Microsoft Build 2016
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Managing secrets for Azure apps
Sumedh Barde, Lead Program Manager, Microsoft Azure
Regardless of how you build your cloud app
Web Apps, VMs, Service Fabric apps, Cloud Services, containers.
One challenge you can count on is…
Secrets. Whatever the hosting model (Web Apps, VMs, Service Fabric apps, Cloud Services, containers), the app needs certificates, SQL connection strings, storage account keys, passwords, SSH keys and encryption keys.
One reason is the bad guys
Every one of those secrets (certificates, SQL connection strings, storage account keys, passwords, SSH keys, encryption keys) is something an attacker wants.
But the biggest reason, BY FAR, is negligence
80% of data breaches are caused by silly mistakes by those responsible for managing secrets.
Silly mistakes lead to huge consequences
Leaks, outages, compliance violations.
Speaker notes: You added some keys temporarily, and before you know it one of your teammates has pushed the change to GitHub. Or you kept your certificates on your internal file server, and someone recycled the hard drives without wiping them. Or you shared your connection strings with your teammates by secure mail, but one of them lost their phone in a taxi cab. Or you decide to be cautious and keep them only in your head; but then how do you deploy automatically every few hours? As your team grows 10x, the rate of mistakes grows 10x.
Best practices for handling secrets
9
Best practices Inventory your secrets. Certificate1.pfx
Certificate2.pem Password1 Password2 DBConnectionString1 StorageAccountKey1 StorageAccountKey2
10
Best practices Inventory your secrets.
Store them in stores designed for secrets. Storage account keys Certificates Encryption keys Passwords Azure Key Vault
11
Azure Active Directory
Best practices Azure Active Directory App1 - VMs Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab App4 - Cloud Service Azure Key Vault App5 - Containers Your apps
12
Best practices Inventory your secrets.
App1 - VMs Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. Minimize permissions, review permissions periodically. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab App4 - Cloud Service Secret Custodians (only a handful) App5 - Containers App developers (the rest of your team)
13
Best practices Inventory your secrets.
App1 - VMs Storage account keys Certificates Encryption keys Passwords Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. Minimize permissions, review permissions periodically. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab Storage account keys Certificates Encryption keys Passwords App4 - Cloud Service Secret Custodians Storage account keys Certificates Encryption keys Passwords App5 - Containers Storage account keys Certificates Encryption keys Passwords App developers
14
Security Analysts & Auditors
Best practices App1 - VMs Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. Minimize permissions, review permissions periodically. Log access, review logs. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab App4 - Cloud Service Secret Custodians Logs App5 - Containers Security Analysts & Auditors App developers
15
Security Analysts & Auditors
Best practices App1 - VMs Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. Minimize permissions, review permissions periodically. Log access, review logs. Rotate secrets periodically. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab App4 - Cloud Service Secret Custodians App5 - Containers Security Analysts & Auditors App developers
16
Security Analysts & Auditors
Best practices App1 - VMs Inventory your secrets. Store them in stores designed for secrets. Tie access to your directory. Minimize permissions, review permissions periodically. Log access, review logs. Rotate secrets periodically. Automate. App2 - Web App Storage account keys Certificates Encryption keys Passwords App3 - Service Fab App4 - Cloud Service Secret Custodians App5 - Containers Security Analysts & Auditors App developers
Leveraging Azure Key Vault
Azure Key Vault – bird's eye view
Secret store as a service: store and manage secrets; isolate cryptographic keys, backed by HSMs.
Azure resource provider: a key vault is a resource in your subscription.
Anchored to Azure AD: authentication requires an Azure AD token, and permissions are expressed in terms of Azure AD identities.
Integrated with other Azure services and SDKs, which allows automated flows of secrets from source to destination.
Read/write/use via REST API / SDK / PowerShell / CLI
The vault lives in your subscription; apps read, write and use its contents through the REST API, the SDKs, PowerShell or the CLI.
Interfaces to Azure Key Vault
Azure Resource Manager interface: use this to create or delete a key vault and to get or update its properties and permissions. Available through the REST API, the SDKs (.NET, Java, Node.js), the command line (PowerShell, cross-platform CLI) and ARM templates.
Azure Key Vault interface: use this to write secrets and keys into the key vault, read secrets, and use keys. Available through the REST API, the SDKs (.NET, Java, Node.js) and the command line (PowerShell, cross-platform CLI).
Available worldwide, isolated by geo
Regions at the time of the session: US (West, East, East 2, Central, North Central, South Central); Europe (North, West); Asia (East, Southeast); Japan (East, West); Australia; Brazil South; US Gov (Iowa, Virginia); China (North, East).
You choose the region when creating your key vault. Secrets and keys in that key vault are stored in that region and backed up in a second region within the same geo: six copies in total, so you get very high durability. Your read/write requests are affinitized to the primary region, but the service fails over automatically within the region, or to the secondary region, so you get high availability.
Demo
Create a key vault; add a password, a storage account key and a PFX; set permissions.
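The demo above and the best-practices list (inventory, store in a vault, tie access to the directory, minimize and review permissions, log access, rotate, automate), and the two interfaces (Resource Manager for the vault itself, Key Vault for its contents), as one added PowerShell walkthrough. This is example code written for this page, not the session's demo script. It uses the current Az PowerShell module (the 2016 session used the AzureRm and AzureKeyVault cmdlets, which have the same shape); the resource group, region, vault, storage account, directory group and application names are assumed.

```powershell
# Added example, not the session's demo script. All names below are assumed.
$rg        = 'ContosoRG'
$location  = 'eastus'            # the vault's region; its data stays in that geo
$vaultName = 'contoso-kv'

# --- Azure Resource Manager interface: create the vault (control plane) ---
New-AzResourceGroup -Name $rg -Location $location | Out-Null
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -Location $location

# --- Key Vault interface: write secrets (data plane) ---
# Password: prompt for it rather than keeping a literal in the script, and give
# it an expiry so the inventory shows when rotation is due.
$sqlPwd = Read-Host -Prompt 'SQL admin password' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'SqlAdminPassword' `
    -SecretValue $sqlPwd -ContentType 'password' -Expires (Get-Date).AddDays(90) | Out-Null

# Storage account key: copy it from the storage resource provider into the vault.
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name 'contosostorage')[0].Value
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'contosostorage-key1' `
    -SecretValue (ConvertTo-SecureString $storageKey -AsPlainText -Force) `
    -ContentType 'storage-account-key' | Out-Null
Remove-Variable storageKey      # do not leave the plaintext key in the session

# PFX: import as a Key Vault certificate. The private key stays in the vault;
# the PFX password is prompted, not embedded in the script.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Import-AzKeyVaultCertificate -VaultName $vaultName -Name 'app-auth-cert' `
    -FilePath '.\app.pfx' -Password $pfxPwd | Out-Null

# --- Tie access to the directory, minimize permissions ---
# Custodians (a handful of people) manage secrets and certificates.
$custodians = Get-AzADGroup -DisplayName 'KeyVault-Custodians'
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $custodians.Id `
    -PermissionsToSecrets Get, List, Set, Delete `
    -PermissionsToCertificates Get, List, Import, Delete
# The app's own directory identity gets Get on secrets and nothing else.
$app = Get-AzADServicePrincipal -DisplayName 'contoso-web-app'
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $app.Id -PermissionsToSecrets Get
# Developers (the rest of the team) get no policy at all.

# --- Log access ---
# Ship AuditEvent logs to a storage account the custodians do not control.
# (Az.Monitor 2.x cmdlet; Az.Monitor 3.x replaced it with New-AzDiagnosticSetting.)
$logStore = Get-AzStorageAccount -ResourceGroupName $rg -Name 'contosoauditlogs'
Set-AzDiagnosticSetting -ResourceId $vault.ResourceId -StorageAccountId $logStore.Id `
    -Category AuditEvent -Enabled $true | Out-Null

# --- Rotate ---
# Regenerate the storage key at its source and write the new value as a new
# version of the same secret. Readers of the latest version pick it up; older
# versions stay in the vault's history until they are disabled.
$regen  = New-AzStorageAccountKey -ResourceGroupName $rg -Name 'contosostorage' -KeyName key1
$newKey = ($regen.Keys | Where-Object KeyName -eq 'key1').Value
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'contosostorage-key1' `
    -SecretValue (ConvertTo-SecureString $newKey -AsPlainText -Force) `
    -ContentType 'storage-account-key' | Out-Null
Remove-Variable newKey

# --- Review permissions and the inventory periodically ---
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Format-Table DisplayName, PermissionsToSecrets, PermissionsToCertificates
Get-AzKeyVaultSecret -VaultName $vaultName |
    Format-Table Name, ContentType, Enabled, Expires, Updated
```

Two practical caveats. Regenerating key1 invalidates it immediately, so clients still holding the old value fail until they re-read the secret; with two storage keys the usual order is to regenerate the key nobody is using, point clients at it, then regenerate the other. And the `Set-AzKeyVaultSecret` calls that read `$storageKey`/`$newKey` keep the value in process memory only for the duration of the call; the `Remove-Variable` lines are there so a long-lived custodian session does not retain it.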
Distribute secrets via Azure Resource Manager
When you deploy via Azure Resource Manager (ARM), you can have ARM read secrets from your key vault and pass them as parameters to the resources you are creating: for example the VM admin password to the Azure Compute service for your VMs, or the SQL Server admin password to the Azure SQL service for your SQL servers. You must grant ARM permission to your key vault. The same applies when updating those parameters.
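The ARM flow above as an added example (not from the session): a parameters file that points at the vault instead of carrying the password, plus the vault flag that grants ARM permission to read it. The vault and secret names are those assumed in the demo example, and `azuredeploy.json` is an assumed template whose `administratorLoginPassword` parameter is of type `securestring`.

```powershell
# Added example. Assumes vault 'contoso-kv' holding 'SqlAdminPassword' and an
# assumed template .\azuredeploy.json with a securestring parameter
# 'administratorLoginPassword'.
$rg = 'ContosoRG'; $vaultName = 'contoso-kv'

# Grant Azure Resource Manager permission to read the vault during template
# deployment. Without this flag the reference below is rejected even if the
# user running the deployment can read the secret directly.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForTemplateDeployment
$vault = Get-AzKeyVault -VaultName $vaultName

# Parameters file: the secret value never appears here, only a pointer to it.
# ARM resolves the reference at deployment time and hands the value to the
# resource provider; it is not echoed in the deployment's outputs or history.
$params = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        administratorLoginPassword = @{
            reference = @{
                keyVault   = @{ id = $vault.ResourceId }
                secretName = 'SqlAdminPassword'
                # secretVersion = '<version>'  # omitted: latest version. Pin it
                #                              # when a deployment must be reproducible.
            }
        }
    }
}
$params | ConvertTo-Json -Depth 10 | Set-Content -Path '.\azuredeploy.parameters.json'

New-AzResourceGroupDeployment -ResourceGroupName $rg -Name 'sql-with-vault-password' `
    -TemplateFile '.\azuredeploy.json' `
    -TemplateParameterFile '.\azuredeploy.parameters.json'

# Updating the parameter later: write a new secret version with
# Set-AzKeyVaultSecret and run the same deployment again.
```

The identity running the deployment also needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault (the built-in Contributor role includes it); that is a control-plane check, separate from the vault's own access policies, so a user with a Get policy on secrets but no role on the vault resource still cannot deploy with a reference.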
Distribute certificates to VMs / Web Apps
The Azure Compute service can deploy certificates from your key vault to your VMs "just-in-time" when the VM launches. You can also trigger it to re-deploy certificates if you update them in your key vault. A similar flow exists with the Azure Web Apps service.
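The VM certificate flow above as an added example (not from the session), using the `app-auth-cert` certificate assumed in the demo example and an assumed existing VM `web01` in `ContosoRG`. It shows the second vault flag (deployment, distinct from template deployment), the versioned secret URL that the compute service is given, and the re-deploy step after a renewal.

```powershell
# Added example. Assumes certificate 'app-auth-cert' in vault 'contoso-kv'
# and an existing VM 'web01' in resource group 'ContosoRG'.
$rg = 'ContosoRG'; $vaultName = 'contoso-kv'; $vmName = 'web01'

# The Compute resource provider fetches the certificate itself, so the vault
# must be enabled for deployment. This is a different flag from
# EnabledForTemplateDeployment; enable only the one you need.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -EnabledForDeployment
$vault = Get-AzKeyVault -VaultName $vaultName

# A Key Vault certificate is also exposed as a secret holding the PFX; the
# compute service is handed that secret's versioned URL.
$cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name 'app-auth-cert'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
# CertificateStore is the Windows LocalMachine store name. On Linux the store
# name is ignored and the agent writes the certificate and key as files under
# /var/lib/waagent instead.
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vault.ResourceId `
        -CertificateStore 'My' -CertificateUrl $cert.SecretId
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Re-deploy after renewing the certificate in the vault: the secret URL
# changes with the version, so replace the entry and update the VM again.
$renewed = Get-AzKeyVaultCertificate -VaultName $vaultName -Name 'app-auth-cert'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm.OSProfile.Secrets.Clear()
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vault.ResourceId `
        -CertificateStore 'My' -CertificateUrl $renewed.SecretId
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
```

For Web Apps the equivalent is a `Microsoft.Web/certificates` resource that names the vault and secret; in that flow it is the App Service resource provider's own service principal, not the compute flag, that must be granted Get on secrets in the vault's access policy.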
After bootstrap, read/write other secrets directly
Authenticate to Azure AD using the certificate that was deployed to your VM (or Web App), then read and write secrets in your key vault. You must register your app in Azure AD and grant it permission to your key vault in advance.
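The bootstrap described above as an added example (not from the session): the one-time registration a custodian does with the certificate's public key, the Get-only policy, and the runtime authentication on the VM with the private key that the compute service installed. Vault, certificate and app names are those assumed in the earlier examples; the tenant ID is read from the current context.

```powershell
# Added example. Assumes vault 'contoso-kv', certificate 'app-auth-cert'
# (already deployed to the VM) and an app named 'contoso-web-app'.
$vaultName = 'contoso-kv'
$tenantId  = (Get-AzContext).Tenant.Id

# ---- One-time setup, run by a custodian, not on the VM ----
# Register the app in Azure AD with the certificate's PUBLIC key as its
# credential. Only the public half leaves the vault.
$cert      = Get-AzKeyVaultCertificate -VaultName $vaultName -Name 'app-auth-cert'
$certValue = [Convert]::ToBase64String($cert.Certificate.GetRawCertData())
$sp = New-AzADServicePrincipal -DisplayName 'contoso-web-app' `
        -CertValue $certValue -EndDate $cert.Certificate.NotAfter
# Grant that identity Get on secrets and nothing else. Use the object ID, not
# a display name, so another app with the same name cannot inherit the policy.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id -PermissionsToSecrets Get
$appId = $sp.AppId   # older Az.Resources versions expose this as .ApplicationId

# ---- At runtime, on the VM ----
# The private key sits in the machine certificate store, put there by the
# compute service; there is no password or client secret on the box.
$thumb = $cert.Certificate.Thumbprint   # on the VM: look it up in Cert:\LocalMachine\My
Connect-AzAccount -ServicePrincipal -TenantId $tenantId `
    -ApplicationId $appId -CertificateThumbprint $thumb | Out-Null

# Read what this app is allowed to read (-AsPlainText needs Az.KeyVault 3.x+).
$connectionString = Get-AzKeyVaultSecret -VaultName $vaultName `
    -Name 'SqlConnectionString' -AsPlainText

# Check that the policy is as narrow as intended: with only Get, a write is
# refused by the vault with 403 Forbidden and the secret is unchanged.
try {
    Set-AzKeyVaultSecret -VaultName $vaultName -Name 'SqlConnectionString' `
        -SecretValue (ConvertTo-SecureString 'should-not-succeed' -AsPlainText -Force)
    Write-Warning 'Write succeeded: the app policy is broader than Get'
} catch {
    Write-Host "Write refused as intended: $($_.Exception.Message)"
}
```

The same pattern applies to application code: the .NET, Java and Node.js SDKs named on the interfaces slide accept a certificate-based client assertion for Azure AD and then call the Key Vault data-plane API with the resulting token, so the app never holds a reusable password.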
Or wire it into your custom deployment tool
Your own deployment engine can read storage account keys, certificates, encryption keys and passwords from the key vault and deliver them to the workloads it deploys.
Resources
Docs: http://aka.ms/kvdocs
Blog: http://aka.ms/kvblog
Feedback
Community