Configure Storage Service Encryption

Azure Storage encryption is enabled by default for all storage accounts regardless of performance or access tiers. This means you don’t have to modify code or applications for Azure Storage Encryption to be enabled. Data stored in Azure is transparently encrypted and decrypted using 256-bit AES encryption. You cannot disable Azure Storage encryption, and it isn’t necessary to alter code or applications to take advantage of Azure Storage encryption.

Any block blobs, append blobs, or page blobs written to Azure Storage since October 20, 2017, is subject to Azure Storage encryption. Microsoft has undertaken a process where all blobs created prior to this date are being retroactively encrypted. If you are concerned that a blob is not encrypted, you can view that blob’s encryption status using the following technique:

1. In the Azure portal, navigate to the storage account you want to check.

2. In the Containers section of the Storage account’s page, select Containers under Blob Storage and then locate the container that hosts the blob you are interested in checking. Open that container.

3. In the container you opened, select the blob you want to check.

4. On the Overview page, verify that the Server Encrypted setting is set to true, as shown in Figure 4-4.

You can check the encryption status of a blob using the following PowerShell code, substituting the values in the example code for the values of the blob that you want to check:

Click here to view code image

$account = Get-AzStorageAccount -ResourceGroupName <resource-group> '
    -Name <storage-account>
$blob = Get-AzStorageBlob -Context $account.Context '
    -Container <container> '
    -Blob <blob>
$blob.ICloudBlob.Properties.IsServerEncrypted

To check the encryption status of the blob using Azure CLI, use the following command substituting the values in the example code for the values of the blob that you want to check:

Click here to view code image

az storage blob show 
    --account-name <storage-account> 
    --container-name <container> 
    --name <blob> 
    --query "properties.serverEncrypted"

If you have a blob in Azure that was created prior to October 20, 2017, and which is not encrypted, you can simply rewrite the blob, which will force encryption to occur. One method of doing this is to download the blob to your local file system using AzCopy and then copying the blob back to Azure Storage.

Encryption Key Management

By default, Azure Storage accounts encrypt data stored using an encryption key managed by Microsoft. If having Microsoft managing Azure Storage account encryption keys is considered undesirable, you can manage encryption using your own keys, as shown in Figure 4-5.

When you choose the option of managing encryption with keys that you provide, you have the following options:

• Use a customer-managed key with Azure Key Vault In this scenario, you upload your encryption key to an Azure Key Vault or use Azure Key Vault APIs to generate keys. The storage account and the Key Vault need to be in the same Azure region and associated with the same Azure AD tenancy. The storage account and Key Vault do not need to be in the same subscription.

• Use a customer-provided key on Blob Storage operations In this scenario, encryption keys are provided on a per-request basis. Customer-provided keys can be stored in Azure Key Vault or in an alternate key store.

Infrastructure encryption

As you learned earlier in the chapter, Azure Storage automatically encrypts all data in an Azure Storage account using 265-bit AES encryption. When you enable infrastructure encryption, the data in the storage account will be encrypted twice. Data is first encrypted using one encryption algorithm and one key at the service level and then is encrypted at the infrastructure level using a separate encryption algorithm and encryption key. This double encryption protects data if one of the encryption algorithms or keys becomes compromised. While service-level encryption allows you to use either Microsoft-managed or customer-managed keys, infrastructure-level encryption only uses a Microsoft-managed key. Infrastructure encryption must be enabled during storage account creation. It is not possible to convert an existing storage account to support infrastructure encryption if it was not created with that option enabled.

Encryption Scopes

Azure Storage accounts use a single encryption key for all encryption operations across the storage account. Encryption scopes allow you to configure separate encryption keys at the container and blob levels. This allows for scenarios such as storing customer data from different customers in the same storage account while having each customer’s data protected by a different encryption key.

To create a new encryption scope, perform the following steps:

1. In the Azure portal, open the storage account for which you want to configure encryption scopes.

2. On the storage account’s page, select Encryption, as shown in Figure 4-6, and then select Encryption Scopes.

   

3. On the Encryption Scope page, click Add.

4. On the Create Encryption Scope page, provide an encryption scope name and then specify whether the encryption scope will use Microsoft-Managed Keys or Customer-Managed Keys, as shown in Figure 4-7.

Once you have encryption scopes present for a storage account, you can specify which encryption scope will be used for individual blobs when you create the blob or specify a default encryption scope when you create a container, as shown in Figure 4-8.

You can modify the encryption key for an encryption scope by performing the following steps:

1. In the Azure portal, open the storage account for which you want to configure encryption scopes.

2. On the storage account’s page, select Encryption > Encryption Scopes.

3. Select the More button next to the encryption scope for which you want to update the encryption key.

4. On the Edit Encryption Scope page shown in Figure 4-9, change the Encryption Type and click Save.

Microsoft Defender for Storage

Microsoft Defender for Storage (previously known as Advanced Threat Protection (ATP) for Azure Storage) allows you to detect unusual and malicious attempts to interact with Azure Storage accounts. When you enable Microsoft Defender for Storage, security alerts will trigger when Azure detects anomalous storage account activity. These detections are based on existing recognized patterns of malicious activity identified by Microsoft security researchers. These alerts are integrated with Microsoft Defender for Cloud and can also be forwarded by email to administrators of the subscription. The alert information will detail the nature of the suspicious activity as well as provide recommendations on how to further investigate and remediate these issues. Specifically, a Microsoft Defender for Storage alert will inform you of

• The nature of the anomaly

• Storage account name

• Event time

• Storage type

• Probable causes

• Investigation steps

• Remediation steps

Microsoft Defender for Storage is available for Blob Storage, Azure Files, and Azure Data Lake Storage Gen2. General-Purpose V2, block blob, and Blob Storage accounts support this service.

