Securing sensitive data with Azure KeyVault
Azug – May 2015
Nice to meet you
Tom Kerkhove
- Kinect for Windows MVP
- Microsoft Azure Advisor
- Integration Professional
tom.kerkhove@codit.eu
+32 473 701 074
@TomKerkhove
be.linkedin.com/in/tomkerkhove
How Codit can help?
Integration services
➔ Advice
➔ Projects
➔ Implementation
➔ SOA Governance
➔ Managed Services
➔ Integration as a Service
➔ Codit Integration Cloud
Spammer ‘Insecure’
Scenario
Demo #1
➔ Customer applies to the SaaS
➔ Gives Twilio & Azure Storage credentials
➔ Application uses API to send text messages
Summary
➔ Security flaws
  ➔ Storing sensitive data as clear text in DB
  ➔ Google authentication as clear text
  ➔ Unencrypted connection string
  ➔ Unsecured API
  ➔ Probably more
➔ On the other hand...
  ➔ Transport security with SSL (Although default Azure cert)
  ➔ External login
Introducing Azure KeyVault
What is Azure KeyVault
➔ Storing sensitive data in hardware security modules (HSM)
➔ Giving back control to the customer
➔ Full control over key lifecycle with audit logs
➔ Management of all keys in one place
➔ Store encryption keys in HSMs
➔ Removes responsibility from developers
➔ Secure storage for passwords, encryption keys & certificates
➔ Protects sensitive data in production
Introducing Azure KeyVault
Secrets & Keys
➔ Secret
  ➔ Used to store sequences of bytes
  ➔ Consumers can read & write secret values to it
  ➔ Encrypted before stored in vault
  ➔ Limited to 10 kB
  ➔ Versioned
  ➔ Typically used for connection strings, certificates, etc.
➔ Key
  ➔ Stores a RSA 2048 key
  ➔ Created by KeyVault owner
  ➔ Can be used to decrypt/sign with
  ➔ Can’t be read back
  ➔ Higher latency
When you frequently use a key you should consider storing it as a Secret to improve performance, e.g. for SSL.
Introducing Azure KeyVault
Different Key Types
➔ HSM Keys
  ➔ Stored encrypted in HSM
  ➔ Operations performed on HSM directly
  ➔ Requires Premium Vault
  ➔ More secure
➔ Software Keys
  ➔ Stored encrypted in HSM
  ➔ Operations performed on VM in Azure
  ➔ Typically used for Dev/Test
  ➔ Cheaper
Basic LOB Scenario
Diagram actors: Developer, Fabricam Customer X, Single-tenant app, App Settings, Database.
1. Deploy application
2. Read from settings
3. Connect to DB
(More) Secure LOB Scenario
Diagram actors: Developer, Vault Owner (manages key / monitors logs), Vault Consumer, Fabricam Customer X, Single-tenant app, App Settings, Database.
1. Create vault
2. Authorize apps & users
3. Create CS (connection string) Secret
4. Deploy Application
5. Retrieve Vault URI
6. Negotiate Secret
Introducing Azure KeyVault
Vault Owners vs Consumers
➔ Vault Owners
  ➔ Have full control over vault
  ➔ All keys & secrets in one place
  ➔ Ability to change permissions
  ➔ Ability to fully revoke consumer
  ➔ Ability to regenerate keys without breaking apps
  ➔ Audit logs for monitoring
➔ Vault Consumers
  ➔ Authenticate with Azure AD
  ➔ Not able to see encrypted keys
  ➔ Limited to granted permissions
Introducing Azure KeyVault
Access Control
➔ Access control based on Azure AD
➔ Access assigned at the Vault level
  ➔ Permissions to keys
  ➔ Permissions to secrets
➔ Authentication against Azure AD
  ➔ Application ID & Key
  ➔ Application ID & Certificate
➔ No isolation between clients, they see everything
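The (More) Secure LOB Scenario and the access-control model above, scripted as an added example with the Az PowerShell module (this is not code from the deck or from the demo). Resource group, vault, tenant, Application ID, certificate thumbprint and secret name are placeholders; the 2015 preview used the older New-AzureKeyVault / Set-AzureKeyVaultAccessPolicy cmdlet names, and -AsPlainText needs Az.KeyVault 2.0 or later.

```powershell
# Added example: Vault Owner and Vault Consumer steps of the "(More) Secure LOB Scenario",
# written against the Az PowerShell module. All values below are placeholders, not values
# taken from the deck.
$rg         = 'fabricam-rg'
$vaultName  = 'fabricam-customerx-kv'
$tenantId   = '00000000-0000-0000-0000-000000000000'        # placeholder Azure AD tenant
$appId      = '11111111-1111-1111-1111-111111111111'        # placeholder Application ID of the single-tenant app
$certThumb  = '0000000000000000000000000000000000000000'    # placeholder thumbprint of the app's certificate
$secretName = 'CustomerX-DbConnectionString'

# ---- Vault Owner -------------------------------------------------------------------------
# 1. Create vault. Standard SKU covers secrets and software-protected keys;
#    HSM-protected keys would need -Sku Premium.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location 'westeurope' -Sku Standard | Out-Null

# 2. Authorize the app. Access is granted at the vault level, so keep it minimal:
#    the consumer may only 'get' secrets (no list/set/delete and no key permissions).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get

# 3. Create the connection-string secret. Read it as a SecureString so the value
#    appears neither in this script nor in the shell history.
$cs = Read-Host -Prompt 'Connection string for Customer X' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $cs | Out-Null

# 4. Deploy the application (out of scope here).
# 5. The only thing that goes into App Settings is the vault URI, never a credential.
$vaultUri = (Get-AzKeyVault -VaultName $vaultName).VaultUri
Write-Output "App Setting KeyVaultUri = $vaultUri"

# ---- Vault Consumer (the deployed app, in its own session) -------------------------------
# 6. Negotiate the secret: authenticate as the app's own Azure AD identity using
#    Application ID + certificate (no user, no shared password), then read the one
#    secret it was granted.
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -ApplicationId $appId `
    -CertificateThumbprint $certThumb | Out-Null
$connectionString = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
# ... open the database connection with $connectionString; do not write it to config or logs.

# ---- Vault Owner: lifecycle (owner's session) --------------------------------------------
# Rotation: setting the same secret name again creates a new version. A consumer that
# reads by name gets the latest version on its next call, so no redeploy is needed.
$newCs = Read-Host -Prompt 'Rotated connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $newCs | Out-Null
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -IncludeVersions |
    Select-Object Name, Version, Enabled, Created            # review which versions exist

# Revocation: removing the app's access policy cuts the consumer off without
# touching the secret itself.
Remove-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId
```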
Spammer ‘More Secure’
Sharing credentials with control
Demo #2
Architecture diagram (components only; the numbered flow 1 to 7 is in the figure): Codito Subscription, Azure Active Directory, Web App, Azure SQL database, Storage (Azure), SaaS Subscription, two Azure Key Vault instances.
Summary
➔ Security flaws
  ➔ Vault credentials stored as plain-text
  ➔ Unsecured API
➔ On the other hand...
  ➔ Message encryption supported based on customer vault
  ➔ External vault authentication stored in internal vault
  ➔ Customers’ data is securely stored in their vault
  ➔ Encrypted database
SQL Transparent Data Encryption
VM Encryption (CloudLink)
Introducing Azure KeyVault
Bring-Your-Own-Key (BYOK)
Introducing Azure KeyVault
Replication & Isolation
➔ Vault, Keys & Secrets stay within same region
➔ Stored in physical HSMs
➔ Reason: laws & compliance
➔ Disaster Recovery is hard
➔ Each deployment has own URL
➔ Manual replication only
Introducing Azure KeyVault
Pricing Overview
➔ Vault owner pays for everything

                                   Standard                     Premium
Secrets & Software-protected keys  $0.0112 / 10,000 operations  $0.0112 / 10,000 operations
HSM Protected keys                 N/A                          $0.0112 / 10,000 operations
                                                                + $0.3724 per key per month
                                                                  (for every version of the key)
Public Preview
➔ Currently only available in 6 regions
➔ Limited tooling – PowerShell, .NET & REST API
➔ No SLA
What’s coming
➔ Available in all regions with 99.9+ SLA
➔ Additional tooling
➔ Portal Support
➔ Audit logs
“The question is not if you will be hacked, the real question is when.”

Speaker notes

1. Key stored in config file encrypted/unencrypted
2. TDE – Transparent Data Encryption
3. On-Prem to Cloud sync; HSM-to-HSM (secure transfer)