Azure Key Vault Architectural Considerations

Video Transcription
Hello, Cybrarians. Welcome to Lesson 2.5 of Module 2 of this course on Microsoft Azure Architect Design.

Here is some quick information on what we'll be covering in this lesson. We'll start by covering Azure Key Vault availability, and I'll talk about the concept of shared responsibility as it relates to this. I'll then talk about security, which also involves shared responsibility, and I'll give you best practices on what you need to do to ensure the security of the Azure Key Vault resource. Then I'll talk about compliance and how it relates to Azure Key Vault. Finally, I'll talk about Azure Key Vault monitoring.
When it comes to Azure Key Vault availability, it's a shared responsibility. Microsoft has certain responsibilities that we need to be aware of, and we have certain responsibilities when we're doing our configuration. In terms of Microsoft's responsibilities: you cannot have a Key Vault resource in Azure without replication. Because of the sensitivity of this type of service, the Key Vault contents are automatically replicated to the paired region of the region that you selected. If you're not familiar with the concept of paired regions, I'd advise you to have a look at Cybrary's video content on other Azure topics.

If there were to be a failure in the region you selected, Microsoft automatically and transparently fails over your service to the other region, the paired region, where it has been replicated to. Now be aware that if this were to happen, it could take a few minutes for your service to come back online. So whenever you're building a service that uses Key Vault, be aware of that and always implement retry logic in your code.

Also, after a failover has completed and your service comes online in the secondary region, only a limited set of operations is possible, because the vault is online in read-only mode, so certain request types will not work. Once your primary region comes back online and the failback is triggered by Microsoft, the other request types, including writes, become available once again.
So when it comes to our responsibilities, there are best practices for Azure Key Vault availability. Number one: enable soft delete. This is useful in cases of accidental deletes or even malicious deletes that may happen. Soft delete ensures that when the key vault itself, or objects within the key vault, are deleted, they are retained for 90 days after deletion.

To avoid a deleted object then being purged (because if it's purged, it's deleted forever and we cannot recover it), what you may also want to do is enable purge protection. Purge protection ensures that when the key vault or the objects in it are deleted, they cannot be purged until after the retention period has passed. Both of these configurations, soft delete and purge protection, cannot be enabled in the Azure portal for now, so you have to use the Azure CLI or Azure PowerShell to enable them.

Using resource locks is also a good practice. If you have a very sensitive Key Vault resource and you don't want any modifications to happen after you've configured it the way you want, you may want to use a resource lock to lock that down.

Also, taking backups is very important, especially in the case of a rogue insider, or where you deliberately deleted an object in the vault and then changed your mind later. In those cases, your backup is what's going to help you.
So let's talk about Key Vault security. Number one: you want to limit access to the Key Vault management plane, which is governed by Azure role-based access control (RBAC). Remember that if someone has a certain level of access in the management plane, they could in essence give themselves permission to the data plane and read secret or key material from within the Key Vault resource. So you want to lock this down and follow the principle of least privilege.

You also want to limit access to the Key Vault data plane via access policies. In other words, who has access to the data, the objects that you've stored inside the Key Vault? Use access policies to lock that down.

From a network connectivity perspective, if your Key Vault is only going to be used by internal services, especially if they're running in Microsoft Azure, you want to limit access at the network layer as well; that's the defense-in-depth idea. You want to ensure that you only allow access from networks that need to reach the Key Vault, and you can do this by going to the Firewalls and virtual networks configuration of the Key Vault.

We talked about this earlier when it comes to availability, but it also applies to security: enable soft delete and purge protection. Also, remember to take backups. You'll be glad you did if you encounter a security attack that tries to deny you service.

And then finally, you want to enable diagnostic logs for monitoring and review. This is especially important if you want to be able to review whether certain people are misusing their privileges and giving themselves permission into the data plane. You want diagnostic logs to be able to see who is accessing what from within the resource itself.
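The availability and security settings just listed (soft delete, purge protection, the network default action, and least-privilege access policies) are all visible in a vault's properties. The following is an added example, not code from the lesson, that audits two constructed vault documents shaped like the JSON that `az keyvault show` returns; the property names are assumed from the Key Vault resource schema, and the object IDs are made up.

```python
# Added example: audit a Key Vault's properties against the lesson's best practices.
# Both vault documents are constructed samples shaped like `az keyvault show` output.
WEAK_VAULT = {
    "name": "kv-weak", "location": "westeurope",
    "properties": {
        "enableSoftDelete": False,
        "enablePurgeProtection": False,
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",  # constructed
             "permissions": {"secrets": ["all"], "keys": ["get", "purge"], "certificates": []}},
        ],
    },
}

HARDENED_VAULT = {
    "name": "kv-hardened", "location": "westeurope",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
        "accessPolicies": [
            {"objectId": "22222222-2222-2222-2222-222222222222",  # constructed
             "permissions": {"secrets": ["get"], "keys": [], "certificates": []}},
        ],
    },
}


def audit_vault(vault: dict) -> list[str]:
    """Return a list of findings; an empty list means the vault follows the lesson's guidance."""
    p = vault.get("properties", {})
    findings = []
    if not p.get("enableSoftDelete"):
        findings.append("soft delete disabled: deleted vault or objects cannot be recovered")
    if p.get("softDeleteRetentionInDays", 0) < 90:
        findings.append("soft-delete retention below the 90 days described in the lesson")
    if not p.get("enablePurgeProtection"):
        findings.append("purge protection disabled: a delete can be followed by a permanent purge")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("network default action is Allow: vault reachable from any network")
    for policy in p.get("accessPolicies", []):
        for kind, perms in policy.get("permissions", {}).items():
            broad = {x.lower() for x in perms} & {"all", "purge"}  # wider than least privilege
            if broad:
                findings.append(f"policy {policy.get('objectId')} grants broad {kind} permissions {sorted(broad)}")
    return findings


if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"], audit_vault(v) or "OK")
```

Resource locks are a separate resource rather than a vault property, so they are not covered by this check.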
When it comes to compliance, it's also a shared responsibility. When I talk about compliance in Azure, I like to emphasize that there's no such thing as "Azure is GDPR compliant" or "Azure is FIPS compliant". Compliance in Azure is on a service-by-service basis: "does this service have this level of compliance?" is the question to ask. So when it comes to Azure Key Vault, there are levels of compliance that it has achieved, and you can find this documented on the Microsoft website.

The way that we use the Azure Key Vault resource also impacts compliance in many cases. For instance, enabling logging is not something that Microsoft would do for us: to be able to satisfy certain compliance frameworks, we need to enable diagnostic logging ourselves. The same goes for enabling purge protection and soft delete. Things like using resource locks to protect against deletion or modification, and taking backups, are very important when it comes to achieving compliance. Of course, it goes beyond what I've listed on the screen, but you get the idea.
Let's talk about monitoring. When it comes to monitoring Azure Key Vault, there are two main levels of logs that you want to pay attention to. Number one is the activity log. The activity log is enabled by default; we don't need to do anything to enable it. It logs events on the management plane: who created the resource, who deleted the resource, who created an object, who deleted an object, and so on. You can export it to a storage account for archiving, you can stream it to Azure Event Hubs, where you can collect it with third-party software or a third-party SIEM system, or you can send it directly to Azure Monitor Logs, also known as Azure Log Analytics, to do deep-dive analytics on it using the Kusto Query Language.

Then we have diagnostic logs, which are not enabled by default, and this is very key and very important: it's highly recommended to enable them. Once you enable them, you can access the logging information in about 10 minutes. So it's not instant; give it about 10 minutes before you start seeing the logs. What is logged when you enable diagnostic logs: all authenticated REST API requests to the Key Vault resource itself, including failed requests, and again that's very important for security and compliance reasons; operations on the Key Vault itself; operations on the keys, secrets and certificates within the Key Vault; and unauthenticated requests that result in a 401 response. This is information that you will not get if you do not enable diagnostic logs, so you always want to ensure that this log is enabled for every production Key Vault.
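Once diagnostic logs are flowing, the entries described above (authenticated requests, failures, and 401s) can be triaged for the misuse the lesson warns about. The following is an added example, not code from the lesson: it runs a small triage over constructed records whose field names (operationName, resultSignature, callerIpAddress, identity.claim.upn, properties.httpStatusCode) are assumed to resemble Key Vault AuditEvent entries; the IPs, users and allow list are made up.

```python
# Added example: triage constructed Key Vault diagnostic (AuditEvent) records.
# Field names are an assumption about the AuditEvent shape, not copied from the lesson.
from collections import Counter


def rec(t, op, status, ip, upn=None):
    """Build one constructed record in the shape the triage function expects."""
    sig = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}[status]
    return {"time": t, "operationName": op, "resultSignature": sig,
            "callerIpAddress": ip, "identity": {"claim": {"upn": upn} if upn else {}},
            "properties": {"httpStatusCode": status}}


# Constructed sample: one normal read, a burst of unauthenticated probes from one
# address, an authenticated caller denied a KeyDelete, and a read from outside the VNet.
SAMPLE_LOGS = [
    rec("2021-03-01T10:00:01Z", "SecretGet", 200, "10.0.1.4", "app@contoso.example"),
    rec("2021-03-01T10:00:02Z", "SecretGet", 401, "203.0.113.7"),
    rec("2021-03-01T10:00:03Z", "SecretGet", 401, "203.0.113.7"),
    rec("2021-03-01T10:00:04Z", "SecretList", 401, "203.0.113.7"),
    rec("2021-03-01T10:00:05Z", "KeyDelete", 403, "10.0.1.9", "dev@contoso.example"),
    rec("2021-03-01T10:00:06Z", "SecretGet", 200, "198.51.100.20", "dev@contoso.example"),
]

ALLOWED_PREFIXES = ("10.0.",)  # constructed: networks the vault firewall is meant to allow


def triage(records, allowed_prefixes=ALLOWED_PREFIXES, unauth_threshold=3):
    """Return three views over the records that a reviewer would look at first:
    unauthenticated bursts per source IP, authenticated denials (principal tried an
    operation it lacks), and successful reads from outside the allowed networks."""
    status = lambda r: r["properties"]["httpStatusCode"]
    upn = lambda r: r["identity"]["claim"].get("upn")
    unauth = Counter(r["callerIpAddress"] for r in records if status(r) == 401)
    denied = [(upn(r), r["operationName"]) for r in records if status(r) == 403]
    outside = [(upn(r), r["callerIpAddress"]) for r in records
               if status(r) == 200 and not r["callerIpAddress"].startswith(allowed_prefixes)]
    return {"unauth_bursts": {ip: n for ip, n in unauth.items() if n >= unauth_threshold},
            "denied": denied, "outside_network": outside}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The same three questions map directly onto Kusto queries over the AuditEvent category once the logs land in Log Analytics.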
So what did we discuss in this video? In this video we discussed Azure Key Vault availability, security, compliance and monitoring, which are different architectural principles, or design principles, for the Azure Key Vault service.

Here is some good information on supplementary materials which you can use for further study: the Azure Key Vault documentation, and Azure Key Vault feedback, which is very useful for seeing what existing limitations the Azure Key Vault service has and what people are requesting. You can also add a vote there. Also, the Azure updates page gives you information as Microsoft improves the service and on things that have changed. So thanks very much for joining me in this particular lesson. This is the end of this module. I'll see you in the next module.