View storage account access keys

Viewing a storage account access key requires Service Administrator, Owner, Contributor, or Storage account Key Operator Service roles on the storage account the key is associated with. You can also access the key if you have been assigned an RBAC role that includes the Microsoft.Storage/storageAccounts/listkeys/action permission on a scope that includes the Storage account.

To view a storage account’s storage account keys in the Azure portal, perform the following steps:

1. In the Azure portal, navigate to the storage account for which you are interested in learning the storage account access key details.

2. On the Storage account page, select Access Keys under Settings, as shown in Figure 4-10.

   

3. On the Access Keys page shown in Figure 4-11, you can view and copy the first and second keys.

To view the storage account access keys using PowerShell, use the following PowerShell command:

Click here to view code image

$storageAccountKey = '
    (Get-AzStorageAccountKey '
    -ResourceGroupName <resource-group> '
    -Name <storage-account>).Value[0]

To view the storage account access keys via Azure CLI, use the following command:

Click here to view code image

az storage account keys list 
  --resource-group <resource-group> 
  --account-name <storage-account>

Manually rotating storage account access keys

The best practice is to rotate storage account access keys periodically. You should only use one storage account key at a time. Using only one key at a time will allow you to switch any application to the second storage account key of the pair before rotating the first. As discussed earlier, after some time has passed, you repeat the process, switching the application to the newly rotated storage account key before then regenerating the second key in the pair. To manually rotate your storage account access keys using the Azure portal, perform the following steps:

1. Ensure that you have updated the connection strings in any application code that reference the storage account access key you will be replacing.

2. Navigate to the Access Keys page for the storage account.

3. To regenerate the key, select the regenerate icon shown in Figure 4-12. This will generate a new storage account access key and connection string. (The regenerate icon appears as a pair of curved arrows.)

To regenerate the storage account key using PowerShell, use the following command, substituting resource group name and storage account name and either key1 or key2, as appropriate.

Click here to view code image

New-AzStorageAccountKey -ResourceGroupName <resource-group> '
  -Name <storage-account> '
  -KeyName key1

To regenerate the storage account key using Azure CLI, use the following command, substituting resource group name and storage account name and specifying whether the key you want to regenerate is either the primary or secondary key.

Click here to view code image

az storage account keys renew 
  --resource-group <resource-group> 
  --account-name <storage-account>
  --key primary

There are mechanisms that allow you to automate the rotation of storage account access keys. You will learn about these mechanisms later in this chapter.

Configure Azure AD Domain Services authentication for Azure Files

When you enable AD DS authentication for Azure Files, your Active Directory Domain Services (AD DS) domain-joined computers can mount Azure File shares using AD DS user credentials. Access occurs over an encrypted Server Message Block (SMB) protocol connection. You can secure Azure Files using identity-based authentication over Server Message Block (SMB) where either Azure AD DS or an on-premises Active Directory Domain Services Domain (AD DS) functions as the identity provider. Azure AD Domain Services authentication for Azure Files currently supports the following scenarios:

• If you are using AD DS as your identity provider, you must use Azure AD Connect to synchronize identities to Azure AD.

• If you are using AD DS as your identity provider, you can access the file share using a computer that is a member of an AD DS domain. You cannot access the file share using a computer that is joined to the Azure AD DS domain.

• If you are using Azure AD DS as an identity provider, you will need to access the file share using a computer that is a member of the Azure AD DS domain.

• When enabled, this form of authentication supports Azure file shares that are integrated with Azure File Sync.

• This form of authentication supports single sign-on.

• This form of authentication only supports access from accounts in the AD DS forest in which the storage account is registered unless a specially configured forest trust is present.

Your first step when enabling AD authentication for Azure file shares is to create a storage account that is in a proximate region to the users who will access the files stored in the file share on that storage account. You should do this simply because accessing a storage account that is closer to you will provide a much better user experience than trying to open and save files to a file share located on the other side of the world. At the start of the process, you won’t need to create any file shares from the storage account. Before creating the file shares, you’ll need to enable Active Directory authentication at the storage account level rather than at the individual file shares level.

Enabling AD DS authentication

When enabling AD DS authentication, the first step is to create an identity to represent the storage account in your on-premises Active Directory instance. To do this, first create a new Kerberos key for the storage account using the following Azure PowerShell commands from Cloud Shell:

Click here to view code image

$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
-KeyName kerb1
Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
-ListKerbKey | where-object{$_.Keyname -contains "kerb1"}

Once the key has been generated, create a service account in your on-premises domain and configure the account with the following service principal name (SPN): "cifs/your-storage-account-name-here.file.core.windows.net" using the setspn.exe command. Set the account password to the Kerberos key, configure the account’s password to never expire, and note the account security identifier (SID). You can use the Get-AdUser PowerShell cmdlet to determine the SID of a user account.

