Profile Applicability:

  • Level 2

Description:
 Customer Managed Keys (CMK) allow organizations to control the encryption keys used to protect critical data stored in Azure services. With CMKs, the keys are held in Azure Key Vault or Azure Key Vault Managed HSM, so the organization, rather than Microsoft, manages key lifecycle, rotation, and access policies, and can revoke the service's access to a key if needed.

Rationale:
 Encrypting critical data with CMKs enhances security and compliance by providing organizations with control over key management. This enables auditability, enforces separation of duties, and allows organizations to meet strict regulatory requirements for data protection.

Impact:

Pros:

  • Full control over key management, including rotation and revocation.

  • Improved compliance and audit support.

  • Enables separation of duties between key custodians and data owners.

Cons:

  • Increased operational complexity and responsibility.

  • Requires careful management to prevent key loss or misconfiguration.

  • Possible additional costs for Key Vault and HSM usage.

Default Value:
 Many Azure services encrypt data at rest using Microsoft Managed Keys by default unless CMKs are configured.

Pre-requisites:

  • Azure Key Vault or Managed HSM set up with customer-managed keys.

  • Proper access control and permissions configured for key usage.

  • Administrative rights to configure encryption settings on Azure resources.

Remediation:

Test Plan:

Using Azure Portal:

  1. Sign in to https://portal.azure.com.

  2. Open the Azure resource storing critical data (e.g., Storage Account, SQL Database).

  3. Review Encryption settings to verify the use of Customer Managed Keys.

  4. Confirm Key Vault key URI and access policies are properly configured.

Using Azure CLI:

  1. Check encryption key source for storage account:

    az storage account show --name <storage-account-name> --resource-group <resource-group-name> --query encryption.keySource --output tsv

  2. Confirm the output is Microsoft.Keyvault, which indicates a customer-managed key. A value of Microsoft.Storage means the account still uses Microsoft-managed keys. For a CMK account, also check that encryption.keyVaultProperties names the expected Key Vault URI and key.

Implementation Plan:

Using Azure Portal:

  1. Create or select an existing Key Vault with CMKs.

  2. Assign necessary access policies to the Azure resource identity.

  3. Configure the resource’s encryption settings to use CMKs.

  4. Save and validate the configuration.

Using Azure CLI:

Assign Key Vault permissions to the storage account's managed identity. The identity must exist first: for a system-assigned identity, run az storage account update with --assign-identity and take the principalId from its output. If the Key Vault uses the Azure RBAC permission model instead of access policies, assign the Key Vault Crypto Service Encryption User role to that identity rather than running set-policy:

az keyvault set-policy --name <key-vault-name> --object-id <storage-account-principal-id> --key-permissions get wrapKey unwrapKey

Update the encryption key source. The Key Vault must have soft delete and purge protection enabled or the update is rejected. Omitting the key version lets the account follow the latest version of the key automatically; pass --encryption-key-version only to pin a specific version:

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --encryption-key-source Microsoft.Keyvault --encryption-key-vault <key-vault-uri> --encryption-key-name <key-name>
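The Test Plan and Implementation Plan above are both driven by the same data: the encryption and identity fields of the storage account resource. The following script, an added example that is not part of the benchmark text, audits every account in saved output from az storage account list (field names are the Azure CLI's camelCase rendering of the ARM resource), reports why an account fails, and emits the az commands from the Implementation Plan as a dry run for each failing account. The SAMPLE_ACCOUNTS records are constructed, and the vault and key names passed to remediation_commands() are placeholders the operator supplies.

```python
"""Audit Azure storage accounts for customer-managed key (CMK) encryption.

Added example, not part of the benchmark text. Consumes the JSON that
`az storage account list --output json` (or `show`) prints, so it can run
offline on saved output. SAMPLE_ACCOUNTS below are constructed records;
vault/key names given to remediation_commands() are caller placeholders.
"""
import json
import sys

MSFT_MANAGED = "Microsoft.Storage"   # Microsoft-managed keys (the default)
KEY_VAULT = "Microsoft.Keyvault"     # customer-managed key in Key Vault / Managed HSM


def classify(account):
    """Classify one storage account record as PASS, WARN or FAIL for CMK use."""
    fails, warns = [], []
    enc = account.get("encryption") or {}
    source = enc.get("keySource")
    if source != KEY_VAULT:
        fails.append(f"keySource is {source!r}, expected {KEY_VAULT!r}")
    else:
        kv = enc.get("keyVaultProperties") or {}
        if not kv.get("keyVaultUri"):
            fails.append("keyVaultProperties.keyVaultUri is empty")
        if not kv.get("keyName"):
            fails.append("keyVaultProperties.keyName is empty")
        # An empty keyVersion makes the account follow the latest version of
        # the key (automatic rotation); a pinned version must be rotated by hand.
        if kv.get("keyVersion"):
            warns.append(f"key version pinned to {kv['keyVersion']}; rotation is manual")
        # The account needs an identity holding get/wrapKey/unwrapKey on the key:
        # a system-assigned identity (identity.principalId) or a user-assigned
        # one named in encryption.encryptionIdentity.
        ident = account.get("identity") or {}
        enc_ident = enc.get("encryptionIdentity") or {}
        if not ident.get("principalId") and not enc_ident.get("encryptionUserAssignedIdentity"):
            fails.append("no managed identity available to access the key")
    status = "FAIL" if fails else ("WARN" if warns else "PASS")
    return {"name": account.get("name"), "resourceGroup": account.get("resourceGroup"),
            "status": status, "findings": fails + warns}


def audit(accounts):
    """Classify every account; non-compliant ones are listed first."""
    order = {"FAIL": 0, "WARN": 1, "PASS": 2}
    return sorted((classify(a) for a in accounts), key=lambda r: order[r["status"]])


def remediation_commands(account, vault_name, vault_uri, key_name):
    """Return the az CLI commands that move one account onto a CMK (dry run).

    Assumes a system-assigned identity; the principal id printed by the first
    command must be substituted into the set-policy command. Purge protection
    (with soft delete) must be on before Storage accepts the vault.
    """
    name, rg = account["name"], account["resourceGroup"]
    return [
        f"az storage account update --name {name} --resource-group {rg} --assign-identity",
        f"az keyvault update --name {vault_name} --enable-purge-protection true",
        f"az keyvault set-policy --name {vault_name} --object-id <principalId-from-step-1> "
        f"--key-permissions get wrapKey unwrapKey",
        f"az storage account update --name {name} --resource-group {rg} "
        f"--encryption-key-source {KEY_VAULT} --encryption-key-vault {vault_uri} "
        f"--encryption-key-name {key_name}",
    ]


# Constructed sample records in the shape of `az storage account list` output.
SAMPLE_ACCOUNTS = [
    {"name": "stlogsprod", "resourceGroup": "rg-prod",
     "encryption": {"keySource": MSFT_MANAGED, "keyVaultProperties": None}, "identity": None},
    {"name": "stfinanceprod", "resourceGroup": "rg-prod",
     "encryption": {"keySource": KEY_VAULT,
                    "keyVaultProperties": {"keyVaultUri": "https://kv-finance.vault.azure.net/",
                                           "keyName": "stfinance-cmk", "keyVersion": ""}},
     "identity": {"type": "SystemAssigned",
                  "principalId": "11111111-2222-3333-4444-555555555555"}},
    {"name": "sthrprod", "resourceGroup": "rg-hr",
     "encryption": {"keySource": KEY_VAULT,
                    "keyVaultProperties": {"keyVaultUri": "https://kv-hr.vault.azure.net/",
                                           "keyName": "sthr-cmk", "keyVersion": "0a1b2c3d"}},
     "identity": None},
]


def main(argv):
    # Usage: python cmk_audit.py [saved-az-output.json]; defaults to the sample.
    accounts = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_ACCOUNTS
    by_name = {a["name"]: a for a in accounts}
    results = audit(accounts)
    for r in results:
        print(f"{r['status']:4} {r['resourceGroup']}/{r['name']}")
        for finding in r["findings"]:
            print(f"       - {finding}")
        if r["status"] == "FAIL":
            for cmd in remediation_commands(by_name[r["name"]], "<key-vault-name>",
                                            "<key-vault-uri>", "<key-name>"):
                print(f"       $ {cmd}")
    return 1 if any(r["status"] == "FAIL" for r in results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against output saved with az storage account list --output json > accounts.json; a non-zero exit means at least one account still uses Microsoft-managed keys or has a CMK the account cannot actually unwrap. The WARN status covers the pinned-version case, which is compliant but needs a manual rotation procedure.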

Backout Plan:

Using Azure Portal:

  1. Switch encryption back to Microsoft Managed Keys if necessary.

  2. Remove the resource identity's key permissions (or role assignment) from the Key Vault if they are no longer needed.

Using Azure CLI:

Revert encryption key source:

az storage account update --name <storage-account-name> --resource-group <resource-group-name> --encryption-key-source Microsoft.Storage

References: