Azure Key Vault is an Azure service that protects data with Hardware Security Modules (HSMs), which is currently the gold standard in data security. Many third-party tools and services use Key Vault for Microsoft Azure platforms, including Nerdio for Azure. Key Vault eliminates the need for source code to contain sensitive information and streamlines the management of keys. It also allows developers to quickly create and test keys, which is particularly beneficial for a Small- and Medium-sized Business (SMB) with an IT department.
However, many Azure users who have never used Key Vault are more scared of it than they are of any Halloween monster. This article discusses five reasons why Key Vault is nothing to be afraid of.
1. Keys and secrets are simple concepts to understand.
An Azure Key Vault (AKV) contains security assets, such as keys and secrets, which are more of a treat than a trick. A key is used to encrypt, decrypt, and sign data, but no application or user may directly access the key once it has been added to an AKV. The AKV uses the key on behalf of the entity requesting it without allowing the key to leave the vault. On the other hand, a secret is information that authorized users and applications can directly access. Common examples of secrets include API passwords and connection strings for services such as Azure Blob Storage.
2. Vault Containers make your system more secure.
Many SMBs have a security officer who is responsible for preventing hackers and other ghosts from accessing sensitive data. The security officer will typically create AKVs, which provide two basic security benefits. First, developers can’t add keys and secrets to source control because they can’t directly access them. The second benefit is that granting and revoking access to these security assets is easier because they’re now centralized with an AKV, which serves as an abstraction layer around keys and secrets.
3. Vault Containers are easy to create.
Security often becomes a vampire for administrators by sucking up their time. Vault containers help destroy this monster by creating an AKV and adding it to an Azure Resource Group, which can be done through Azure CLI, Azure PowerShell, and the Azure Portal. Enter the “add” command in CLI and PowerShell, or click the “Add” button in the portal to start this process. Enter the name of the AKV and connect to a resource group. Select a location for the AKV and a pricing tier to create the AKV.
The access policy defaults to full access, although you can modify it at this point. Key Vault provides a set of advanced policies that control the ways in which Azure services interact with the AKV. You’ll typically want to allow all of your Azure services some degree of access.
4. Key Vault can grant access to both users and applications.
You can prevent users from directly accessing an asset in the AKV by only allowing applications to have access, which requires you to create a service principal with the Azure Active Directory. A user with User Management Authorization, typically a global administrator, must create the service principal and add it to the list of principals for that vault. The administrator may then grant the service principal access to the AKV.
The service principal’s permissions apply to the entire vault. This fact is a key consideration in creating service principals because you can’t assign permissions to individual assets. However, you can overcome this limitation by creating a separate vault for each asset, allowing you to segregate permissions across assets.
5. Applications can use secrets to protect sensitive data.
Developers often place connection strings in configuration files even though they typically contain sensitive data. An AKV can eliminate this security vulnerability by providing developers with credentials for the service principal and Uniform Resource Identifiers (URI) rather than the connection string itself. The global administrator who created the service principal will typically provide the credentials for the service principal, while the credentials for the URI will come from the secret in the AKV. The combination of these two items allows developers to retrieve the connection string when the application starts, which remains in memory as long as the application is running.
AKV can be intimidating at first, but it isn’t that difficult to learn. Its added security and ease of use makes AKV well worth the effort, especially for SMBs with an IT department. The elimination of sensitive information in source code is also beneficial for software development.