Merge pull request #110089 from msmbaldwin/akv-cas

Restored deleted file

Author: v-shils

.openpublishing.redirection.json

@@ -32264,11 +32264,6 @@
       "redirect_url": "/azure/expressroute/expressroute-security-controls",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/key-vault/key-vault-security-controls.md",
-      "redirect_url": "/azure/key-vault/security-baseline",
-      "redirect_document_id": false
-    },
     {
       "source_path": "articles/key-vault/automation-manage-key-vault.md",
       "redirect_url": "/azure/key-vault/",

articles/key-vault/key-vault-security-controls.md

@@ -0,0 +1,63 @@
+---
+title: Security controls for Azure Key Vault
+description: A checklist of security controls for evaluating Azure Key Vault
+services: key-vault
+author: msmbaldwin
+manager: rkarlin
+
+ms.service: key-vault
+ms.topic: conceptual
+ms.date: 04/16/2019
+ms.author: mbaldwin
+
+---
+# Security controls for Azure Key Vault
+
+This article documents the security controls built into Azure Key Vault. 
+
+[!INCLUDE [Security controls Header](../../includes/security-controls-header.md)]
+
+## Network
+
+| Security control | Yes/No | Notes |
+|---|---|--|
+| Service endpoint support| Yes | Using Virtual Network (VNet) service endpoints. |
+| VNet injection support| No |  |
+| Network isolation and firewalling support| Yes | Using VNet firewall rules. |
+| Forced tunneling support| No |  |
+
+## Monitoring & logging
+
+| Security control | Yes/No | Notes|
+|---|---|--|
+| Azure monitoring support (Log analytics, App insights, etc.)| Yes | Using Log Analytics. |
+| Control/Management plane Logging and Audit| Yes | Using Log Analytics. |
+| Data plane logging and audit| Yes | Using Log Analytics. |
+
+## Identity
+
+| Security control | Yes/No | Notes|
+|---|---|--|
+| Authentication| Yes | Authentication is through Azure Active Directory. |
+| Authorization| Yes | Using Key Vault Access Policy. |
+
+## Data protection
+
+| Security control | Yes/No | Notes |
+|---|---|--|
+| Server-side encryption at rest: Microsoft-managed keys | Yes | All objects are encrypted. |
+| Server-side encryption at rest: customer-managed keys (BYOK) | Yes | The customer controls all keys in their Key Vault. When hardware security module (HSM) backed keys are specified, a FIPS Level 2 HSM protects the key, certificate, or secret. |
+| Column level encryption (Azure Data Services)| N/A |  |
+| Encryption in transit (such as ExpressRoute encryption, in VNet encryption, and VNet-VNet encryption)| Yes | All communication is via encrypted API calls |
+| API calls encrypted| Yes | Using HTTPS. |
+
+## Access controls
+
+| Security control | Yes/No | Notes|
+|---|---|--|
+| Control/Management plane access controls | Yes | Azure Resource Manager Role-Based Access Control (RBAC) |
+| Data plane access controls (At every service level) | Yes | Key Vault Access Policy |
+
+## Next steps
+
+- Learn more about the [built-in security controls across Azure services](../security/fundamentals/security-controls.md).

articles/key-vault/toc.yml

@@ -75,6 +75,8 @@
         href: overview-security.md
       - name: Security baseline
         href: security-baseline.md
+      - name: Built-In Security
+        href: key-vault-security-controls.md
       - name: Security worlds
         href: key-vault-ovw-security-worlds.md
       - name: Secure your key vault