How to choose the right key management solution

Article, 02/11/2024 (archived 2024-11-26)


Azure offers multiple solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Managed HSM, Azure Dedicated HSM, and Azure Payment HSM. It may be overwhelming for customers to decide which key management solution is correct for them. This paper aims to help customers navigate this decision-making process by presenting the range of solutions based on three different considerations: scenarios, requirements, and industry.

To begin narrowing down a key management solution, follow the flowchart, which is based on common high-level requirements and key management scenarios. Alternatively, use the table based on specific customer requirements that directly follows it. If either provides multiple products as solutions, use a combination of the flowchart and table to help in making a final decision. If you are curious about what other customers in the same industry are using, read the table of common key management solutions by industry segment. To learn more about a specific solution, use the links at the end of the document.

Choose a key management solution by scenario

The following chart describes common requirements and use case scenarios and the recommended Azure key management solution.

The chart refers to these common requirements:

  • FIPS-140 is a US government standard with different levels of security requirements. For more information, see Federal Information Processing Standard (FIPS) 140.
  • Key sovereignty is when the customer's organization has full and exclusive control of their keys, including control over which users and services can access the keys and over the key management policy.
  • Single tenancy refers to a single dedicated instance of an application deployed for each customer, rather than a shared instance amongst multiple customers. The need for single tenant products is often found as an internal compliance requirement in financial service industries.

It also refers to these key management use cases:

  • Encryption at rest is typically enabled for Azure IaaS, PaaS, and SaaS models. Applications such as Microsoft 365; Microsoft Purview Information Protection; platform services in which the cloud is used for storage, analytics, and service bus functionality; and infrastructure services in which operating systems and applications are hosted and deployed in the cloud use encryption at rest. Customer-managed keys (CMK) for encryption at rest are used with Azure Storage and Microsoft Entra ID. For the highest security, keys should be HSM-backed 3k or 4k RSA keys. For more information about encryption at rest, see Azure Data Encryption at Rest.
  • SSL/TLS Offload is supported on Azure Managed HSM and Azure Dedicated HSM. Customers get improved high availability, security, and the best price point on Azure Managed HSM for F5 and Nginx.
  • Lift and shift refers to scenarios where an on-premises PKCS#11 application is migrated to Azure Virtual Machines and runs software such as Oracle TDE in Azure Virtual Machines. Lift and shift that requires payment PIN processing is supported by Azure Payment HSM. All other scenarios are supported by Azure Dedicated HSM. Legacy APIs and libraries such as PKCS#11, JCA/JCE, and CNG/KSP are only supported by Azure Dedicated HSM.
  • Payment PIN processing includes allowing card and mobile payment authorization and 3D-Secure authentication; PIN generation, management, and validation; payment credential issuing for cards, wearables, and connected devices; securing keys and authentication data; and sensitive data protection for point-to-point encryption, security tokenization, and EMV payment tokenization. This also includes certifications such as PCI DSS, PCI 3DS, and PCI PIN. These are supported by Azure Payment HSM.

[Flowchart: How to choose the right key management solution]

The flowchart result is a starting point to identify the solution that best matches your needs.

Compare other customer requirements

Azure provides multiple key management solutions to allow customers to choose a product based on both high-level requirements and management responsibility. There is a spectrum of management responsibility, ranging from Azure Key Vault and Azure Managed HSM, which have less customer responsibility, to Azure Dedicated HSM and Azure Payment HSM, which have the most customer responsibility.

This trade-off of management responsibility between the customer and Microsoft and other requirements is detailed in the table below.

Provisioning and hosting are managed by Microsoft across all solutions. Key generation and management, roles and permissions granting, and monitoring and auditing are the responsibility of the customer across all solutions.

Use the table to compare all the solutions side by side. Beginning from the top, answer each question found in the left-most column to help you choose the solution that meets all your needs, including management overhead and cost.

| | AKV Standard | AKV Premium | Azure Managed HSM | Azure Dedicated HSM | Azure Payment HSM |
|---|---|---|---|---|---|
| What level of compliance do you need? | FIPS 140-2 level 1 | FIPS 140-2 level 3, PCI DSS, PCI 3DS** | FIPS 140-2 level 3, PCI DSS, PCI 3DS | FIPS 140-2 level 3, HIPAA, PCI DSS, PCI 3DS, eIDAS CC EAL4+, GSMA | FIPS 140-2 level 3, PCI PTS HSM v3, PCI DSS, PCI 3DS, PCI PIN |
| Do you need key sovereignty? | No | No | Yes | Yes | Yes |
| What kind of tenancy are you looking for? | Multitenant | Multitenant | Single Tenant | Single Tenant | Single Tenant |
| What are your use cases? | Encryption at Rest, CMK, custom | Encryption at Rest, CMK, custom | Encryption at Rest, TLS Offload, CMK, custom | PKCS#11, TLS Offload, code/document signing, custom | Payment PIN processing, custom |
| Do you want HSM hardware protection? | No | Yes | Yes | Yes | Yes |
| What is your budget? | $ | $$ | $$$ | $$$$ | $$$$ |
| Who takes responsibility for patching and maintenance? | Microsoft | Microsoft | Microsoft | Customer | Customer |
| Who takes responsibility for service health and hardware failover? | Microsoft | Microsoft | Shared | Customer | Customer |
| What kind of objects are you using? | Asymmetric Keys, Secrets, Certs | Asymmetric Keys, Secrets, Certs | Asymmetric/Symmetric keys | Asymmetric/Symmetric keys, Certs | Local Primary Key |
| Root of trust control | Microsoft | Microsoft | Customer | Customer | Customer |

Common key management solutions used by industry segment

Here is a list of the key management solutions we commonly see being utilized based on industry.

| Industry | Suggested Azure solution | Considerations for suggested solutions |
|---|---|---|
| I am an enterprise or an organization with strict security and compliance requirements (ex: banking, government, highly regulated industries); or I am a direct-to-consumer ecommerce merchant who needs to store, process, and transmit my customers' credit card data to my external payment processor/gateway and is looking for a PCI compliant solution. | Azure Managed HSM | Azure Managed HSM provides FIPS 140-2 Level 3 compliance, and it is a PCI compliant solution for ecommerce. It supports encryption for PCI DSS 4.0. It provides HSM-backed keys and gives customers key sovereignty and single tenancy. |
| I am a service provider for financial services, an issuer, a card acquirer, a card network, a payment gateway/PSP, or 3DS solution provider looking for a single tenant service that can meet PCI and multiple major compliance frameworks. | Azure Payment HSM | Azure Payment HSM provides FIPS 140-2 Level 3, PCI HSM v3, PCI DSS, PCI 3DS, and PCI PIN compliance. It provides key sovereignty and single tenancy, common internal compliance requirements around payment processing. Azure Payment HSM provides full payment transaction and PIN processing support. |
| I am an early-stage startup customer looking to prototype a cloud-native application. | Azure Key Vault Standard | Azure Key Vault Standard provides software-backed keys at an economy price. |
| I am a startup customer looking to produce a cloud-native application. | Azure Key Vault Premium, Azure Managed HSM | Both Azure Key Vault Premium and Azure Managed HSM provide HSM-backed keys* and are the best solutions for building cloud native applications. |
| I am an IaaS customer wanting to move my application to use Azure VM/HSMs. | Azure Dedicated HSM | Azure Dedicated HSM supports SQL IaaS customers. It is the only solution that supports PKCS#11 and custom non-cloud-native applications. |

Learn more about Azure key management solutions

Azure Key Vault (Standard Tier): A FIPS 140-2 Level 1 validated multitenant cloud key management service that can be used to store both asymmetric and symmetric keys, secrets, and certificates. Keys stored in Azure Key Vault are software-protected and can be used for encryption-at-rest and custom applications. Azure Key Vault Standard provides a modern API and a breadth of regional deployments and integrations with Azure Services. For more information, see About Azure Key Vault.

Azure Key Vault (Premium Tier): A FIPS 140-2 Level 3** validated multitenant HSM offering that can be used to store both asymmetric and symmetric keys, secrets, and certificates. Keys are stored in a secure hardware boundary*. Microsoft manages and operates the underlying HSM, and keys stored in Azure Key Vault Premium can be used for encryption-at-rest and custom applications. Azure Key Vault Premium also provides a modern API and a breadth of regional deployments and integrations with Azure Services. If you are an AKV Premium customer looking for key sovereignty, single tenancy, and/or higher crypto operations per second, you may want to consider Managed HSM instead. For more information, see About Azure Key Vault.

Azure Managed HSM: A FIPS 140-2 Level 3 validated, PCI compliant, single-tenant HSM offering that gives customers full control of an HSM for encryption-at-rest, Keyless SSL/TLS offload, and custom applications. Azure Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions, together acting as one logical, highly available HSM appliance, fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. Azure Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see What is Azure Key Vault Managed HSM?

Azure Dedicated HSM: A FIPS 140-2 Level 3 validated single-tenant bare metal HSM offering that lets customers lease a general-purpose HSM appliance that resides in Microsoft datacenters. The customer has complete ownership over the HSM device and is responsible for patching and updating the firmware when required. Microsoft has no permissions on the device or access to the key material, and Azure Dedicated HSM is not integrated with any Azure PaaS offerings. Customers can interact with the HSM using the PKCS#11, JCE/JCA, and KSP/CNG APIs. This offering is most useful for legacy lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS (supported integrations include F5, Nginx, Apache, Palo Alto, IBM GW and more), OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. For more information, see What is Azure Dedicated HSM?

Azure Payment HSM: A FIPS 140-2 Level 3, PCI HSM v3 validated single-tenant bare metal HSM offering that lets customers lease a payment HSM appliance in Microsoft datacenters for payment operations, including payment PIN processing, payment credential issuing, securing keys and authentication data, and sensitive data protection. The service is PCI DSS, PCI 3DS, and PCI PIN compliant. Azure Payment HSM offers single-tenant HSMs so that customers have complete administrative control and exclusive access to the HSM. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released, to ensure complete privacy and security are maintained. For more information, see About Azure Payment HSM.

Note

* Azure Key Vault Premium allows the creation of both software-protected and HSM-protected keys. If using Azure Key Vault Premium, check to ensure that the key created is HSM-protected.

** Except UK Regions which are FIPS 140-2 level 2, PCI DSS.
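The check in footnote * (and the HSM-backed 3k/4k RSA guidance given under encryption at rest) can be automated against the JSON web key that Key Vault returns for a key, where HSM-protected keys carry a "-HSM" suffix in the kty field (RSA-HSM, EC-HSM, oct-HSM). This is an added example, not code from the article or the Azure SDK; the sample key documents, vault name and modulus values are constructed placeholders.

```python
import base64
import json


def _b64url(n: int) -> str:
    """Base64url-encode an integer the way Key Vault encodes the RSA modulus."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples in the shape returned by the Key Vault REST API
# (`az keyvault key show`). The moduli are NOT real RSA moduli; they are
# placeholder numbers sized to 3072 and 2048 bits to exercise the size check.
SAMPLE_HSM_KEY = {
    "key": {"kid": "https://example.vault.azure.net/keys/cmk/1",
            "kty": "RSA-HSM", "n": _b64url((1 << 3071) | 1), "e": "AQAB"},
    "attributes": {"enabled": True},
}
SAMPLE_SOFTWARE_KEY = {
    "key": {"kid": "https://example.vault.azure.net/keys/dev/1",
            "kty": "RSA", "n": _b64url((1 << 2047) | 1), "e": "AQAB"},
    "attributes": {"enabled": True},
}


def rsa_modulus_bits(n_b64url: str) -> int:
    """Recover the modulus bit length from its base64url encoding."""
    pad = "=" * (-len(n_b64url) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(n_b64url + pad), "big").bit_length()


def check_cmk(key_doc: dict, min_rsa_bits: int = 3072) -> list:
    """Return findings against the article's guidance; empty means the key passes."""
    jwk = key_doc["key"]
    kty, kid = jwk["kty"], jwk["kid"]
    findings = []
    # A plain "RSA" key is software-protected even when the vault is Premium tier.
    if not kty.endswith("-HSM"):
        findings.append(f"{kid}: kty={kty} is software-protected, not HSM-backed")
    if kty.startswith("RSA"):
        bits = rsa_modulus_bits(jwk["n"])
        if bits < min_rsa_bits:
            findings.append(f"{kid}: RSA-{bits} is below the {min_rsa_bits}-bit guidance")
    if not key_doc.get("attributes", {}).get("enabled", False):
        findings.append(f"{kid}: key is disabled")
    return findings


if __name__ == "__main__":
    for doc in (SAMPLE_HSM_KEY, SAMPLE_SOFTWARE_KEY):
        print(json.dumps(check_cmk(doc), indent=2))
```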

What’s next