Trust anchors in the Azure cloud
OK, I’m biased, but it’s hard to argue that crypto isn’t a critical enabler of trust in a digital world. Whether that trust is focused on confidentiality, integrity or authenticity any form of cryptographic trust comes down to the secrecy and quality of keys. Now, as we think about establishing trust in cloud environments the challenge of managing keys in the cloud comes into stark focus and anything that purports to make that task easier deserves a closer look.
Before we do, let’s remind ourselves of the problem. There are lots of different sort of keys, but here I’m going to focus on application level keys, keys that encrypt and decrypt data or other secrets as they are used and keys that sign messages or documents as they are shared. Unfortunately, all too often these keys are hard coded into applications or at least directly handled alongside the application.
The problem with this is that keys are unnecessarily exposed, they can be easily found, stolen or substituted. The application development lifecycle can be complex, fragmented and poorly scrutinized – involving many individuals with little or no direct interest in operational security. In the cloud, development teams can spring up test and pre-production instances with ease and risk exposing keys and credentials that may well be destined for production environments. Once in production, applications face debugging, performance optimization and patching operations that again often involving individuals far removed from the security team.
If keys can be stolen they can be used with impunity and the higher up the key hierarchy the greater the damage. Theft of master keys or key encryption keys would likely be disastrous. So, it should be clear by now, keys need to be locked down. Unfortunately, if attackers can’t actually steal the keys they’re unlikely to pack their bags and go home. Instead they’ll try to misuse the keys – typically by corrupting the applications that have the rights to access them. This is never a good thing but at least it forces the attackers to work in broad daylight under the watchful eye of auditing systems and other intrusion detectors - it limits their scope, forces them to move quickly and eventually, when they make a mistake, gives them away.
Keeping this risk under control is hard enough even in an on-premise datacenter. For many years hardware security modules (HSMs) have been used to protect the usage and management of keys and, in some cases their use is actually mandated as a compliance issue. But applying these measures to achieve a higher level of assurance in the cloud has proved to be difficult, until now.
With the launch of the public preview of Azure Key Vault, Microsoft have taken a big step forward, essentially creating a crypto-as-a-service capability within Azure for use by enterprise, ISVs and Microsoft themselves. I’m proud to say that the new service is based on the use of Thales Azure RMS and the ‘bring your own key' or BYOK capability where keys that are managed in on-premise Thales HSMs can be securely uploaded to Azure based HSMs to provide end to end assurance.
Any Azure based application can use the Key Vault service to access a variety of key management capabilities such as key creation, backup and rotation as well as basic crypto operations like encrypt/decrypt and sign and have the option to perform all operations within the secure boundary of the HSM. But Key Vault is more than just a good source of strong keys and a safe place to keep them. The new service creates true separation between security operations teams and application owners and wraps the whole thing up with a powerful audit capability, all delivered with the resiliency and scale that you would expect from Azure.
When we think about clouds much is made of their multi-tenancy, different organizations using the same core infrastructure, but less air time is given to the need for role separation within each organization. Often times that isn’t a big deal but when it comes to crypto it’s a huge issue. Keys are the Achilles heel of crypto and minimizing the group of individuals that can manage keys and isolating them from app developers, testers and contractors is critical. Key management is about keeping secrets and it should only be performed by individuals that appreciate what that really means and that are equipped with tools that enforce the appropriate policies and that can attest to the actions that they take. That’s what Microsoft have brought to Azure and Dan Plastina and his team should take credit for leading the way.