Using Azure Key Vault for Encrypting and Securing your Cloud Workloads


1 Using Azure Key Vault for Encrypting and Securing your Cloud Workloads
Microsoft Ignite 2016, 6/4/2018 1:50 AM. Session CLD333. Michael Frank & Chris Abberley.
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 How to use these to encrypt your cloud workloads with Microsoft Azure
Session code: CLD333. Key take away: understand how to use Azure Key Vault to securely handle keys and secrets, and how to use these to encrypt your cloud workloads with Microsoft Azure.

3 Agenda Why & What How Pitfalls and complex configurations
Agenda

Why & What
- The state of security in the cloud
- What do we need to secure
- Azure Key Vault basics
- Azure Key Vault features

How
- Key Vault management
- Scenarios
- Demos: storage encryption, disk encryption, SQL TDE

Pitfalls and complex configurations
- Notes from the field
- Things we learned

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Why & What

5 Quiz Commissions on Elections Republic of the Philippines
Quiz

Commission on Elections, Republic of the Philippines
- 340GB of data
- 228,605 email addresses
- 1.3 million passport numbers and expiry dates
- 15.8 million fingerprint records
- Data was encrypted, but the key was in the PHP code of its website
- Source:

Sony Entertainment and Sony Pictures
- Sony Entertainment in 2011: PlayStation Network down; unencrypted credit card details of users
- Sony Pictures in 2014: personal data of employees and families; confidential emails and salary information; a few films (The Interview, Annie)
- Source:

Red Cross Australia
- 1.74GB file with 1,286,366 records
- Personal details of blood donors
- Data was unencrypted and stored on an unsecured website
- Found through scanning public addresses for a .sql file
- Source:

My "friend" John
- Had a crypto-locker installed
- 350GB of personal data
- Paid $400 to get access back to his data

6 The state of encryption in the cloud:
The state of encryption in the cloud:

84% of companies expressed concerns about the safety of data stored in the cloud. Source:

Reasons given for encrypting:
- Protect company data: 61%
- Protect employee data: 56%
- Compliance and legal requirements: 50%
- Security policy: 49%
- Awareness of attacks: 38%
- Avoid negative PR: 23%
- Avoid costs of a data breach: 18%

80% used cloud storage, but only 39% were encrypting that data. Reasons given for not encrypting:
- Lack of budget
- Performance concerns
- Lack of knowledge

7 The quest to securing resources in Azure

8 The quest to securing resources in Azure
What needs securing falls into three groups:

Secrets
- Connection strings
- Credentials
- Other secrets

Keys
- Symmetric keys
- Asymmetric keys (public key, private key)

Certificates
- Digital certificates: a public key in a wrapper

9 What’s needed from a security module?
What's needed from a security module?
1. Secrets and keys are encrypted at rest
2. Choice of deployment location
3. Choice of encryption method (software vs hardware, and BYOK)
4. Security module separation
5. Easy access and rights control
6. Low cost

10 How does Azure Key Vault meet the needs:
How does Azure Key Vault meet the needs:
1. Secrets and keys are encrypted at rest
2. Choice of deployment country
3. Choice of encryption method (software vs hardware, and BYOK)
4. Security module separation
5. Easy access and rights control
6. Low cost

11 How does Azure Key Vault meet the needs:
How does Azure Key Vault meet the needs:
1. Secrets and keys are encrypted at rest: all data in the Key Vault is encrypted
2. Choice of deployment country: choice of which datacentre and which resource group we want to deploy to
3. Choice of encryption method (software vs hardware, and BYOK): Standard vs Premium edition; BYOK
4. Security module separation: create as many Key Vaults as you want
5. Easy access and rights control: management via PS / Azure AD / RBAC
6. Low cost: price is 0.03$ /

12 Azure Key Vault summary
Azure Key Vault summary
- Cloud hosted, HSM backed service for managing cryptographic keys and features, using certified FIPS Level 2 standards
- Encrypt keys and small secrets (up to 10kb)
- Import or generate your keys
- Simplify and automate tasks for SSL/TLS certificates
- All keys stay in the HSM boundary: you cannot retrieve the private key
- Key Vault is deployed in minutes
- Comes in two flavors, Standard and Premium; with Premium Key Vaults all secrets and keys are stored on an HSM
- $0.03 / operations; certificate renewal: $3 per renewal request; HSM protected keys: $1 per key per month

13 How

14 Key Vault: RBAC - Admin Roles and Resource
Key Vault: RBAC, admin roles and resource

Azure Admin / Key Vault Owner
- Creates the Key Vault
- Allows applications and users access
- Updates permissions
- Deletes the Key Vault

Key/Secret Owner
- Adds, updates and removes keys and secrets

Application Owner
- Configures applications with the application service principal and secret URI
- Can add / update keys and secrets

Application / Azure resource
- Has an Azure AD identity
- Retrieves the key / secret

Auditor

15 Key Vault: Workflow

16 Company Scenario : AAAF
Company scenario: AAAF

PowerShell scripts with credentials in plain text
- Store credentials as secrets and request them from Key Vault during execution

Windows Server VMs that are not encrypted
- Use the BitLocker extension
- Store the Azure BitLocker key within Key Vault

SQL Server 2016
- Use TDE within SQL
- Store the TDE key in Key Vault
- Use SQL extensions to configure SQL

17 Replace plain text credentials in Powershell with secrets in KeyVault
Demo: Michael Frank, Chris Abberley
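The role split from the RBAC slide and this demo fit together in the following PowerShell, added here as an illustration; it is not code from the Ignite deck or from Microsoft. It assumes the Az PowerShell module, an existing resource group, and uses placeholder names and principal IDs (`rg-keyvault-demo`, `kv-aaaf-demo`, `svc-backup`, the `<...>` values) that must be replaced before use.

```powershell
# Added example: map the Key Vault roles onto access policies, then replace a
# plaintext credential in a script with a secret read from the vault at run time.
# Assumes the Az module; resource names and the <...> IDs are placeholders.

# --- BEFORE: the pattern the AAAF scenario wants to remove -------------------
# $pass = 'P@ssw0rd!'   # plaintext credential shipped with the script
# $cred = New-Object PSCredential('svc-backup', (ConvertTo-SecureString $pass -AsPlainText -Force))

# --- AFTER --------------------------------------------------------------------
$rg        = 'rg-keyvault-demo'   # placeholder resource group
$vaultName = 'kv-aaaf-demo'       # placeholder; vault names are globally unique
$location  = 'australiaeast'      # the "choice of deployment location"

# Azure Admin / Key Vault Owner: creates the vault. Standard SKU here; Premium
# would keep keys in HSMs. The creating identity gets a full access policy.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location -Sku Standard | Out-Null

# Key/Secret Owner: adds, updates and removes keys and secrets, nothing more
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId '<secret-owner-object-id>' `
    -PermissionsToSecrets get,list,set,delete `
    -PermissionsToKeys get,list,create,delete,update

# Application / Azure resource: the service principal the script runs as may
# only read secret values (no list, no set); that is all "retrieves the
# key / secret" needs.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName '<script-app-id>' `
    -PermissionsToSecrets get

# Auditor: may enumerate names and attributes; 'list' never returns a value
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId '<auditor-object-id>' `
    -PermissionsToSecrets list -PermissionsToKeys list

# Key/Secret Owner stores the credential once; prompting keeps it out of files
$secure = Read-Host -Prompt 'Password for svc-backup' -AsSecureString
$stored = Set-AzKeyVaultSecret -VaultName $vaultName -Name 'svc-backup-password' -SecretValue $secure
$stored.Id   # versioned secret URI the Application Owner puts in the app configuration

# --- Inside the script itself (runs as the service principal) ----------------
# Sign in with a certificate so the script holds no password at all:
# Connect-AzAccount -ServicePrincipal -ApplicationId '<script-app-id>' `
#     -Tenant '<tenant-id>' -CertificateThumbprint '<cert-thumbprint>'
$secret = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'svc-backup-password'
$cred   = New-Object System.Management.Automation.PSCredential('svc-backup', $secret.SecretValue)
# $cred goes to any cmdlet with -Credential; the password stays a SecureString
# throughout, e.g.:
# Invoke-Command -ComputerName backup01 -Credential $cred -ScriptBlock { Get-Service }
```

The point of the last part is that the secret is never converted to plain text: `SecretValue` is already a `SecureString`, so it can be wrapped in a `PSCredential` directly. Rotating the password then means one `Set-AzKeyVaultSecret` call, with no script change.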

18 Encrypt Azure VMs with BitLocker and Key Vault
Demo: Michael Frank, Chris Abberley
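The disk encryption demo, as an added PowerShell example rather than the deck's own script: it enables the vault for disk encryption, generates an HSM-backed key encryption key (KEK), and runs the BitLocker extension against a Windows VM. It assumes the Az module, a Premium vault (needed for the HSM key) and an existing VM; the resource names are placeholders.

```powershell
# Added example: Azure Disk Encryption (BitLocker) for a Windows VM with a
# Key Vault key encryption key (KEK). Assumes the Az module, a Premium vault
# and an existing VM; names are placeholders.
$rg        = 'rg-keyvault-demo'
$vaultName = 'kv-aaaf-demo'
$vmName    = 'vm-aaaf-01'

# BitLocker requirement: the platform must be allowed to read the vault's
# disk-encryption secrets, and the vault must be in the same region and
# subscription as the VM.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# The KEK is generated inside the HSM boundary; its private half can never be
# retrieved, only used to wrap and unwrap the per-VM BitLocker key.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'vm-aaaf-kek' -Destination HSM

# The extension creates the BitLocker key on the VM, wraps it with the KEK,
# stores the wrapped key as a secret in the vault, then encrypts OS and data
# disks. -Force skips the confirmation prompt (the VM reboots).
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Verify: OsVolumeEncrypted and DataVolumesEncrypted should report Encrypted
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Using a KEK, rather than storing the BitLocker key as a bare secret, means the secret in the vault is useless without the HSM key, and the KEK can be rotated without touching the VM's disks.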

19 Encrypt SQL Database with TDE and Key Vault
Demo: Michael Frank, Chris Abberley
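The SQL TDE demo, as an added example that is not the deck's script: the TDE protector is created in Key Vault, the SQL IaaS extension is pointed at the vault, and T-SQL binds the vault key and switches TDE on. It assumes the Az and SqlServer PowerShell modules, a SQL Server 2016 VM with the SQL IaaS extension, an Azure AD app registration for the SQL instance, and that the extension registers the connector's EKM provider under its default name `AzureKeyVault_EKM_Prov`; names, IDs and the database name are placeholders.

```powershell
# Added example: TDE on SQL Server 2016 in an Azure VM with the TDE key in
# Key Vault. Assumes Az + SqlServer modules, a SQL VM with the SQL IaaS
# extension and an Azure AD app registration; all names/IDs are placeholders.
$rg        = 'rg-keyvault-demo'
$vaultName = 'kv-aaaf-demo'
$vmName    = 'vm-sql-01'
$sqlAppId  = '<sql-app-id>'    # application (client) ID of the SQL registration
$vault     = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# 1. Asymmetric TDE protector created in the vault (HSM on Premium). SQL Server
#    never holds the private key; it asks the vault to wrap/unwrap the DEK.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'sql-tde-key' -Destination HSM | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $sqlAppId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey

# 2. SQL IaaS extension installs the Key Vault connector and registers the EKM
#    provider (assumed name: AzureKeyVault_EKM_Prov) plus a credential.
$spSecret = Read-Host -Prompt 'Client secret of the SQL app registration' -AsSecureString
$kvCfg = New-AzVMSqlServerKeyVaultCredentialConfig -Enable -CredentialName 'kv-sql-cred' `
    -AzureKeyVaultUrl $vault.VaultUri -ServicePrincipalName $sqlAppId -ServicePrincipalSecret $spSecret
Set-AzVMSqlServerExtension -ResourceGroupName $rg -VMName $vmName -Name 'SqlIaasExtension' `
    -KeyVaultCredentialSettings $kvCfg | Out-Null

# 3. Inside SQL Server: bind the vault key, give the TDE login its own vault
#    credential (a credential maps to one login only), create a DEK protected
#    by the vault key, turn TDE on and read the state back.
#    encryption_state 3 = encrypted. The SECRET format is the connector's:
#    client ID without hyphens followed by the client secret (placeholder here).
$tsql = @"
CREATE ASYMMETRIC KEY TdeVaultKey
    FROM PROVIDER [AzureKeyVault_EKM_Prov]
    WITH PROVIDER_KEY_NAME = 'sql-tde-key', CREATION_DISPOSITION = OPEN_EXISTING;
CREATE LOGIN TdeLogin FROM ASYMMETRIC KEY TdeVaultKey;
CREATE CREDENTIAL TdeVaultCred
    WITH IDENTITY = '$vaultName',
    SECRET = '<client-id-without-hyphens><client-secret>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TdeLogin ADD CREDENTIAL TdeVaultCred;
USE [AaafDb];
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeVaultKey;
ALTER DATABASE [AaafDb] SET ENCRYPTION ON;
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@
Invoke-Sqlcmd -ServerInstance $vmName -Query $tsql
```

The access policy is deliberately limited to `get`, `list`, `wrapKey` and `unwrapKey`: the SQL instance can use the protector but cannot delete, export or replace it, which is the "security module separation" the deck asks for.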

20 Pitfalls & Complex scenarios
Pitfalls & Complex scenarios

21 Pitfalls DR Restoring VMs Key Vault Access Moving VMs
Pitfalls
- DR
- Restoring VMs
- Key Vault access
- Moving VMs
- Automatic rollovers
- BitLocker requirements
- Required access to other cloud resources
- KEK
- SDKs
- Encrypting with certs
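Two of these pitfalls (DR, and restoring or moving encrypted VMs) can be turned into routine checks. The PowerShell below is an added example, not from the deck: it backs up every key and secret in a vault, and a function checks that an encrypted VM and its vault still satisfy the placement rules the BitLocker extension depends on. It assumes the Az module; the vault, VM and backup path are placeholders.

```powershell
# Added example: DR backup of a vault, plus a placement check for encrypted VMs.
# Assumes the Az module; names and paths are placeholders.
$rg        = 'rg-keyvault-demo'
$vaultName = 'kv-aaaf-demo'
$vmName    = 'vm-aaaf-01'
$backupDir = 'C:\kv-backup'

# Backup blobs are encrypted by the service and can only be restored into a
# vault in the same subscription and Azure geography, so the DR vault has to
# live there too. Without a backup of the KEK, an encrypted VM is unrecoverable.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($k in Get-AzKeyVaultKey -VaultName $vaultName) {
    Backup-AzKeyVaultKey -VaultName $vaultName -Name $k.Name `
        -OutputFile (Join-Path $backupDir "$($k.Name).keybackup") -Force
}
foreach ($s in Get-AzKeyVaultSecret -VaultName $vaultName) {
    Backup-AzKeyVaultSecret -VaultName $vaultName -Name $s.Name `
        -OutputFile (Join-Path $backupDir "$($s.Name).secretbackup") -Force
}
# Restore into the DR vault later with, for example:
# Restore-AzKeyVaultKey -VaultName 'kv-aaaf-dr' -InputFile "$backupDir\vm-aaaf-kek.keybackup"

function Test-AdeVaultPlacement {
    # Azure Disk Encryption needs the vault and VM in the same region and
    # subscription, with disk encryption enabled on the vault. A VM moved or
    # restored elsewhere cannot unwrap its BitLocker key; this reports why.
    param([string]$ResourceGroup, [string]$VmName, [string]$VaultName)
    $vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $vault = Get-AzKeyVault -VaultName $VaultName
    $problems = @()
    if ($vm.Location -ne $vault.Location) {
        $problems += "region mismatch: VM $($vm.Location), vault $($vault.Location)"
    }
    # resource IDs look like /subscriptions/<id>/resourceGroups/...; index 2 is the subscription
    if ($vm.Id.Split('/')[2] -ne $vault.ResourceId.Split('/')[2]) {
        $problems += 'VM and vault are in different subscriptions'
    }
    if (-not $vault.EnabledForDiskEncryption) {
        $problems += 'vault is not enabled for disk encryption'
    }
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroup -VMName $VmName
    if ($status.OsVolumeEncrypted -ne 'Encrypted') {
        $problems += "OS volume status: $($status.OsVolumeEncrypted)"
    }
    return $problems   # empty array means the VM can still reach and use its keys
}
Test-AdeVaultPlacement -ResourceGroup $rg -VmName $vmName -VaultName $vaultName
```

Run the check after any restore or move and before a rollover of the KEK; an empty result means nothing about the VM's key path changed.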

22 How to use these to encrypt your cloud workloads with Microsoft Azure
Session code: CLD333. Key take away: understand how to use Azure Key Vault to securely handle keys and secrets, and how to use these to encrypt your cloud workloads with Microsoft Azure.

23 Continue your Ignite learning path
Continue your Ignite learning path
- Visit Channel 9 to access a wide range of Microsoft training and event recordings
- Head to the TechNet Eval Centre to download trials of the latest Microsoft products
- Visit Microsoft Virtual Academy for free online training

24 Thank you
Chat with us in the Speaker Lounge. Find us: Michael @ , Chris @
