Description:
Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant HSM offering in Azure that allows you to protect cryptographic keys and secrets using FIPS 140-2 Level 3 validated hardware. Managed HSM provides strong key protection, with compliance for industry standards like FIPS 140-2, and is intended for workloads that require high levels of security, such as financial, healthcare, or governmental applications.
When sensitive data or high-assurance applications require enhanced key protection, Azure Key Vault Managed HSM should be used in place of standard Azure Key Vault services to store and manage cryptographic keys.
Rationale:
Using Azure Key Vault Managed HSM is critical for scenarios that require the highest level of key management security. It is particularly valuable for workloads that demand FIPS 140-2 Level 3 compliance, where cryptographic operations must be performed inside hardware modules validated against government and industry security standards. Keys are then generated, stored and used in an isolated, tamper-resistant environment, which reduces the risk that cryptographic material is exposed to an attacker or to the platform operator.
Impact:
Enabling Azure Key Vault Managed HSM provides additional security for key management by ensuring keys are stored in hardware devices designed to resist tampering. However, Managed HSM incurs higher cost and more configuration effort than standard Azure Key Vault, as it is intended for higher-security workloads.
It also requires proper planning to ensure the correct workloads and applications are configured to use Managed HSM instead of the standard Key Vault. Misconfigurations can lead to issues with key access or unnecessary usage of Managed HSM resources.
Default Value:
By default, Azure Key Vault is used for key management. Azure Key Vault Managed HSM needs to be explicitly configured when higher security requirements are needed.
Pre-requisites:
Azure account: Ensure you have the necessary permissions to deploy and manage Azure Key Vault Managed HSM.
Azure Key Vault: Ensure the appropriate Azure Key Vault instance is available and that key management requirements are identified.
Compliance Needs: You should be aware of the regulatory or compliance requirements (such as FIPS 140-2 Level 3) that dictate the need for using Managed HSM.
Remediation:
Manual Implementation Steps:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to Azure Key Vault:
In the Azure portal, go to Key Vault and ensure that you are creating or modifying a Managed HSM instance.
Check for Managed HSM usage:
Review the use case for Key Vault and determine if it meets the compliance/security standards that require Managed HSM.
If required, consider creating a Managed HSM instance by navigating to Create a resource > Security + Identity > Azure Key Vault > Create a Managed HSM.
Configure Managed HSM:
When creating a Managed HSM, ensure that you select Azure Key Vault Managed HSM as the key management option.
Follow the on-screen prompts to configure the HSM with necessary options, including region, network settings, and access policies.
Reconfigure applications to use Managed HSM:
If existing applications were using Azure Key Vault without HSM, reconfigure them to point to the Managed HSM instance for key management operations.
Update access policies to ensure that the necessary services or identities have the required permissions for key management in the Managed HSM instance.
Best Practices:
Evaluate Key Requirements: Ensure that the keys requiring Managed HSM are identified as high-value or high-assurance keys, such as those used in financial, healthcare, or sensitive government applications.
Review Compliance and Regulatory Standards: Confirm that FIPS 140-2 Level 3 or equivalent compliance is required, which mandates the use of Managed HSM.
Plan for Cost: Managed HSM is typically more expensive than standard Key Vault services, so it is crucial to ensure it is used where it provides a clear security benefit.
Backout Plan:
To revert to using standard Azure Key Vault:
Sign in to the Azure portal with appropriate permissions.
Navigate to Azure Key Vault:
In the Key Vault settings, ensure that keys are no longer stored in the Managed HSM instance.
Create or Use Standard Key Vault:
If required, create a new Key Vault without Managed HSM enabled.
Migrate the keys and secrets from the Managed HSM to the standard Key Vault.
Update applications to use standard Key Vault:
Modify application settings to use the Standard Key Vault for key management.
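The following script is an added example and not part of this benchmark. It performs, offline, the checks behind the "Check for Managed HSM usage" and "Reconfigure applications to use Managed HSM" remediation steps, and the same checks verify a backout (that no application still points at the Managed HSM once keys have been moved to a standard Key Vault). The vault inventory, application settings, identity ids and resource names are all constructed placeholders; the only facts it relies on are the two endpoint DNS suffixes (*.managedhsm.azure.net for Managed HSM, *.vault.azure.net for Key Vault) and the distinction between the two resource kinds.

```python
"""Offline audit: are high-assurance keys and apps on Managed HSM, and nothing else?

Added example, not part of the benchmark text. All data below is constructed.
"""
import re
from dataclasses import dataclass, field

# Endpoint patterns: Managed HSM and standard Key Vault use different DNS suffixes.
MHSM_URL = re.compile(r"^https://([a-z0-9-]+)\.managedhsm\.azure\.net/?$", re.IGNORECASE)
VAULT_URL = re.compile(r"^https://([a-z0-9-]+)\.vault\.azure\.net/?$", re.IGNORECASE)


@dataclass
class Vault:
    """One Key Vault or Managed HSM. `keys` maps key name -> assurance classification."""
    name: str
    kind: str                                   # "hsm" = Managed HSM, "vault" = standard/premium Key Vault
    keys: dict
    key_principals: set = field(default_factory=set)  # identities granted a key-use role on it


@dataclass
class App:
    name: str
    identity: str        # object id of the app's managed identity (constructed placeholder)
    endpoint: str        # vault/HSM URL found in the app's settings
    assurance: str       # "high" must use Managed HSM; "standard" should not


# Constructed inventory: resource names and identity ids are placeholders, not real resources.
VAULTS = [
    Vault("kv-app-standard", "vault", {"tls-signing": "high", "cache-enc": "standard"}, {"id-payments"}),
    Vault("mhsm-payments", "hsm", {"card-data-kek": "high"}, {"id-payments", "id-ledger"}),
    Vault("mhsm-unused", "hsm", {}, set()),
]

APPS = [
    App("payments-api", "id-payments", "https://kv-app-standard.vault.azure.net/", "high"),
    App("reporting", "id-reporting", "https://mhsm-payments.managedhsm.azure.net/", "standard"),
    App("ledger", "id-ledger", "https://mhsm-payments.managedhsm.azure.net/", "high"),
]


def classify_endpoint(url):
    """Return ("hsm", name), ("vault", name) or ("unknown", url) for a configured endpoint."""
    m = MHSM_URL.match(url)
    if m:
        return "hsm", m.group(1).lower()
    m = VAULT_URL.match(url)
    if m:
        return "vault", m.group(1).lower()
    return "unknown", url


def audit_key_placement(vaults):
    """Flag high-assurance keys outside Managed HSM and Managed HSMs that hold nothing."""
    findings = []
    for v in vaults:
        for key, assurance in v.keys.items():
            if assurance == "high" and v.kind != "hsm":
                findings.append(("HIGH", "key-outside-hsm", f"{v.name}/{key}",
                                 "high-assurance key stored in standard Key Vault"))
        if v.kind == "hsm" and not v.keys:
            findings.append(("LOW", "idle-hsm", v.name,
                             "Managed HSM holds no keys; paid resource without a workload"))
    return findings


def audit_app_config(apps, vaults):
    """Check each app's endpoint against its assurance level and its role grant on the HSM."""
    by_name = {v.name.lower(): v for v in vaults}
    findings = []
    for app in apps:
        kind, name = classify_endpoint(app.endpoint)
        if kind == "unknown":
            findings.append(("MEDIUM", "unknown-endpoint", app.name, f"unrecognised endpoint {name}"))
            continue
        if app.assurance == "high" and kind != "hsm":
            findings.append(("HIGH", "app-not-on-hsm", app.name,
                             f"high-assurance app still uses standard Key Vault {name}"))
        if app.assurance == "standard" and kind == "hsm":
            findings.append(("LOW", "app-on-hsm-unnecessarily", app.name,
                             f"standard-assurance app uses Managed HSM {name}"))
        target = by_name.get(name)
        if target is None:
            findings.append(("MEDIUM", "endpoint-not-in-inventory", app.name, f"{name} not found"))
        elif kind == "hsm" and app.identity not in target.key_principals:
            # Managed HSM authorisation is local RBAC; a missing role means key access fails at runtime.
            findings.append(("HIGH", "missing-hsm-role", app.name,
                             f"identity {app.identity} has no key role on {name}"))
    return findings


def run_audit(vaults=VAULTS, apps=APPS):
    """Combined findings as (severity, code, subject, detail) tuples."""
    return audit_key_placement(vaults) + audit_app_config(apps, vaults)


if __name__ == "__main__":
    for severity, code, subject, detail in run_audit():
        print(f"[{severity}] {code}: {subject} - {detail}")
```

In practice the inventory would be built from Azure CLI output rather than literals, for example `az keyvault list`, `az keyvault list --resource-type hsm` and `az keyvault role assignment list --hsm-name <name>`, and the application endpoints from each service's configuration store. The `key-outside-hsm` and `app-not-on-hsm` findings drive the remediation; `app-on-hsm-unnecessarily` and `idle-hsm` cover the unnecessary-usage concern noted under Impact and confirm a completed backout.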