Hello, Cybrarians, welcome to this lesson on Azure Key Vault. This lesson is part of the eighth module of the AZ-500 Microsoft Azure Security Technologies course.
Quick information on what we're covering in this lesson.
We'll start with an overview of Azure Key Vault.
We'll then discuss secrets, keys and certificates.
Other concepts that we'll cover include Key Vault service tiers,
management and data planes,
access policy and advanced access policy,
soft delete and purge protection,
backup and restore, and finally network connectivity options. Let's get into this.
Let's start by reviewing what Azure Key Vault is. Azure Key Vault is more than one thing.
It is a secrets management service.
It's a key management service, and it's also a certificates management service.
Azure Key Vault also has integrations with other Azure services like Azure Storage, Azure App Service and Azure Disks.
For example, we mentioned in our lesson on Azure Storage how we can integrate it with Azure Key Vault for automatic access key management.
Let's have a look at what secrets, keys and certificates are.
First of all, secrets. Secrets are data under 10 kilobytes that our applications can store in, and retrieve as plaintext from, Key Vault.
Examples of secrets are passwords and database connection strings. We can store this information as a secret in Azure Key Vault.
Then we have keys. Keys are cryptographic keys generated using an algorithm,
and Azure Key Vault supports only RSA and elliptic curve keys.
We can import keys that we created elsewhere, using the supported algorithms, into Key Vault. We can also generate keys in Key Vault.
Key Vault supports the 2048, 3072 and 4096-bit RSA key sizes. It also supports the elliptic curve types P-256, P-384, P-521 and P-256K.
Certificates refers to SSL/TLS X.509 certificates.
These could be either self-signed SSL/TLS certificates generated in Key Vault, or SSL/TLS certificates purchased from publicly trusted CAs.
It's important to note that Key Vault does not issue publicly trusted certificates or resell them itself.
What Key Vault does is provide the ability to simplify and automate certain tasks, for example the enrollment and renewal of certificates for supported certificate authorities.
At the moment two certificate authorities are supported, and those are DigiCert and GlobalSign.
Let's talk about the service tiers of Azure Key Vault. Azure Key Vault has two service tiers: the Standard tier and the Premium tier,
and here are the main differences. The Standard tier supports only software-protected secrets and keys, while the Premium tier supports both software- and HSM-protected secrets and keys.
The Standard tier also supports only software-generated keys, while the Premium tier supports both software- and HSM-generated keys.
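As an added example (not part of the lesson), here is what creating a Premium-tier vault and populating it with each of the three object types looks like in Azure PowerShell. It assumes the Az.KeyVault module, an authenticated session (Connect-AzAccount), and placeholder names for the resource group, vault and region; the connection string is a constructed value. The HSM-protected key is the one line that would fail on a Standard-tier vault.

```powershell
# Added example, not the lesson's own code. Assumes Az.Accounts/Az.KeyVault and a
# signed-in session. All names below are placeholders.
$rg    = 'rg-keyvault-demo'
$vault = 'kv-az500-demo-001'     # vault names must be globally unique
$loc   = 'eastus'

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null
# Premium is what allows HSM-protected keys; Standard would only allow -Destination Software
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc -Sku Premium | Out-Null

# Secret: a (constructed) database connection string, passed in as a SecureString
$conn = ConvertTo-SecureString 'Server=tcp:db.example.internal;User ID=app;Password=constructed' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'SqlConnectionString' -SecretValue $conn | Out-Null

# Keys: a software-protected RSA 3072 key and an HSM-protected P-256 key generated in the vault
Add-AzKeyVaultKey -VaultName $vault -Name 'app-signing-rsa' -Destination Software -KeyType RSA -Size 3072 | Out-Null
Add-AzKeyVaultKey -VaultName $vault -Name 'app-signing-ec'  -Destination HSM      -KeyType EC  -CurveName P-256 | Out-Null

# Certificate: self-signed by Key Vault itself (IssuerName Self), valid for a year.
# A publicly trusted cert would instead use an integrated CA as the issuer.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName 'CN=app.example.internal' -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $vault -Name 'app-tls' -CertificatePolicy $policy | Out-Null

# The private key never leaves the vault; listing keys only exposes public metadata
Get-AzKeyVaultKey -VaultName $vault | Select-Object Name, KeyType, Enabled

# Secrets, by contrast, come back to the caller as plaintext
Get-AzKeyVaultSecret -VaultName $vault -Name 'SqlConnectionString' -AsPlainText
```

Nothing in the block needs Premium except the HSM key; the point of the two Add-AzKeyVaultKey lines next to each other is that the tier choice only shows up in the -Destination parameter.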
Azure Key Vault has two planes of access. First, the management plane.
This is where an administrator can perform management operations like creating and deleting a vault, retrieving the properties of the vault, and updating it.
To access this plane we must authenticate to Azure AD,
and the level of access is determined by the RBAC configuration.
The second plane is the data plane, and this is where a user or application can access the items in the vault. Operations like viewing secrets, keys and certificates happen at the data plane.
To access this plane a user must authenticate to Azure AD,
and the level of access is determined by something called access policies.
Let's see how this clear distinction between the management plane and the data plane allows us to have a true separation of roles framework.
So in this scenario we have two roles. We have a security administrator who is responsible for managing the vault and for proper safekeeping of what is stored in it,
and we have an application developer who is working on applications that need to be able to access the keys, secrets and certificates in the vault. So in this scenario we give the security administrator access to the management plane using role-based access control, RBAC,
and that will allow her to retrieve usage logging for keys, secrets and certificates,
and the application developer is given access to the data plane using an access policy to allow them to retrieve the needed stored information from the vault.
As mentioned earlier, access policies are used to grant data plane access to users and applications.
There is another option that we can configure to allow Azure services to seamlessly access Key Vault as part of an automated process,
and that is called advanced access policy.
There are three main use cases of advanced access policy.
The first is to grant access to virtual machines for deployment.
This specifies whether an Azure virtual machine can retrieve certificates stored as a secret from the key vault.
We can use it to grant access to Azure Resource Manager for template deployment, for example to retrieve a secret value as a parameter during deployment. We can also use it to grant access for Azure Disk Encryption volume encryption, and this is to allow virtual machines to retrieve secrets from the key vault to unwrap disk encryption keys.
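Here is the separation-of-roles scenario and the three advanced access policies from the last two passages expressed as Azure PowerShell, added here as an example rather than taken from the lesson. It assumes the vault already exists, and the sign-in names, resource group and vault name are placeholders. The point to notice is that the administrator's grant is a role assignment on the vault resource (management plane) while the developer's grant is an entry in the vault's own access policy list (data plane); neither grants the other plane.

```powershell
# Added example, not the lesson's own code. Assumes Az.Resources and Az.KeyVault,
# a signed-in session, and an existing vault. Names and UPNs are placeholders.
$rg    = 'rg-keyvault-demo'
$vault = 'kv-az500-demo-001'
$vaultId = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).ResourceId

# Security administrator: management plane only. "Key Vault Contributor" lets her manage the
# vault resource and read its properties and diagnostics, but carries no rights to read items.
New-AzRoleAssignment -SignInName 'secadmin@contoso.example' `
    -RoleDefinitionName 'Key Vault Contributor' -Scope $vaultId | Out-Null

# Application developer: data plane only, and only the verbs the app actually needs.
# No key permissions at all, and no set/delete on secrets or certificates.
Set-AzKeyVaultAccessPolicy -VaultName $vault -UserPrincipalName 'dev@contoso.example' `
    -PermissionsToSecrets get,list -PermissionsToCertificates get,list

# Advanced access policies: the three switches that let Azure services pull from the vault
# (VM deployment, ARM template parameters, Azure Disk Encryption) without a per-identity entry.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption

# Review the result: who has which data-plane permissions, and which service switches are on
$kv = Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg
$kv.AccessPolicies | Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates
$kv | Select-Object EnabledForDeployment, EnabledForTemplateDeployment, EnabledForDiskEncryption
```

Rerunning Set-AzKeyVaultAccessPolicy for the same principal replaces that principal's entry, so the review step at the end is worth keeping in any change procedure: it is the only place the effective data-plane grants are visible.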
Azure Key Vault has two features to protect us against accidental or malicious deletion of a vault or vault objects. These two features are soft delete and purge protection, so let's look at them. Soft delete allows us to recover a deleted key vault or key vault object
within a configurable retention period.
We have the option to configure the retention period between seven and 90 days. If no configuration is specified, the default recovery period is set to 90 days. If a key vault is deleted and soft delete is enabled, the vault will remain in the subscription as a deleted vault, and we can recover it from that state.
Purge protection, on the other hand, is used to protect a deleted vault or object during the retention period. When purge protection is configured, a vault or object in the deleted state
cannot be purged until the retention period has passed. In other words, it allows us to enforce the retention policy.
We cannot disable purge protection once it has been enabled. Next, backup and restore. Azure Key Vault content is automatically replicated to another region within the same geography. This is a replication that's transparent to us and happens automatically in the background, and in the event of a region failure
Microsoft automatically fails over the service,
and this failover, and even the failback, happens automatically and in the background. DNS will simply be redirected to the other region.
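Before moving on to backups, here is the soft delete and purge protection behaviour described above walked through end to end in Azure PowerShell, as an added example that is not part of the lesson. It assumes the Az.KeyVault module, a signed-in session and an existing resource group; vault and secret names and the secret value are placeholders. The last step deliberately attempts the purge that purge protection is meant to block.

```powershell
# Added example, not the lesson's own code. Assumes Az.KeyVault, a signed-in session and an
# existing resource group. Names and the secret value are placeholders.
$rg    = 'rg-keyvault-demo'
$vault = 'kv-az500-demo-002'     # must be globally unique
$loc   = 'eastus'

# 30-day soft-delete retention (7..90 allowed; 90 if not specified) plus purge protection.
# Purge protection is one-way: once enabled on a vault it cannot be turned off again.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc `
    -SoftDeleteRetentionInDays 30 -EnablePurgeProtection | Out-Null
Set-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' `
    -SecretValue (ConvertTo-SecureString 'constructed-value' -AsPlainText -Force) | Out-Null

# Object level: delete a secret, find it in the removed state, recover it
Remove-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -Force
Get-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -InRemovedState |
    Select-Object Name, DeletedDate, ScheduledPurgeDate
Undo-AzKeyVaultSecretRemoval -VaultName $vault -Name 'demo-secret' | Out-Null

# Vault level: delete the whole vault, confirm it is only soft-deleted, recover it
Remove-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Force
Get-AzKeyVault -VaultName $vault -Location $loc -InRemovedState |
    Select-Object VaultName, DeletionDate, ScheduledPurgeDate
Undo-AzKeyVaultRemoval -VaultName $vault -ResourceGroupName $rg -Location $loc | Out-Null

# Contents survive the round trip
Get-AzKeyVaultSecret -VaultName $vault -Name 'demo-secret' -AsPlainText

# With purge protection on, an early purge of the soft-deleted vault is refused by the service,
# so the retention window is enforced even against an identity that holds purge rights.
Remove-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Force
try {
    Remove-AzKeyVault -VaultName $vault -Location $loc -InRemovedState -Force -ErrorAction Stop
} catch {
    Write-Warning "Purge refused, as expected: $($_.Exception.Message)"
}
```

The same -InRemovedState and Undo-* pattern exists for keys and certificates. A soft-deleted vault still occupies its globally unique name until it is purged or the retention period expires, which is the usual surprise when a redeploy fails with a name conflict.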
However, there are some scenarios where we want to take a backup of important keys, secrets and certificates, and Azure Key Vault allows us to do this individually.
Backed-up keys, secrets and certificates can only be restored to a key vault in the same Azure subscription and within the same geography.
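The per-object backup and restore just described, in Azure PowerShell, added here as an example rather than taken from the lesson. It assumes a source vault already holding the three named objects, creates a destination vault in the same subscription and region, and uses placeholder names throughout.

```powershell
# Added example, not the lesson's own code. Assumes Az.KeyVault, a signed-in session,
# and a source vault that already contains the three objects. Names are placeholders.
$rg  = 'rg-keyvault-demo'
$loc = 'eastus'
$src = 'kv-az500-demo-001'
$dst = 'kv-az500-demo-003'
$dir = Join-Path $env:TEMP 'kv-backup'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Destination must be in the same subscription and geography for the restore to be accepted
New-AzKeyVault -Name $dst -ResourceGroupName $rg -Location $loc | Out-Null

# One backup per object. The output is an encrypted blob that only Key Vault can read,
# and it carries every version of the object, not just the current one.
Backup-AzKeyVaultKey         -VaultName $src -Name 'app-signing-rsa'     -OutputFile (Join-Path $dir 'app-signing-rsa.blob')     -Force
Backup-AzKeyVaultSecret      -VaultName $src -Name 'SqlConnectionString' -OutputFile (Join-Path $dir 'SqlConnectionString.blob') -Force
Backup-AzKeyVaultCertificate -VaultName $src -Name 'app-tls'             -OutputFile (Join-Path $dir 'app-tls.blob')             -Force

# Restore into the second vault. Restore fails if an object with the same name already exists
# there, so this is a rebuild tool, not a sync tool.
Restore-AzKeyVaultKey         -VaultName $dst -InputFile (Join-Path $dir 'app-signing-rsa.blob')     | Out-Null
Restore-AzKeyVaultSecret      -VaultName $dst -InputFile (Join-Path $dir 'SqlConnectionString.blob') | Out-Null
Restore-AzKeyVaultCertificate -VaultName $dst -InputFile (Join-Path $dir 'app-tls.blob')             | Out-Null

# Verify the restored objects are present (and, for the key, that the public key material matches)
Get-AzKeyVaultSecret -VaultName $dst | Select-Object Name, Enabled, Updated
$orig = (Get-AzKeyVaultKey -VaultName $src -Name 'app-signing-rsa').Key.N
$copy = (Get-AzKeyVaultKey -VaultName $dst -Name 'app-signing-rsa').Key.N
"RSA modulus matches after restore: $([Convert]::ToBase64String($orig) -eq [Convert]::ToBase64String($copy))"
```

The blobs are encrypted with keys held by the service, which is why they only restore within the same geography; even so, treat the files as sensitive material and keep them in controlled storage rather than a temp directory once the procedure is real.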
Talking about network connectivity options:
by default, Azure Key Vault allows network-level access from all public IP addresses. We can choose to restrict this access to traffic from specified public IP addresses or Azure virtual networks. To implement this we configure Key Vault firewall rules.
We can also configure a private endpoint for private network-level access to our vault.
It's important to note that regardless of network access, a request will still need to be authenticated by Azure AD for it to be accepted.
But what this does is add an extra level of defense in depth.
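The two network options above, firewall rules and a private endpoint, configured in Azure PowerShell, as an added example that is not part of the lesson. It assumes Az.KeyVault and Az.Network, a signed-in session, an existing vault, and an existing virtual network and subnet; the IP range, VNet and subnet names are placeholders. The order matters: add the allow rules first, then switch the default action to Deny, so the administrator running the script is never locked out mid-way.

```powershell
# Added example, not the lesson's own code. Assumes Az.KeyVault and Az.Network, a signed-in
# session, an existing vault and an existing VNet/subnet. Names and the IP range are placeholders.
$rg     = 'rg-keyvault-demo'
$vault  = 'kv-az500-demo-001'
$loc    = 'eastus'
$myCidr = '203.0.113.0/24'       # the office/egress range that should keep public access

# A VNet rule only takes effect if the subnet has the Microsoft.KeyVault service endpoint.
# Private endpoint NICs also need private endpoint network policies disabled on the subnet.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-app' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name 'snet-app' -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.KeyVault' `
    -PrivateEndpointNetworkPoliciesFlag Disabled | Set-AzVirtualNetwork | Out-Null

# Firewall: allow list first ...
Add-AzKeyVaultNetworkRule -VaultName $vault -ResourceGroupName $rg -IpAddressRange $myCidr
Add-AzKeyVaultNetworkRule -VaultName $vault -ResourceGroupName $rg -VirtualNetworkResourceId $subnet.Id
# ... then deny everything else. Bypass AzureServices keeps trusted Microsoft services
# (e.g. ARM template deployment, Disk Encryption) working through the firewall.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -ResourceGroupName $rg -DefaultAction Deny -Bypass AzureServices

# Private endpoint: a NIC in the subnet with a private IP that fronts the vault's data plane.
# Clients inside the VNet must resolve <vault>.vault.azure.net to that private IP, normally via
# a privatelink.vaultcore.azure.net private DNS zone linked to the VNet (not created here).
$vaultId = (Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).ResourceId
$plsc = New-AzPrivateLinkServiceConnection -Name 'kv-plsc' -PrivateLinkServiceId $vaultId -GroupId 'vault'
New-AzPrivateEndpoint -Name 'pe-kv' -ResourceGroupName $rg -Location $loc `
    -Subnet $subnet -PrivateLinkServiceConnection $plsc | Out-Null

# Review the effective network configuration
(Get-AzKeyVault -VaultName $vault -ResourceGroupName $rg).NetworkAcls
```

Two checks worth building into the procedure: confirm the client you run this from falls inside the allowed range before flipping DefaultAction to Deny, and after the change, make an authenticated request from a host that is not on the list and confirm it is rejected with a network error rather than an Azure AD error, which is the quickest way to see that the firewall is doing its job in front of authentication rather than instead of it.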
Here are some supplementary links for further study on the topics covered in this lesson.
And here is a summary of what we covered.
We started with an overview of Azure Key Vault. We then discussed secrets, keys and certificates. We covered other concepts like service tiers, management and data planes, access policy and advanced access policy, soft delete and purge protection,
backup and restore, and finally network connectivity options.
Thanks very much for watching, and I'll see you in the next lesson.