Azure Key Vault Overview Part 1

Time: 14 hours 28 minutes
Difficulty: Intermediate
CEU/CPE: 15
Video Transcription
Hello Cyberians. Welcome to lesson 2.1 of module 2 of this class titled AZ-301, Microsoft Azure Architect Design. In this video, we'll be covering the following. We'll start out by introducing what Azure Key Vault is. As you'll see, Azure Key Vault is a lot of things and has many capabilities. I will then show you a sample scenario that will hopefully help you to understand some use cases for Azure Key Vault. I will then go over some of the core concepts of the Azure Key Vault service. I'll be covering keys, secrets, and certificates and what those concepts are as related to the Azure Key Vault service. Let's get into this.

First of all, let's describe what the Azure Key Vault service is. What exactly is the purpose of the service? Azure Key Vault has three main purposes. Number 1, it's a key management service. Number 2, it's a secret management service, and number 3, it's a certificate management service. Those are the three main purposes of Azure Key Vault, and as we go on in this lesson, it will become clearer to you what those purposes mean. One other thing I would like to mention to you about Azure Key Vault is that it has amazing integration with other Azure services, and we'll see some of those in lessons in this module. Things like Azure Storage, Azure Disk, and Azure App Service have natively built integration with Azure Key Vault. For example, with Azure Disk, the encryption keys can be stored in Azure Key Vault. We'll see that in a demo.

Let's take an example of a three-tier application implemented in Azure to understand the use case of Azure Key Vault even further. This sample application has a front-end API which collects data about the state of different services and then stores the information in an Azure Storage account. The middle tier, or the application logic, which in this case is running in an Azure Virtual Machine, then retrieves data from the storage account, does some processing according to the programmed logic, and then sends out a tweet if there are irregularities with the service. So just understand that simple application. Just how many secrets, keys, or certificates do you think it would need to implement a scenario like this? Let's examine this.

First, our Virtual Machine needs an admin password. This could probably be replaced by joining the virtual machine to an Active Directory domain and then using a domain-managed identity. But let's say for this case it's a non-domain-joined Virtual Machine. Number 2, the front-end API that is running in an Azure web app needs the storage account key to be able to store the information that it's collecting in that storage account. Also, the application logic code which is running within our virtual machine needs the storage account key to be able to retrieve the data that was stored by the front-end API, so it can do its own processing. Number 3, for the application logic to be able to tweet out the state of the services, it needs a Twitter API key. Let's not forget that if the front-end API is running HTTPS, which is ideally what we want, we need a TLS certificate. For compliance reasons, we may want the storage account to use an encryption key managed by our organization, and not the default Microsoft-managed key. Also, for security and compliance reasons, we want the disks that are attached to our VM to be encrypted. All that we just described are keys, secrets, and certificates, which in each case we don't want to fall into the wrong hands, and for that to happen, they have to be properly managed and their lifecycle properly governed. This is the type of scenario that Azure Key Vault can help us to solve.

Let's see how Azure Key Vault could help us with solving some of these issues. Take, for example, the VM password. This can be stored as a secret in Azure Key Vault. The ARM template deployment service can then be given permissions to retrieve the key from Key Vault during deployments to avoid storing the password in plain text within a template or parameter files. This is what that looks like in practice. As you can see in the diagram on the screen, the secret is stored in the Key Vault, which is the VM password, and that will now be referenced in a parameter file. The ARM template deployment service would then be given permission so that it can retrieve the password at the point of deployment and apply that password to our virtual machine.

What about the situation of a storage account key? We could store this as a secret in Azure Key Vault. The front-end application code and the middle-tier application logic code could then be granted permissions to retrieve this key from Azure Key Vault at the point of use. They could then use the key that they've retrieved to perform different operations against the storage account. What about a certificate in our scenario? The TLS certificate could either be generated in Azure Key Vault as a self-signed certificate, or Azure Key Vault could integrate with a third-party certificate provider like DigiCert to generate the certificate, which can then be retrieved and used by the Azure web app.

Now that we have a good understanding of the purpose of Azure Key Vault and the problems it can help us to solve, let's go ahead and review what exactly the terms that we've been making references to mean. Let's take, for example, the term secrets in Azure Key Vault. A secret in Azure Key Vault means data under 10 kilobytes that our application can store and retrieve in plain text. Now, our application can retrieve that in plain text, but it is stored encrypted at rest with keys that are protected by HSMs, that is, hardware security modules, in Azure Key Vault. Examples of what we call secrets in Azure Key Vault are passwords, database connection strings, storage account connection strings, etc. There used to be an option to add PFX files as secrets, but this is now deprecated.

What about keys? Keys in Azure Key Vault refers to cryptographic keys, that is, secrets generated using an algorithm, and specifically referring to asymmetric keys. These can be imported or generated in Azure Key Vault. One of the good use cases of keys is that we can use them to further protect secrets, sort of like what happens in a TLS scenario where you use the asymmetric key to protect the symmetric key. This is also a good use case for Azure Key Vault. But what algorithms does it support? It supports RSA and Elliptic Curve keys. When we talk about RSA keys, it supports keys of sizes 2,048, 3,072, and 4,096, and for ECC keys, it supports P-256, P-384, P-521, and P-256K. By the way, you won't be required to remember those for the exam, from my understanding.

Finally, let's talk about certificates. These are much more straightforward. It's simply SSL or TLS certificates that we have purchased from public CAs. We can automatically enroll or renew these certificates via the Key Vault, provided that the public CA is supported by Azure Key Vault. It's important to understand this: Key Vault does not issue public certificates. Key Vault does not resell certificates from CAs. Key Vault simply provides the ability to simplify the automation of certain tasks on certificates. For example, in terms of enrolling and renewing certificates, Key Vault can integrate with your third-party certificate providers to automatically do this, and it can also create or automatically generate self-signed certificates. Examples of public CAs that are supported in Azure Key Vault are DigiCert and GlobalSign, so those are supported.

I'll go ahead and pause this video here, and then I'll resume in the next lesson. In this module, we'll talk about the different service tiers of Azure Key Vault and other useful information that you need to know for your exam.
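One way to wire up the VM-password scenario from the lesson, as an added example that is not part of the course material: an ARM deployment parameter file that points the adminPassword parameter at a Key Vault secret instead of carrying the value in plain text. The subscription ID, resource group, vault name and secret name are placeholders, and the vault is assumed to have its enabled-for-template-deployment setting turned on so that Azure Resource Manager is permitted to read the secret at deployment time.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "value": "vmadmin"
    },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
```

The template must declare adminPassword with type securestring; the deployment service resolves the reference, so the password never appears in the template, the parameter file, or the deployment history.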