Users can access the Azure connection Overview page after adding an Azure cloud account. The Overview page summarizes the Azure keys and services for a CSP organization based on the applied Key Insight policy.
You can click any numerical value on the Overview page to view the list of corresponding Azure keys and services.
If you added an external key source during the Azure cloud connection onboarding, the Overview page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.
The Overview page helps users get a summary of the Azure keys and services, as described in the following sections:
3.1 Cloud Discovery Accounts
This section summarizes the count of all the parameters for an Azure Management group. It shows the count of:
Total number of Azure subscriptions within the Azure management group
Total number of resource groups under all the Azure subscriptions
Total number of regions in the resource groups
Total number of keys in all the Azure cloud regions
Total number of services in all the Azure cloud regions
Figure 2: Cloud Discovery Accounts
NOTE
The total number of keys displayed in the Cloud Discovery Accounts section counts only the “Current” key version of each key in the Azure Key Vault.
Clicking the Keys and Services labels in the Cloud Discovery Accounts section takes you to their list view.
3.2 Assessment Report
This section allows the user to view the Azure keys and services Assessment Report on the Assessment page. The report allows you to assess your key’s security posture to ensure the safety of your data.
Figure 3: Assessment
Click ASSESSMENT REPORT to go to the Assessment page.
3.3 Top Subscriptions that Need Attention
This section gives you a quick overview of the Azure services map, which shows the top accounts whose services are vulnerable because they either use shared keys or are not encrypted.
Click the services map to go to the detailed view of the services map page.
Figure 4: Top Subscriptions that Need Attention
3.4 Top Subscriptions by Keys and Status
This section lists, in descending order, the top five subscriptions with the greatest number of keys since the last key scan operation. The count for each subscription includes both enabled and disabled keys.
Blue color indicators denote enabled keys, while orange color indicators denote disabled keys in each subscription.
Figure 5: Subscriptions with Top Keys
Click the Subscription ID to go to the list view of the subscription that shows all the keys in that subscription.
3.5 Protected Services
This section presents a summary of the comparison between the number of Microsoft managed keys, Customer managed keys, and Unencrypted services for Azure services.
Figure 6: Protected Services
The purple color cell indicates Microsoft managed keys.
The blue color cell indicates Customer managed keys.
The teal blue color cell indicates Unencrypted services.
Clicking each service takes you to the respective list view.
3.6 Keys by Type
This section provides a count of the key specifications in the Azure cloud subscriptions. For the Azure CSP, it shows the total number of RSA and EC keys that are present in all the Azure cloud subscriptions based on the applied policy.
Figure 7: Key Types
You can click each key type to access its corresponding list view.
3.7 Key Vaults by Service Tier
This section provides a summary of the number of key vaults in the Azure Premium Key Vault and Azure Standard Key Vault service tiers.
Figure 8: Key Vaults by Service Tier
3.8 Key by Status
This section summarizes the Azure keys by the following key status:
Enabled: The count of Azure keys that are enabled and are shared by multiple Azure services.
Disabled rotation: The count of Azure keys for which the rotation is disabled.
Not activated: The count of Azure keys that are not activated.
Figure 9: Key by Status
4.0 Azure Connection - Assessments
Users can access the Fortanix Key Insight Assessment menu after adding an Azure cloud subscription or management group.
The Assessment page shows:
The key security posture details for the Azure cloud subscriptions.
Violations that must be remediated to improve the security status.
Remediation advice to improve the security status.
Figure 10: Azure Assessment Report
NOTE
You can click any numerical value on the Assessment page to view the list of corresponding Azure keys and services.
If you added an external key source during the Azure cloud connection onboarding, the Assessment page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.
These are described in detail in the following sections:
4.1 Risk Score
This section provides the overall risk score of the Azure keys and services. There are three types of risks:
High – A high score signifies the total number of shared keys, overly permissive (usage) keys, keys with rotation disabled, keys without expiry, and non-compliant keys in use.
Critical – A critical risk score indicates the total number of unencrypted cloud services detected that need attention.
Medium – A medium risk score indicates the total number of CSP-generated, service encrypted with soft deleted keys, and overly permissive (management) keys in use.
Figure 11: Risk Score
In the above example, the overall risk score is Critical. The priority of the overall risk score is based on the count of risks in the following order:
Critical
High
Medium
4.2 Service Violations
For an Azure CSP, this section provides insights into service violations across your Azure cloud environment.
You can view the total number of cloud accounts and their associated services, along with specific violations tied to each service. These violations may result from the use of shared, deleted, or soon-to-be-deleted keys, excessive permissions, non-compliant configurations, or unencrypted keys. This data will help you identify which services are at risk, enabling you to implement unique, compliant, and encrypted keys for enhanced security.
In addition:
You can view the risk level for each service; risk levels are color-coded for easy identification.
Select VIEW ALL to navigate to the Services page and explore the individual key violations for each service.
Figure 12: Service Violations
You can click any service to view a detailed list of the top 10 key violations associated with it, sorted by severity. Click each violation type to navigate to the corresponding list view.
Click BACK to navigate to the service violations card view.
Figure 13: Service Violations List View
4.3 Top Security Issues
This section provides the following information about the keys:
Shared Keys: This section shows the total number of keys in the Azure cloud subscription shared by two or more services for encrypting the services. This information will help you determine which keys are at risk so that you can use unique encryption keys for better security.
Cryptographic Policy: This section shows the total number of keys in the Azure cloud subscription that violate the cryptographic policy set for a Fortanix Key Insight account. This information will help you determine which keys are non-compliant with the Key Insight account cryptographic policy so that you can generate new keys to encrypt the Azure services.
Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:
AES: Any key size less than 192 bits.
3DES: Keys with size 112 bits and 168 bits.
DES: Keys with size 56 bits.
RSA: Keys with size less than 2048 bits.
DSA: Keys with size less than 2048 bits.
ECC: Keys with size less than 224 bits.
The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.
Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
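The algorithm and key-size rules listed above can be expressed as a small classifier. The following is an added example, not Fortanix code, that applies those rules to constructed key records and also flags the asymmetric algorithms the guide calls quantum-vulnerable; the key names, the `normalise_algorithm` helper and the "-HSM" suffix handling are assumptions made for the example.

```python
"""Added example (not Fortanix Key Insight code): classify key records against the
algorithm/key-size combinations the guide lists from NIST SP 800-57, and flag
quantum-vulnerable asymmetric keys. All key records are constructed sample data."""
from dataclasses import dataclass

# Minimum acceptable key size per algorithm, as listed in the guide.
# Sizes strictly below these are reported as non-compliant.
MIN_KEY_BITS = {
    "AES": 192,
    "RSA": 2048,
    "DSA": 2048,
    "EC": 224,   # the guide writes "ECC"; Azure Key Vault reports EC / EC-HSM
}
# Algorithms the guide flags at specific sizes (3DES at 112 and 168 bits, DES at 56 bits).
FLAGGED_EXACT = {
    "3DES": {112, 168},
    "DES": {56},
}
# Asymmetric algorithms the guide calls quantum-vulnerable ("RSA, EC, and so on");
# DSA is included here as an assumption, being asymmetric as well.
QUANTUM_VULNERABLE = {"RSA", "EC", "DSA"}


@dataclass(frozen=True)
class KeyRecord:
    name: str
    algorithm: str   # Key Vault style key type, e.g. "RSA", "RSA-HSM", "EC", "AES"
    size_bits: int


def normalise_algorithm(key_type: str) -> str:
    """Map a Key Vault key type such as 'RSA-HSM' or 'EC-HSM' to its base algorithm (assumption)."""
    return key_type.upper().split("-")[0]


def is_compliant(key: KeyRecord) -> bool:
    """Apply the listed rules; algorithms not covered by them are not flagged here."""
    alg = normalise_algorithm(key.algorithm)
    if alg in FLAGGED_EXACT:
        return key.size_bits not in FLAGGED_EXACT[alg]
    if alg in MIN_KEY_BITS:
        return key.size_bits >= MIN_KEY_BITS[alg]
    return True


def is_quantum_vulnerable(key: KeyRecord) -> bool:
    return normalise_algorithm(key.algorithm) in QUANTUM_VULNERABLE


def assess(keys):
    """Return per-key findings plus counts shaped like the Top Security Issues card."""
    findings = {}
    for key in keys:
        issues = []
        if not is_compliant(key):
            issues.append("non-compliant")
        if is_quantum_vulnerable(key):
            issues.append("quantum-vulnerable")
        findings[key.name] = issues
    summary = {
        "cryptographic_policy": sum("non-compliant" in v for v in findings.values()),
        "quantum_vulnerable": sum("quantum-vulnerable" in v for v in findings.values()),
    }
    return findings, summary


# Constructed sample keys (hypothetical names and sizes).
SAMPLE_KEYS = [
    KeyRecord("sql-tde-key", "RSA-HSM", 2048),
    KeyRecord("legacy-rsa", "RSA", 1024),
    KeyRecord("disk-key", "EC", 256),     # P-256 curve
    KeyRecord("old-ec", "EC", 192),
    KeyRecord("aes-128", "AES", 128),
    KeyRecord("aes-256", "AES", 256),
    KeyRecord("tdes", "3DES", 168),
]

if __name__ == "__main__":
    per_key, totals = assess(SAMPLE_KEYS)
    for name, issues in per_key.items():
        print(f"{name:12s} {', '.join(issues) or 'ok'}")
    print(totals)
```

Note that a 2048-bit RSA key passes the size rule yet is still counted as quantum-vulnerable; the two findings are independent, which is why the card reports them separately.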
Expired Keys: This section shows the number of expired Azure keys. This information helps you review these expired keys and delete them.
Exportable Keys: This section shows the number of Azure keys marked as exportable. Exportable keys are high-risk keys and vulnerable. This information will help in marking these high-risk keys as non-exportable.
Quantum-vulnerable keys: For an Azure CSP, this is the total number of keys in the Azure cloud subscription that use quantum-vulnerable algorithms. These are asymmetric keys such as RSA, EC, and so on. This information will help you determine which data is encrypted using quantum-vulnerable keys.
Unused keys: This section shows the total number of Azure keys that remain unused for encryption in the scanned data and supported services. You can use this information to identify and remove unused keys for enhanced security.
NOTE
Fortanix Key Insight recommends removing any unused keys from your cloud as a best practice.
Overly permissive keys [Usage]: This section displays the total number of Azure keys with excessive usage permissions. These keys can potentially cause service violations and carry a high-risk score. This information helps analyze key usage to improve security.
The overly permissive keys (usage) check analyzes the Role Assignments associated with a key, listing all granted service principals and their corresponding Role Definitions, to determine whether more than one Azure service principal can perform cryptographic operations on the key. It evaluates the DataActions and NotDataActions of each role definition to establish which assigned service principals are authorized for cryptographic operations.
Overly permissive keys [Management]: This section displays the total number of Azure keys with excessive management permissions. Keys with overly permissive management permissions can lead to service violations and are assigned a medium risk score. This information helps analyze key usage to enhance security.
The overly permissive keys (management) check analyzes the Role Assignments associated with a key, listing all granted service principals and their corresponding Role Definitions, to determine whether more than two Azure service principals are authorized for management operations. It evaluates the Actions and NotActions of each role definition to establish which assigned service principals are authorized for management operations.
NOTE
Fortanix Key Insight recommends reviewing and revalidating the Azure key policies as a best practice to avoid overly permissive usage and management permissions.
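The two checks above (usage: more than one principal with cryptographic data-plane access; management: more than two principals with management-plane access) can be reproduced over Azure RBAC data. The following is an added example, not Fortanix code, that walks constructed role assignments and role definitions, applies Azure-style wildcard matching to Actions/NotActions and DataActions/NotDataActions, and honours scope inheritance from the vault down to the key. The scopes, principal ids, role names and the representative lists of crypto and management action names are assumptions made for the example.

```python
"""Added example (not Fortanix Key Insight code): reproduce the overly permissive
usage/management checks over constructed Azure RBAC data. Role definitions,
assignments, scopes and principal ids below are sample values, not from a real tenant."""
import re

# Data-plane actions that let a principal perform cryptographic operations on a key
# (assumed representative set, following Key Vault RBAC naming).
CRYPTO_DATA_ACTIONS = [
    "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "Microsoft.KeyVault/vaults/keys/decrypt/action",
    "Microsoft.KeyVault/vaults/keys/sign/action",
    "Microsoft.KeyVault/vaults/keys/verify/action",
    "Microsoft.KeyVault/vaults/keys/wrap/action",
    "Microsoft.KeyVault/vaults/keys/unwrap/action",
]
# Management-plane actions that change the key or its vault (assumed representative set).
MANAGEMENT_ACTIONS = [
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/keys/write",
    "Microsoft.KeyVault/vaults/keys/delete",
]
USAGE_LIMIT = 1        # guide: more than one principal with crypto access is overly permissive
MANAGEMENT_LIMIT = 2   # guide: more than two principals with management access is overly permissive


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' stands for any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def permits(permission: dict, allow_key: str, deny_key: str, action: str) -> bool:
    """True if the allow list of a permission block matches the action and its deny list does not."""
    allowed = any(action_matches(p, action) for p in permission.get(allow_key, []))
    denied = any(action_matches(p, action) for p in permission.get(deny_key, []))
    return allowed and not denied


def scope_covers(assignment_scope: str, key_scope: str) -> bool:
    """RBAC inherits downwards: a vault-level assignment applies to every key in that vault."""
    a, k = assignment_scope.lower().rstrip("/"), key_scope.lower()
    return k == a or k.startswith(a + "/")


def principals_with(role_defs, assignments, key_scope, allow_key, deny_key, actions):
    """Distinct principals whose assignments on the key (or an enclosing scope) grant any listed action."""
    found = set()
    for assignment in assignments:
        if not scope_covers(assignment["scope"], key_scope):
            continue  # assignment sits on an unrelated key or vault
        for perm in role_defs[assignment["roleDefinitionName"]]["permissions"]:
            if any(permits(perm, allow_key, deny_key, act) for act in actions):
                found.add(assignment["principalId"])
                break
    return found


def assess_key(role_defs, assignments, key_scope):
    usage = principals_with(role_defs, assignments, key_scope,
                            "dataActions", "notDataActions", CRYPTO_DATA_ACTIONS)
    mgmt = principals_with(role_defs, assignments, key_scope,
                           "actions", "notActions", MANAGEMENT_ACTIONS)
    return {
        "crypto_principals": sorted(usage),
        "management_principals": sorted(mgmt),
        "overly_permissive_usage": len(usage) > USAGE_LIMIT,
        "overly_permissive_management": len(mgmt) > MANAGEMENT_LIMIT,
    }


# Constructed sample data (hypothetical subscription, vault, key, roles and principals).
VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
         "/providers/Microsoft.KeyVault/vaults/kv-sample")
KEY_SCOPE = VAULT + "/keys/sql-tde-key"
ROLE_DEFS = {
    "Crypto User": {"permissions": [{"dataActions": ["Microsoft.KeyVault/vaults/keys/*"],
                                     "notDataActions": []}]},
    # Reads keys but every crypto operation is excluded via NotDataActions.
    "Crypto Reader": {"permissions": [{"dataActions": ["Microsoft.KeyVault/vaults/keys/*"],
                                       "notDataActions": ["Microsoft.KeyVault/vaults/keys/*/action"]}]},
    "Vault Contributor": {"permissions": [{"actions": ["Microsoft.KeyVault/vaults/*"],
                                           "notActions": []}]},
}
ASSIGNMENTS = [
    {"principalId": "sp-sql", "roleDefinitionName": "Crypto User", "scope": KEY_SCOPE},
    {"principalId": "sp-backup", "roleDefinitionName": "Crypto User", "scope": VAULT},      # inherited
    {"principalId": "sp-audit", "roleDefinitionName": "Crypto Reader", "scope": VAULT},     # denied
    {"principalId": "sp-other", "roleDefinitionName": "Crypto User", "scope": VAULT + "/keys/other-key"},
    {"principalId": "admin-1", "roleDefinitionName": "Vault Contributor", "scope": VAULT},
    {"principalId": "admin-2", "roleDefinitionName": "Vault Contributor", "scope": VAULT},
]

if __name__ == "__main__":
    print(assess_key(ROLE_DEFS, ASSIGNMENTS, KEY_SCOPE))
```

With this data the key is overly permissive for usage (two principals, `sp-sql` and `sp-backup`, can perform crypto operations; `sp-audit` is excluded by its NotDataActions and `sp-other` by scope) but not for management (exactly two contributors, which is within the limit the guide states).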
Figure 14: Top Security Issues
4.4 Download Report
Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the Azure subscription in PDF format.
Figure 15: Download the Assessment Report
5.0 Rescan an Azure Connection
Click RESCAN on the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the Azure CSP organization.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
Figure 16: Scan Again
If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running.
After the scan is completed successfully:
The Last scanned label is updated with the date and time of completion.
The Overview page reflects the new state of the Azure CSP keys and services.
You can also click RESCAN on the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the Azure CSP keys and services.
Figure 17: Scan Again
6.0 Keys
After the Azure subscription is onboarded, click the Keys menu in the Fortanix Key Insight left navigation bar.
Clicking the Keys menu will take you to the Keys page that shows a map of all the Azure subscriptions.
On the Keys page, you can toggle between the GRAPH and LIST views using the toggle in the top left corner. The GRAPH view is set as the default.
6.1 Keys Graph View
The graph view shows the following information:
For every Azure subscription, it shows the Azure Key Vault names and resource groups that it belongs to, and for each Key Vault, it shows the map of all the keys in that account that are used to encrypt the Azure services.
Each key displays the services encrypted by it.
If a key is used by more than one Azure service, is non-compliant, and has overly permissive usage or management permissions, it shows a vulnerability warning. Key Insight recommends proceeding with the appropriate action items to minimize those warnings.
The keys display the non-compliance vulnerabilities based on the configured key sizes and types, per the National Institute of Standards and Technology (NIST) standards specified in the applied Key Insight policy.
Figure 18: Key Vulnerability
You can click various points in the keymap to go to the tabular view of that entity.
Figure 19: Clickable Points in the Map
For example, click the key vault icon for the Azure subscription to go to the tabular view of the key vault.
6.1.1 Filter Keys - Graph View
In the key graph view, you can filter the keys by Subscriptions, Resource group name, Key name, Key version, Vulnerabilities, and Services on the key map.
To apply the filter on the key graph:
Click the Services drop down menu to select or search keys by a service. For example, select SQL.
Click SEARCH.
Figure 20: Filter Keys by Service Type
You will see that the key map displays only the keys that encrypt SQL services.
Figure 21: Filter Applied
You can further filter the keys by selecting the following other filter options:
Subscriptions: Filter the keys by Azure subscription.
Resource group name: Filter the keys by the resource group.
Key name: Filter the keys by the key name.
Key version: Filter the keys by the key UUID.
Vulnerabilities: Filter the keys by the vulnerability types - Non-compliant keys, Shared keys, and Overly permissive keys.
NOTE
A key encrypting multiple ABS services from the same storage account does not contribute to the Shared keys vulnerability.
Services: Filter the keys by the Azure services – SQL, Storage Accounts, Managed Disks, Azure Kubernetes Service (AKS), Azure Container Instances (ACI), Azure Blob Storage (ABS), and Cosmos DB.
6.2 Keys List View
The keys list view displays all keys in a table, along with details such as key name, version, state, violations, owners, usage description, type, creation date, expiration date, rotation date, key vault, and region.
To modify the Keys table column display in the list view:
Click the customize columns icon.
On the Customize Columns dialog box, select a maximum of six columns that you want to display in the table.
Click APPLY to view only those columns on the table.
Click RESET TO DEFAULT to display the default columns if needed.
Figure 24: Customize Keys Table
6.2.4 Add Key Details
After an Azure connection is onboarded to Fortanix Key Insight, you can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.
To add the key(s) details,
Select key(s) in the list.
Click ADD DETAILS on the top right corner.
NOTE
If your Azure connection was last scanned before the KI 25.03 release and a new scan was not performed, clicking the ADD DETAILS option will show a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, you must rescan the Azure connection and then add the key details.
On the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email ID.
Click ADD SECONDARY OWNER to add the secondary owner’s details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
On the Keys page, the primary and secondary owners’ name or employee ID and email address appear in the OWNERS column, and the description appears in the USAGE DESCRIPTION column.
Figure 25: Add Key Details
NOTE
Only users with Account Administrator permissions can add or edit key details.
6.2.5 Edit Key Details
You can modify the details of the selected key(s).
To edit the key(s) details,
Select key(s) in the list.
Click EDIT DETAILS on the top right corner.
On the Edit Details dialog box,
Update the primary owner’s name or employee ID and email ID.
Update the secondary owner’s name or employee ID and email ID.
Update the description if required.
Click UPDATE to save the details to the selected key(s).
You can also update the details while viewing the key details. For more details, refer to the Section 6.2.6: View Key Details.
6.2.6 View Key Details
Click any key in the Keys list to view the key's properties, rotation history, associated violations, and service mappings.
The KEY DETAILS tab includes the following:
Key Properties: This section displays key specifications, such as key ID, state, version, version ID, creation date, expiration date, region, key type, key vault, and so on.
Ownership: This section is available if owner details have been added to the key. It displays the primary and secondary owner's name or employee ID, email ID, and description.
Automatic Key Rotation Policy: This section includes key rotation details, such as the rotation status, next scheduled rotation, last rotation time, and so on.
Figure 26: Access Key Details View
NOTE
The Key Correlation section is only visible if you have configured an external key source (DSM SaaS) for the Fortanix Key Insight Azure cloud connection. For the selected correlated key, it displays details such as the key source, key source type, last correlated date, and source key ID. You can click Key Id to navigate to Fortanix DSM SaaS to view the key details.
You can filter these keys by Key Name to access the relevant details.
Figure 27: Access Key Correlation Section
The VIOLATIONS tab displays any violations linked to the key. These violations may include issues such as shared keys, overly usage or management permissions, key expiration, and so on.
Figure 28: View Key Violations
The SERVICE MAPPING tab displays the mapping between the key and Azure service(s), if any. You can view the details of the key and its associated services through Legends.
Figure 29: Key and Service Mapping
7.0 Services
After the Azure subscription is onboarded, click the Services menu in the Fortanix Key Insight left navigation bar.
Clicking the Services menu will take you to the Services page, which shows a map of all the Azure services (Azure Storage Accounts, Managed Disks, SQL, AKS, ACI, ABS, and Cosmos DB) grouped by Azure subscription.
NOTE
Fortanix Key Insight currently supports scanning all Azure Cosmos DB cloud resources, if they are "single deployments". For clustered variants, it supports scanning only the Cosmos DB for MongoDB cluster.
On the Services page, you can toggle between the GRAPH and LIST views using the toggle in the top left corner. The GRAPH view is set as the default.
7.1 Services Graph View
In the services graph view, the services are grouped into the following categories, and you can also view the total counts for services, violations, subscriptions, and regions within each category:
Service Type: Selecting this category allows you to view all services grouped by type and their corresponding risk levels. The color of each service indicates its associated risk level. This category is selected by default.
Figure 30: Access Services Graph View
Click any service to view the types of violations for that service and the count for each violation, sorted by severity, if applicable.
Clicking a specific violation in the list will take you to the corresponding service list view, filtered accordingly.
Figure 31: Select and View Azure Service Details
Violation Type: Selecting this category allows you to view all services grouped by violation type, along with their corresponding risk levels.
Figure 32: Azure Services by Violation Types
Click any violation to view the types of services that share the violation and the count for each service type, if applicable.
Clicking a specific service type in the list will take you to the corresponding service list view, filtered accordingly.
Figure 33: Select and View Azure Service Violations Details
Subscriptions and Regions: Selecting this category allows you to view all services grouped by different subscriptions and regions, along with their associated risk levels.
Figure 34: Azure Services by Subscriptions and Regions
Click any subscription and region to view the associated resource groups and services that share the same subscription and region.
Click any resource group to view each service's regions and service count, if applicable.
Click any service to view the types of violations and the count for each violation, sorted by severity, if applicable.
Clicking a specific service type in the list will take you to the corresponding service list view, filtered accordingly.
Figure 35: Azure Service Subscription Details
7.1.1 Filter Services - Graph View
In the service graph view, you can filter the services by Subscription, Resource Group, Region, Service Type, and Vulnerability for each category explained in Section 7.1: Services Graph View.
For example, to filter services by Region,
Select the category. For example, Service Type.
Click the Region drop down menu to select the region. For example, east-us.
Click APPLY.
Figure 36: Filter Azure Service by Regions
The Services page will display only the services for the selected region. Additionally, the count for the total number of services, violations, regions, and accounts shown in the top bar will be updated accordingly.
Figure 37: Services Filter Applied
You can further filter the services by selecting the following other filter options:
Service Type: Filter the services by the Azure service type – SQL, Managed Disks, Storage Accounts, AKS, ACI, ABS, and Cosmos DB.
Vulnerability: Filter the services by the vulnerability types – Unencrypted services, Using deleted keys, Using non-compliant keys, Using overly permissive usage keys, Using overly permissive management keys, Using shared keys, Using keys scheduled for deletion, Using quantum vulnerable keys, Using expired keys, and Using exportable keys.
Subscription: Filter the services by a selected subscription.
Resource Group: Filter the services by a selected resource group.
You can use a combination of the above filter options to display the service map with specific results.
Click RESET to clear all filters or select the All (Default) option from the dropdown in the desired filter to reset that specific filter.
7.2 Services List View
The services list view displays all services in a table, along with details such as name, type, encryption, violations, resource group, region, and subscription.
Figure 38: Azure Services List View
Click ENCRYPTION column values to check whether the service was encrypted.
Click the icon in the VIOLATIONS column to view detailed information about the associated vulnerabilities.
7.2.1 Filter Services - List View
In the list view, you can filter the services using the Search field with the following criteria and available values:
You can click any Azure service in the Services list to view its configuration details and associated violations.
The SERVICE DETAILS tab includes the following:
Service Configurations: This section displays service configurations such as service ID, type, encryption status, account region, subscription, resource group name, key ID, DB variant, and key type.
Key Data: This section provides details of the associated key, including the key ID, version, and type, for the encrypted service. If the service is not encrypted, if the encrypted service has a deleted key, or if the cryptographic key details are inaccessible, the appropriate messages will appear.
Figure 40: Access Services Details View
NOTE
The Key Correlation section is visible only when the selected service is encrypted and associated with a correlated key from an external key source connection. It displays details such as the key source, key source type, last correlated date, and source key ID.
You can click Key Id to navigate to Fortanix DSM SaaS to view the corresponding key details.
Figure 41: Key Correlation in Azure Service Details Page
The VIOLATIONS tab displays any violations linked to the service. These violations may include issues such as shared keys, overly usage or management permissions, key expiration, and so on.
Figure 42: View Service Violations
8.0 Scanned Data Export
This feature allows you to export the Azure scanned key and service-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.
In the Azure Keys and Services list view, you can click EXPORT to export the scanned data using any of the available options:
Figure 43: Access Data Export Feature
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop down menu.
Export all raw data: Use this option to export all scanned data shown in the keys and services tables in CSV format. If you select this option, you can read the details on the Export All Raw Data dialog box and click PROCEED to export all the data.
After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more details, refer to Section 8.1: Manage Export Activities.
Export selected rows: This option is disabled by default. You can select the required rows on the current page and then use this option to export them in CSV format.
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud, on-premises, and external key source connections.
8.1 Manage Export Activities
After you initiate the export process using Export all raw data, you can monitor the export status on the Activities tab.
You can see the following details for each export:
Name of the activity. For example, the activity would be named Export_all_keys_vaults if you had exported all the Azure keys.
Name of the file. For example, Key Vaults.csv.
Activity status: This indicates the current state of the data export. It can be one of:
Completed: The data export has been successful, and the CSV file automatically downloads to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it using the cancel icon if required.
Cancelled: The data export was cancelled, either because you switched accounts or because you manually cancelled it while it was in progress.
Failed: The data export did not complete because of errors.
Name of the connection
Export creation date and time
Figure 44: Access Export Activities
NOTE
If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.
If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. Therefore, it is recommended not to refresh the page during the export.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.