Experts Live Europe 2019

Transcript

1. Psst. Top Secret! Keeping Secrets with Azure Key Vault Manuel

   Meyer Azure Architect, Trivadis AG www.manuelmeyer.net @manumeyer1
2. None
3. None

4. Vulnerabilities „Bad Firewall Config“ „Operating System Bugs“ „Lazy Sysadmins“ „Flawed

   Web Server Config“

5. Applications 83% Operating Systems13% Hardware 4% VULNERABILITY CLASSIFICATION

6. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

7. 2 Problems: The User & the IT People

8. The User

9. My Approach (before) „If you use the same password everywhere

   = no good“ 1 Low Security Password: heybuddy24 1 High Security Passwort: htowi_fle98dk$$+djk(43.

10. My Approach (today) Keepass MFA.

11. My Approach (today) qhjp7n0Qdnctw87G5cPg Lkjsdk32lkö2dlkj3klj%&/lkjs() slkjsEWeio***djfkl1109823lskjwJ … Single Place for

    Passwords Auto-Complete 439 entries.

12. www.haveibeenpwned.com Troy Hunt

13. None

14. Azure Key Vault in a Nutshell 1. Store and protect

    “Secret Stuff” Keys, Secrets, Certificates 2. “Provide” them to Cloud Apps and Services.

15. Basics ▪ Key ▪ A cryptographic RSA key. ▪ Keys

    CAN NOT be read from KV. ▪ Apps must ask KV to encrypt, decrypt, sign ▪ Secret ▪ A sequence of bytes (under 25kb) ▪ Authorized users write secrets to KV ▪ Authorized apps read secrets from KV ▪ Certificate.

16. Basics Management Plane Data Plane Manage the “Secret Stuff” “Work

    with the Secret Stuff” RBAC Access Policy

17. Basics ▪ Software Protected Keys ▪ FIPS 140-2 Level 1

    ▪ HSM Protected Keys ▪ FIPS 140-2 Level 2 10k Operations = 0.03 EUR Cert Renewal: 2.53 EUR HSM Keys: 0.84 EUR per Key HSM Advanced: 4.22 per Key.
18. None
19. None

20. IaaS Disk Encryption 1. In Key Vault Access Policies, allow

    Disk Encryption 2. Create a Key 3. Configure Disk Encryption on Virtual Machine 4. Reboot.
21. None
22. None

23. Digital Envelope, CEK, KEK, What??? Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

24. Demo: Client Side Storage Encryption 1. Create a Storage Account

    (done) 2. Create an Application to Upload a blob (Done: ClientSideEncryptionDemo) 3. Register the Application in AAD (done) This creates a Service Principal (objectId, secret) 4. Configure the Application to use Service Principal (done) 5. Create a Key in Key Vault “ClientSideEncryptionKey” 6. Use a KV Access Policy to allow the App to use the Key “ClientSideEncryptionKey” 7. Run the Application.
25. None
26. None

27. Lets write some code! App

28. www.shhgit.darkport.co.uk

29. Lets write some code! App

30. Goal: Remove Secrets from config ▪ 1. Use a Service

    Principal Needs objectId and Secret from App Registration ▪ 2. Use a managed Identity (MSI) App Service supports MSI.

31. Demo: Remove Secrets from App Config 1. Create a Secret

    in KeyVault 2. AppServivce: Enable Managed Identity (MSI) 3. Key Vault: Add Access Policy for MSI 4. Add Code to Request Secret from Key Vault.
32. None

33. Recap ▪ Key Vaults store ▪ Keys: Can not leave

    Key Vault ▪ Secrets: Arbitrary strings ▪ Certificates: Certificates ▪ Secret Management via Management Plane (Portal, secured by AD RBAC) ▪ Secret Usage via Data Plane (REST API, Key Vault Access Policy) ▪ Scenarios ▪ Use Key Vault to enable IaaS Disk Encryption ▪ Use Key Vault to do Client Side Encryption for Storage ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI).

34. Thank you! Manuel Meyer www.manuelmeyer.net @manumeyer1 [email protected]