The next step is to use Azure PowerShell to enable Active Directory authentication. You can do this with the following command, substituting the appropriate values:

Click here to view code image

Set-AzStorageAccount '
        -ResourceGroupName "<your-resource-group-name-here>" '
        -Name "<your-storage-account-name-here>" '
        -EnableActiveDirectoryDomainServicesForFile $true '
        -ActiveDirectoryDomainName "<your-domain-name-here>" '
        -ActiveDirectoryNetBiosDomainName "<your-netbios-domain-name-here>" '
        -ActiveDirectoryForestName "<your-forest-name-here>" '
        -ActiveDirectoryDomainGuid "<your-guid-here>" '
        -ActiveDirectoryDomainsid "<your-domain-sid-here>" '
        -ActiveDirectoryAzureStorageSid "<your-storage-account-sid>"

You also have the option of using the AzFilesHybrid PowerShell module to perform steps similar to these. Using the AzFilesHybrid PowerShell module involves downloading the most recent version of the module from Microsoft’s website, installing it on a domain-joined computer, and performing the following steps:

1. First, change the execution policy to allow the AzFilesHybrid PowerShell module to be imported:

   Click here to view code image

   Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

2. Switch to the directory where AzFilesHybrid has been decompressed and copy the files into your path so that the files can be called directly:

   .CopyToPSPath.ps1

3. Import the module into the current PowerShell session:

   Click here to view code image

   Import-Module -Name AzFilesHybrid

4. Initiate a session to your Azure subscription using an Azure AD credential that has either storage account–owner or contributor access to the storage account you created to host the Azure file share instance:

   Connect-AzAccount

5. Populate the PowerShell session with the appropriate parameter values and then select the appropriate subscription if your account is associated with multiple subscriptions:

   Click here to view code image

   $SubscriptionId = "<your-subscription-id-here>"
   $ResourceGroupName = "<resource-group-name-here>"
   $StorageAccountName = "<storage-account-name-here>"
   Select-AzSubscription -SubscriptionId $SubscriptionId

6. The next step involves registering the target storage account with your on-premises AD environment. You should choose an appropriate OU. Use the Get-ADOrganizationalUnit cmdlet to determine the name and DistinguishedName of the OU that you want to host the registered account:

   Click here to view code image

   Join-AzStorageAccountForAuth '
           -ResourceGroupName $ResourceGroupName '
           -StorageAccountName $StorageAccountName '
           -DomainAccountType "<ComputerAccount|ServiceLogonAccount>" '
           -OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>" # If
           you don't provide the OU name as an input parameter, the AD identity that
           represents the storage account is created under the root directory.

The Debug-AzStorageAccountAuth cmdlet allows you to conduct a set of basic checks on your AD configuration with the logged-in AD user once you have performed account registration:

Click here to view code image

Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName
$ResourceGroupName -Verbose

If you are unable to configure the on-premises service account so that its password does not expire, you’ll need to use the Update-AzStorageAccountADOjbectPassword cmdlet to update the Azure Storage account each time your on-premises service account password changes. This cmdlet is a part of the AzFilesHybrid module and must be run on a computer in the on-premises AD DS-joined environment with an account that has permissions within AD DS and owner permissions to the storage account. The following command—with appropriate variable substitutions—acquires the second storage account key and updates the password of the service account registered in AD DS:

Click here to view code image

# Update the password of the AD DS account registered for the storage account
# You may use either kerb1 or kerb2
Update-AzStorageAccountADObjectPassword '
        -RotateToKerbKey kerb2 '
        -ResourceGroupName "<your-resource-group-name-here>" '
        -StorageAccountName "<your-storage-account-name-here>"

Configuring share-level permissions

You configure share-level permission by assigning RBAC roles at the Azure file share. The following three roles are available for assigning file share permissions:

• Storage File Data SMB Share Reader This role provides read access to Azure file shares over SMB to users who have this role.

• Storage File Data SMB Share Contributor This role allows users who hold it read, write, and delete access to the Azure Storage file shares over SMB.

• Storage File Data SMB Share Elevated Contributor This role allows read, write, and delete access, as well as the ability to modify Windows Access Control Lists (ACLs) of Azure Storage File shares over SMB.

When multiple roles are assigned, permissions are cumulative. The exception to this rule is when a deny permission applies; in this case, the deny permission overrides any allow permissions. While it is possible to assign RBAC roles and therefore, configure share-level permissions at the storage account level, you should instead assign RBAC roles at the individual file share-level. Full administrative control of file shares, which includes the ability to take ownership of files, currently requires the storage account key. You cannot take ownership of a file using Azure AD credentials.

Configuring file and folder permissions

Once you have assigned share-level permissions to an Azure File share using RBAC, you should then configure file and folder permissions on the contents of the share. When reading the Azure documentation, most Windows Server administrators will recognize that NTFS permissions are referred to as Windows ACLs.

You can configure file and folder permissions using the Set-ACL PowerShell cmdlet, using the icacls.exe command, or using Windows File Explorer if you have mounted the shared folder on a computer running a Windows Client or Windows Server operating system.

Azure AD DS authentication

Earlier in the chapter, you learned about using on-premises AD DS authentication to secure Azure File shares. Also, you can use Azure AD Domain Services to configure authentication for SMB connections to Azure File shares. Azure AD Domain Services is an Azure service that works with Azure AD to provide the functionality of domain controllers on an Azure subnet. When you enable Azure AD DS, you can domain join a Windows client or server VM that is hosted on an Azure subnet without having to deploy VMs that function as domain controllers. You can’t use on-premises Active Directory authentication and Azure AD DS authentication on the same storage account or file shares.

