
Manage, Handle and Control Your Own Key in the MS Azure Key Vault


Microsoft’s Azure Key Vault Managed HSM allows customers to safeguard their cryptographic keys for their cloud applications and be standards-compliant. It is a highly available, fully managed, single-tenant cloud service that uses FIPS 140-2 Level 3 validated hardware security modules (HSMs). Here we will discuss the reasons why customers who have a centrally managed key management system on-premises in their data center should use a hosted HSM for managing their keys in the MS Azure Key Vault.

Highly Available, Fully Managed, Single-Tenant HSM

Azure’s Key Vault Managed HSM as a service is:

#1. Highly available and zone resilient

Where zones are supported, there are multiple HSM partitions contained in each HSM cluster that spans across a minimum of two availability zones. In the event of a hardware failure, member partitions in the HSM cluster are automatically migrated to healthy nodes.

#2. Full management of keys

The service handles HSM provisioning, maintenance, configuration and patching throughout the entire life cycle of keys.

#3. Single-tenancy

Rather than being shared between tenants, each managed HSM instance is dedicated to a single customer, while comprising a cluster of multiple HSM partitions. Each customer’s HSM cluster is cryptographically isolated through the use of a separate customer-specific security domain.

Enhanced Data Protection, Access Control & Compliance

Controlling access, protecting data and meeting requirements for compliance are essential for proper key management. Azure’s Key Vault accomplishes this all via the following six factors:

#1. Data residency

Customer data is not stored or processed outside the region in which the customer deploys the managed HSM instance. It remains under the control of the customer.

#2. Monitoring and auditing with Azure Log Analytics

Every operation performed against the managed HSM is recorded in its audit logs, which can be forwarded to Azure Log Analytics for monitoring and auditing.

#3. Centralized key management with restricted access

Critical, high-value keys are managed across the organization in only one place. Through granular permissions per key, access to each key is controlled according to the principle of “least privileged access.”

#4. Isolating access control

Through the managed HSM “local RBAC” access control model, designated HSM cluster administrators are given complete control over the HSMs. This control cannot be overridden by management group, subscription or resource group administrators.

#5. Private endpoints for secure connections

Private endpoints are used to allow applications running in a virtual network to connect to managed HSMs privately and securely.

#6. Compliance with FIPS 140-2 Level 3 validated HSMs

Azure Key Vault Managed HSM protects data using HSMs validated to Federal Information Processing Standard (FIPS) 140-2 Level 3, meeting the corresponding compliance requirements. These managed HSMs use Marvell LiquidSecurity HSM adapters.
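As an added illustration of points #2, #4 and #5 above (example code written for this article, not from Microsoft or Cryptomathic), the following script runs a simple offline triage over managed HSM AuditEvent records: it flags requests that local RBAC refused and successful key operations that did not arrive from the virtual network behind the private endpoint. The record layout and the allowed network range are constructed assumptions; check the field names against the actual logs in your Log Analytics workspace before relying on them.

```python
# Added example: offline triage of managed HSM AuditEvent records.
# The JSON layout below is a constructed approximation of the audit log
# schema (assumption), as is the allowed VNet range.
import ipaddress
import json

# Constructed sample records: a normal key operation over the private endpoint,
# an operation denied by local RBAC (HTTP 403), and a key operation from a
# public address that should never reach a private-endpoint-only HSM.
SAMPLE_LOG = r"""
{"time":"2024-01-10T09:00:01Z","operationName":"KeyDecrypt","category":"AuditEvent","resultType":"Success","properties":{"clientIpAddress":"10.1.2.5","httpStatusCode":200},"identity":{"claim":{"oid":"app-workload-1"}}}
{"time":"2024-01-10T09:00:07Z","operationName":"KeyDelete","category":"AuditEvent","resultType":"Failure","properties":{"clientIpAddress":"10.1.2.9","httpStatusCode":403},"identity":{"claim":{"oid":"user-contractor"}}}
{"time":"2024-01-10T09:01:15Z","operationName":"KeySign","category":"AuditEvent","resultType":"Success","properties":{"clientIpAddress":"203.0.113.44","httpStatusCode":200},"identity":{"claim":{"oid":"app-workload-1"}}}
"""

# The VNet behind the private endpoint (assumption for this example).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]


def parse_records(text):
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records, allowed_networks=ALLOWED_NETWORKS):
    """Return (finding, operation, caller oid, ip) tuples for RBAC denials
    and for successful operations originating outside the allowed networks."""
    findings = []
    for rec in records:
        if rec.get("category") != "AuditEvent":
            continue
        props = rec.get("properties", {})
        ip = ipaddress.ip_address(props.get("clientIpAddress", "0.0.0.0"))
        oid = rec.get("identity", {}).get("claim", {}).get("oid", "unknown")
        op = rec.get("operationName")
        if props.get("httpStatusCode") == 403:
            # Local RBAC refused the caller: review whether the role scope is right.
            findings.append(("rbac_denied", op, oid, str(ip)))
        elif rec.get("resultType") == "Success" and not any(ip in n for n in allowed_networks):
            # A key was used from outside the private network: investigate exposure.
            findings.append(("outside_private_network", op, oid, str(ip)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```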

Cryptomathic’s Cryptographic Key Management System (CKMS) and MS Azure Key Vault

MS Azure Key Vault allows customers to generate their HSM-protected keys on their on-premises HSM and securely import them into a managed HSM. Microsoft has officially validated Cryptomathic’s Cryptographic Key Management System (CKMS) to support Azure Key Vault bring-your-own-key (BYOK), which enables users to "manage your own key" (MYOK), "handle your own key" (HYOK) or "control your own key" (CYOK) - depending on which acronym you find most appealing.
