Integration of Customer-Managed Keys with Azure Key Vault

Scope

This Confluence page provides detailed use cases and configurations for integrating customer-managed keys within an Independent Software Vendor (ISV) Azure environment. The keys will be managed through Azure Key Vault and integrated with the customer's Thales CipherTrust Cloud Key Manager (CCKM) platform.

Audience

This documentation is intended for cloud architects, security administrators, software engineers, IT managers, and compliance officers.

Use Cases

Use Case 1: Customer Key in ISV Azure Key Vault

Objective:
Integrate a customer-managed key, hosted in an Azure Key Vault in the customer's tenant that is set up for this integration and whose keys the ISV's application is allowed to administer, with the ISV's Azure environment. The integration will support Thales CCKM.

Steps:

  1. Service Provider Configuration:

    • Create a multitenant Microsoft Entra application in the ISV's tenant.

    • Create and configure a user-assigned managed identity.

    • Configure the managed identity as a federated identity credential on the multitenant application.

    • Share the application (client) ID with the customer. The customer assigns roles to the service principal that installing the application creates in their tenant, not to the managed identity, which stays in the ISV's tenant.

  2. Customer Configuration:

    • Install the ISV's multitenant application in the customer tenant (this creates a service principal for it there).

    • Create an Azure Key Vault using the Azure RBAC permission model (the roles below are RBAC data-plane roles) and add a key (the customer-managed key).

    • Assign the Key Vault Crypto Officer and Key Vault Crypto Service Encryption User roles to the ISV's application. Key Vault Crypto Officer lets the ISV's application create, rotate and delete keys in the vault; if the ISV only needs wrap and unwrap at runtime, grant Key Vault Crypto Service Encryption User alone, as in Use Case 2.

    • Share the Key Vault URI and the key identifier (the key URI including its version) with the ISV.

  3. Integration:

    • ISV configures its services to use the customer-managed key for wrapping and unwrapping the data encryption keys that protect its data. The customer key itself never leaves the vault; only the wrap and unwrap results do.

    • Validate the integration with Thales CCKM to ensure compatibility and key management operations.

Advantages:

  • Control: Customer maintains control over their encryption keys.

  • Security: The keys are not exposed to the ISV, enhancing security.

  • Compliance: Meets regulatory requirements for key management.

Disadvantages:

  • Complexity: Initial setup and configuration can be complex.

  • Dependency: Requires customer cooperation and timely sharing of key information.

  • Management: Ongoing management of the key vault and keys can be resource-intensive.

Use Case 2: Customer Key in Customer Azure Key Vault

Objective:
Host customer-managed keys in the customer's Azure Key Vault with the Thales CCKM platform and allow the ISV to access these keys for encryption purposes.

Steps:

  1. Customer Configuration:

    • Create a new or use an existing Azure Key Vault in the customer tenant.

    • Add the customer-managed key to the Key Vault.

    • Assign the roles the customer's key administrator needs: Key Vault Contributor (control plane: vault configuration) and Key Vault Crypto Officer (data plane: key lifecycle, such as creation, rotation and deletion).

  2. Service Provider Configuration:

    • Create a multitenant Microsoft Entra application in the ISV's tenant.

    • Create a user-assigned managed identity and configure it as a federated identity credential on the multitenant application.

    • Share the application (client) ID with the customer; the managed identity stays in the ISV's tenant and needs no permissions in the customer's tenant.

  3. Customer Authorization:

    • Install the ISV’s application in the customer’s tenant.

    • Grant the ISV's application access to the Key Vault by assigning the Key Vault Crypto Service Encryption User role (wrap and unwrap only, no key management).

    • Provide the Key Vault URI and the key identifier (including its version) to the ISV.

  4. Integration:

    • ISV configures its services to wrap and unwrap their data encryption keys with the customer-managed key, referencing it by its versioned key identifier so that a rotation by the customer does not silently change which key protects existing data.

    • Validate the setup with Thales CCKM for proper key lifecycle management.
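The ISV-side, customer-side and validation steps of Use Case 1 and Use Case 2 as one Azure CLI script. This is an added example, not a script from this page or from Unique AG: the resource names, the variable names, the 3072-bit RSA key, the role assignment scoped to the single key rather than the whole vault, and the use of the Key Vault REST `wrapkey`/`unwrapkey` operations for the check are all assumptions. It assumes Azure CLI 2.44 or later (for `az login --federated-token`) and, for the verification stage, that it runs on an Azure workload with the user-assigned managed identity attached. The check deliberately calls wrap/unwrap rather than `az keyvault key encrypt`, because Key Vault Crypto Service Encryption User grants wrap and unwrap, not encrypt and decrypt.

```shell
#!/bin/sh
# Added example (not from the page or from Unique AG). Run one stage at a time:
#   ./cmk.sh isv        (in the ISV tenant)      needs ISV_TENANT_ID ISV_RG MI_NAME APP_NAME
#   ./cmk.sh customer   (in the customer tenant) needs APP_ID CUSTOMER_RG LOCATION VAULT_NAME KEY_NAME
#   ./cmk.sh verify     (on the ISV workload)    needs MI_CLIENT_ID APP_ID CUSTOMER_TENANT_ID KEY_ID
# All names and values are assumptions for illustration.
set -eu

# Base64url without padding: the encoding Key Vault's REST API uses for key material.
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }

# Federated identity credential that lets the managed identity obtain tokens as the
# multitenant application. $1 = credential name, $2 = ISV tenant ID (token issuer),
# $3 = managed identity principal (object) ID (token subject).
fic_params() {
  printf '{"name":"%s","issuer":"https://login.microsoftonline.com/%s/v2.0","subject":"%s","audiences":["api://AzureADTokenExchange"]}\n' \
    "$1" "$2" "$3"
}

# --- ISV tenant: multitenant app, user-assigned managed identity, FIC ------------------
isv_setup() {
  APP_ID="$(az ad app create --display-name "$APP_NAME" \
              --sign-in-audience AzureADMultipleOrgs --query appId -o tsv)"
  MI_PRINCIPAL_ID="$(az identity create -g "$ISV_RG" -n "$MI_NAME" --query principalId -o tsv)"
  fic_params "cmk-runtime-identity" "$ISV_TENANT_ID" "$MI_PRINCIPAL_ID" > fic.json
  az ad app federated-credential create --id "$APP_ID" --parameters fic.json >/dev/null
  echo "Share with the customer: application (client) ID = $APP_ID"
}

# --- Customer tenant: install the app, create vault and key, grant wrap/unwrap only ------
customer_setup() {
  # Installing the multitenant app creates its service principal in this tenant.
  az ad sp show --id "$APP_ID" >/dev/null 2>&1 || az ad sp create --id "$APP_ID" >/dev/null
  SP_OBJECT_ID="$(az ad sp show --id "$APP_ID" --query id -o tsv)"
  # RBAC permission model is required for the data-plane roles used below; purge
  # protection keeps a deleted key recoverable, so ISV data is not lost by mistake.
  VAULT_ID="$(az keyvault create -g "$CUSTOMER_RG" -n "$VAULT_NAME" -l "$LOCATION" \
                --enable-rbac-authorization true --enable-purge-protection true \
                --query id -o tsv)"
  az keyvault key create --vault-name "$VAULT_NAME" -n "$KEY_NAME" \
    --kty RSA --size 3072 --ops wrapKey unwrapKey >/dev/null
  # Least privilege: wrap/unwrap only, scoped to this one key rather than the whole vault.
  az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" \
    --scope "$VAULT_ID/keys/$KEY_NAME" >/dev/null
  KEY_ID="$(az keyvault key show --vault-name "$VAULT_NAME" -n "$KEY_NAME" --query key.kid -o tsv)"
  echo "Share with the ISV: versioned key identifier = $KEY_ID"
}

# --- ISV workload: MI token -> app token in the customer tenant -> wrap/unwrap check -----
isv_verify_wrap() {
  az login --identity --username "$MI_CLIENT_ID" >/dev/null
  ASSERTION="$(az account get-access-token --resource api://AzureADTokenExchange \
                 --query accessToken -o tsv)"
  # The app has no subscription in the customer tenant, only data-plane access to the key.
  az login --service-principal -u "$APP_ID" --federated-token "$ASSERTION" \
    --tenant "$CUSTOMER_TENANT_ID" --allow-no-subscriptions >/dev/null
  DEK="$(openssl rand 32 | b64url)"   # throw-away data encryption key for the check
  WRAPPED="$(az rest --method post --resource https://vault.azure.net \
               --url "$KEY_ID/wrapkey?api-version=7.4" \
               --body "{\"alg\":\"RSA-OAEP-256\",\"value\":\"$DEK\"}" --query value -o tsv)"
  UNWRAPPED="$(az rest --method post --resource https://vault.azure.net \
                 --url "$KEY_ID/unwrapkey?api-version=7.4" \
                 --body "{\"alg\":\"RSA-OAEP-256\",\"value\":\"$WRAPPED\"}" --query value -o tsv)"
  if [ "$UNWRAPPED" = "$DEK" ]; then
    echo "wrap/unwrap round trip OK with $KEY_ID"
  else
    echo "unwrap result does not match: check role assignment and key operations" >&2
    return 1
  fi
}

case "${1:-}" in
  isv) isv_setup ;;
  customer) customer_setup ;;
  verify) isv_verify_wrap ;;
esac
```

In production the ISV stores the `kid` returned by `wrapkey` next to the wrapped data encryption key; it carries the key version, so a later `unwrapkey` targets exactly the version that wrapped it even after the customer rotates the key. If the customer removes the role assignment, the `unwrapkey` call fails with 403 and the ISV's service must fail closed rather than fall back to a cached key.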

Advantages:

  • Security: Customer's keys remain in their own tenant, enhancing security.

  • Control: Customer has full control over key management and policies.

  • Integration: Simplifies compliance with internal security policies and external regulations.

Disadvantages:

  • Access Management: Requires precise configuration of roles and permissions.

  • Dependency: ISV depends on customer to maintain and manage the key vault.

  • Complexity: Both parties need to coordinate closely, which can increase complexity.


This document outlines the comprehensive steps for configuring and integrating customer-managed keys within an ISV's Azure environment, ensuring security and compliance with Thales CCKM.


Author

@Serghei Goineanu

© 2024 Unique AG. All rights reserved.