Securing sensitive information in Azure Cloud Service Configuration

We are using Cloud Service configuration to store app settings. But we would like to secure a few app settings like user credentials, database connection strings, etc. What is the recommended way to do that?

We are reading this configuration from both the web and worker role. Hence using the aspnet_regiis utility is not an option, as it is not available in the worker role since IIS is not installed there.

We also considered using Key Vault, but we end up in the same situation of securing the Key Vault key.

Unfortunately, Azure cloud service does not support managed service identities.

Rockstart Avatar asked Sep 18 '18 09:09
1 Answer

"We also considered using Key Vault, but we end up in the same situation of securing the Key Vault key."

Problem Statement

Even though you can move all sensitive information out to Azure Key Vault, to access the Key Vault you need a client ID and client secret key (to establish the identity of your cloud service, so that Key Vault knows who is accessing it).

This means your application's client secret key will be sitting in the cloud service configuration, which is almost equivalent to all sensitive information sitting in the cloud service configuration in the first place :).

Solution Approach

Managed Service Identity would have been the way to go to access Azure Key Vault and avoid keeping the client secret key in the cloud service configuration.

In the absence of managed service identities for classic cloud services, you can use certificate credentials for application authentication to establish the application's identity and get access to Key Vault for reading keys, secrets, etc.

Details and Sample Code

  1. You register an Azure AD application to represent your cloud service.
  2. Give appropriate access (ability to get keys/secrets, etc.) to this Azure AD application in Key Vault's access policies.
  3. Now, instead of generating a regular client secret, you follow the steps in Certificate credentials for application authentication to associate the certificate credential with the client application in Azure AD.
  4. Ensure that this certificate gets deployed with all your cloud service instances by including it in the service definition file (CSDEF).
  5. Use your application's client ID and this certificate to acquire a token and start reading sensitive information from Azure Key Vault.

Sample Code is available here: Authenticating to Azure AD in daemon apps with certificates

Just the important code pieces:

using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Initialize the Certificate Credential to be used by ADAL.
// ReadCertificateFromStore is the sample's helper that loads the certificate deployed via the CSDEF.
X509Certificate2 cert = ReadCertificateFromStore(certName);

// Then create the certificate credential client assertion (client ID + certificate, no client secret).
ClientAssertionCertificate certCred = new ClientAssertionCertificate(clientId, cert);

// Acquire an auth token for talking to Azure Key Vault.
// authContext is an AuthenticationContext for your tenant's authority; for Key Vault the
// resource identifier is "https://vault.azure.net" (the sample's name for it is todoListResourceId).
AuthenticationResult result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);

Rohit Saigal Avatar answered Oct 21 '22 08:10
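Putting the five steps together: the following is an added example (not the answer's or the linked sample's code) of a worker or web role reading a secret from Key Vault with a certificate credential, so nothing secret has to live in the .cscfg. The client ID, thumbprint and vault URL are placeholders; it assumes the ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) and Microsoft.Azure.KeyVault packages.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultSecrets
{
    // Placeholders: the app registration, the deployed certificate and the vault (assumed values).
    const string ClientId = "<app-client-id>";
    const string CertThumbprint = "<certificate-thumbprint>";
    const string VaultBaseUrl = "https://<vault-name>.vault.azure.net/";

    // Loads the certificate that the CSDEF deployed into the role instance's LocalMachine\My store.
    // Only the public certificate is registered in Azure AD; the private key never leaves the instance.
    static X509Certificate2 ReadCertificateFromStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My store.");
            return found[0];
        }
    }

    // ADAL callback used by KeyVaultClient: the app proves its identity by signing a client
    // assertion with the certificate instead of presenting a client secret from configuration.
    static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        var certCred = new ClientAssertionCertificate(ClientId, ReadCertificateFromStore(CertThumbprint));
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, certCred);
        if (result == null)
            throw new InvalidOperationException("Failed to obtain a token for Key Vault.");
        return result.AccessToken;
    }

    // Reads e.g. the database connection string from Key Vault instead of from the .cscfg.
    public static async Task<string> GetSecretAsync(string secretName)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetTokenAsync));
        var secret = await client.GetSecretAsync(VaultBaseUrl, secretName);
        return secret.Value;
    }
}
```

The Azure AD application needs only the Key Vault access policy permission "Get" on secrets for this to work, which keeps the blast radius small if the role is compromised.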