Azure Key Vault Architectural Considerations

Time
14 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
15
Video Transcription
Hello, Cybrarians. Welcome to Lesson 2.5 of Module 2 of this course titled AZ-301: Microsoft Azure Architect Design. Some quick information on what we'll be covering in this lesson. We'll start out by covering Azure Key Vault availability. I'll talk about the concept of shared responsibility as it relates to this. I'll talk about security, which also has the concept of shared responsibility, but I'll give you best practices on what you need to do to ensure the security of the Azure Key Vault service. Then I'll talk about compliance and how that relates to Azure Key Vault. Finally, I'll talk about Azure Key Vault monitoring.

When it comes to Azure Key Vault availability, it's a shared responsibility. Microsoft has certain responsibilities that we need to be aware of, and we have certain responsibilities when we're doing our configuration. In terms of Microsoft's responsibilities, here they are. You cannot have a key vault resource in Azure without replication, because of the sensitivity of the type of service. The key vault contents are automatically replicated to the paired region of the region that you selected. If you're not familiar with the concept of paired regions, I'll advise you to have a look at Cybrary's video content around other Azure information. If there were to be a failure in the region that you selected, Microsoft automatically and transparently fails over your service to the other region, the paired region where it's been replicated to. Now, be aware that if this were to happen, it could take a few minutes for your service to come online again. Whenever you're building anything that's using your key vault service, be aware of that and always implement retry logic in your code. Also, after a failover is completed and your service comes online in the secondary region, only a limited set of operations is possible, because it's going to be online in read-only mode, so certain request types would not work. If your primary region comes back online and the failback is triggered by Microsoft, all the request types, including read and write, become available once again.

When it comes to our responsibilities, here are the best practices for Azure Key Vault availability. Number 1, enable soft delete. This is useful in cases of accidental deletes or even malicious deletes that may happen. This ensures that when the key vault itself or objects within the key vault are deleted, they are going to be retained for 90 days. In the event that the key vault or its objects have been deleted, you want to avoid them then being purged, because if they're purged, that means they're deleted forever and cannot be recovered. What you may also want to do is enable purge protection. This ensures that when the objects and key vault are deleted, they cannot be purged until after the 90-day retention has passed. Both of these configurations, for soft delete and purge protection, cannot be enabled using the Azure portal for now, so you have to use the Azure CLI or Azure PowerShell to enable them. Using a resource lock is also a good practice if you have a very sensitive key vault resource. You don't want any modifications to happen after you've configured it the way you want to configure it. You may want to use a resource lock to lock that down. Also, taking backups is very important, especially when you're talking about a case of a rogue insider, or maybe you deleted a vault or deleted an object in the vault and then you change your mind later. In this case, backup is what's going to help you.

Let's talk about Azure Key Vault security. Number 1, you want to limit access to the key vault management plane using role-based access control. Remember that if someone has access, or a certain level of access, in the management plane, they could in essence give themselves permission to the data plane to be able to read and set key information from within the key vault resource. You want to lock this down and follow the principle of least privilege. You also want to limit access to the key vault data plane using access policies. In other words, who has access to the data or the objects that you're storing inside a key vault? Use access policies to lock that down. From a network connectivity perspective, if your key vault is only going to be used by internal services, especially if they're running on Microsoft Azure, you want to limit access on the network layer also. That's defense in depth. You want to ensure that you only allow access from networks that need to be able to access the key vault. You can do this by just going under the firewalls and virtual networks configuration of the key vault. We talked about this earlier when it comes to availability, but it also applies to security: enable soft delete and purge protection, and also remember to take backups. You'll be glad you did if you encounter a security attack that tries to deny you service. Then finally, you want to enable diagnostic logs for monitoring and review. This is especially important if you want to be able to review whether certain people are misusing their privileges and giving themselves permission into the data plane; you want diagnostic logs to be able to read who is accessing what from within the resource itself.

When it comes to compliance, it's also a shared responsibility. When I talk about compliance in Azure, I like to emphasize that there's nothing like "is Azure GDPR compliant" or "is Azure FIPS compliant". Compliance in Azure is on a service-by-service basis. "Does this service have this level of compliance?" is the question to ask. When it comes to Azure Key Vault, these are the levels of compliance that it has achieved. You can find this documentation on the Microsoft website. Now, the way that we use the Azure Key Vault resource also impacts compliance in many cases. Things like enabling logging are not something that Microsoft would do for us, in terms of enabling diagnostic logging. But for us to be able to achieve certain compliance frameworks, we need to enable diagnostic logging. Things like enabling purge protection or enabling soft delete are also very important. Things like using resource locks to protect from deletion or from modification. Things like taking backups are very important when it comes to achieving compliance. Of course, it goes beyond what I've listed on the screen, but you get the idea.

Let's talk about monitoring. When it comes to monitoring of Azure Key Vault, there are two main levels of logs that you want to pay attention to. Number 1 is the Activity Log. The Activity Log is enabled by default. We don't need to do anything to enable activity logs. This logs events on the management plane: who created the resource, who deleted the resource, who created an object, who deleted an object, and all those sorts of things. You can export this to a storage account for archiving. You can stream it to Azure Event Hubs so that you could collect it with third-party software or a third-party SIEM system, or you could just pass it directly to Azure Monitor logs, also known as Azure Log Analytics, to be able to do certain deep-dive analytics using the Kusto Query Language. Now we have the diagnostic logs, which are not enabled by default, and this is very key and very important. It's highly recommended to enable this. Once you enable that, you can access the logging information in about 10 minutes. It's not something instant where you start seeing all the information. Give it about 10 minutes before you start seeing the logs. Also, what is logged when you enable diagnostic logs? All the authenticated REST API requests to the key vault resource itself, and logs that include failed requests. Again, that's very important for security and compliance reasons. Operations on the key vault. Operations on the keys and the secrets and certificates within the key vault. Unauthenticated requests that result in a 401 response. This is information that you will not get if you do not enable diagnostic logs. You always want to ensure that this log is enabled for every production key vault.

What have we discussed in this video? In this video, we discussed Azure Key Vault availability, security, compliance, and monitoring, which are different architectural principles or design principles for the Azure Key Vault service. Here is some good information on supplementary materials which you can use for further study: Azure Key Vault documentation; Azure Key Vault feedback, which is very useful to be able to see what existing limitations the Azure Key Vault service has and what people are requesting. You could also add your vote there. Also, Azure Key Vault updates, to give you information as Microsoft improves on the service and things that have changed. Thanks very much for joining me in this particular lesson. This is the end of this module. I'll see you in the next module.
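The controls the lesson walks through (soft delete and purge protection, a resource lock, network restriction, a least-privilege data-plane policy, diagnostic logs to Log Analytics, and object backups) applied to one vault with Azure PowerShell. This is an added example, not code from the lesson or from Cybrary or Microsoft. The resource group, vault name, application object ID, Log Analytics workspace ID and subnet ID are assumed placeholders, and it assumes a current Az module (Az.KeyVault and Az.Monitor 3.x or later, where `Update-AzKeyVault -EnablePurgeProtection` and `New-AzDiagnosticSetting` exist); on the Az versions current when the lesson was recorded, soft delete was switched on by editing the vault resource's `enableSoftDelete` property instead.

```powershell
# Added example (not from the lesson): harden an existing Key Vault along the
# lines the lesson describes. All names and IDs below are assumed placeholders.
$rg          = 'rg-keyvault-demo'                        # assumed resource group
$vaultName   = 'kv-demo-001'                             # assumed vault name
$appObjectId = '00000000-0000-0000-0000-000000000000'    # placeholder: app's Azure AD object ID
$workspaceId = '/subscriptions/<subscription-id>/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-demo'   # placeholder
$subnetId    = '/subscriptions/<subscription-id>/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-apps'  # placeholder

$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# 1. Availability: purge protection on top of soft delete. Once enabled this
#    cannot be switched off, which is the point: deleted vaults and objects stay
#    recoverable for the retention period and nobody can purge them early.
#    (New vaults created with a current Az module already have soft delete on.)
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -EnablePurgeProtection

# 2. Resource lock: a management-plane caller must remove the lock (a separate,
#    logged operation) before the vault can be deleted.
New-AzResourceLock -LockName 'kv-no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceName $vaultName `
    -ResourceType 'Microsoft.KeyVault/vaults' -Force

# 3. Network layer (defense in depth): deny by default, allow only the
#    application subnet plus trusted Azure services.
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rg `
    -DefaultAction Deny -Bypass AzureServices -VirtualNetworkResourceId $subnetId

# 4. Data plane, least privilege: the application identity can read secrets
#    and nothing else (no set/delete/purge, no key or certificate permissions).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg `
    -ObjectId $appObjectId -PermissionsToSecrets get,list

# 5. Monitoring: ship AuditEvent diagnostic logs (authenticated REST calls,
#    failures, and 401s) to Log Analytics. Expect roughly ten minutes before
#    the first entries are queryable.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category AuditEvent
New-AzDiagnosticSetting -Name 'kv-audit' -ResourceId $vault.ResourceId `
    -WorkspaceId $workspaceId -Log $auditLog

# 6. Backups: each secret is exported as an encrypted blob that can only be
#    restored into a vault in the same Azure subscription and geography, so the
#    files are useless to anyone who merely copies them off this machine.
Get-AzKeyVaultSecret -VaultName $vaultName | ForEach-Object {
    Backup-AzKeyVaultSecret -VaultName $vaultName -Name $_.Name `
        -OutputFile (Join-Path $PWD "$($_.Name).secret.backup") -Force
}

# 7. Verify the resulting state.
Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg |
    Select-Object VaultName, EnableSoftDelete, EnablePurgeProtection, NetworkAcls
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vaultName `
    -ResourceType 'Microsoft.KeyVault/vaults'
```

Run it from a session already signed in with `Connect-AzAccount` under an identity that holds management-plane rights on the vault (the lesson's point about RBAC cuts both ways: whoever can run this script can also loosen these settings, which is why step 5 matters). Store the backup files somewhere with its own access control; they are recoverable only into a vault in the same subscription and geo, but they are still a copy of production secrets.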