Once you have enabled Azure AD DS on a subscription, you can enable identity-based access through AD DS when creating the storage account by selecting the Azure Active Directory Domain Services (Azure AD DS) identity option. You can also enable this option on the Configuration page of the storage account, as shown in Figure 4-13.

You can also use the Set-AzStorageAccount PowerShell cmdlet with the EnableAzureActiveDirectoryDomainServicesForFile parameter to enable Azure AD DS authentication for an Azure file share. For example, to enable Azure AD DS authentication for the Azure file share named tailwind-files stored in the resource group FilesRG, run this PowerShell command:

Click here to view code image

Set-AzStorageAccount -ResourceGroupName "FilesRG" '
    -Name "tailwind-files" '
    -EnableAzureActiveDirectoryDomainServicesForFile $true

You can use the az storage account update Azure CLI command with the --enable-files-adds option to enable Azure AD DS authentication for an Azure file share. For example, to enable Azure AD DS authentication for the Azure file share named tailwind-files stored in the resource group FilesRG, run the Azure CLI command:

Click here to view code image

az storage account update -n tailwind-files -g FilesRG --enable-files-adds $true

Once Azure AD DS authentication has been enabled on the storage account, you can use the Access Control (IAM) page of the storage account’s properties to assign one of the Storage File Share RBAC roles discussed earlier in this chapter as a share-level permission. Figure 4-14 shows that the Tailwind-Engineers Azure AD group has assigned the Storage File Data SMB Share Contributor role to the tailwind-share Azure File share.

The process for configuring NTFS permissions on files and folders is the same as it is when you enable authentication for on-premises AD DS accounts. You first mount the file share on a Windows client or server computer, and then you use tools such as Windows File Explorer, PowerShell, or the icacls.exe utility to configure the permissions.

Create user delegation SAS

To create a user delegation SAS for a storage container using PowerShell, first create a storage context object by substituting the appropriate values into the following PowerShell code:

Click here to view code image

$ctx = New-AzStorageContext -StorageAccountName <storage-account> -UseConnectedAccount

Create a user delegation SAS token by substituting the appropriate values in the following PowerShell code:

Click here to view code image

New-AzStorageContainerSASToken -Context $ctx '
    -Name <container> '
    -Permission racwdl '
    -ExpiryTime <date-time>

To create a user delegation SAS for a blob, substitute the appropriate values in the following PowerShell code:

Click here to view code image

New-AzStorageBlobSASToken -Context $ctx '
    -Container <container> '
    -Blob <blob> '
    -Permission racwd '
    -ExpiryTime <date-time>
    -FullUri

You can revoke a user delegation SAS using the Revoke-AzStorageAccountUser DelegationKeys command. For example, use the following PowerShell code, substituting the appropriate values where necessary:

Click here to view code image

Revoke-AzStorageAccountUserDelegationKeys -ResourceGroupName <resource-group> '
    -StorageAccountName <storage-account>

To create a user delegation SAS for a storage container using Azure CLI, run the following Azure CLI command, substituting the appropriate values where necessary:

Click here to view code image

az storage container generate-sas 
    --account-name <storage-account> 
    --name <container> 
    --permissions acdlrw 
    --expiry <date-time> 
    --auth-mode login 
    --as-user

To create a user delegation SAS for a blob using Azure CLI, run the following Azure CLI command, substituting the appropriate values where necessary:

Click here to view code image

az storage blob generate-sas 
    --account-name <storage-account> 
    --container-name <container> 
    --name <blob> 
    --permissions acdrw 
    --expiry <date-time> 
    --auth-mode login 
    --as-user
    --full-uri

To revoke a user delegation SAS using Azure CLI, run the following command, substituting the appropriate values where necessary:

Click here to view code image

az storage account revoke-delegation-keys 
    --name <storage-account> 
    --resource-group <resource-group>

It is important to note is that because Azure Storage caches user delegation keys and Azure role assignments, the revocation process might not occur immediately.

Create an account SAS

The first step when creating an account SAS is creating an Account SAS URI. The Account SAS URI includes the URI of the storage resource to which the SAS provides access and the SAS token. SAS tokens are special query strings that include the data used to authorize resource requests and determine the service, resource, and access permissions. SAS tokens also include the period for which the signature will be valid.

Table 4-2 lists the required and optional parameters for the SAS token:

To construct the signature string, you need to encode the string as UTF-8 that you want to sign from the fields included in the request and compute the signature using the HMAC-SHA256 algorithm.

Stored Access Policies

Stored access policies allow you to specifically control service-level shared access signatures. You can configure stored access policies for blob containers, file shares, queues, and tables. Stored access policies consist of the start time, expiry time, and permissions for an SAS. Each of these parameters can be specified on the signature URI rather than in a stored access policy. You can also specify all these parameters on the stored access policy or use a combination of the two. It is important to note that it is not possible to specify the same parameter on both the SAS token and the stored access policy without problems occurring.

