Azure Credential Management

Use cases

To manage and safe guard the credentials. What are the credentials?

1. Certificates
2. Keys
   1. API Keys
   2. Encryption Keys (It’s recommended to use RSA-Keys to encrypt data at rest)
   3. Storage Keys
   4. Event Hub Access Keys
   5. …
3. Values
   1. DB Connection strings
   2. …

There available services on Azure are as follows:

• Key/Vault
• HSM
• HashiCorp Vault

Key/Vault

HSM

• HSM kinds and both support FIPS (Federal Information Processing Standard) 140-2 Level 3.
  • Keyvault Managed HSM [MS DOC]
  • Dedicated HSM [MS DOC]

For more info refer to COMPUTER SECURITY RESOURCE CENTER.

• Consider your organizational data security compliance by provisioning the HSM e.g.
  • Soft delete retention period e.g. 60 days
  • Purge protection enabled
  • Fully isolated private endpoint
  • Logging enabled
  • Specify the allowed region

Managed vs. Dedicated

Managed	Dedicated
	HSM hosted in a MS datacenter that is connected directly to a customer virtual network (VNet). It obtains a private IP address from the VNet address space. MS doesn’t have any access to HSM and the customer is a full administrative access and functionality.
Security Domain (It’s the disaster recovery solution)	Doesn’t need

Dedicated HSM Availability & Disaster Recovery Model

Managed HSM Availability & Disaster Recovery Model

The following features provide the availability & disaster recovery requirements:

• Security Domain
• Soft Delete + Retention Period
• Purge protection

HashiCorp Vault