What you need to know about Microsoft Azure Key Vault
It’s a cornerstone of modern data center security
Derek Martin | April 6, 2015
You might have heard the adage that there are only two kinds of companies on earth: those that have been hacked and those that don’t know it yet. It’s mostly true. The bad guys are already in your network, and expending resources to prevent them from being in your network is a waste of those resources. It is better for organizations to expend resources securing the data where it sits, wherever that may be.
Given that, it’s a good idea to encrypt ... well, everything. This includes anything that touches the public cloud, whether it’s a virtual machine, database, set of files or services, or even application keys. Microsoft stands apart from all other cloud vendors in this regard. It insists that whatever data you put into its services remains your data.
There are numerous instances of Microsoft going to bat legally, politically, and technically to safeguard your data. And it doesn’t disguise this fact: “it’s your data—encrypt it with our service.” It doesn’t want or need the private key. If compelled to release your data, or a data leak occurs, only your organization will be able to decrypt it. In order to provide that level of trust, Microsoft has introduced the public preview of a service that already runs under the covers within Office 365 and has been available as a standalone third-party solution for some time: Microsoft Azure Key Vault service.
According to Microsoft’s announcement on January 8, 2015, Azure Key Vault is “a cloud-hosted HSM-backed service for managing cryptographic keys and other secrets used in your cloud applications. You will be able to use it for all your important workloads both on premises and cloud hosted.” This is the same technology that lives just below the surface of Azure Rights Management services and various components of Office 365. Azure Key Vault provides a foundational mechanism for organizations to enable cloud and mobile access to information and resources while keeping the private key to that encrypted data secure from both prying eyes and the vendor hosting the content. And because it underpins many modern data center technologies, it can be considered a unifying and enabling technology that allows organizations to reduce their spend on competing, niche solutions and move toward a holistic, enterprise-grade key management solution.
When considering moving workloads into the public cloud, there are a few important things to keep in mind:
- Start by analyzing your application and business requirements, and determine where the real needs are. This approach enables your business to make informed, non-technical decisions about its security posture before implementation.
- Once that is complete and there’s a determined need to encrypt whole VMs in the public cloud, deploy CloudLink, which integrates with Azure and Azure Key Vault.
- Next, protect the secrets of the applications that run on those VMs. A .NET-based line-of-business application, for example, typically carries service account user names, passwords, and connection strings; Azure Key Vault protects those as well.
- Finally, if the database that backs your application sits in a SQL server on another VM or in SQL Azure, encrypt the database with Azure Key Vault.
The above steps offer very different protection levels (VM, application, and database), all using a single, unified, and open service. Organizations typically stop there, but there are still some important missing pieces: how to manage those private keys effectively and securely, and the patterns for writing applications so that they use the key service without ever handling the private key or other secrets directly. Without proper training and governance of the Key Vault service, at best all you have gained is some obfuscation, and at worst you have made things worse by concentrating all your secrets in one spot.
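The following PowerShell session is an added example, not code from the article or from Microsoft, showing the application-secrets and database-key steps above together with the least-privilege pattern this paragraph asks for: the vault is provisioned by an administrator, the application's identity is granted only the right to read secrets, and the HSM-backed key used for database encryption is never readable by anyone. It uses the current Az PowerShell module (the article's 2015-era cmdlets were in the AzureRM module and are spelled differently); the resource group, vault name, application ID and connection string are placeholders.

```powershell
# Added example: provision a Key Vault, store an application's connection
# string as a secret, create an HSM-backed key, and scope the application's
# access to the minimum it needs. All names and IDs below are placeholders.
# Requires the Az module (Az.Accounts, Az.Resources, Az.KeyVault).

Connect-AzAccount   # interactive sign-in as the vault administrator

$rg       = 'rg-lob-app'                              # placeholder resource group
$location = 'eastus'
$vault    = 'kv-lob-app-example'                      # placeholder; vault names are globally unique
$appId    = '00000000-0000-0000-0000-000000000000'    # placeholder: the app's service principal appId

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Premium SKU is required for HSM-backed keys. Purge protection means a
# deleted key or secret can be recovered and cannot be destroyed outright,
# which limits the damage a compromised admin account can do.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnablePurgeProtection | Out-Null

# Store the connection string as a secret. The application fetches it by
# name at run time instead of shipping it in web.config or source control.
$connStr = ConvertTo-SecureString -AsPlainText -Force `
    'Server=tcp:placeholder.database.windows.net;Database=lob;User ID=svc;Password=<placeholder>'
Set-AzKeyVaultSecret -VaultName $vault -Name 'LobDbConnectionString' `
    -SecretValue $connStr | Out-Null

# Create an HSM-backed key for database encryption. The private material is
# generated inside the HSM and never leaves it; callers only use it by reference.
Add-AzKeyVaultKey -VaultName $vault -Name 'LobDbTdeKey' -Destination HSM | Out-Null

# Least privilege: the application can read secrets it knows the name of,
# but cannot list them, cannot use or export keys, and cannot change access
# policies. Vault administration stays with a separate identity.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $appId `
    -PermissionsToSecrets get

# Verify: every policy on the vault, with exactly which operations it allows.
# The application's entry should show 'get' under secrets and nothing under keys.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Format-Table ObjectId, PermissionsToSecrets, PermissionsToKeys

# What the application does at startup when running as $appId: read the
# secret by reference. The plaintext lives only in process memory, never on disk.
$plain = Get-AzKeyVaultSecret -VaultName $vault -Name 'LobDbConnectionString' -AsPlainText
if (-not $plain) { throw 'Connection string not found in Key Vault' }
```

Two design choices matter here. The application identity gets `get` on secrets only: `list` is withheld so a compromised application cannot enumerate every other secret in the vault, which is exactly the "all your secrets in one spot" risk the paragraph warns about. And no identity is ever granted the right to read the HSM key's private material, because Key Vault does not expose it; database encryption uses the key through wrap and unwrap operations performed by the service holding the key, so a stolen VM image or backup cannot be decrypted without access to the vault.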
With Microsoft’s Azure Key Vault it’s possible to not only keep the bad guys out, but to move an application to the public cloud and increase your security posture while reducing costs. That’s a powerful story.
Derek Martin is an accomplished Microsoft systems development integrator. Derek has 14 years of experience in developing and deploying public and private clouds, Office 365, Exchange, Lync, SharePoint, and other Microsoft solutions as well as integrating line-of-business applications. He is Slalom's Modern Data Center Practice Area Lead and a Microsoft VTSP for Windows Azure; certified in SharePoint; and has strong skills across a variety of technology suites. He’s focused on applying technology to help achieve business goals and objectives through the utilization of existing infrastructure investments. Follow Derek on Twitter: @thebookofdoodle.