Global Azure Bootcamp 2017 - Azure Key Vault
Download as PPTX, PDF1 like452 views
Alberto Diaz Martin is the Chief Technology and Innovation Officer at Encamina, with over 14 years in the IT industry focusing on Microsoft technologies. The document discusses Azure Key Vault, emphasizing its features for managing and securing cryptographic keys and secrets, encryption methods, and cost. It outlines workflows for using Azure Key Vault and its role in protecting sensitive data and credentials in various applications.
Global Azure Bootcamp 2017 - Azure Key Vault
- 1. #GlobalAzure
- 2. #GlobalAzure Alberto Diaz Martin Chief Technology and Innovation Officer http://blogs.encamina.com/por-una-nube-sostenible/ adiazcan Alberto Diaz cuenta con más de 14 años de experiencia en la Industria IT, todos ellos trabajando con tecnologías Microsoft. Actualmente, es Chief Technology Innovation Officer en ENCAMINA, liderando el desarrollo de software con tecnología Microsoft, y miembro del equipo de Dirección. Para la comunidad, trabaja como organizador y speaker de las conferencias más relevantes del mundo Microsoft en España, en las cuales es uno de los referentes en SharePoint, Office 365 y Azure. Autor de diversos libros y artículos en revistas profesionales y blogs, en 2013 empezó a formar parte del equipo de Dirección de CompartiMOSS, una revista digital sobre tecnologías Microsoft. Desde 2011 ha sido nombrado Microsoft MVP, reconocimiento que ha renovado por sexto año consecutivo. Se define como un geek, amante de los smartphones y desarrollador. Fundador de TenerifeDev (www.tenerifedev.com), un grupo de usuarios de .NET en Tenerife, y coordinador de SUGES (Grupo de Usuarios de SharePoint de España, www.suges.es)
- 5. #GlobalAzure Qué y por qué Azure Key Vault
- 6. • 1.74GB file with 1,286,366 records • Personal details of 550000 blood donors • Data was unencrypted and stored on a unsecured website • Found through scanning public addresses for .sql file Source: https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever- leak-of-personal-data Duraba Corporation Earth Broadcasting in 2011 • PlayStation Network down • Unencrypted Credit Card details of users Earth Broadcasting in 2014 • Personal data of employees and families • Confidential emails and salary information • A few films (The Interview, Annie) Source: https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage ; https://en.wikipedia.org/wiki/Sony_Pictures_hack Earth Broadcasting Company • Had a Crypto locker installed • 350GB of personal data • Paid $400 to get access back to his Data My “friend” Nyota Uhura • 340GB of data • 228,605 email addresses • 1.3 million passport numbers and expiry dates • 15.8 million fingerprint records • Data was encrypted – Key was in the PHP code of its website Source: https://en.wikipedia.org/wiki/Commission_on_Elections_data_breach Galactic Mining Company Quiz
- 7. The quest to securing resources in Azure
- 8. Symmetric keys Asymmetric keys Keys Public key Private key Digital Certificates Public key in a wrapper Certificates Connections strings Credentials Other secrets Secrets
- 9. • Secrets and Keys are encrypted at rest 1 • Choice of deployment location 2 • Choice of encryption method (Software vs Hardware & BOYK) 3 • Security module separation 4 • Easy access and rights control 5 • Low Cost 6
- 10. • Secrets and Keys are encrypted at rest 1 • Choice of deployment country 2 • Choice of encryption method (Software vs Hardware & BOYK) 3 • Security module separation 4 • Easy access and rights control 5 • Low Cost 6
- 11. • Low Cost • Easy access and rights control • Security module separation • Secrets and Keys are encrypted at rest • Choice of deployment country • Choice of encryption method (Software vs Hardware & BOYK) 1 2 3 4 5 6 All Data in the KeyVault is encrypted Price is 0.03$ / 10.000 Management via PS / Azure AD / RBAC Create as many Key Vaults as you want Choice of which datacentre and which resource group we want to deploy to Standard vs Premium edition BOYK
- 12. Cloud hosted, HSM backed service for managing cryptographic keys and features using certified FIPS 140-2 Level 2 standards Encrypt keys and small secrets (up to 10kb) Import or generate your keys Simplify and automate tasks for SSL/TLS certificates All Keys stay in HSM boundary You cannot retrieve the private key Key Vault is deployed in minutes Comes in two flavors – Standard and Premium With premium Key Vaults all secrets and keys are stored on a HSM $0.03$/10.000 operations Certification renewal – 3$ per renew request HSM protected keys: 1$ per key per month
- 13. #GlobalAzure Cómo y Dónde usar Azure Key Vault
- 15. Key Vault: Workflow Azure Admin / Key Vault Owner Azure Active Directory 1. Create service principal Key Vault 2. Create Key Vault Configure access for service principal Key / Secret Owner 3. create Key / Secret Application or Azure Resource 5. Configure Application / Azure resource with the service principal and Key / Secret URI 6. Authenticate against AAD 7. receive token from AAD 8.Send token to Key Vault 9. Access Key Vault and retrieve Key / Secret 4. communicate service principal and Key / Secret URI Application Owner
- 16. • • • •
- 17. Usemos Azure Key Vaul para: No entregar las claves o password de nuestros servicios Encriptar las máquinas virtuales, los Storage, nuestros datos, … Guardar nuestros certificados