Question on benefits of Key Vault

  • Question

  • The scenario is a SaaS asp.net web app service where the subscribers do not need access to Key Vault.

    Key Vault is used to store certain sensitive values needed for code operation.

    Putting those values in key vault versus app config or DB (combined with other measures) has these benefits:

    1) Closes door on FTP type access to app config

    2) Closes door on DB type access to "Master Data" table

    However

    3) Key vault values cannot be hidden from developers because they can see them in debug.

    > Removing that access would require having a separate key vault for staging/testing, which would not work since the key vault values are critical to application operation, and it would be complicated to separate all the uses of those values into some kind of separately testable/deployable subsystem.

    So I guess the solution is:

    3a) Trust the developers

    3b) Ask/train them to follow good security practice (e.g. personal key vaults, 2-factor authentication at Github, local PC security, etc.)

    Any guidance or suggestions about how to further secure Key Vault values would be appreciated.

    Thanks!



    • Edited by codequestor Monday, September 10, 2018 8:25 PM
    • Moved by MohitGarg_MSFT Monday, September 10, 2018 11:40 PM Related to Key Vault
    Monday, September 10, 2018 8:25 PM

Answers

  • No - One of the reasons Key Vault exists is for the same reason. That said it is also about what roles your developer plays. If a dev is also your administrator then some of it might hold true.

    That said, there is no reason why a dev needs to be debugging an application running in your production. You would basically have multiple key vaults, each per environment and give a dev access to his local and development environment. Here is a longer explanation of a possible way to do that in a Real World Application

    Let me know if that helps or if you need any further help.


    Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem

    • Marked as answer by codequestor Wednesday, September 12, 2018 2:49 AM
    Tuesday, September 11, 2018 6:25 PM
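The answer above recommends one vault per environment, with developers granted access only to their local and development vaults. The following `Program.cs` is an added example of how that looks in an ASP.NET Core web app; it is not code from the thread or from Microsoft. It assumes the NuGet packages `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets`, a configuration key `KeyVault:Uri` that differs per environment, and hypothetical vault names (`contoso-kv-dev`, `contoso-kv-prod`) and a hypothetical secret `Payments--ApiKey`.

```csharp
// Program.cs of an ASP.NET Core (minimal hosting) web app.
// Added example for this thread, not code from the original posts.
// Packages assumed: Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// One vault per environment. The vault URI is the only Key Vault-related value stored
// with the deployment; vault names below are hypothetical.
//   appsettings.Development.json : "KeyVault": { "Uri": "https://contoso-kv-dev.vault.azure.net/" }
//   App Service (Production)     : app setting KeyVault__Uri = https://contoso-kv-prod.vault.azure.net/
string? vaultUri = builder.Configuration["KeyVault:Uri"];
if (string.IsNullOrWhiteSpace(vaultUri))
{
    throw new InvalidOperationException(
        $"KeyVault:Uri is not configured for environment '{builder.Environment.EnvironmentName}'.");
}

// DefaultAzureCredential resolves to the App Service managed identity when running in Azure
// and to the signed-in developer account (Visual Studio, Azure CLI, ...) on a workstation.
// Only the dev vault's access policy lists developer accounts, so a debug session on a
// workstation cannot read production secrets even though the code path is identical.
var credential = new DefaultAzureCredential();
builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), credential);

var app = builder.Build();

// Secret "Payments--ApiKey" in the vault surfaces as configuration key "Payments:ApiKey"
// (the provider maps "--" to ":"). Consumers read it through IConfiguration and never
// need to know which vault it came from.
app.MapGet("/health/secrets", (IConfiguration cfg) =>
{
    // Report presence only; never echo the value.
    bool present = !string.IsNullOrEmpty(cfg["Payments:ApiKey"]);
    return Results.Ok(new { vault = vaultUri, paymentsApiKeyLoaded = present });
});

app.Run();
```

The access model this relies on: on the dev vault, each developer's account gets a data-plane access policy with `get` and `list` on secrets; on the production vault, the only data-plane grant is the web app's managed identity. A developer who holds a management-plane role such as Reader on the production vault still cannot read its secrets, but note that Contributor on a vault using the access-policy model can edit access policies, so management-plane roles on the production vault should be limited to operators as well.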

All replies

  • Access to a key vault is controlled through two separate interfaces: management plane and data plane. For both planes, proper authentication and authorization are required before a caller (a user or an application) can get access to key vault. Authentication establishes the identity of the caller, while authorization determines what operations the caller is allowed to perform.

    For authentication both management plane and data plane use Azure Active Directory. For authorization, management plane uses role-based access control (RBAC) while data plane uses key vault access policy.

    Please refer to this document for full details - Secure your key vault



    Mohit Garg

    • Proposed as answer by MohitGarg_MSFT Tuesday, September 11, 2018 12:36 AM
    Monday, September 10, 2018 11:43 PM
  • Thanks for the response. I probably did not state my concern clearly.

    I'm looking for a way to allow key vault access from my web application, but deny visibility to the key vault values to the developers who work on the application. I believe the developers will have that visibility in debug mode, and it would be complicated to deny them that visibility.

    Is that likely to be the case?  Or is there some way to keep the developers from seeing the key vault values in debug mode?

    Tuesday, September 11, 2018 12:54 AM
  • Thanks, that's very helpful in giving me a clearer picture of what is going on.




    • Edited by codequestor Wednesday, September 12, 2018 2:49 AM
    Wednesday, September 12, 2018 1:15 AM