Azure allows you to set a maximum of five concurrent access policies on individual containers, tables, queues, or shares. To create or modify a stored access policy, you need to call the Set ACL operation for the resource you want to protect with the request body of the call that lists the terms of the access policy. The following is a template that you can use for the request body where you substitute your own start time, expiry time, abbreviated permission list, and a unique signed identifier of your choosing:

Click here to view code image

<?xml version="1.0" encoding="utf-8"?>
<SignedIdentifiers>
  <SignedIdentifier>
    <Id>unique-64-char-value</Id>
    <AccessPolicy>
      <Start>start-time</Start>
      <Expiry>expiry-time</Expiry>
      <Permission>abbreviated-permission-list</Permission>
    </AccessPolicy>
  </SignedIdentifier>
</SignedIdentifiers>

To change the existing stored access policy parameters, call the access control list operation for the resource type and specify new parameters while ensuring that the unique ID field remains the same. To remove all access policies from a storage resource, call the Set ACL operation with an empty request policy.

Implement Azure SQL Database Always Encrypted

Always Encrypted is a technology available for Azure SQL that allows you to protect specific types of sensitive data that has a known recognizable pattern, such as passport numbers, tax file identification numbers, and credit card numbers. When Always Encrypted is enabled, clients interacting with the database server will encrypt the sensitive data inside the client applications and will not forward the encryption keys used to decrypt that data to the database server that will store that data. This ensures that administrators who manage Azure SQL servers cannot view sensitive data protected by Always Encrypted.

Deterministic or Randomized Encryption

Always Encrypted supports two forms of encryption: deterministic encryption and randomized encryption:

• Deterministic encryption When you use deterministic encryption, the same encrypted value will always be generated for the same plain text value, though this value will be unique to each database. Implementing deterministic encryption will allow you to perform point lookups, equality joins, grouping, and indexing on encrypted columns. It may, however, allow unauthorized users to guess information about encrypted values by looking for patterns in encrypted columns. This is especially true if there are a small set of possible values. Deterministic encryption requires that the column collation is configured with a binary2 sort order for character columns.

• Randomized encryption When you configure randomized encryption, data is encrypted less predictably. While randomized encryption is more secure than deterministic encryption, enabling randomized encryption prevents searching, grouping, indexing, and performing joins on encrypted columns.

In general, you should plan to use deterministic encryption if columns will be used for searchers or where you will be grouping parameters. An example of this is where you need to search for a specific passport number. The client will be able to perform the hash of the query value and then locate values within the database that match that encrypted hash. You should use randomized encryption if your database has information that isn’t grouped with other records and isn’t used to join tables, such as medical notes.

Configuring Always Encrypted

Configuring Always Encrypted is an activity that requires the use of client-side tools. You can’t use Transact SQL statements to configure Always Encrypted; instead, you must configure Always Encrypted using SQL Server Management Studio or PowerShell. Configuring Always Encrypted requires performing the following tasks:

• Provisioning column master keys, column encryption keys, and encrypted column encryption keys with corresponding column master keys

• Creating key metadata in the database

• Creating new tables with encrypted columns

• Encrypting existing data in selected database columns

Always Encrypted is not supported for columns that have the following characteristics:

• Columns with xml, timestamp/rowversion, image, ntext, text, sql_variant, hierarchyid, geography, geometry, alias, and types or user-defined types

• FILESTREAM columns

• Columns with the IDENTITY property

• Columns with ROWGUIDCOL property

• String columns with non-bin2 collections

• Columns that are keys for clustered and non-clustered indexes (if you are using randomized encryption)

• Columns that are keys for full-text indexes (if you are using randomized encryption)

• Computed columns

• Columns referenced by computed columns

• Sparse column set

• Columns referenced by statistics (if you are using randomized encryption)

• Columns using alias types

• Partitioning columns

• Columns with default constraints

• Columns referenced by unique constraints (if you are using randomized encryption)

• Primary key columns (if you are using randomized encryption)

• Referencing columns in foreign key constraints

• Columns referenced by check constraints

• Columns tracked using change data capture

• Primary key columns on tables that have change tracking enabled

• Columns masked using Dynamic Data Masking

• Columns in Stretch Database Tables

To configure Always Encrypted on an Azure SQL database using SQL Server Management Studio, perform the following steps:

1. Connect to the database that hosts the tables with columns you want to encrypt using Object Explorer in SQL Server Management Studio. If the database does not already exist, you can create the database and then create the tables that you will configure to use Always Encrypted.

2. Right-click the database and select Tasks > Encrypt Columns. This will open the Always Encrypted Wizard. Click Next.

3. On the Column Selection page, expand the database tables, and then select the columns that you want to encrypt.

4. For each column selected, you will need to set the Encryption Type attribute to Deterministic or Randomized.

5. For each column selected, you will need to choose an Encryption Key. If you do not already have an encryption key, you can have one automatically generated.

6. On the Master Key Configuration page, choose a location to store the key. You will then need to select a master key source.

7. On the Validation page, select whether you want to run the script immediately or use a PowerShell script later.

8. On the Summary page, review the selected option and click Finish.

Service endpoints

Virtual network service endpoints provide access to Azure services over the Azure backbone networks. You can use virtual network service endpoints to allow private IP addresses on a specific virtual network to reach a specific service without requiring the hosts on the virtual network to have a public IP address. Virtual network service endpoints are supported for the following Azure services:

• Azure Storage

• Azure SQL Database

• Azure Synapse Analytics

• Azure Database for PostgreSQL server

• Azure Database for MySQL server

• Azure Database for MariaDB

• Azure Cosmos DB

• Azure Key Vault

• Azure Service Bus

• Azure Event Hubs

• Azure Data Lake Store Gen 1

• Azure App Service

• Azure Cognitive Services

• Azure Container Registry

Azure Service Endpoints allow access to the service but don’t limit access to a specific instance of that service. For example, if you configure a service endpoint to Azure SQL Database, a host on the configured virtual network will be able to connect to all SQL database instances rather than a specific instance.

