Why use Azure Key Vault

I'm trying to understand the security benefits that Azure Key Vault offers (or equally AWS KMS)

I understand the benefits of key management, the ability to easily rotate, modify, and access audit keys.

What puzzles me a bit is how much safer it is.

As I understand it, if I am developing a web application and want to protect my connection string (for example), I can create a key pair in Key Vault and save it there. Then I create the application in AAD and use the client identifier / secret / URI for authentication in Key Vault to get my connection string. There is also the potential benefit of limiting this within the Resource Group.

However, now this means that I have a client identifier / secret / URI for protection.

How is that better?

PS: I'm not a developer! I just want to poke at these things in order to understand them in DevOps terms. So, if you could direct your answer to a typical guy who would not know, that would be appreciated ;)

+5

2 answers

Azure Key Vault uses Thales Hardware Security Modules (HSMs). What is special about HSMs is that they do not give you the keys. You create or import a key in the HSM. Later you give the HSM data, and the HSM performs cryptographic operations on this data: for instance, encryption, decryption, hashing, etc. By the way, these hardware devices are really expensive. With Azure Key Vault, you can use this protection for a small price. This is one of the benefits of using Azure Key Vault.

To your question of why it is safer: keys are more valuable than one vulnerable VM that has been compromised. If one of your virtual machines has been compromised and you have encryption keys on this virtual machine, the attacker will have your keys.

If your virtual machine has only your client ID and secret, then the attacker has only these credentials, but not your keys. And, as you know, even with these credentials, an attacker cannot get your HSM keys. This means that an attacker will be able to perform cryptographic operations for a certain time with your credentials. The moment you recognize the attack, you will revoke the credentials.

So, the difference in a nutshell:

Without HSM: the attacker has your keys and they can use these keys as long as they want (and they are valid).

With HSM: an attacker does not have your keys and can perform cryptographic operations with your credentials if they are valid.

+5
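The two cases the answer contrasts can be made concrete with a small model. The following is an added example written for this page, not Azure's API and not code from the answer's author: a toy `Vault` class stands in for the HSM-backed service (an assumption for illustration), client credentials stand in for the AAD client ID/secret from the question, and the two scenario functions show what an attacker who compromises the VM ends up with in each case. Only the standard library is used.

```python
import hashlib
import hmac
import secrets


class Vault:
    """Toy model of an HSM-backed vault (an assumption for illustration, not Azure's API).
    The key is generated inside and no method returns it; callers only get operation results."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)      # never leaves this object
        self._clients: dict[str, bytes] = {}     # client_id -> sha256(client_secret)
        self.audit_log: list[tuple] = []         # every request is recorded, allowed or denied

    def register_client(self, client_id: str) -> str:
        """Issue a client secret (the AAD app credential from the question); only its hash is kept."""
        client_secret = secrets.token_hex(16)
        self._clients[client_id] = hashlib.sha256(client_secret.encode()).digest()
        return client_secret

    def revoke_client(self, client_id: str) -> None:
        """What the answer calls revoking the credentials once the attack is noticed."""
        self._clients.pop(client_id, None)
        self.audit_log.append(("revoke", client_id))

    def _authenticate(self, client_id: str, client_secret: str) -> None:
        stored = self._clients.get(client_id, b"\x00" * 32)
        presented = hashlib.sha256(client_secret.encode()).digest()
        # Constant-time compare; an unknown client fails exactly like a wrong secret.
        if client_id not in self._clients or not hmac.compare_digest(stored, presented):
            self.audit_log.append(("denied", client_id))
            raise PermissionError(f"credentials rejected for {client_id!r}")

    def sign(self, client_id: str, client_secret: str, data: bytes) -> bytes:
        """The only key-using operation: data in, HMAC-SHA256 tag out, key stays inside."""
        self._authenticate(client_id, client_secret)
        self.audit_log.append(("sign", client_id, len(data)))
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, client_id: str, client_secret: str, data: bytes, tag: bytes) -> bool:
        self._authenticate(client_id, client_secret)
        self.audit_log.append(("verify", client_id, len(data)))
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def key_on_vm_scenario() -> dict:
    """Case 1 of the answer: the key file sits on the VM, so a compromise copies it."""
    key_on_vm = secrets.token_bytes(32)          # constructed sample key
    stolen_key = key_on_vm                       # attacker reads the file; nothing notices
    forged = hmac.new(stolen_key, b"session:mallory", hashlib.sha256).digest()
    accepted = hmac.compare_digest(
        hmac.new(key_on_vm, b"session:mallory", hashlib.sha256).digest(), forged)
    # No vault was involved, so there is no audit trail and no credential to revoke;
    # only rotating the key everywhere it was deployed ends the exposure.
    return {"forged_token_accepted": accepted, "audit_entries": 0, "revocable": False}


def credentials_on_vm_scenario() -> dict:
    """Case 2 of the answer: only client credentials sit on the VM; the key is in the vault."""
    vault = Vault()
    secret = vault.register_client("web-app")
    vault.sign("web-app", secret, b"session:alice")          # legitimate use by the app

    # Attacker uses the stolen credentials: this works, but every call is logged.
    forged = vault.sign("web-app", secret, b"session:mallory")
    accepted_before = vault.verify("web-app", secret, b"session:mallory", forged)

    # Defender notices the unexpected entries in the audit log and revokes the client.
    vault.revoke_client("web-app")
    try:
        vault.sign("web-app", secret, b"session:mallory")
        still_works = True
    except PermissionError:
        still_works = False

    return {
        "forged_token_accepted": accepted_before,
        "key_exportable": hasattr(vault, "export_key"),   # there is no such operation
        "works_after_revoke": still_works,
        "audit_entries": len(vault.audit_log),
        "revocable": True,
    }


if __name__ == "__main__":
    print("key on VM:        ", key_on_vm_scenario())
    print("credentials on VM:", credentials_on_vm_scenario())
```

The point the model makes is the one in the answer: in both cases the attacker can produce valid results while the compromise lasts, but in the vault case the key itself is never obtained, every use leaves an audit entry that can trigger detection, and revoking the client ends the attacker's access without re-deploying anything. Note the one caveat the toy keeps honest: results the attacker already produced before revocation are not undone by revoking the credential.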

From the developer's point of view, to understand the concept of Azure Key Vault, I would recommend this link:

https://azure.microsoft.com/en-in/documentation/articles/key-vault-whatis/

It describes the need for using Azure Key Vault from 3 different perspectives for developers:

1. Developer for an Azure application
2. Developer for Software as a Service (SaaS)
3. Chief security officer (CSO)

However, the Azure Key Vault has not yet been released by Microsoft. Full key storage will be released by December 2015, which will be an enhanced feature of ARM.

0

Source: https://habr.com/ru/post/1232662/
