1
00:00:00,820 --> 00:00:01,952
It's time to talk about

2
00:00:01,952 --> 00:00:05,400
"Managing Identities, Keys, and Secrets".

3
00:00:05,400 --> 00:00:07,140
In this lesson, we are going to explore

4
00:00:07,140 --> 00:00:08,680
the basics of Key Vault.

5
00:00:08,680 --> 00:00:10,010
In addition, we're going to jump in

6
00:00:10,010 --> 00:00:12,380
and see it live in the portal.

7
00:00:12,380 --> 00:00:15,920
So let's get started by talking about what Key Vault is.

8
00:00:15,920 --> 00:00:19,040
Key Vault is just a place that allows us to securely store

9
00:00:19,040 --> 00:00:23,620
and access tokens, passwords, certificates, and API keys.

10
00:00:23,620 --> 00:00:26,370
It provides us a way that we can centrally store

11
00:00:26,370 --> 00:00:28,310
all of that information.

12
00:00:28,310 --> 00:00:30,440
Now, that centralization is important

13
00:00:30,440 --> 00:00:32,680
because it provides us better management

14
00:00:32,680 --> 00:00:35,380
and better security of the environment.

15
00:00:35,380 --> 00:00:38,260
And, before we move on, let's talk about what a secret is.

16
00:00:38,260 --> 00:00:40,910
A secret's just anything that you want to control access to.

17
00:00:40,910 --> 00:00:43,783
So a password might be a secret, right?

18
00:00:44,630 --> 00:00:47,660
The third thing about Key Vault is it allows us to monitor

19
00:00:47,660 --> 00:00:49,600
access. So we can set up auditing

20
00:00:49,600 --> 00:00:51,950
and we can see exactly who's using keys,

21
00:00:51,950 --> 00:00:55,463
which is very important in controlling our environment.

22
00:00:56,850 --> 00:00:58,680
So now, let's go ahead and talk about

23
00:00:58,680 --> 00:01:00,350
Key Vault with an example.

24
00:01:00,350 --> 00:01:02,990
So let's say we have a database analyst,

25
00:01:02,990 --> 00:01:06,400
and she needs to access a SQL Database.

26
00:01:06,400 --> 00:01:08,370
And it doesn't have to be a SQL Database,

27
00:01:08,370 --> 00:01:11,560
it could be an Azure Blob Storage or something else.

28
00:01:11,560 --> 00:01:13,130
And in our case, in the portal,

29
00:01:13,130 --> 00:01:14,990
I'm actually going to show you a storage account.

30
00:01:14,990 --> 00:01:18,560
But for this case, let's just say it's a SQL Database.

31
00:01:18,560 --> 00:01:19,840
Now to start off with,

32
00:01:19,840 --> 00:01:21,950
she's going to have to be authenticated

33
00:01:21,950 --> 00:01:24,840
through Azure Active Directory via RBAC.

34
00:01:24,840 --> 00:01:28,010
We've talked about RBAC and identity access management,

35
00:01:28,010 --> 00:01:30,740
but that's the first step to her getting access.

36
00:01:30,740 --> 00:01:31,970
Once she's been authenticated,

37
00:01:31,970 --> 00:01:34,910
we need to decrypt the data that's in the database.

38
00:01:34,910 --> 00:01:38,070
To do that, we need a key.

39
00:01:38,070 --> 00:01:42,260
Now, we access Azure Key Vault to decrypt the data,

40
00:01:42,260 --> 00:01:45,590
and we do so using a data encryption key

41
00:01:45,590 --> 00:01:48,080
or this DEK that you see here.

42
00:01:48,080 --> 00:01:50,020
And there are 2 different types of keys.

43
00:01:50,020 --> 00:01:53,310
There's a data encryption key, and that data encryption key

44
00:01:53,310 --> 00:01:55,400
just encrypts or decrypts the data

45
00:01:55,400 --> 00:01:57,430
that we're trying to access.

46
00:01:57,430 --> 00:02:00,080
And then we have a key encryption key.

47
00:02:00,080 --> 00:02:03,210
Now the key encryption key is very special,

48
00:02:03,210 --> 00:02:05,400
and it never leaves the Key Vault.

49
00:02:05,400 --> 00:02:08,950
The key encryption key basically gives us a way

50
00:02:08,950 --> 00:02:13,950
to encrypt or decrypt that data encryption key.

51
00:02:14,150 --> 00:02:17,320
So we have our master key, and, from that, we can make

52
00:02:17,320 --> 00:02:20,890
additional keys that we can use to unlock the data.

53
00:02:20,890 --> 00:02:23,410
The good news is if we ever need to control access

54
00:02:23,410 --> 00:02:26,160
to those data encryption keys, we can just remove

55
00:02:26,160 --> 00:02:28,900
that key encryption key, and without that,

56
00:02:28,900 --> 00:02:31,420
the data encryption keys are rendered useless,

57
00:02:31,420 --> 00:02:33,643
because we can't decrypt the data.

58
00:02:35,220 --> 00:02:39,100
Now, in addition to that, we can have separation of duties.

59
00:02:39,100 --> 00:02:40,920
So we have our database analyst,

60
00:02:40,920 --> 00:02:42,640
and she can access the data.

61
00:02:42,640 --> 00:02:45,320
And let's say that we have our security guy here,

62
00:02:45,320 --> 00:02:47,830
and he can access the Azure Key Vault.

63
00:02:47,830 --> 00:02:50,050
He doesn't have access to the SQL Database,

64
00:02:50,050 --> 00:02:51,790
because he's not authenticated

65
00:02:51,790 --> 00:02:53,880
through Azure Active Directory.

