Key management and certificate management in Microsoft Cloud for Sovereignty
Cryptographic authentication and encryption are effective strategies for meeting confidentiality, privacy, and data sovereignty requirements. However, the effectiveness of these solutions relies on the security and resilience of the underlying cryptographic technologies and operational processes. This article introduces concepts that you should be familiar with when planning for using encryption keys and digital certificates to secure the workloads that you're migrating to the cloud.
Key management
Cryptographic materials are stored and managed in Azure using Azure Key Vault, which is available in both multitenant and single-tenant deployment modes. Azure Key Vault (AKV) provides cloud-native key, secret, and certificate management in a multitenant service that is backed by FIPS 140-validated hardware security modules. Azure Key Vault Managed HSM is a single-tenant service that gives you full administrative control over your organization's security domain and the encryption keys it protects.
Recommendations for effective key management
Platform controls, while imperative, aren't the only aspect of effective key management. Microsoft also presents several best practices for effective key management.
Access controls
If you're using the Standard or Premium SKUs of Azure Key Vault, we recommend deploying one vault per application, environment, and region, in order to enforce least privilege. If you're using Managed HSM, deploying a smaller number of centralized vaults may be preferred to manage costs. Regardless of the SKU you deploy, you must tightly regulate vault access using Role-Based Access Control (RBAC) and ensure that access policies within each vault adhere to the principle of least privilege. We recommend granting access to users, groups, and applications at a specific scope, such as a subscription, a resource group, or a single key vault, using Azure RBAC predefined roles. Controlling access is critical on both the management plane and the data plane.
Backup and recovery
You need to have regular backups at the HSM level and for specific keys. We recommend that you configure soft-delete and purge protection features to guard against accidental and malicious deletions. Azure Monitor, which is fully integrated with Managed HSM, is recommended for monitoring and logging access to key vaults. For more information, see Azure Managed HSM Best practices.
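The access-control and backup recommendations above, expressed as an added Bicep example (this is not code from the article or from Microsoft Cloud for Sovereignty): a vault with Azure RBAC on the data plane, soft-delete with purge protection, audit events sent to Azure Monitor, and a single built-in role assigned at vault scope. The parameter names and the Log Analytics workspace are assumptions; the role ID is the built-in "Key Vault Secrets User" role.

```bicep
param vaultName string
param location string = resourceGroup().location
param workloadPrincipalId string        // object ID of the app's managed identity (assumed)
param logAnalyticsWorkspaceId string    // resource ID of an existing workspace (assumed)

// Built-in "Key Vault Secrets User" role: read secret values, nothing else
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'premium'                     // premium SKU: HSM-protected keys
    }
    enableRbacAuthorization: true         // Azure RBAC on the data plane, not access policies
    enableSoftDelete: true                // deleted objects are recoverable...
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true           // ...and cannot be purged during retention
  }
}

// Least privilege: one data-plane role, scoped to this vault only
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, workloadPrincipalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: workloadPrincipalId
    principalType: 'ServicePrincipal'
  }
}

// Ship data-plane audit events to Log Analytics for monitoring and alerting
resource kvAudit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'audit-to-log-analytics'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}
```

Purge protection is irreversible once enabled, so the vault (and its keys) can only be removed after the retention period has elapsed.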
Key rotation
Ensure that regular rotations of Customer Managed Keys (CMKs) are performed, with the frequency determined by your organization's policy. Keys should also be rotated if an administrator with key access leaves or changes roles, or if any CMK is compromised. Autorotation is supported through Azure Key Vault and Azure Managed HSM. When possible, ensure that the rotation process is automated, executed without any human interactions, and tested to ensure effectiveness. In emergencies such as a compromised key, you need a robust system to regenerate secrets immediately. If automation of this process isn't feasible, we recommend setting up alerts to prevent certificate expirations and outages.
Note
While rotating CMKs for confidential VMs is supported, the automation process isn't yet supported. You can view more recommendations here.
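The automated rotation described above, as an added Bicep example (not code from the article): a customer-managed key in an existing Standard/Premium vault with a rotation policy that creates a new version 90 days after each version is created and raises a notification 30 days before expiry if rotation has not happened. The vault and key names are assumptions; Managed HSM keys take the same policy shape but are configured on the data plane rather than through this resource type.

```bicep
param vaultName string                  // existing vault (assumed)
param keyName string = 'cmk-storage'    // assumed CMK name

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: vaultName
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: {
    kty: 'RSA-HSM'                      // HSM-protected key (premium SKU)
    keySize: 3072
    keyOps: [                           // only what envelope encryption needs
      'wrapKey'
      'unwrapKey'
    ]
    rotationPolicy: {
      attributes: {
        expiryTime: 'P1Y'               // every new version expires after one year
      }
      lifetimeActions: [
        {
          trigger: {
            timeAfterCreate: 'P90D'     // rotate 90 days after a version is created
          }
          action: {
            type: 'rotate'
          }
        }
        {
          trigger: {
            timeBeforeExpiry: 'P30D'    // alert if a version is still current 30 days before expiry
          }
          action: {
            type: 'notify'
          }
        }
      ]
    }
  }
}
```

Services that use this key as a CMK pick up the new version automatically only if they are configured to track the versionless key URI; check the consuming service's documentation.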
HSM-related recommendations
Some customers express interest in keeping their keys separate from data by storing the keys in an external HSM, either on a third-party cloud or on-premises. Although this step might seem a natural transition from managing on-premises environments, an external HSM can introduce new risks at the identity, network, and software layers. An external HSM might also increase operational risk: network latency on every cryptographic operation, SLA exposure to outages of the third-party HSM, and maintenance and training costs. Additionally, third-party HSMs may not provide important features such as soft-delete and purge protection.
For more information about the technical controls built into the Sovereign Landing Zone (SLZ) to enforce appropriate key management practices, see policy portfolio.
Certificate management
Digital security certificates are widely used to secure communications for cloud applications. The overhead associated with certificate management activities, including issuing, rotating, and revoking certificates, can grow quickly as more workloads are migrated to the cloud. Customers who are planning to migrate their workloads to the Microsoft Cloud for Sovereignty should understand their digital security certificate scenarios so that they can develop certificate management plans as part of their cloud migration.
Common digital certificate scenarios
This section describes common cloud scenarios that use digital certificates to secure communications.
Web site authentication and encryption
Web sites use TLS certificates to verify their identity to visitors and to encrypt communications. Public websites normally use certificates from public certificate authorities (CA), but organizations often use certificates from a private CA for websites that aren't exposed to the public. In either case, certificates for websites must be renewed when they expire or when the integrity of the certificate is in question. For organizations with a large web presence, managing these certificates can require significant planning and effort.
Service authentication
Distributed applications and microservices often use a stateless session model, which allows for flexibility in handling application requests, but might also require additional authentication and encryption to mitigate security risks. Certificates are often used for mutual authentication between application layers and components. Often, these components are managed by decentralized application development teams, which makes the digital certificates difficult to track and monitor across the enterprise.
Infrastructure authentication
Servers and network devices often use client certificates for authentication across the corporate network and during maintenance activities. Organizations that use solutions like Active Directory or Kerberos usually have to manage client certificates for their deployed infrastructure.
Other certificate scenarios
Endpoint management solutions often use device certificates to authenticate end-user devices like PCs, laptops, and mobile devices. Code-signing certificates are used in development environments to verify the publisher of software as part of an organization's application security approach.
Certificate lifecycle management in the cloud
Platform-managed certificates vs. customer-managed certificates
Azure PaaS services that provide encryption for data in transit usually implement the encryption using digital certificates managed by the platform and associated with the default hostname that is assigned on resource creation. When you want to use a custom domain name with the resources you deploy to the cloud, you need to configure a certificate that can be used by external users when they access the service. For intra-service communication between Azure services that aren't configured to use custom domain names, platform-managed certificates are the default means of encrypting data in transit. If you want to use certificates associated with custom domain names, see the documentation for the Azure services that you're planning to deploy, such as the following examples.
Create certificates with Azure Key Vault
Azure Key Vault provides customers with cloud-native certificate management features that allow the Azure platform to use certificates that customers create or import. You can create self-signed certificates in Key Vault, request a certificate from an issuer, or import a certificate from your own certificate authority. Key Vault also lets you specify policies for certificates, such as whether the private key is exportable or nonexportable.
- Get Started with Key Vault Certificates
- Integrating Key Vault with Integrated Certificate Authorities
- Create and merge a certificate signing request in Key Vault
Create certificates on-premises and manage them in Azure
If you want to issue certificates from an on-premises certificate authority, you can import those certificates to Azure Key Vault for use by other Azure services. After a certificate is exported as a PEM or PFX file, you can import it into Azure Key Vault.
Create and manage certificates on-premises with third-party solutions
Organizations that already have enterprise-grade certificate management capabilities can consider whether to integrate their on-premises solutions with their workloads in the cloud. Many on-premises certificate authority and certificate management solutions can integrate with Key Vault using the REST API and managed identities.
Decentralized certificate management
One approach to scaling an organization's certificate management capabilities is to decentralize the issuance and management of certificates to application and infrastructure teams. Solutions like Azure Key Vault allow an organization to standardize on acceptable key management technologies and processes without centralizing the administration of those processes in a single operations team. Several strategies can be used to delegate key management responsibilities closer to application and infrastructure teams.
Managed certificates
Public-facing websites that require certificates from a public certificate authority can take advantage of managed certificates in Azure PaaS services, such as Azure App Service or Azure Front Door. Certificates from integrated certificate authorities can also be created, managed, and rotated in Azure Key Vault. For more information, see the following resources:
- Custom domains and certificates in Azure App Service
- Custom domains in Azure Front Door
- Integrating Key Vault with DigiCert certificate authority
Automating certificate issuance in CI/CD Pipelines
Organizations that adopt DevOps processes can automate the issuance of certificates as part of their CI/CD pipelines. This approach delegates some certificate management responsibilities to application teams, and allows them to provision their own certificates using native Azure services, such as Azure DNS, Azure App Service, and Azure Key Vault.
Managing endpoint certificates
Endpoint certificates are used in IaaS workloads, where servers and services use certificates for authentication. Since this scenario is associated with virtual machines, organizations can manage these certificates using the same configuration management tools or build automation tools that are used to manage the virtual machine configurations.