Azure Key Vault – The Cloud Based HSM
A hardware security module (HSM) is a physical computing device that protects and manages digital keys for strong authentication and provides crypto processing. These modules usually come in the form of a plug-in card or an external device that attaches directly to a computer or network server.Azure Key Vault first became available as a public screening in January 2015 and became generally available in same year of June. It is available in Standard and Premium service levels. There is no set up fee and users are billed for operations and keys. So, let’s dive deep in and know more about AKV and its benefits of HSM.
To help you out of this hardware misery, Microsoft offers you Azure Key Vault (AKV) in the cloud. It offers the benefits of HSM and managing it.
HOW SAFE IS STORING DELICATE DATA IN AKV?
Storing data in a database and an HSM is not the same. The data does not simply stay in a file on user’s server. This information is stored in hardware device and the device offers the user many features such as auditing, tamper-proofing, encryption, etc. What Microsoft provides in the form of AKV is an interface using which the user can access the HSM device in a safe way.
If the user wants further assurance about the integrity of the key, the user can generate it right inside of the HSM. Isn’t it cool? Microsoft processes keys in FIPS 140-2 Level 2 validated HSMs and even Microsoft cannot see or extract the user’s keys. With logging enabled, you can pipe the logs to Azure HD Insight or SIEM solutions for threat detection.
PATCHING, PROVISIONING, AND OTHER INFRASTRUCTURE ISSUES
Microsoft does, just like other Azure IaaS resources. They provide an SLA of 99.9% effective processing for Key Vault transactions within 5 seconds.
WHAT KIND OF DATA SHOULD BE STORED?
The user can store PFX files and manage your SSL certificates using AKV. Database Connection strings, Social Network client keys, Subscription Keys, License Keys, and many more keys could be stored and managed easily using AKV.
CREATING AND MANAGING KEY VAULTS
Azure Key Vault offers a way to securely store credentials and other keys and secrets, but the user code needs to authenticate to Key Vault to recover them. Managed Service Identity (MSI) makes resolving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). The user can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in the user’s code.