articles/key-vault/general/developers-guide.md
Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -28,7 +28,7 @@ Periodically, we release a public preview of a new Key Vault feature. Try out th
28
28
29
29
Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
30
30
31
-
For more information on managed identities for Azure resources, see [the managed identities overview](../../active-directory/managed-identities-azure-resources/overview.md). For more information on working with AAD, see [Integrating applications with Azure Active Directory](../../active-directory/develop/active-directory-integrating-applications.md).
31
+
For more information on managed identities for Azure resources, see [the managed identities overview](../../active-directory/managed-identities-azure-resources/overview.md). For more information on working with Azure AD, see [Integrating applications with Azure Active Directory](../../active-directory/develop/active-directory-integrating-applications.md).
32
32
33
33
Before working with keys, secrets or certificates in your key vault, you'll create and manage your key vault through CLI, PowerShell, Resource Manager Templates or REST, as described in the following articles:
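Review bot: Style point only on the rewritten sentence: "Azure AD" now matches the abbreviation introduced on the preceding context line ("Azure Active Directory (Azure AD)"), so the rename makes the page internally consistent, and both relative link targets are unchanged, so no link check is needed. Nothing else to flag in this hunk.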
articles/key-vault/general/overview-throttling.md
Lines changed: 1 addition & 1 deletion
@@ -31,7 +31,7 @@ Key Vault was originally created with the limits specified in [Azure Key Vault s
31
31
1. Cache the secrets you retrieve from Azure Key Vault in memory, and reuse from memory whenever possible. Re-read from Azure Key Vault only when the cached copy stops working (e.g. because it got rotated at the source).
32
32
1. Key Vault is designed for your own services secrets. If you are storing your customers' secrets (especially for high-throughput key storage scenarios), consider putting the keys in a database or storage account with encryption, and storing just the master key in Azure Key Vault.
33
33
1. Encrypt, wrap, and verify public-key operations can be performed with no access to Key Vault, which not only reduces risk of throttling, but also improves reliability (as long as you properly cache the public key material).
34
-
1. If you use Key Vault to store credentials for a service, check if that service supports AAD Authentication to authenticate directly. This reduces the load on Key Vault, improves reliability and simplifies your code since Key Vault can now use the AAD token. Many services have moved to using AAD Auth. See the current list at [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).
34
+
1. If you use Key Vault to store credentials for a service, check if that service supports Azure AD Authentication to authenticate directly. This reduces the load on Key Vault, improves reliability and simplifies your code since Key Vault can now use the Azure AD token. Many services have moved to using Azure AD Auth. See the current list at [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).
35
35
1. Consider staggering your load/deployment over a longer period of time to stay under the current RPS limits.
36
36
1. If your app comprises multiple nodes that need to read the same secret(s), then consider using a fan out pattern, where one entity reads the secret from Key Vault, and fans out to all nodes. Cache the retrieved secrets only in memory.
37
37
If you find that the above still does not meet your needs, please fill out the below table and contact us to determine what additional capacity can be added (example put below for illustrative purposes only).
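Review bot: The rewritten bullet mixes "Azure AD Authentication" (capital A) and "Azure AD Auth" in the same sentence; use "Azure AD authentication" in both places for consistency with the "Azure Active Directory (Azure AD)" expansion this commit standardises on. Since the line is being touched anyway, the clause "since Key Vault can now use the Azure AD token" should also be corrected: it is the calling application that presents the Azure AD token to the downstream service, and the point of the bullet is that the credential then no longer has to be stored in or fetched from Key Vault at all. Suggest "since the service accepts the Azure AD token directly and no stored credential has to be retrieved from Key Vault".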
articles/key-vault/keys/about-keys.md
Lines changed: 1 addition & 1 deletion
@@ -44,7 +44,7 @@ Refer to the JOSE specifications for relevant data types for keys, encryption, a
44
44
-**signature-value** - output of a signature algorithm, encoded using Base64URL
45
45
-**base64URL** - a Base64URL [RFC4648] encoded binary value
46
46
-**boolean** - either true or false
47
-
-**Identity** - an identity from Azure Active Directory (AAD).
47
+
-**Identity** - an identity from Azure Active Directory (Azure AD).
48
48
-**IntDate** - a JSON decimal value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC3339 for details regarding date/times, in general and UTC in particular.
articles/security/benchmarks/security-control-data-protection.md
Lines changed: 47 additions & 33 deletions
@@ -1,17 +1,21 @@
1
1
---
2
2
title: Azure Security Control - Data Protection
3
-
description: Azure Security Control Data Protection
3
+
description: Security Control Data Protection
4
4
author: msmbaldwin
5
+
manager: rkarlin
6
+
5
7
ms.service: security
6
8
ms.topic: conceptual
7
-
ms.date: 04/03/2020
9
+
ms.date: 12/30/2019
8
10
ms.author: mbaldwin
9
-
ms.custom: security-benchmark
11
+
ms.custom: security-recommendations
10
12
11
13
---
12
14
13
15
# Security Control: Data Protection
14
16
17
+
Data protection recommendations focus on addressing issues related to encryption, access control lists, identity-based access control, and audit logging for data access.
18
+
15
19
## 4.1: Maintain an inventory of sensitive Information
Implement separate subscriptions and/or management groups for development, test, and production. Resources should be separated by VNet/Subnet, tagged appropriately, and secured by an NSG or Azure Firewall. Resources storing or processing sensitive data should be sufficiently isolated. For Virtual Machines storing or processing sensitive data, implement policy and procedure(s) to turn them off when not in use.
Implement isolation using separate subscriptions and management groups for individual security domains such as environment type and data sensitivity level. You can restrict the level of access to your Azure resources that your applications and enterprise environments demand. You can control access to Azure resources via Azure Active Directory role-based access control.
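Review bot: The frontmatter changes in this hunk look like an unintended revert rather than an edit: `ms.date` moves backwards from 04/03/2020 to 12/30/2019, `ms.custom` changes from `security-benchmark` back to `security-recommendations`, and the description loses the word "Azure". An older date and an older tag replacing newer values usually means the branch was cut before the target branch's latest edits to this file, so the newer content of the page is being overwritten. Rebase onto the current target and confirm that only the intended additions (for example `manager: rkarlin` and the new intro paragraph under the heading) remain.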
## 4.3: Monitor and block unauthorized transfer of sensitive information
42
68
43
69
| Azure ID | CIS IDs | Responsibility |
44
70
|--|--|--|
45
-
| 4.3 | 13.3 |Shared|
71
+
| 4.3 | 13.3 |Customer|
46
72
47
73
Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
48
74
49
-
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and
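Review bot: In the 4.3 table the Responsibility cell flips from Shared to Customer, and the same hunk removes the paragraph describing Microsoft's platform-side data-protection controls. Taken together with the `ms.date` regression in the frontmatter hunk, this reads as the older revision overwriting the newer one rather than a deliberate reclassification. If "Customer" is intended, say in the commit message why the control is no longer shared, because readers use that column to decide which data-exfiltration controls they must implement themselves.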
When no feature is available for your specific service in Azure, use a third-party active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site, or at a remote service provider, and update the organization's sensitive information inventory.
77
96
78
97
Use Azure Information Protection for identifying sensitive information within Office 365 documents.
79
98
80
99
Use Azure SQL Information Protection to assist in the classification and labeling of information stored in Azure SQL Databases.
81
100
82
-
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and
If required for compliance on compute resources, implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
116
-
117
-
For the underlying platform which is managed by Microsoft, Microsoft treats all customer content as sensitive and goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Implement a third-party tool, such as an automated host-based Data Loss Prevention solution, to enforce access controls to data even when data is copied off a system.
122
132
123
133
## 4.8: Encrypt sensitive information at rest
124
134
@@ -133,6 +143,7 @@ Understand encryption at rest in Azure:
Ensure ability to periodically perform data restoration of content within Azure Backup. Test restoration of backed up customer managed keys.
53
+
Ensure ability to periodically perform data restoration of content within Azure Backup. If necessary, test restore to an isolated VLAN. Test restoration of backed up customer managed keys.
54
+
55
+
How to recover files from Azure Virtual Machine backup:
47
56
48
-
How to recover files from Azure Virtual Machine backup: https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm
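Review bot: The added line "How to recover files from Azure Virtual Machine backup:" ends in a colon with no URL in this hunk, while the removed line carried the link inline (https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm); make sure the URL follows on the next line so the reference is not left dangling. The added sentence "If necessary, test restore to an isolated VLAN" is worth keeping: restore tests that land in the production network can overwrite live data or expose restored secrets, so isolating the test target is the safer default.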
## 9.4: Ensure protection of backups and customer managed keys
53
64
54
65
| Azure ID | CIS IDs | Responsibility |
55
66
|--|--|--|
56
67
| 9.4 | 10.4 | Customer |
57
68
58
-
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). Use role-based access control to protect backups and customer managed keys.
59
-
60
-
Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable soft delete to save and recover your data when blobs or blob snapshots are deleted.
69
+
For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure. For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE). You may enable Soft-Delete in Key Vault to protect keys against accidental or malicious deletion.
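Review bot: The replacement paragraph drops three pieces of guidance the removed lines carried: "Use role-based access control to protect backups and customer managed keys", "purge protection" alongside soft-delete in Key Vault, and enabling soft delete on Azure Storage when it holds backups. The purge-protection omission matters most: soft-delete only allows a deleted key to be recovered during the retention window, while a principal with purge permission can still permanently remove it, which is exactly the malicious-deletion case the sentence claims to cover. "You may enable Soft-Delete" also weakens a recommendation into an option; suggest restoring the removed wording "Enable Soft-Delete and purge protection in Key Vault to protect keys against accidental or malicious deletion" and the Storage soft-delete sentence.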