66
00:02:53,880 --> 00:02:56,900
Likewise, our database analyst can't access

67
00:02:56,900 --> 00:03:00,240
the Azure Key Vault; she can only access the database.

68
00:03:00,240 --> 00:03:03,450
So we have some separation there; that's really good.

69
00:03:03,450 --> 00:03:06,460
In addition to that, we can also have an auditor,

70
00:03:06,460 --> 00:03:09,440
and this auditor can use Azure Monitor,

71
00:03:09,440 --> 00:03:13,320
and he can actually audit event logs in Azure Key Vault,

72
00:03:13,320 --> 00:03:17,220
so we can see how those data encryption keys are being used,

73
00:03:17,220 --> 00:03:19,660
and we can see how those key encryption keys

74
00:03:19,660 --> 00:03:23,040
are being used by the security team.

75
00:03:23,040 --> 00:03:25,770
So we have multiple layers of individual people

76
00:03:25,770 --> 00:03:28,660
that only have access to their specific portion.

77
00:03:28,660 --> 00:03:31,200
So that separation gives us defense in depth

78
00:03:31,200 --> 00:03:32,943
and gives us additional security.

79
00:03:34,550 --> 00:03:36,750
All right, so let's go ahead and jump into the portal

80
00:03:36,750 --> 00:03:38,850
and see what this looks like.

81
00:03:38,850 --> 00:03:41,130
So here we are in Key Vault,

82
00:03:41,130 --> 00:03:43,350
and you can see on the left, at a high level,

83
00:03:43,350 --> 00:03:46,670
I have my Keys, I have my Secrets, my Certificates,

84
00:03:46,670 --> 00:03:49,790
and I can create keys or secrets as I want.

85
00:03:49,790 --> 00:03:51,580
So let's just say that I want to go in here

86
00:03:51,580 --> 00:03:55,355
and generate a key. And we'll call this

87
00:03:55,355 --> 00:03:57,370
dp203sample.

88
00:03:57,370 --> 00:03:59,570
And I can set all kinds of different features here,

89
00:03:59,570 --> 00:04:03,300
but for now, let's just go ahead and create a sample key.

90
00:04:03,300 --> 00:04:07,910
So that quick, I have created a dp203sample key.

91
00:04:07,910 --> 00:04:11,490
Now, that key is being stored in my Key Vault.

92
00:04:11,490 --> 00:04:14,380
Now let's say that I jump over to my storage account,

93
00:04:14,380 --> 00:04:17,140
and I go down to my Encryption setting.

94
00:04:17,140 --> 00:04:20,300
You can see here that I can choose to either use

95
00:04:20,300 --> 00:04:24,510
Microsoft-managed keys or I can use customer-managed keys.

96
00:04:24,510 --> 00:04:26,570
Those are the keys that I'm creating.

97
00:04:26,570 --> 00:04:28,310
And so let's say that I want to do that,

98
00:04:28,310 --> 00:04:31,820
and I want to select a key from the Key Vault that I had.

99
00:04:31,820 --> 00:04:35,723
So I can click on that. I can choose my Key Vault.

100
00:04:37,830 --> 00:04:42,230
And now you can see, here is the key that we just created.

101
00:04:42,230 --> 00:04:46,380
So with that, I can click on that, and now I have enabled

102
00:04:46,380 --> 00:04:49,720
or I can enable a Key Vault key that I've created

103
00:04:49,720 --> 00:04:52,823
rather than using the standard Microsoft-managed keys.

104
00:04:53,970 --> 00:04:56,790
Now with that, let's go ahead and wrap up our lesson

105
00:04:56,790 --> 00:04:58,350
with a few key points.

106
00:04:58,350 --> 00:05:01,950
First, use the Key Vault. Don't hardcode passwords.

107
00:05:01,950 --> 00:05:03,600
I've said this a couple of times.

108
00:05:03,600 --> 00:05:07,380
The Key Vault is a fantastic way to store the information

109
00:05:07,380 --> 00:05:10,050
of keys and certificates that we need.

110
00:05:10,050 --> 00:05:13,050
It's also really helpful as your environment grows.

111
00:05:13,050 --> 00:05:15,300
If you have just 1 SQL Database, yeah,

112
00:05:15,300 --> 00:05:17,410
you can probably get away with just managing

113
00:05:17,410 --> 00:05:19,270
through that SQL Database.

114
00:05:19,270 --> 00:05:23,270
As it grows into a series of resources,

115
00:05:23,270 --> 00:05:24,750
you're going to need to use something more,

116
00:05:24,750 --> 00:05:26,640
and Key Vault's really helpful here,

117
00:05:26,640 --> 00:05:30,220
because you can create that separation between security

118
00:05:30,220 --> 00:05:33,090
and the people that are trying to access your data,

119
00:05:33,090 --> 00:05:36,720
and even your data engineers. So very, very helpful.

120
00:05:36,720 --> 00:05:39,400
In addition to that, hey, don't forget to set up auditing.

121
00:05:39,400 --> 00:05:42,260
You should be periodically auditing your environment

122
00:05:42,260 --> 00:05:44,110
to help keep your environment secure.

123
00:05:44,110 --> 00:05:45,850
And so with that, we're actually ready

124
00:05:45,850 --> 00:05:47,230
to wrap up this lesson.

125
00:05:47,230 --> 00:05:49,000
Don't forget what Key Vault is.

126
00:05:49,000 --> 00:05:51,220
Don't forget that it's a central place that stores

127
00:05:51,220 --> 00:05:54,060
our keys, and secrets, and certificates.

128
00:05:54,060 --> 00:05:56,340
With that, that's the end of this lesson.

129
00:05:56,340 --> 00:05:57,540
I'll see you in the next.