IP Firewall rules

Most Azure services allow access to authenticated connections from any host on the Internet, with unauthenticated connections automatically dropped. Using IP firewall rules, organizations that want to go further can limit access to a specific known range of IP addresses used by the organization. IP firewall rules can be used in conjunction with other technologies such as Azure Service Endpoints or Azure Private Link. IP firewall rules limit traffic based on IP address. When configuring IP firewall rules for an Azure data source, you don’t configure rules to include a port or protocol. Firewall rules can be configured on the Networking section of the Azure service’s properties.

Azure Private Link

Azure Private link allows you to connect a data solution such as Azure Synapse Analytics or Azure Cosmos DB to a private endpoint. Private endpoints are collections of private IP addresses in a subnet in a virtual network. When you use Private Link you can limit access to the data solution so that it can only be accessed by hosts that use those specific private IP addresses. You can combine Private Link with network security group rules. Private link can be used to limit access so that it can only occur from a specific virtual network or any peered virtual network as long as the IP addresses on that virtual network or peered virtual network are specified when configuring the private endpoint.

Azure Private Link provides the following benefits:

• Private access to Azure services. Allows you to connect virtual networks to services without requiring a public IP address at the source or destination. Communication occurs over the Azure backbone network.

• Access to on-premises and peered networks. Private Link can be configured to allow access from on-premises networks connected to a configured virtual network through ExpressRoute private peering, VPN tunnels, and peered virtual networks.

• Data leakage protection. You map private endpoints to a specific Azure Cosmos DB, Azure Synapse Analytics, or Azure PaaS instance. This means that connections using the Private Link can only access that specific instance of the data service, not all data services such as the case that occurs when you use a service endpoint.

Manage permissions to secrets, certificates, and keys

You use Key Vault access control policies to manage permissions to secrets, certificates, and keys at the data plane level. Each Key Vault access control policy includes entries specifying what access the designated security principal has to keys, secrets, and certificates. Each Key Vault supports a maximum of 1,024 access policy entries.

An access policy entry grants a distinct set of permissions to a security principal. A security principal can be a user, service principal, managed identity, or group. Microsoft recommends assigning permissions to groups and then adding and removing users, service principals, and managed identities to and from those groups as a way of granting or revoking permissions.

You can configure the permissions for the keys, secrets, and certificates outlined in Table 4-3.

Key Vault access policies don’t allow you to configure granular access to specific keys, secrets, or certificates. You can only assign a set of permissions at the keys, secrets, or certificates levels if you need to allow a specific security principal access to only some and not all keys, secrets, or certificates. Instead, you should store those keys, secrets, or certificates in separate Key Vaults. For example, if there are three secrets that you need to protect using Key Vault, and one user should only have access to two of those secrets, you’ll need to store the third of those secrets in a separate Key Vault from the first two.

You use the Set-AzKeyVaultAccessPolicy Azure PowerShell to configure a Key Vault policy using Azure PowerShell. When using this cmdlet, the important parameters are the vault name, the resource group name, the security principal identifier, which can be UserPrincipalName, ObjectID, ServicePrincipalName, and then the parameters that define permissions to Keys, Secrets, and Certificates. The Set-AzKeyVaultACcessPolicy cmdlet has the following format:

Click here to view code image

Set-AzKeyVaultAccessPolicy -VaultName <your-key-vault-name> -PermissionsToKeys
<permissions-to-keys> -PermissionsToSecrets <permissions-to-secrets>
-PermissionsToCertificates <permissions-to-certificates> -ObjectId <Id>

If you prefer Azure CLI, you can use the az keyvault set-policy command to configure access policies to Key Vault Items. The az keyvault set-policy command has the following format:

Click here to view code image

az keyvault set-policy -n <your-unique-keyvault-name> --spn <ApplicationID-of-your-
service-principal> --secret-permissions <secret-permissions> --key-
permissions <key-permissions> --certificate-permissions <certificate-permissions>

Configure RBAC usage in Azure Key Vault

RBAC allows you to secure Azure Key Vault at the management plane. In mid-2020, Microsoft introduced a new set of RBAC roles that provide a simplified way of assigning permissions to the contents of Key Vaults. Going forward, you should only configure access policies when you need to configure complex permissions that are not covered by the new RBAC roles. You assign Key Vault RBAC roles on the Access Control (IAM) page of a Key Vault’s properties, as shown in Figure 4-30. While you can also assign Key Vault RBAC roles at the resource group, subscription, and management group level, security best practice is to assign roles with the narrowest-possible scope.

The RBAC roles for Azure Key Vault are as follows:

• Key Vault Administrator Can perform any action on secrets, certificates, and keys in a Key Vault, except managing permissions

• Key Vault Certificates Officer Can perform any actions on Key Vault certificates, except managing permissions

• Key Vault Contributor Allows for the management of Key Vault but does not allow access to the items within a Key Vault

• Key Vault Crypto Officer Can perform any actions on Key Vault keys, except managing permissions

• Key Vault Crypto Service Encryption Has read access to key metadata and can perform wrap and unwrap operations

• Key Vault Crypto User Can perform cryptographic operations on keys and certificates

• Key Vault Reader Can read Key Vault item metadata but not Key Vault item contents

• Key Vault Secrets Officer Can perform all actions on Key Vault secrets except managing permissions

• Key Vault Secrets User Can read the contents of secrets

Key Vault Firewalls and Virtual Networks

The Networking page of a Key Vault’s properties page, shown in Figure 4-31, allows you to configure the network locations from which a specific Key Vault can be accessed. You can configure the Key Vault to be accessible from all networks or specific virtual networks and sets of IPv4 address ranges.

