Azure Key Vault and
Automated Deployment
Toronto Azure Group
June 11, 2019
Roy Kim
@RoyKimYYZ
roy@roykim.ca
Agenda
By: Roy Kim roykim.ca
1. Azure Key Vault Overview
2. PaaS Architecture Pattern with Key Vault
3. ARM Template Techniques
4. Azure DevOps Pipeline
Bio
• Roy Kim
• 16+ years of Microsoft technology solutions
• Azure, SharePoint, Office 365
• Microsoft MVP
• Independent/freelance IT consultant
• Blog: www.roykim.ca
• GitHub: github.com/roykimyyz
• University of Toronto – Computer Science
Grass Roots Development Story
Once upon a time .. there was an app development team …
[Diagram labels: Dev/UAT/Prod Environment; Physical Server; Password; Config File; Database Configuration Settings; SSL Certificate (pfx); Web App Server; File server; Source Control; Application Code; Developers; IT Ops; Enterprise Architect; Info Security Architect; Deploy to Dev, UAT, Prod; secrets "Stored" once in the Dev env and again in the UAT/Prod env]
How to isolate storage of the secret or certificate from code and source control?
How to isolate role based access to the secret or certificate?
How to integrate the access and use of keys from the application or CI/CD pipelines?
How to audit and view history of the access?
How to consolidate/centralize/streamline management?
How to automate deployment for reusable architecture patterns or models?
Key Vault
• Secrets Management - securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
• Key Management - easily create and control the encryption keys used to encrypt your data
• Certificate Management - easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources
• Store secrets backed by Hardware Security Modules - the secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs (HSM-protected keys require the Premium tier)
• A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. - Wikipedia
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
Key Vault
• Centralize application secrets
• Securely store secrets and keys
• Monitor access and use
• Simplified administration of application secrets
• Integrate with other Azure services
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
Azure Key Vault & PaaS Architecture Pattern
[Architecture diagram; labels: ARM Template, Key Vault]
Key Vault Secrets
• Store and manage tokens, passwords, certificates (e.g. pfx), API keys, and other secrets
[Portal screenshot: Secret Name: LOBWebAppSecret, Secret Value]
Key Vault Secrets – Use Cases
• Database connection string password
• Passwords or any other secret string in an application configuration file, e.g. a Twitter or Google Maps API key
• Azure storage account keys
• Leveraging the Azure SDK in your application code or scripts to access Key Vault
Key Vault Certificates
• Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Key Vault Key
• Cryptographic operations may be performed using the key:
Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't
support hashing of content as part of signature creation. Applications should hash the data to be
signed locally, then request that Key Vault sign the hash. Verification of signed hashes is
supported as a convenience operation for applications that may not have access to [public] key
material.
https://en.wikipedia.org/wiki/Digital_signature
Key Encryption / Wrapping: A key stored in Key Vault may be used to protect another key, typically
a symmetric content encryption key (CEK).
When the key in Key Vault is asymmetric, key encryption is used.
For example, RSA-OAEP and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT.
When the key in Key Vault is symmetric, key wrapping is used. For example, AES-KW. The WRAPKEY
operation is supported as a convenience for applications that may not have access to [public] key
material.
Encrypt and Decrypt: A key stored in Key Vault may be used to encrypt or decrypt a single block of
data. The size of the block is determined by the key type and selected encryption algorithm. The
Encrypt operation is provided for convenience, for applications that may not have access to [public]
key material. For best application performance, encrypt operations should be performed locally.
[Portal screenshot: RSA Key]
Key Vault Key - Use Cases
For storage account encryption, use your own key (a customer-managed key stored in Key Vault)
TDE with customer-managed keys in Azure Key Vault allows you to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector, aka BYOK ("bring your own key").
In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed Azure Key Vault, Azure's cloud-based external key management system.
Key Vault Access Policies
Key Vault access policies grant permissions separately to keys, secrets, and certificates. A policy is scoped to the whole vault, not to an individual secret: a principal granted get on secrets can read every secret in that vault, so use separate vaults when two applications must not see each other's secrets.
For Resource Manager to read secrets from this Key Vault during a template deployment, enabledForTemplateDeployment must be set to true. The identity that runs the deployment also needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (included in the Contributor and Owner roles, or granted through a custom role).
[Portal screenshot: Access Policies]
What are ARM Templates
• Infrastructure-as-code: a JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group or subscription. The template can be used to deploy the resources consistently and repeatedly.
• Azure Resource Manager: the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.
Why ARM Templates?
• Preferred deployment method for Azure resources
• Fast - parallel deployment of resources
• Audit deployment operations
• Idempotent - applying one or more operations against a resource results in the same outcome
• Cloud consistency across Azure, Azure Stack, Azure Gov
Some Benefits
Resource Manager provides several benefits:
• deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
• repeatedly deploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
• manage your infrastructure through declarative templates rather than scripts.
• define the dependencies between resources so they're deployed in the correct order.
• apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
• apply tags to resources to logically organize all the resources in your subscription.
• clarify your organization's billing by viewing costs for a group of resources sharing the same tag.
The ARM Template Design
[Diagram: main template azuredeploy-app-main.json with its Parameters, linking to keyvault.json, AppServicePlan.json, sqlserver.json and website.json]
Credits: Some Icon made by SmashIcons from www.flaticon.com
Linked Template for Modularization
[Screenshot]
Linked Template and Output
[Diagram: logical sequence (1, 2, 3) between azuredeploy-app-main.json, keyvault.json and sqlserver.json]
Azure Key Vault Secret To SQL Server
Logical sequence (no real ARM syntax for brevity):
1. azuredeploy-app-main.json deploys the keyvault.json linked template, passing the dbadmin password in as a secure string parameter.
2. keyvault.json stores that password as a secret and returns the Key Vault resourceId as an output.
3. azuredeploy-app-main.json deploys the sqlserver.json linked template, passing the dbadmin password as a Key Vault reference to the secret value: Resource Manager resolves the secret at deployment time, so the value never appears in the templates or the parameters file.
Parameter value passed to the keyvault.json linked template (the dbadmin password arrives as a secure string and is written into the vault as a secret):
"secretsObject": {
  "value": {
    "secrets": [
      {
        "secretName": "[variables('dbpasswordsecretName')]",
        "secretValue": "[parameters('sqlAdministratorLoginPassword')]"
      }
    ]
  }
}
Nested deployment resource in azuredeploy-app-main.json: the sqlserver.json linked template receives the password as a Key Vault reference, using the vault resourceId output by the keyvault deployment.
{
  "name": "linkedTemplate-sqlserver",
  "type": "Microsoft.Resources/deployments",
  "dependsOn": ["linkedTemplate-keyvault"],
  "properties": {
    ..
    "parameters": {
      ..
      "sqlAdministratorLogin": {
        "value": "[parameters('sqlAdministratorLogin')]"
      },
      "sqlAdministratorLoginPassword": {
        "reference": {
          "keyVault": {
            "id": "[reference('linkedTemplate-keyvault').outputs.rkkeyvault.value]"
          },
          "secretName": "[variables('dbpasswordsecretName')]"
        }
      }
    }
  }
}
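The two controls shown so far (the vault's access policies plus enabledForTemplateDeployment, and handing the SQL admin password to the linked template as a Key Vault reference rather than a value) are easy to undo in a later edit of the template. The following Python is an added example, not code from the talk or its GitHub repo: it embeds a constructed, trimmed stand-in for azuredeploy-app-main.json (the vault is inlined instead of living in keyvault.json, and the templateLink URI is a placeholder) and lints it for the mistakes that would put the password back into source control, over-grant the web app's identity, or make Resource Manager unable to read the secret. The parameter naming convention in SECRET_NAME and the get/list least-privilege threshold are assumptions.

```python
import copy
import json
import re

# Constructed for this example (not the talk's own files): a trimmed main template in the
# shape of azuredeploy-app-main.json, with the Key Vault resource inlined so one document
# holds both the vault and the nested deployment that consumes its secret.
MAIN_TEMPLATE = json.loads(r"""
{
  "parameters": {
    "sqlAdministratorLogin": { "type": "string" },
    "sqlAdministratorLoginPassword": { "type": "securestring" },
    "webAppObjectId": { "type": "string" }
  },
  "variables": { "dbpasswordsecretName": "dbadminpassword" },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2018-02-14",
      "name": "rkkeyvault",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enabledForTemplateDeployment": true,
        "accessPolicies": [ {
          "tenantId": "[subscription().tenantId]",
          "objectId": "[parameters('webAppObjectId')]",
          "permissions": { "secrets": [ "get", "list" ] }
        } ]
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "linkedTemplate-sqlserver",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "https://example.invalid/sqlserver.json" },
        "parameters": {
          "sqlAdministratorLogin": { "value": "[parameters('sqlAdministratorLogin')]" },
          "sqlAdministratorLoginPassword": {
            "reference": {
              "keyVault": { "id": "[resourceId('Microsoft.KeyVault/vaults', 'rkkeyvault')]" },
              "secretName": "[variables('dbpasswordsecretName')]"
            }
          }
        }
      }
    }
  ]
}
""")

# Assumed naming convention for parameters that must never travel as plain text.
SECRET_NAME = re.compile(r"password|secret|token|connectionstring", re.I)
# Assumption: an application identity that only reads secrets needs get/list on secrets
# and nothing on keys or certificates.
LEAST_PRIVILEGE = {"secrets": {"get", "list"}}


def lint_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. A securestring with a defaultValue puts the secret back into source control.
    for name, param in template.get("parameters", {}).items():
        if param.get("type", "").lower() == "securestring" and "defaultValue" in param:
            findings.append(f"parameter {name}: securestring carries a defaultValue")
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.KeyVault/vaults":
            # 2. Resource Manager can only read secrets from a vault that allows template deployment.
            if props.get("enabledForTemplateDeployment") is not True:
                findings.append(f"vault {res['name']}: enabledForTemplateDeployment is not true")
            # 3. Policies are granted per object type; keep each principal to what it uses.
            for policy in props.get("accessPolicies", []):
                for kind, perms in policy.get("permissions", {}).items():
                    extra = {p.lower() for p in perms} - LEAST_PRIVILEGE.get(kind, set())
                    if extra:
                        findings.append(f"vault {res['name']}: policy for {policy.get('objectId')} grants {sorted(extra)} on {kind}")
        elif res.get("type") == "Microsoft.Resources/deployments":
            # 4. A secret parameter of a nested deployment comes from Key Vault, not a literal.
            for pname, pval in props.get("parameters", {}).items():
                if not SECRET_NAME.search(pname) or "reference" in pval:
                    continue
                # "[parameters('...')]" pass-through stays allowed: keyvault.json needs it to seed the vault.
                if not str(pval.get("value", "")).startswith("["):
                    findings.append(f"deployment {res['name']}: {pname} is a literal, not a Key Vault reference")
    return findings


def insecure_variant(template):
    """Constructed counter-example: the same template with the mistakes the checks exist for."""
    bad = copy.deepcopy(template)
    bad["parameters"]["sqlAdministratorLoginPassword"]["defaultValue"] = "P@ssw0rd!"
    vault, deployment = bad["resources"]
    vault["properties"]["enabledForTemplateDeployment"] = False
    vault["properties"]["accessPolicies"][0]["permissions"]["secrets"] = ["all"]
    deployment["properties"]["parameters"]["sqlAdministratorLoginPassword"] = {"value": "P@ssw0rd!"}
    return bad
```

`lint_template(MAIN_TEMPLATE)` returns no findings, while `lint_template(insecure_variant(MAIN_TEMPLATE))` reports all four mistakes. To use it as a pre-deployment gate, call `lint_template(json.load(open("azuredeploy-app-main.json")))` in the pipeline and fail the run on a non-empty result; the `[parameters('...')]` pass-through is left unflagged on purpose, because the keyvault.json deployment needs exactly that to write the secret into the vault in the first place.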
The ARM Deployment Order
[Diagram: azuredeploy-app-main.json with its Parameters; the linked templates keyvault.json, AppServicePlan.json, sqlserver.json and website.json are chained with dependsOn and numbered 1, 1, 2, 3, 4 in deployment order]
Azure DevOps Pipeline
1. Get the ARM templates from a public git repo
2. Deploy the ARM templates into an Azure resource group (the ARM template deploys the app code from another GitHub repo)
3. Build the SQL project and deploy the DACPAC
[Release pipeline screenshots: pull the ARM templates from the public git repo; deploy the ARM templates into the Azure resource group]
Azure DevOps Build Pipeline – SQL DB
YAML build pipeline: build the SQL project, then deploy the DACPAC file to create the tables and populate data.
[Release pipeline screenshot: trigger the existing build pipeline for SQL deployment]
ARM Template Challenges
• Heavy learning curve
• Very syntax oriented: you need to find the exact JSON syntax for ARM template operations and functions to achieve the functional objective, and end up looking at many examples and reverse engineering or piecing together techniques.
• Microsoft Azure documentation almost always shows Azure PowerShell and CLI examples for deploying and configuring resources, with very little reference to the ARM template equivalent.
Future considerations for this demo solution
Better group management
- Group related resource types into their own resource groups and deploy accordingly
Better security
- Leverage managed identity where possible, so the web app reads Key Vault with its own Azure AD identity and no bootstrap credential has to be kept in app settings
- Host the ARM templates in an Azure storage account behind a SAS token instead of a public GitHub repo
- Investigate an SSL certificate auto-renewal process
Include app monitoring
- Create an ARM template to provision Application Insights for the application
References
• https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets
• Best Practices - https://blogs.msdn.microsoft.com/mvpawardprogram/2018/05/01/azure-resource-manager/
• Key Vault Explorer
• www.github.com/roykimyyz
Q & A
• @RoyKimYYZ
• roy@roykim.ca
• www.roykim.ca
• github.com/RoyKimYYZ
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Azure Key Vault with a PaaS Architecture and ARM Template Deployment

  • 1. Azure Key Vault and Automated Deployment. Toronto Azure Group, June 11, 2019. Roy Kim, @RoyKimYYZ, roy@roykim.ca
  • 2. Agenda (By: Roy Kim, roykim.ca)
    1. Azure Key Vault Overview
    2. PaaS Architecture Pattern with Key Vault
    3. ARM Template Techniques
    4. Azure DevOps Pipeline
  • 3. Bio
    - Roy Kim
    - 16+ years of Microsoft technology solutions
    - Azure, SharePoint, Office 365
    - Microsoft MVP
    - Independent/freelance IT consultant
    - Blog: www.roykim.ca, github.com/roykimyyz
    - University of Toronto, Computer Science
  • 4. Grass Roots Development Story. Once upon a time .. there was an app development team …
    (Diagram labels: Physical Server; Dev/UAT/Prod Environment; Password; Config File; Database Configuration Settings; SSL Certificate pfx; Web App Server; File server; Source Control; Application Code; Developers; IT Ops; Enterprise Architect; Info Security Architect; Deploy; Dev, UAT, Prod; Stored.)
    - How to isolate storage of the secret or certificate from code and source control?
    - How to isolate role-based access to the secret or certificate?
    - How to integrate the access and use of keys from the application or CI/CD pipelines?
    - How to audit and view history of the access?
    - How to consolidate/centralize/streamline management?
    - How to automate deployment for reusable architecture patterns or models?
  • 5. Key Vault
    - Secrets Management - securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
    - Key Management - easy to create and control the encryption keys used to encrypt your data.
    - Certificate Management - easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
    - Store secrets backed by Hardware Security Modules - the secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
    - "A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server." - Wikipedia
    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  • 6. Key Vault
    - Centralize application secrets
    - Securely store secrets and keys
    - Monitor access and use
    - Simplified administration of application secrets
    - Integrate with other Azure services
    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  • 7. Azure Key Vault & PaaS Architecture Pattern (diagram; label: ARM Template)
  • 9. Key Vault Secrets
    - Store and manage tokens, passwords, certificates (e.g. pfx), API keys, and other secrets
    (Screenshot: a secret with Secret Name LOBWebAppSecret and its Secret Value.)
  • 10. Key Vault Secrets – Use Cases
    - Database connection string password
    - Passwords or any other secret string in an application configuration file, e.g. a Twitter or Google Maps API key
    - Azure storage account keys
    - Leveraging the Azure SDK in your application code or scripts to access Key Vault
  • 11. Key Vault Certificates
    - Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
  • 12. Key Vault Key
    - Cryptographic operations may be performed using the key:
    - Sign and Verify: strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't support hashing of content as part of signature creation. Applications should hash the data to be signed locally, then request that Key Vault sign the hash. Verification of signed hashes is supported as a convenience operation for applications that may not have access to [public] key material.
    https://en.wikipedia.org/wiki/Digital_signature
  • 13. Key Vault Key
    - Key Encryption / Wrapping: a key stored in Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Key Vault is asymmetric, key encryption is used; for example, RSA-OAEP, and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Key Vault is symmetric, key wrapping is used; for example, AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material.
    - Encrypt and Decrypt: a key stored in Key Vault may be used to encrypt or decrypt a single block of data. The size of the block is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience, for applications that may not have access to [public] key material. For best application performance, encrypt operations should be performed locally.
  • 14. Key Vault Key (screenshot: an RSA key)
  • 15. Key Vault Key - Use Cases: for storage account encryption, use your own key
  • 16. Key Vault Key - Use Cases: TDE with customer-managed keys in Azure Key Vault allows you to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector, a.k.a. BYOK ("bring your own key"). In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed Azure Key Vault, Azure's cloud-based external key management system.
  • 17. Key Vault Access Policies: Key Vault access policies grant permissions separately to keys, secrets, or certificates. For Resource Manager to access the secrets inside this Key Vault from a deployment, enabledForTemplateDeployment must be set to true. (Screenshot: Access Policies.)
  • 18. What are ARM Templates?
    - Infrastructure-as-code: a JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group or subscription. The template can be used to deploy the resources consistently and repeatedly.
    - Azure Resource Manager: the deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.
  • 19. Why ARM Templates?
    - Preferred deployment method for Azure resources
    - Fast - parallel deployment of resources
    - Audit deployment operations
    - Idempotent - applying one or more operations against a resource results in the same outcome
    - Cloud consistency across Azure, Azure Stack, Azure Gov
  • 20. Some Benefits. Resource Manager provides several benefits:
    - deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
    - repeatedly deploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
    - manage your infrastructure through declarative templates rather than scripts.
    - define the dependencies between resources so they're deployed in the correct order.
    - apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
    - apply tags to resources to logically organize all the resources in your subscription.
    - clarify your organization's billing by viewing costs for a group of resources sharing the same tag.
  • 21. The ARM Template Design (diagram): Main Template azuredeploy-app-main.json with its Parameters, linking to keyvault.json, AppServicePlan.json, sqlserver.json and website.json. Credits: Some icons made by SmashIcons from www.flaticon.com
  • 22. Linked Template for Modularization (diagram)
  • 23. Linked Template and Output (diagram: logical sequence, steps 1-3, across azuredeploy-app-main.json, keyvault.json and sqlserver.json)
  • 24. Azure Key Vault Secret To SQL Server (diagram: logical sequence, steps 1-3, across azuredeploy-app-main.json, keyvault.json and sqlserver.json; no real ARM syntax, for brevity)
    - keyvault.json linked template. Parameters: dbadmin password as secure string. Outputs: Key Vault resourceId
    - sqlserver.json linked template. Parameters: dbadmin password as Key Vault reference secret value
  • 25. The secretsObject parameter:
    "secretsObject": {
      "value": {
        "secrets": [
          {
            "secretName": "[variables('dbpasswordsecretName')]",
            "secretValue": "[parameters('sqlAdministratorLoginPassword')]"
          }
        ]
      }
    }
  • 26. The linkedTemplate-sqlserver deployment resource, taking the password as a Key Vault reference (the parameters block belongs inside properties; ".." marks parts left out on the slide):
    {
      "name": "linkedTemplate-sqlserver",
      "type": "Microsoft.Resources/deployments",
      "dependsOn": ["linkedTemplate-keyvault"],
      "properties": {
        ..
        "parameters": {
          "sqlAdministratorLogin": {
            "value": "[parameters('sqlAdministratorLogin')]"
          },
          "sqlAdministratorLoginPassword": {
            "reference": {
              "keyVault": {
                "id": "[reference('linkedTemplate-keyvault').outputs.rkkeyvault.value]"
              },
              "secretName": "[variables('dbpasswordsecretName')]"
            }
          }
        }
      }
    }
  • 27. The ARM Deployment Order (diagram): Main Template azuredeploy-app-main.json with Parameters; linked templates keyvault.json, AppServicePlan.json, sqlserver.json and website.json; dependsOn edges set the order (labels 1, 1, 2, 3, 4)
  • 28. The ARM Deployment Order (screenshot)
  • 29. Azure DevOps Pipeline
    1. Get ARM templates from public git repo
    2. Deploy ARM templates into Azure resource group. The ARM template deploys app code from another GitHub repo
    3. Build SQL project and deploy DACPAC
  • 30. Azure DevOps Pipeline: pull ARM templates from public git repo (screenshot)
  • 31. Azure DevOps Pipeline: deploy ARM templates into Azure resource group (screenshot)
  • 32. Azure DevOps Build Pipeline – SQL DB: YAML build pipeline; build SQL project; deploy DACPAC file for creating tables and populating data
  • 33. Azure DevOps Pipeline: trigger an Azure DevOps pipeline that is the existing build pipeline for SQL deployment
  • 34. ARM Template Challenges
    - Heavy learning curve
    - Very syntax oriented. Need to find the exact JSON syntax, ARM template operations and functions to achieve the functional objective. Need to look at many examples and reverse engineer or piece together techniques.
    - Microsoft Azure documentation always shows Azure PowerShell and CLI examples of deploying and configuring resources, but very little reference to ARM templates.
  • 35. Future considerations for this demo solution
    - Better group management: group related resource types into their own Resource Group and deploy accordingly
    - Better security: leverage managed identity where possible; deploy ARM templates into Azure storage accounts with a secured SAS token instead of a public GitHub repo; investigate SSL cert auto-renewal process
    - Include app monitoring: create an ARM template to provision Application Insights for the application
  • 36. References
    - https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets
    - Best Practices - https://blogs.msdn.microsoft.com/mvpawardprogram/2018/05/01/azure-resource-manager/
    - Key Vault Explorer
    - www.github.com/roykimyyz
  • 37. Q & A. @RoyKimYYZ, roy@roykim.ca, www.roykim.ca, github.com/RoyKimYYZ
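The pattern of slides 17 and 23-27 has three things a pipeline can check before it deploys: the vault has enabledForTemplateDeployment set to true, the password reaches sqlserver.json as a Key Vault reference rather than a plaintext value, and the deployment that reads the vault's output declares dependsOn on linkedTemplate-keyvault. The lint below is an added example, not code from the deck or its GitHub repo; its two embedded templates are constructed, abridged stand-ins for keyvault.json and azuredeploy-app-main.json that reuse the deck's names (linkedTemplate-keyvault, rkkeyvault, dbpasswordsecretName), while the keyVaultName parameter and the vault's output expression are assumptions.

```python
import copy
import re

# Constructed, abridged templates mirroring the deck's linked-template design.
# Names follow the slides (linkedTemplate-keyvault, output rkkeyvault,
# variable dbpasswordsecretName); the keyVaultName parameter is assumed.
KEYVAULT_TEMPLATE = {  # stands in for keyvault.json (linked template)
    "resources": [{"type": "Microsoft.KeyVault/vaults",
                   "name": "[parameters('keyVaultName')]",
                   "properties": {"enabledForTemplateDeployment": True}}],
    "outputs": {"rkkeyvault": {"type": "string", "value":
                "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"}},
}
MAIN_TEMPLATE = {  # stands in for azuredeploy-app-main.json
    "resources": [
        {"name": "linkedTemplate-keyvault",
         "type": "Microsoft.Resources/deployments",
         "properties": {"parameters": {"secretsObject": {"value": {"secrets": [
             {"secretName": "[variables('dbpasswordsecretName')]",
              "secretValue": "[parameters('sqlAdministratorLoginPassword')]"}]}}}}},
        {"name": "linkedTemplate-sqlserver",
         "type": "Microsoft.Resources/deployments",
         "dependsOn": ["linkedTemplate-keyvault"],
         "properties": {"parameters": {
             "sqlAdministratorLogin": {"value": "[parameters('sqlAdministratorLogin')]"},
             "sqlAdministratorLoginPassword": {"reference": {
                 "keyVault": {"id": "[reference('linkedTemplate-keyvault').outputs.rkkeyvault.value]"},
                 "secretName": "[variables('dbpasswordsecretName')]"}}}}},
    ]
}
SECRET_PARAM = re.compile(r"password|secret|connectionstring", re.I)
DEPLOYMENT_REF = re.compile(r"reference\('([^']+)'\)")

def strings_in(node):
    """Yield every string nested anywhere inside a JSON-like value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from strings_in(value)

def is_expression(text):
    """ARM expressions are bracketed; anything else in a value is a literal."""
    return text.startswith("[") and text.endswith("]")

def lint(main, linked):
    """Return findings for a main template and the linked templates it deploys."""
    findings = []
    for res in main.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        name, depends = res["name"], set(res.get("dependsOn", []))
        for pname, pval in res.get("properties", {}).get("parameters", {}).items():
            # 1. A secret-like parameter must not carry a plaintext literal.
            literal = pval.get("value")
            if SECRET_PARAM.search(pname) and isinstance(literal, str) and not is_expression(literal):
                findings.append(f"{name}: parameter '{pname}' carries a plaintext literal")
            # 2. Taking the vault id from another deployment's output: the deck declares dependsOn (slide 26).
            for text in strings_in(pval):
                for dep in DEPLOYMENT_REF.findall(text):
                    if dep not in depends:
                        findings.append(f"{name}: references '{dep}' without dependsOn")
    # 3. The vault Resource Manager reads secrets from must allow template deployment.
    for tmpl in linked:
        for res in tmpl.get("resources", []):
            if (res.get("type") == "Microsoft.KeyVault/vaults"
                    and res.get("properties", {}).get("enabledForTemplateDeployment") is not True):
                findings.append(f"{res['name']}: enabledForTemplateDeployment is not true")
    return findings

def weakened():
    """Findings for three deliberately weakened copies: no dependsOn, plaintext password, closed vault."""
    no_dep = copy.deepcopy(MAIN_TEMPLATE)
    del no_dep["resources"][1]["dependsOn"]
    plain = copy.deepcopy(MAIN_TEMPLATE)
    plain["resources"][1]["properties"]["parameters"]["sqlAdministratorLoginPassword"] = {
        "value": "constructed-plaintext"}  # constructed sample value, not a real credential
    closed = copy.deepcopy(KEYVAULT_TEMPLATE)
    closed["resources"][0]["properties"]["enabledForTemplateDeployment"] = False
    return lint(no_dep, [KEYVAULT_TEMPLATE]), lint(plain, [KEYVAULT_TEMPLATE]), lint(MAIN_TEMPLATE, [closed])
```

Run lint() against the real template files after parsing them with json.load; a non-empty findings list is a reason to fail the pipeline stage before the deployment task runs.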

Editor's Notes

  1. A .pfx includes both the public and private key for the associated certificate (NEVER share this outside your organization); it can be used for TLS/SSL on a web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system. A .cer file only has the public key (this is what you typically exchange with integration partners); it can be used to verify tokens or client authentication requests, and it is what an HTTP client receives from a server in the SSL handshake.
  2. To access the secrets inside this Key Vault from Resource Manager deployment, enabledForTemplateDeployment must be true.
  4. SQL Allow Access to Azure Services. To allow applications from Azure to connect to your Azure SQL server, Azure connections must be enabled. When an application from Azure attempts to connect to your database server, the firewall verifies that Azure connections are allowed. A firewall setting with starting and ending address equal to 0.0.0.0 indicates Azure connections are allowed. This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
  6. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets https://stackoverflow.com/questions/53727248/why-does-getting-a-certificate-from-azure-key-vault-require-it-to-be-stored-as-a https://blogs.technet.microsoft.com/neales/2017/06/26/getting-a-private-certificate-from-key-vault/
  7. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-storage-keys https://docs.microsoft.com/en-us/azure/key-vault/key-vault-key-rotation-log-monitoring#key-rotation-using-azure-automation
  8. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site
  9. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys
  10. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys https://crypto.stackexchange.com/questions/64184/how-much-extra-security-does-key-wrapping-provide "So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys, such as the public key for asymmetric systems, can be distributed using a public key infrastructure, but they can perfectly well be used to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys. As for your examples: yes, a key can be transported over TLS. However, TLS is point-to-point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within an HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from."
  12. https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql?view=sql-server-2017#customer-managed-transparent-data-encryption---bring-your-own-key
  14. To access the secrets inside this Key Vault from Resource Manager deployment, enabledForTemplateDeployment must be true. Trusted Microsoft services include:
    - Azure Virtual Machines deployment service
    - Azure Resource Manager template deployment service
    - Azure Disk Encryption volume encryption service
    - Azure Backup
    - Exchange Online
    - SharePoint Online
    - Azure Information Protection
    - Azure App Service: Web Apps
    - Azure SQL
    - Azure Storage
    - Azure Data Lake Storage
    - Azure Databricks
    - Azure Machine Learning Service
  15. https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#the-benefits-of-using-resource-manager https://blogs.msdn.microsoft.com/cloud_solution_architect/2017/08/09/understanding-idempotence-and-scope-in-azure-resource-manager-templates/
  17. Credits: Some Icon made by SmashIcons from www.flaticon.com  https://blogs.msdn.microsoft.com/mvpawardprogram/2018/05/01/azure-resource-manager/