17

I am trying to understand the security benefits that Azure Key Vault would offer (or equally AWS KMS)

I understand the benefits of key management, of being able to easily rotate, change, audit key access.

What perplexes me a little though is how it is more secure.

As I understand it, if I develop a web application and want to protect my connection string (for instance) I can create a key pair in Key Vault and save it there. I then create an application in AAD, and use the client ID/Secret/URI to authenticate to Key Vault to obtain my connection string. There is also the possible benefit of restricting that further by Resource Group.

However this now means I have a client ID/Secret/URI to protect.

How is this better?

P.S. I'm not a developer! I just like to poke around in these things to understand them from a devops point of view. So if you could aim your answer at the typical clueless ops guy, that would be appreciated ;)

Liam
  • 22,818
  • 25
  • 93
  • 157
Michael B
  • 10,997
  • 4
  • 29
  • 65
  • This question should be reopened IMO. The title made it sound more off topic than it actually was and given that it has a good answer that answers the question I don't believe it to be opinion based. – Liam Feb 23 '21 at 09:09

2 Answers2

15

Azure Key Vault uses Hardware Security Modules (HSMs) by Thales. Special about HSMs is that they do not give you keys. You create or import a key into an HSM. Later on you give data to the HSM and the HSM is executing cryptographic operations on that data. E.g. encrypting, decrypting, hashing ect. By the way, those hardware devices are really expensive. With Azure Key Vault you are able to use this protection for a small price. That's one benefit using Azure Key Vault.

To your question why this is more secure: Keys are more worth than a single VM that has been compromised. If one of your VMs have been compromised and you would have your encryption keys on that VM, the attacker would have your keys.

If you have only your client ID and secret on your VM, then the attacker has only those credentials but not your keys. And as you know even with those credentials the attacker is not able to get your keys from the HSM. That means the attacker would be able to execute cryptographic operations for a certain amount of time with your credentials. The moment you recognize the attack you invalidate the credentials.

So the difference in a nutshell:

Without HSM: the attacker has your keys and can use those keys as long as they want (and they are valid).

With HSM: the attacker does not have your keys and is only able to execute cryptographic operations with your credentials as long they are valid.

Peter Kirchner
  • 745
  • 5
  • 11
  • OK, I understand how it makes sense to use a HSM for cryptographic operations (well, mostly) is there any benefit to storing plain text secrets there? i.e. my connection string - do I get any benefits from doing that – Michael B Oct 01 '15 at 16:08
  • @MichaelB yes and no. It always depends on the attack. Just examples: If someone connects to your running VM and the attacker knows what he does, than probably not. If the attacker is only able to steal your VHD and you know there's an unauthorized download of your VHD, then you're able to change credentials. Many people don't even know that they got compromised for a long time. With Azure AD in this case you could even see logon activities from different regions. There is no perfect security, all security does is to make the life of an attacker harder or to win time for counter measures. – Peter Kirchner Oct 01 '15 at 16:27
  • 2
    You get the following clear security benefits: 1) segregation - you can have multiple credentials accessing a secret and shutdown only the compromised ones 2) easy rolling - you can change secrets without changing application configuration, 3) audit - knowing who reads and writes to the secret, 4) age protection - set expiry dates for secrets, forcing roll-up or renew, and you get warnings about that, 5) phishing protection - only authorized people can change connection strings, hence it's harder for an attacker to diverge a front-end application to his own database or back-end service. – fernacolo Oct 09 '15 at 20:35
-1

From a developer perspective, to understand concept of azure key vault I would recommend this link -

https://azure.microsoft.com/en-in/documentation/articles/key-vault-whatis/

It describes the need of azure key vault in 3 different perspective for developer-

1. Developer for an Azure application 
2. Developer for Software as a Service (SaaS)
3. Chief security officer (CSO)

However Azure key vault has not been released in full fledged by Microsoft now. Full fledged key vault will be released by December 2015 which will be an extended feature of ARM.

Aatif Akhter
  • 1,745
  • 19
  • 38
  • 2
    I understand what it is, and I've read the documentation, my question is how does it make my application more secure – Michael B Oct 01 '15 at 12:02