Security is a huge concern for data and IT administrators, especially those using cloud infrastructures like Microsoft Azure. Luckily, there are services such as Azure Key Vault (AKV) that work to add an additional layer to data protection. Yet many Azure users are unfamiliar with AKV or are too scared to use it.
Learning the nuances of Azure Key Vault can seem like a daunting task, but in the end the benefits of using it far outweigh the worry and effort of implementing it. Here’s why.
What is Azure Key Vault?
Azure Key Vault is an Azure service that protects data with hardware security modules (HSMs), which are currently considered the gold standard for data security practices. AKV eliminates the need for source code to contain sensitive information and streamlines the management of keys and passwords—which is essential to protecting data in the cloud.
AKV also allows developers to quickly create and test keys by eliminating the need to provision, configure, and maintain HSMs and other key management software. This is particularly beneficial for small and midsize businesses that have their own IT departments but limited resources.
Understanding Keys and Secrets in AKV
Azure Key Vault contains several security assets including keys and secrets, which are new terms to some IT departments but simple to understand. A key is used to encrypt, decrypt, and sign data; once you define one, apps and users may no longer access it directly. AKV uses the key on behalf of the entity requesting it without ever allowing the key to leave the vault.
Secrets within AKV refer to information that only authorized users and applications can directly access. Some common examples of secrets include API passwords and connection strings for services such as Azure Blob Storage, which provides massively scalable object storage for unstructured data.
Applications can also use secrets to protect sensitive data. Developers frequently place connection strings in configuration files even though these strings often contain sensitive data. Azure Key Vault removes security vulnerability from this process by providing developers with credentials for the service principal and Uniform Resource Identifiers (URI) instead of the connection string itself. The administrator who originally created the service principal will provide these credentials while the credentials for the URI will come from the secret within the AKV. The combination of credentials allows developers to retrieve the connection string when the application starts, and it remains in the memory if the application is running.
Benefits of Vault Containers
Vault containers have two main benefits: They’re easier for security professionals to create and make the system more secure. For instance, developers can’t add keys and secrets to source control because they can’t directly access them. Another benefit for security professionals is that granting and revoking access to these security assets is easier because they’re now centralized within AKV, which serves as an abstraction layer around keys and secrets.
Vault containers are also easy to create. This is a big benefit for IT administrators as security is oftentimes a large time suck. Vault containers help save time by enabling technicians to create an AKV and add it to an Azure Resource Group, which they can do through Azure CLI, Azure PowerShell, and Azure Portal. Administrators simply enter or select the “add” command within the CLI and PowerShell or click a button in the portal, enter the name of the AKV, and connect to a resource group.