To do this, you must download a blob containing the secret in encrypted form, which you can then upload back to your Azure Key Vault.
A powerful tool like Azure Key Vault can be extremely valuable for the security of your data, but on its own it can do little if you don't use it with intelligence and common sense.
Only by following the right usage practices can companies get the most efficiency and security from the service and in this section we will take a closer look at some of these practices, listed below:
Regarding the cost structure, the prices for using Azure Key Vault vary depending on the type of operation and the plan chosen.
The main cost of the service is dictated by the amount of operations and the amount of resources used. The operations include requests for access to secrets, encryption and decryption operations, and key management. Each type of operation has a specific cost, and these costs can accrue based on how often the service is used.
Azure Key Vault offers users two different levels of service that can affect costs: Standard and Premium.
The Standard plan includes costs associated with creating, reading, updating and deleting keys and secrets. In addition, there is a fee for storing each item, which is based on the number of keys and secrets kept. Backup and restore operations, if necessary, incur additional expenses.
The Premium plan, on the other hand, includes the same types of transaction fees as the Standard plan, but offers advanced features such as hardware key protection (HSM) and greater scalability. This plan also includes fees for storing keys and secrets, with additional costs associated with keys protected by HSM and advanced functionality such as certificate management and integration with other Azure resources.
Another component of the costs concerns the number of keys and certificates managed. If you use a lot of keys or certificates, this can increase your overall cost. For example, managing a large number of certificates or keys on a premium plan may involve additional expenses compared to a standard plan.
Specific rates may vary and are subject to change by Microsoft, so it's always a good idea to consult the official Azure page for the most up-to-date and detailed pricing information. You can find it hither and with the convenient tool provided you can calculate the cost of use based on the region and currency used for payments.
Data security has always been one of the most important aspects in the tech sector and in recent years, given recent technological developments and the advent of the cloud, its importance has become central.
According to statistical research conducted through a survey in which 300 CISOs participated, the configuration of security in the cloud environment and the threats related to identity and access management have remained the main concerns in the world of cybersecurity, representing 67% and 61% of the votes of CISO professionals, respectively.
Azure Key Vault aims, within the complex Azure ecosystem, to respond to these concerns, offering with its functionalities a service for the protection of sensitive data with a robust and centralized infrastructure, which gives administrators and cybersecurity experts the ability to protect the most critical information and to comprehensively control their access by users without compromising their user experience.
Azure Key Vault is a cloud service from Microsoft that allows organizations to centralize and protect sensitive information such as cryptographic keys, secrets, and certificates used in their applications and services. It provides secure and centralized management, improving cybersecurity and reducing the risk of data breaches.
Azure Key Vault uses' vaults' as secure containers to manage and protect sensitive information. These vaults allow users to add, update, and configure secrets, keys, and certificates through a single interface. All information is stored in encrypted form, providing enhanced protection.
Azure Key Vault offers three main features: key management, secret management, and certificate management. Key management allows you to create and control cryptographic keys for encrypting and decrypting data. Secrets management allows you to store and protect sensitive information such as passwords, connection strings and API keys. Certificate management supports the management and renewal of SSL/TLS certificates, with the ability to distribute them automatically.
Access to Azure Key Vault is controlled through access policies that define who can view or modify the data within the vault. Users can specify detailed permissions for applications and people, ensuring that only authorized entities can access sensitive information.
To ensure maximum security, it is important to implement strict access policies that clearly define who has access to secrets and keys. It is recommended that you use the soft-delete and purge protection functionality to protect your data from accidental or malicious deletion. In addition, regular backups ensure that sensitive information is protected in case of emergencies.
The costs of Azure Key Vault vary based on the use of the service, the number of operations performed and the amount of data stored. Microsoft offers different pricing plans to meet the needs of organizations. For specific details, we recommend that you consult the official documentation or the Dev4Side website.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).
