Fortanix Key Insight for Azure Concepts

1.0 Introduction

1.1 Purpose

The purpose of this article is to describe the Fortanix Key Insight concepts for Azure. Fortanix Key Insight enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.

1.2 Intended Audience

This article is intended for the technical stakeholders of Fortanix Key Insight: the Chief Information Security Officer (CISO), who uses this feature to see compliance information or deficiencies at a high level and is interested in trends and drift, and the Security Engineer, who uses this feature to find and fix issues with the implementation and management of cryptographic data protection.

2.0 Terminology References

2.1 Azure Terminology

CONCEPT

DESCRIPTION

Azure Management Groups

These are collections of subscriptions that allow organizations to apply governance controls, policies, and compliance across multiple subscriptions. They provide a way to manage access, policies, and compliance at scale. The subscriptions in a management group can be arranged in a hierarchical tree-like structure with the “root” at the top and the “management groups” and “subscriptions” nested under the “root”. Fortanix Key Insight scans an Azure management group as well as all of its subscriptions.

Azure Subscriptions

An Azure subscription is an agreement that allows specific users to access resources. The users associated with a subscription, along with their permissions, are defined in Azure Active Directory (AD). Fortanix Key Insight scans all the regions within an Azure subscription in an Azure management group.

Azure Scan

The act of making a connection with the Azure cloud service provider (CSP) and obtaining information about keys and services of interest for Fortanix Key Insight.

Azure Tenant

An Azure AD tenant corresponds to a single instance of the directory service. It represents the Identity and Access Management (IAM) environment that an organization or a single entity uses to manage user identities, authentication, and access to Azure resources and applications. Fortanix Key Insight uses the Tenant ID to onboard the management groups and subscriptions.

For more details, refer to Azure Tenant.

Azure Role

Azure IAM roles are entities you create and assign specific permissions to; they allow trusted identities, such as workforce identities and applications, to perform actions in Azure. Fortanix Key Insight requires the Azure IAM identity it scans with to hold the necessary permissions on the Azure management groups and subscriptions.

For more details, refer to User Guide: Azure Configuration for Scanning Using Built-In Roles.

Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory, or Azure AD) is the identity and access management service provided by Azure. Each Azure AD tenant is a separate instance of Azure AD dedicated to a single organization. For Fortanix Key Insight, Azure AD manages the identities, authentication, and access to Azure resources and other Microsoft services.

Service Principal

When an application is registered in Azure AD, a service principal is automatically created to represent it. Service principals are security principals in Azure AD that represent an application or service, and they can be assigned roles and permissions in the same way as user accounts. For Fortanix Key Insight, the service principal is granted access to Azure resources by assigning it roles using Azure role-based access control (RBAC).

Azure RBAC

Users and groups managed within an Azure AD tenant can be granted access to resources and management capabilities within the Azure environment using RBAC.
For Fortanix Key Insight, specific roles, such as Reader, Key Vault Administrator, and so on, are assigned to users and service principals at a given scope. Once a role is assigned to an entity at a scope, it is inherited by all the child entities of that scope.
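The inheritance rule above (a role assigned at a management group or subscription flows down to every child scope, but never upward) is easy to get wrong when deciding where to assign the scanning identity's role. The following Python is an added example, not Fortanix or Microsoft code: it models a constructed management-group / subscription / resource-group / key-vault hierarchy with a parent map, resolves a principal's effective roles at any scope by walking up that chain, and reports which subscriptions a scanner principal cannot read. The scope labels, principal names, and role assignments are all constructed for illustration and are not real Azure resource IDs.

```python
"""Resolve effective Azure RBAC roles by walking the scope hierarchy.

Added example, not Fortanix's or Microsoft's code. The hierarchy, principals
and role assignments below are constructed for illustration only.
"""
from __future__ import annotations

# Constructed scope hierarchy: child scope -> parent scope (None for the root).
# Labels are illustrative strings, not real Azure resource IDs.
PARENT: dict[str, str | None] = {
    "mg:root": None,
    "mg:platform": "mg:root",
    "mg:sandbox": "mg:root",
    "sub:prod-01": "mg:platform",
    "sub:dev-01": "mg:sandbox",
    "rg:prod-01/vaults": "sub:prod-01",
    "rg:dev-01/vaults": "sub:dev-01",
    "kv:prod-01/vaults/kv-payments": "rg:prod-01/vaults",
    "kv:dev-01/vaults/kv-dev": "rg:dev-01/vaults",
}

# Constructed role assignments: (principal, role name, scope where assigned).
ASSIGNMENTS: list[tuple[str, str, str]] = [
    ("spn-keyinsight-scanner", "Reader", "mg:platform"),          # scanner SPN (hypothetical)
    ("user-alice", "Key Vault Administrator", "rg:prod-01/vaults"),
    ("user-bob", "Reader", "sub:dev-01"),
]


def scope_chain(scope: str) -> list[str]:
    """Return `scope` followed by each of its ancestors up to the root."""
    chain: list[str] = []
    current: str | None = scope
    while current is not None:
        chain.append(current)
        current = PARENT[current]  # KeyError for an unknown scope is deliberate
    return chain


def effective_roles(principal: str, scope: str,
                    assignments: list[tuple[str, str, str]] = ASSIGNMENTS) -> set[str]:
    """Roles `principal` holds at `scope`: direct assignments plus those
    inherited from every ancestor scope. Assignments on descendants do not count."""
    ancestors = set(scope_chain(scope))
    return {role for p, role, s in assignments if p == principal and s in ancestors}


def scopes_readable_by(principal: str,
                       assignments: list[tuple[str, str, str]] = ASSIGNMENTS) -> list[str]:
    """Every known scope where `principal` holds Reader, directly or inherited."""
    return sorted(s for s in PARENT if "Reader" in effective_roles(principal, s, assignments))


def unreadable_subscriptions(principal: str,
                             assignments: list[tuple[str, str, str]] = ASSIGNMENTS) -> list[str]:
    """Subscriptions a scanning principal would silently miss because no Reader
    role reaches them: assigned neither on the subscription nor on an ancestor."""
    subs = [s for s in PARENT if s.startswith("sub:")]
    return sorted(s for s in subs if "Reader" not in effective_roles(principal, s, assignments))


if __name__ == "__main__":
    for scope in ("mg:root", "sub:prod-01", "kv:prod-01/vaults/kv-payments", "sub:dev-01"):
        print(f"{scope:32} -> {sorted(effective_roles('spn-keyinsight-scanner', scope))}")
    print("subscriptions the scanner cannot read:", unreadable_subscriptions("spn-keyinsight-scanner"))
```

Running it shows the scanner principal reading `sub:prod-01` and everything beneath it through its assignment on `mg:platform`, while `sub:dev-01` under the sibling management group is not covered; assigning Reader at `mg:root` instead would cover both, which is the practical reason to onboard at the management-group level when a whole tenant should be scanned.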

Azure Keys

Azure keys are the primary resource in Azure KMS: logical representations of cryptographic keys, each carrying a unique key identifier (key ID). Fortanix Key Insight scans all the Azure subscriptions within an Azure management group and identifies the key compliance status across multiple Azure cloud regions.

Azure Services

Azure Services allows users to set up their IT infrastructure online. The most popular Azure services include Storage Accounts, Azure Structured Query Language (SQL), Managed Disks, and so on.

NOTE

For now, Fortanix Key Insight scans only the Azure Storage Accounts, Managed Disks, SQL Database, Azure Kubernetes Service (AKS), Azure Container Instances (ACI), Azure Blob Storage (ABS), and Cosmos DB services.

Azure Resource Groups

Azure Resource Groups are the logical containers that group related resources together. They can include resources from multiple services and are used for management, billing, and access control. They are the child hierarchy under the individual Azure subscriptions. Fortanix Key Insight scans all the Azure resource groups within an Azure subscription and identifies the key compliance status across multiple Azure cloud regions.

Azure Resources

Azure Resources are the individual instances of Azure services that are deployed within an Azure resource group. Fortanix Key Insight scans all the Azure resources within an Azure resource group and identifies the key compliance status across multiple Azure cloud regions. In the context of Fortanix Key Insight, there are four services:

  • Azure Key Vault: Azure Key Vault is a cloud service provided by Azure, designed to securely store cryptographic keys, secrets, and certificates used by cloud applications and services. Fortanix Key Insight scans all the Azure subscriptions within an Azure management group and identifies the key compliance status across multiple Azure cloud regions.

  • Azure Storage Accounts: An Azure storage account serves as a centralized location for all the Azure Storage objects, including blobs, files, queues, and tables. It offers a distinctive namespace for the Azure Storage data, which can be accessed from anywhere in the world through HTTP or HTTPS. The data stored in a storage account is highly secure, durable, and available, as well as massively scalable.

  • Azure SQL Database Managed Instance: Azure SQL Database Managed Instance is a fully managed platform-as-a-service (PaaS) offering from Microsoft Azure that provides a scalable and highly available database service. Managed Instance offers compatibility with on-premises SQL Server.

  • Azure Managed Disks: Azure Managed Disk is a virtual hard disk (VHD) that is managed by Azure. It is a storage abstraction that simplifies the management and scaling of virtual machines (VMs) in Azure.

3.0 Fortanix Key Insight Features - Azure

The Fortanix Key Insight for Azure has the following features:

  • It allows two types of cloud connections: Subscription and Management Group.

    • Connecting to the Management Group requires the Azure Client ID, Client Secret, Tenant ID, and Management Group ID.

    • Connecting to a Subscription requires the Azure Client ID, Client Secret, Tenant ID, and Subscription ID.

  • Generates reports on Azure non-compliant keys and services. For each region, the report shows:

    • Corresponding keys

    • Risk score

    • Top security issues

    • Violations for each service

  • Provides a dashboard view of cryptographic key compliance status across multiple Azure cloud regions. The dashboard shows information such as:

    • Cloud Discovery Accounts

    • Assessment

    • Top Subscriptions That Need Attention

    • Top Subscriptions by Key Count and Status

    • Protected Services

    • Keys by Type, Service Tier, and Status

  • Allows users to download a report of the Azure keys’ primary parameters.

  • For every Azure key in a region,

    • Provides a tabular view that shows the key name, version, type, state, expiry date, created date, rotation date, key vault, and region.

    • Provides a map of the key compliance statuses.

    • Detects non-compliant keys based on the applied policy and issues vulnerability alerts according to NIST standards.

    • Provides essential information such as key properties, key owner(s), rotation, service mapping, and related violations.

  • For every Azure service for a region,

    • Displays a comprehensive overview that allows you to filter services by type, violations, subscriptions, and region. You can click on each service to view a detailed list of associated vulnerabilities, if applicable.

    • Provides a tabular view that shows the service name, service type, region, encryption status, Azure account ID, and so on.

    • Provides detailed insights into service configurations and any violations associated with each service, helping you to understand potential issues and compliance gaps.

  • Allows users to export all scanned key and service data in comma-separated values (CSV) format and provides the ability to track export activities.

  • Allows users to optionally select pre-configured Fortanix DSM (SaaS) app credentials for keys correlation when onboarding an Azure cloud connection. This enables Fortanix Key Insight to determine if the scanned keys originate from Fortanix DSM (SaaS) after the scan is initiated.

  • Enables users to automatically retrieve the crypto policies configured in Fortanix DSM and apply them to scans and assessments, ensuring that Fortanix Key Insight remains aligned with any updates in Fortanix DSM.

  • Provides an assessment report that identifies vulnerabilities by providing a snapshot of your data security posture and risk score, highlighting areas of strength, and pinpointing opportunities for improvement.

  • You can add a new Azure cloud connection to Fortanix Key Insight.
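The per-key tabular view (key name, version, type, state, expiry date, created date, rotation date, key vault, region) and the policy-based non-compliance detection and per-region violation report described above can be illustrated with a small evaluator. The following Python is an added example and not Fortanix code: it defines key records with exactly those fields (plus a constructed `key_size` field), applies an assumed policy (the thresholds are illustrative, not Fortanix's or any NIST-derived policy, except that the RSA minimum of 2048 bits follows NIST SP 800-131A), and produces a per-region summary with the non-compliant keys, violation counts and top issues. The sample keys and the fixed `TODAY` date are constructed so the output is deterministic.

```python
"""Evaluate scanned Azure key metadata against a key lifecycle policy.

Added example, not Fortanix code. The policy thresholds, key records and
scan date are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class KeyRecord:
    """One row of the per-key table: the fields listed on the page plus key_size."""
    name: str
    version: str
    key_type: str                 # e.g. "RSA" or "EC"
    key_size: int                 # bits (constructed field, not in the page's table)
    state: str                    # "enabled" or "disabled"
    expiry_date: date | None      # None when the key has no expiry set
    created_date: date
    rotation_date: date | None    # most recent rotation, None if never rotated
    key_vault: str
    region: str


# Assumed policy (illustrative thresholds, not Fortanix's policy).
POLICY = {
    "max_key_age_days": 365,      # a key version older than a year is overdue for rotation
    "expiry_warning_days": 30,    # warn when expiry is within 30 days
    "min_rsa_bits": 2048,         # NIST SP 800-131A: RSA below 2048 bits is disallowed
}

# Fixed scan date so results are reproducible.
TODAY = date(2024, 6, 1)

# Constructed sample inventory (not real keys or vaults).
SAMPLE_KEYS = [
    KeyRecord("payments-signing", "v3", "RSA", 3072, "enabled", date(2025, 1, 1),
              date(2024, 1, 15), date(2024, 3, 1), "kv-payments", "eastus"),
    KeyRecord("legacy-tde", "v1", "RSA", 1024, "enabled", None,
              date(2021, 5, 1), None, "kv-payments", "eastus"),
    KeyRecord("blob-cmk", "v2", "RSA", 2048, "enabled", date(2024, 6, 20),
              date(2023, 9, 1), date(2023, 9, 1), "kv-storage", "eastus"),
    KeyRecord("old-disk-key", "v1", "EC", 256, "disabled", date(2024, 1, 1),
              date(2022, 1, 1), None, "kv-disks", "westeurope"),
]


def evaluate_key(key: KeyRecord, today: date, policy: dict = POLICY) -> list[str]:
    """Return the list of policy violations for one key (empty when compliant)."""
    issues: list[str] = []
    if key.state != "enabled":
        issues.append("KEY_DISABLED")
    if key.key_type == "RSA" and key.key_size < policy["min_rsa_bits"]:
        issues.append("WEAK_RSA_KEY_SIZE")
    if key.expiry_date is None:
        issues.append("NO_EXPIRY_SET")
    elif key.expiry_date <= today:
        issues.append("KEY_EXPIRED")
    elif key.expiry_date - today <= timedelta(days=policy["expiry_warning_days"]):
        issues.append("EXPIRING_SOON")
    # Age is measured from the last rotation, or from creation if never rotated.
    last_rotated = key.rotation_date or key.created_date
    if today - last_rotated > timedelta(days=policy["max_key_age_days"]):
        issues.append("ROTATION_OVERDUE")
    return issues


def assess_region(keys: list[KeyRecord], region: str, today: date,
                  policy: dict = POLICY) -> dict:
    """Per-region report: keys scanned, non-compliant keys, their violations,
    violation counts and the top issues by frequency."""
    violations: dict[str, list[str]] = {}
    counts: Counter[str] = Counter()
    scanned = 0
    for key in keys:
        if key.region != region:
            continue
        scanned += 1
        issues = evaluate_key(key, today, policy)
        if issues:
            violations[f"{key.key_vault}/{key.name}/{key.version}"] = issues
            counts.update(issues)
    return {
        "region": region,
        "scanned": scanned,
        "non_compliant": len(violations),
        "issue_counts": dict(counts),
        "top_issues": [issue for issue, _ in counts.most_common(3)],
        "violations": violations,
    }


if __name__ == "__main__":
    for region in sorted({k.region for k in SAMPLE_KEYS}):
        report = assess_region(SAMPLE_KEYS, region, TODAY)
        print(f"{region}: {report['non_compliant']}/{report['scanned']} non-compliant, "
              f"top issues {report['top_issues']}")
        for key_id, issues in report["violations"].items():
            print(f"  {key_id}: {', '.join(issues)}")
```

In the sample inventory, `payments-signing` is clean, `blob-cmk` is flagged only because its expiry is 19 days away, and the two legacy keys accumulate several violations each; the report dictionary mirrors the per-region fields the page lists (corresponding keys, top security issues, violations), and a real deployment would feed it the rows exported from the scan rather than the constructed list.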