When configuring network access rules for Azure Key Vault, keep the following in mind:

• Each Key Vault can be configured with a maximum of 127 virtual network rules and 127 IPv4 rules.

• /31 and /32 CIDR subnet masks are not supported. Instead of individual IP addresses, rules should be allowed when allowing access from these subnets.

• IP network rules can only be configured for public IP address ranges. You should use virtual network rules for private IP address ranges.

• IPv6 addresses are not presently supported by Azure Key Vault firewall rules.

You can configure Key Vault firewalls and virtual networks in the Azure portal by performing the following steps:

1. In the Azure portal, open the Key Vault that you want to configure.

2. Under Settings, select Networking. On the Networking page, select Firewalls And Virtual Networks.

3. By default, the Key Vault will be accessible from all networks. Select the Private Endpoint And Selected Networks option. When you enable this option, trusted Microsoft services can bypass the firewall. You can disable access from trusted Microsoft services if you choose.

4. To add an existing virtual network or a new virtual network, click the Add Existing Virtual Networks or Add New Virtual Networks items, as shown in Figure 4-32.

   

5. When you add a virtual network, you must select the subscription, virtual network, and subnets that you want to grant access to the Key Vault, as shown in Figure 4-33. If a service endpoint isn’t present on the virtual network subnet, you can enable one.

   

6. To add an IPv4 address range, enter the IPv4 address or CIDR range, as shown in Figure 4-34.

   

7. Click Save to save the Firewall And Virtual Networks configuration.

You can use the Private Endpoint Connections tab to add private endpoint access to a specific Key Vault. An Azure Private Endpoint is a network interface that allows a private and secure connection to a service using an Azure Private Link. Azure Private Link allows access to Azure PaaS Services, such as an Azure Key Vault over a private connection on the Microsoft network backbone. No traffic that traverses a private link passes across the public Internet.

Creating and importing certificates

You can add certificates to Key Vault by importing them or generating them using the Key Vault. When generating certificates, you can have the certificate self-signed or have it be generated as part of a trust chain from a trusted CA provider.

To create a self-signed certificate using the Azure portal, perform the following steps:

1. In the Azure portal, open the Key Vault properties page and click Certificates, as shown in Figure 4-35.

   

2. Select Generate/Import. On the Create A Certificate page shown in Figure 4-36, set the Method Of Certificate Creation as Generate. You can also set this to Import An Existing Certificate, which you will learn about later in this chapter. Ensure that Type Of Certificate Authority (CA) is set to Self-Signed Certificate. Provide a Certificate Name, a Subject, and any DNS Names, and then click Create.

You can use Azure Key Vault to create TLS/SSL certificates that leverage a trust chain from a trusted CA provider after you have performed the following steps to create an issuer object:

1. Performed the onboarding process with your chosen Certificate Authority (CA) provider. At present, DigiCert and GlobalSign are partnered with Microsoft to support TLS/SSL certificate generation. Certificates generated in this manner will be trusted by third-party clients.

2. The chosen CA provider will provide credentials that can be used by Key Vault to enroll, renew, and implement TLS/SSL certificates. You can enter these credentials on the Create A Certificate Authority page in the Azure portal, as shown in Figure 4-37. You get to this page by selecting Certificate Authorities on the Certificates page of Key Vault and then clicking Add.

   

3. Add the certificate issuer resource to the Key Vault.

4. Configure Certificate Contacts for notifications. This step isn’t required, but it is recommended. You can do this on the Certificate Contacts page, available through the Certificates page, as shown in Figure 4-38.

Once you have configured the relationship with the issuing CA, you will be able to create TLS/SSL certificates using the portal or by creating a request using JSON code similar to the following. (This requires the CertificateIssuer resource created earlier, and this example assumes a partnership with DigiCert.)

Click here to view code image

{
  "policy": {
    "x509_props": {
      "subject": "CN=TailwindCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL",
    }
  }
}

The POST method to send this request URI is similar to the following, with your Key Vault’s address substituted where appropriate: https://mykeyvault.vault.azure.net/certificates/mycert1/create?api-version={api-version}.

To create a Key Vault certificate manually instead of relying on the partner certificate authority provider, use the same method as outlined above, but don’t include the issuer field. As an alternative, you can create a self-signed certificate by setting the issuer name to "Self" in the certificate policy, as shown here:

"issuer": {
       "name": "Self"
    }

You can import an x509 certificate into Key Vault that has been issued by another provider, as long as you have the certificate in PEM or PFX format and you have the certificate’s private key. You can perform an import through the Azure portal, as shown in Figure 4-39, by using the az certificate import Azure CLI command or by using the Import- AzKeyVaultCertificate PowerShell cmdlet.

