articles/security/fundamentals/key-management-choose.md
4 additions & 4 deletions
@@ -12,9 +12,9 @@ ms.author: chenkaren
# How to choose the right key management solution
-
Azure offers multiple solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Managed HSM, Azure Cloud HSM, Azure Dedicated HSM, and Azure Payment HSM. It may be overwhelming for customers to decide which key management solution is correct for them. This paper aims to help customers navigate this decision-making process by presenting the range of solutions based on three different considerations: scenarios, requirements, and industry.
+
Azure offers several solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Managed HSM, Azure Cloud HSM, Azure Dedicated HSM, and Azure Payment HSM. It might be overwhelming for customers to decide which key management solution is right for them. This article helps customers navigate this decision-making process by presenting the range of solutions based on three considerations: scenarios, requirements, and industry.
-
To begin narrowing down a key management solution, follow the flowchart based on common high-level requirements and key management scenarios. Alternatively, use the table based on specific customer requirements that directly follows it. If either provide multiple products as solutions, or for additional reassurance about choosing the correct product, use a combination of the flowchart and table to help in making a final decision. If curious about what other customers in the same industry are using, read the table of common key management solutions by industry segment. To learn more about a specific solution, use the links at the end of the document.
+
To narrow down a key management solution, follow the flowchart based on common high-level requirements and key management scenarios. Alternatively, use the table based on specific customer requirements that follows it. If either provides multiple products as solutions, or if you want reassurance about choosing the right product, use a combination of the flowchart and table to make a final decision. If you're curious about what other customers in the same industry use, read the table of common key management solutions by industry segment. To learn more about a specific solution, follow the links at the end of the document.
## Choose a key management solution by scenario
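Review bot: line 15 of the rewrite changes "paper" to "article", but the final sentence of line 17 still says "follow the links at the end of the document"; for consistency with that rename, suggest "at the end of this article". The grammar fix "If either provides" and the plainer "might be overwhelming" in the same hunk read well.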
@@ -24,11 +24,11 @@ The chart refers to these common requirements:
-_FIPS-140_ is a US government standard with different levels of security requirements. For more information, see [Federal Information Processing Standard (FIPS) 140](/azure/compliance/offerings/offering-fips-140-2).
-_Key sovereignty_ is when the customer's organization has full and exclusive control of their keys, including control over what users and services can access the keys and key management policies.
-
-_Single tenancy_ refers to a single dedicated instance of an application deployed for each customer, rather than a shared instance amongst multiple customers. The need for single tenant products is often found as an internal compliance requirement in financial service industries.
+
-_Single tenancy_ refers to a single dedicated instance of an application deployed for each customer, rather than a shared instance among multiple customers. The need for single tenant products is often found as an internal compliance requirement in financial service industries.
It also refers to these various key management use cases:
-
-_Encryption at rest_ is typically enabled for Azure IaaS, PaaS, and SaaS models. Applications such as Microsoft O365; Microsoft Purview Information Protection; platform services in which the cloud is used for storage, analytics, and service bus functionality; and infrastructure services in which operating systems and applications are hosted and deployed in the cloud use encryption at rest. _Customer managed keys for encryption at rest_ is used with Azure Storage and Azure AD. For highest security, keys should be HSM-backed, 3k or 4k RSA keys. For more information about encryption at rest, see [Azure Data Encryption at Rest](encryption-atrest.md).
+
-_Encryption at rest_ is typically enabled for Azure IaaS, PaaS, and SaaS models. Applications such as Microsoft 365; Microsoft Purview Information Protection; platform services in which the cloud is used for storage, analytics, and service bus functionality; and infrastructure services in which operating systems and applications are hosted and deployed in the cloud use encryption at rest. _Customer managed keys for encryption at rest_ is used with Azure Storage and Microsoft Entra. For highest security, keys should be HSM-backed, 3k or 4k RSA keys. For more information about encryption at rest, see [Azure Data Encryption at Rest](encryption-atrest.md).
-_SSL/TLS Offload_ is supported on Azure Managed HSM, Azure Cloud HSM, and Azure Dedicated HSM. Customers have improved high availability, security, and best price point on Azure Managed HSM for F5 and Nginx.
-_Lift and shift_ refer to scenarios where a PKCS11 application on-premises is migrated to Azure Virtual Machines and running software such as Oracle TDE in Azure Virtual Machines. Lift and shift requiring payment PIN processing is supported by Azure Payment HSM. All other scenarios are supported by Azure Cloud HSM and Azure Dedicated HSM. Legacy APIs and libraries such as PKCS11, JCA/JCE, and CNG/KSP are only supported by Azure Cloud HSM and Azure Dedicated HSM.
-_Payment PIN processing_ includes allowing card and mobile payment authorization and 3D-Secure authentication; PIN generation, management, and validation; payment credential issuing for cards, wearables, and connected devices; securing keys and authentication data; and sensitive data protection for point-to-point encryption, security tokenization, and EMV payment tokenization. This also includes certifications such as PCI DSS, PCI 3DS, and PCI PIN. These are only supported by Azure Payment HSM.
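Review bot: the rename in line 31 replaces "Azure AD" with "Microsoft Entra", which is the product family name; the service that replaced Azure Active Directory is "Microsoft Entra ID", so the sentence should read "is used with Azure Storage and Microsoft Entra ID". Since this bullet is already being touched, the unchanged phrase "HSM-backed, 3k or 4k RSA keys" would be clearer as "HSM-backed 3072-bit or 4096-bit RSA keys".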