Using Azure Key Vault for Encrypting and Securing your Cloud Workloads

Presentation transcript:

Using Azure Key Vault for Encrypting and Securing your Cloud Workloads
Microsoft Ignite 2016, session CLD333
Michael Frank & Chris Abberley
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Key Take Away
Understand how to use Azure Key Vault to securely handle keys and secrets, and how to use these to encrypt your cloud workloads with Microsoft Azure.

Agenda
Why & What
- The state of security in the cloud
- What do we need to secure
- Azure Key Vault basics
- Azure Key Vault features
- Key Vault management
How
- Scenarios
- Demos: storage encryption, disk encryption, SQL TDE
Pitfalls and complex configurations
- Notes from the field
- Things we learned

Why & What

Quiz

Commission on Elections, Republic of the Philippines
- 340GB of data
- 228,605 email addresses
- 1.3 million passport numbers and expiry dates
- 15.8 million fingerprint records
- Data was encrypted, but the key was in the PHP code of its website
Source: https://en.wikipedia.org/wiki/Commission_on_Elections_data_breach

Sony Entertainment and Sony Pictures
- Sony Entertainment in 2011: PlayStation Network down; unencrypted credit card details of users
- Sony Pictures in 2014: personal data of employees and families; confidential emails and salary information; a few films (The Interview, Annie)
Sources: https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage ; https://en.wikipedia.org/wiki/Sony_Pictures_hack

Red Cross Australia
- 1.74GB file with 1,286,366 records
- Personal details of 550,000 blood donors
- Data was unencrypted and stored on an unsecured website
- Found by scanning public addresses for .sql files
Source: https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data

My "friend" John
- Had a crypto locker installed
- 350GB of personal data
- Paid $400 to get access back to his data

The state of encryption in the cloud
- 84% of companies expressed concerns about the safety of data stored in the cloud
- Reasons cited for encrypting data: protect company data 61%; protect employee data 56%; compliance and legal requirements 50%; security policy 49%; awareness of attacks 38%; avoid negative PR 23%; avoid costs of a data breach 18%
- 80% used cloud storage, but only 39% were encrypting that data
- Reasons cited for not encrypting: lack of budget, performance concerns, lack of knowledge
Source: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/the-state-of-encryption-today-wpna.pdf?la=en

The quest to secure resources in Azure

The quest to secure resources in Azure: what needs protecting
- Secrets: connection strings, credentials, other secrets
- Keys: symmetric keys; asymmetric keys (public key, private key)
- Certificates: digital certificates, i.e. a public key in a wrapper

What's needed from a security module?
1. Secrets and keys are encrypted at rest
2. Choice of deployment location
3. Choice of encryption method (software vs hardware, and BYOK)
4. Security module separation
5. Easy access and rights control
6. Low cost

How does Azure Key Vault meet the needs?
1. Secrets and keys are encrypted at rest: all data in the Key Vault is encrypted
2. Choice of deployment country: choice of which datacentre and which resource group we want to deploy to
3. Choice of encryption method (software vs hardware, and BYOK): Standard vs Premium edition; BYOK
4. Security module separation: create as many Key Vaults as you want
5. Easy access and rights control: management via PowerShell / Azure AD / RBAC
6. Low cost: price is $0.03 per 10,000 operations

Azure Key Vault summary
- Cloud hosted, HSM backed service for managing cryptographic keys and features, using certified FIPS 140-2 Level 2 standards
- Encrypt keys and small secrets (up to 10 KB)
- Import or generate your keys
- Simplify and automate tasks for SSL/TLS certificates
- All keys stay within the HSM boundary; you cannot retrieve the private key
- Key Vault is deployed in minutes
- Comes in two flavors, Standard and Premium; with Premium Key Vaults all secrets and keys are stored on an HSM
- Pricing: $0.03 per 10,000 operations; certificate renewal $3 per renewal request; HSM protected keys $1 per key per month

How

Key Vault: RBAC - admin roles and resources
- Azure Admin / Key Vault Owner: creates the Key Vault; allows applications and users access; updates permissions; deletes the Key Vault
- Key/Secret Owner: adds, updates and removes keys and secrets
- Application Owner: configures applications with the application service principal and the secret URI
- Application / Azure resource: has an Azure AD identity; retrieves the key / secret; can add / update keys and secrets
- Auditor

Key Vault: Workflow

Company Scenario: AAAF
- PowerShell scripts with credentials in plain text: store credentials as secrets and request them from Key Vault during execution
- Windows Server VMs that are not encrypted: use the BitLocker extension and store the Azure BitLocker key within Key Vault
- SQL Server 2016: use TDE within SQL, store the TDE key in Key Vault, and use the SQL extensions to configure SQL

Demo: Replace plain text credentials in PowerShell with secrets in Key Vault (Michael Frank, Chris Abberley)
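The first AAAF scenario and the RBAC slide above, as an added example (not the session's demo code): the Key Vault owner creates the vault and grants the script's identity only the permission it needs, the secret owner stores the credential once, and the script fetches it at run time instead of carrying it in plain text. It assumes the Az PowerShell module, a vault named kv-aaaf-demo in resource group rg-aaaf-demo, a secret named svc-sql-password, and a VM with a system-assigned managed identity whose principal id is in $appObjectId; all of these names are assumptions.

```powershell
# Added example, not from the session. Assumed names: kv-aaaf-demo, rg-aaaf-demo,
# svc-sql-password, and $appObjectId (principal id of the VM's managed identity).

# --- Before: the pattern the AAAF scenario wants to get rid of ---------------------------
# $password = 'P@ssw0rd!'   # plain text in the script, so also in source control and backups
# $cred = New-Object PSCredential('svc-sql', (ConvertTo-SecureString $password -AsPlainText -Force))

# --- One-time setup by the Key Vault owner ---------------------------------------------
$vault = 'kv-aaaf-demo'
$rg    = 'rg-aaaf-demo'
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location 'australiaeast' -Sku Standard | Out-Null

# Key/Secret owner stores the credential once; it is never typed into a script again.
$secure = Read-Host -Prompt 'Password for svc-sql' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vault -Name 'svc-sql-password' -SecretValue $secure | Out-Null

# Application / Azure resource: the script's identity gets *only* "get" on secrets,
# not list, set or delete. (On a vault with RBAC authorization enabled, assign the
# built-in "Key Vault Secrets User" role instead of an access policy.)
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $appObjectId -PermissionsToSecrets get

# --- After: what the script itself does at run time ------------------------------------
function Get-SvcSqlCredential {
    param(
        [string]$VaultName  = 'kv-aaaf-demo',
        [string]$SecretName = 'svc-sql-password'
    )
    # Authenticate as the VM's managed identity: no client secret lives in the script.
    Connect-AzAccount -Identity | Out-Null
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    # SecretValue is already a SecureString; keep it that way and never write it to logs.
    return New-Object System.Management.Automation.PSCredential('svc-sql', $secret.SecretValue)
}

$cred = Get-SvcSqlCredential
# $cred can now be handed to whatever needs it, e.g. Invoke-Sqlcmd -Credential $cred ...
```

Every read of the secret is logged by Key Vault diagnostics under the script's identity, which is what the Auditor role on the RBAC slide would review.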

Demo: Encrypt Azure VMs with BitLocker and Key Vault (Michael Frank, Chris Abberley)
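The second AAAF scenario as an added example (not the session's demo code): encrypting an existing Windows VM with the BitLocker extension (Azure Disk Encryption), with the BitLocker secret and an HSM-protected key encryption key (KEK) both held in a Premium Key Vault, then checking the state a restore would depend on. It assumes the Az module and the names rg-aaaf-demo, kv-aaaf-disk, vm-aaaf-01 and kek-vm-disks, which are all assumptions.

```powershell
# Added example, not from the session. Assumed names: rg-aaaf-demo, kv-aaaf-disk,
# vm-aaaf-01, kek-vm-disks. Requires the Az.KeyVault and Az.Compute modules.
$rg        = 'rg-aaaf-demo'
$vmName    = 'vm-aaaf-01'
$vaultName = 'kv-aaaf-disk'
$location  = 'australiaeast'

# BitLocker requirement (see the Pitfalls slide): the vault must sit in the same region
# as the VM and must be explicitly enabled for disk encryption, or the extension fails.
# Premium SKU so the KEK is HSM-protected rather than software-protected.
$kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
        -Sku Premium -EnabledForDiskEncryption

# KEK: an RSA key that wraps each VM's BitLocker encryption key (BEK). With Premium the
# KEK never leaves the HSM boundary; only the wrapped BEK is stored in the vault as a secret.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'kek-vm-disks' -Destination HSM

# Enable Azure Disk Encryption on OS and data volumes. The VM reboots during this step.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri   -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id        -KeyEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force

# DR / restoring VMs (Pitfalls slide): a restored or moved VM can only boot if it can still
# reach this vault, this BEK secret and this KEK. Record them with the backup, and keep the
# vault's access policy intact. Losing the vault means losing the disks.
function Get-VmEncryptionSummary {
    param([string]$ResourceGroup, [string]$Vm)
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $Vm
    [pscustomobject]@{
        OsVolumeEncrypted    = $status.OsVolumeEncrypted      # expect 'Encrypted'
        DataVolumesEncrypted = $status.DataVolumesEncrypted
        BekSecretUrl         = $status.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl
        KekUrl               = $status.OsVolumeEncryptionSettings.KeyEncryptionKey.KeyUrl
    }
}

Get-VmEncryptionSummary -ResourceGroup $rg -Vm $vmName
```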

Demo: Encrypt SQL Database with TDE and Key Vault (Michael Frank, Chris Abberley)
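The third AAAF scenario as an added example (not the session's demo code): SQL Server 2016 on an Azure VM is pointed at a Key Vault key through the SQL IaaS extension, and TDE is then switched on with that key protecting the database encryption key (DEK). It assumes the Az module and the SqlServer module, a Premium vault kv-aaaf-sql with an RSA key tde-kek, an Azure AD application (client id $appId, secret $appSecret as a SecureString) that SQL Server uses to talk to the vault, a VM vm-aaaf-sql01 with the SQL IaaS extension installed, and a database AaafDb; the cryptographic provider name AzureKeyVault_EKM_Prov is the one the Key Vault connector registers and should be confirmed in sys.cryptographic_providers. All of these names are assumptions.

```powershell
# Added example, not from the session. Assumed: rg-aaaf-demo, vm-aaaf-sql01, kv-aaaf-sql,
# key tde-kek, Azure AD app $appId / $appSecret (SecureString), database AaafDb.
$rg = 'rg-aaaf-demo'; $vmName = 'vm-aaaf-sql01'; $vaultName = 'kv-aaaf-sql'

# HSM-protected master key. SQL Server never sees it; it only asks the vault to wrap and
# unwrap the DEK, so the service principal needs exactly those key permissions and no more.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'tde-kek' -Destination HSM | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey

# "Use SQL extensions to configure SQL": the SQL IaaS extension installs the Key Vault
# connector on the VM and creates the cryptographic provider and credential inside SQL Server.
$kvCfg = New-AzVMSqlServerKeyVaultCredentialConfig -Enable -CredentialName 'sqlkv_cred' `
    -AzureKeyVaultUrl "https://$vaultName.vault.azure.net/" `
    -ServicePrincipalName $appId -ServicePrincipalSecret $appSecret
Set-AzVMSqlServerExtension -ResourceGroupName $rg -VMName $vmName -Name 'SqlIaasExtension' `
    -KeyVaultCredentialSettings $kvCfg

# The rest is T-SQL, run on the VM by a sysadmin whose login carries sqlkv_cred.
# A credential can be mapped to only one login, so the TDE login gets its own credential;
# its SECRET is the client id without hyphens followed by the client secret.
$appIdNoHyphens = $appId -replace '-', ''
$plainSecret    = [System.Net.NetworkCredential]::new('', $appSecret).Password  # unwrapped only here
$tsql = @"
CREATE ASYMMETRIC KEY TDE_KEK FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'tde-kek', CREATION_DISPOSITION = OPEN_EXISTING;
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY TDE_KEK;
CREATE CREDENTIAL TDE_cred WITH IDENTITY = '$vaultName', SECRET = '$appIdNoHyphens$plainSecret'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TDE_Login ADD CREDENTIAL TDE_cred;
USE AaafDb;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEK;
ALTER DATABASE AaafDb SET ENCRYPTION ON;
SELECT name, is_encrypted FROM sys.databases WHERE name = 'AaafDb';
"@
Invoke-Sqlcmd -ServerInstance 'localhost' -Query $tsql
Remove-Variable plainSecret
```

Because the DEK is wrapped by a key that cannot be exported from the vault, a stolen backup or data file is useless without access to kv-aaaf-sql, which is the point of the "Store TDE key in Key Vault" item in the AAAF scenario.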

Pitfalls & Complex scenarios

Pitfalls
- DR
- Restoring VMs
- Key Vault access
- Moving VMs
- Automatic rollovers
- BitLocker requirements
- Required access to other cloud resources
- KEK
- SDKs
- Encrypting with certificates

Key Take Away
Understand how to use Azure Key Vault to securely handle keys and secrets, and how to use these to encrypt your cloud workloads with Microsoft Azure.

Continue your Ignite learning path
- Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
- Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com

Thank you
Chat with us in the Speaker Lounge. Find us: Michael @ https://www.linkedin.com/in/kiwibayer ; Chris @ https://www.linkedin.com/in/chrisabberley