You can use the PowerShell cmdlets in Table 4-4 to manage Azure Key Vault certificates:

If you prefer to use Azure CLI to manage certificates in Azure Key Vault, you can use the commands shown in Table 4-5:

Manage secrets

Secrets, in the context of Azure Key Vault, allow you to securely store items such as passwords and database connection strings. Key Vault automatically encrypts all stored secrets. This encryption is transparent. The Key Vault will encrypt a secret when you add it, and it decrypts the secret when an authorized user accesses the secret from the vault. Each Key Vault encryption key is unique to an Azure Key Vault.

Key Vault secrets are stored with an identifier and the secret itself. When you want to retrieve the secret, you specify the identifier in the request to the Key Vault. You can add a secret to a Key Vault using the az keyvault secret set command. For example, to add a secret to the Key Vault named TailwindKV where the secret identifier name is Alpha and the value of the secret is Omega, you would run this command:

Click here to view code image

az keyvault secret set 
    --name Alpha 
    --value Omega 
    --vault-name TailwindKV

You can view a secret using the azure keyvault secret show Azure CLI command, and you can delete a secret using the azure keyvault secret delete Azure CLI command. To add the same secret to the same Azure Key Vault used in the example above using PowerShell, run the command:

Click here to view code image

$secretvalue = ConvertTo-SecureString 'Omega' -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName 'TailwindKV' -Name 'Omega' -SecretValue
$secretvalue

You can view an Azure Key Vault Secret with the Get-AzureKeyVaultSecret cmdlet. You can modify an existing Azure Key Vault secret with the Update-AzureKeyVaultSecret Azure PowerShell cmdlet, and you can delete an Azure Key Vault secret with the Remove- AzureKeyVaultSecret cmdlet.

You can manage secrets using the Azure portal from the Secrets section of a Key Vault’s properties page, as shown in Figure 4-40.

Beyond the secret ID and the secret itself, you can configure the following attributes for Azure Key Vault secrets.

• Expiration time (exp) Allows you to specify a specific time after which the secret should not be retrieved from the Key Vault. Using this attribute does not block the use of the secret, just as the expiration date on food doesn’t stop you from eating it after that date has passed. The expiration time attribute simply provides the secret keeper with a method of recommending that a secret is beyond its use-by date.

• Not before (nbf) Similar to the expiration time attribute, the not before attribute allows the secret keeper to specify the time at which a secret becomes valid. For example, you could store a secret in a Key Vault and set the not before attribute to 2030, which would inform anyone retrieving the secret that the secret information itself won’t be useful until 2030.

• Enabled Allows you to specify whether secret data is retrievable. This attribute is used in conjunction with the exp and nbf attributes. Any operation that involves the Enabled attribute that doesn’t include the exp or nbf attributes will be disallowed.

You can use the Azure PowerShell cmdlets in Table 4-6 to manage secrets in Azure Key Vault.

You can use the Azure CLI commands in Table 4-7 to manage Key Vault Secrets.

Manage Keys

Cryptographic keys stored in an Azure Key Vault are stored as JSON Web Key (JWK) objects. Azure Key Vault supports RSA and Elliptic Curve (EC) keys only. Azure Key Vault supports two types of protection for keys, software protection, and hardware secure module (HSM) protection. These differences manifest in the following manner:

• Software-protected keys The key is processed in software by Azure Key Vault. The key is protected using encryption at rest, with the system key stored in an Azure HSM. RSA or EC keys can be imported into an Azure Key Vault configured for software protection. You can also configure Azure Key Vault to create a key that uses these algorithms.

• HSM-protected keys The key is stored in a specially allocated HSM. Clients can import RSA or EC keys from a software protected source or from a compatible HSM device. You can also use the Azure management plane to request that Key Vault generate a key using these algorithms. When you use HSM-protected keys, the key_hsm attribute is appended to the JWK.

Azure Key Vault allows the following operations to be performed on key objects:

• Create This operation allows a security principal to create a key. The key value will be generated by Key Vault and stored in the vault. Key Vault supports the creation of asymmetric keys.

• Import Allows the security principal to import an existing key into Key Vault. Key Vault supports the importation of asymmetric keys.

• Update Allows a security principal to modify key attributes (metadata) associated with a key that is stored within Key Vault.

• Delete Allows a security principal to remove a key from Key Vault.

• List Allows a security principal to list all keys in a Key Vault.

• List versions Allows a security principal to view all versions of a specific key in a Key Vault.

• Get Allows a security principal to view the public elements of a specific key stored in a Key Vault.

• Backup Exports a key from the Key Vault in a protected form.

• Restore Imports a previously exported Key Vault key.

You can use keys that are stored within an Azure Key Vault to perform the following cryptographic operations:

• Sign and Verify

• Key Encryption / Wrapping

• Encrypt and Decrypt

You can manage Key Vault keys using Azure portal by navigating to the Key Vault and selecting Keys under Settings, as shown in Figure 4-41.

To create a key using Azure Key Vault in the Azure portal, perform the following steps:

1. In the Azure portal, open the Key Vault that you want to create the key in and navigate to Keys in the Settings section.

2. On the Keys page, click Generate/Import. This will open the Create A Key page.

3. On the Create A Key page, make sure that the Options drop-down menu is set to Generate. Provide a name for the key, specify the key properties, specify whether the key has an activation or expiration date, and specify whether the key is enabled. Azure Key Vault will generate the key when you click Create.

You can use the Azure PowerShell cmdlets in Table 4-8 to manage Azure Key Vault keys:

You can use the Azure CLI commands in Table 4-9 to manage Azure Key Vault keys.