Fortanix Key Insight User Interface Components - Azure

1.0 Introduction

1.1 Purpose

Welcome to the Fortanix Key Insight – User Interface Components Guide. The purpose of this guide is to describe the Fortanix Key Insight user interface (UI) features for Azure.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Chief Information Security Officer (CISO) who will use this feature to see compliance information or deficiencies at a very high level and is interested in trends and drift, and the Security Engineer, who will use this feature to find and fix issues with the implementation and management of cryptographic data protection.

2.0 Terminology References

For Fortanix Key Insight - Azure terminologies, refer to Fortanix Key Insight - Azure Concepts Guide.

3.0 Key Insight Overview Menu

Users can access the Fortanix Key Insight Overview tab after adding an Azure cloud account. The Overview page summarizes the Azure keys and services for a CSP organization, as described in the following sections:

3.1 Cloud Discovery Accounts

This section summarizes the count of all the parameters for an Azure Management group. It shows the count of:

  • Total number of Azure subscriptions within the Azure management group
  • Total number of resource groups under all the Azure subscriptions
  • Total number of regions in the resource groups
  • Total number of keys in all the Azure cloud regions
  • Total number of services in all the Azure cloud regions

Figure 1: Cloud Discovery Accounts

NOTE
The total number of keys displayed in the Cloud Discovery Accounts section is only the count of the “Current” key version for each key in the Azure Key Vault.

Clicking the Keys and Services labels in the Cloud Discovery Accounts section takes you to their list view.

Keys list view:

Click the GRAPH button to see the key map.

Figure 2: Keys list view

Services list view:

The Services page has four tabs: STORAGE ACCOUNTS, MANAGED DISKS, SQL, and KEY VAULTS. These tabs list, respectively, all the Azure storage accounts, Azure managed disks, Azure SQL databases, and Azure Key Vaults found within the Azure cloud organization.

Figure 3: Dashboard detailed view

The Storage Accounts, Managed Disks, and SQL database tables have an ENCRYPTION column that indicates whether each Azure Storage Account, Managed Disk, or SQL database service is encrypted.

3.2 Assessment Report

This section allows the user to view the Azure keys and services Assessment Report on the Assessment page. The report allows you to assess your key’s security posture to ensure the safety of your data.

Figure 5: Assessment

Click the ASSESSMENT REPORT button to go to the Assessment page. For more details about the Assessment page, refer to Section 4.0: Key Insight – Assessment Menu.

3.3 Top Subscriptions That Need Attention

This section gives you a quick overview of the Azure Services map, showing the top subscriptions whose services are vulnerable because they either use shared keys or are not encrypted.
Click the Services map to go to the detailed view of the Services map page.

Figure 6: Top subscriptions that need attention

3.4 Top Subscriptions by Keys and Status

This section lists, in descending order, the top five subscriptions with the greatest number of keys since the last key scan operation. The count for each subscription includes both enabled and disabled keys.
Blue color indicators denote enabled keys, while orange color indicators denote disabled keys in each subscription.

Figure 7: Subscriptions with top keys

Click the Subscription ID to go to the list view of the subscription that shows all the keys in that subscription.

Figure 8: Subscription detailed view

3.5 Protected Services

This section presents a summary of the comparison between the number of Microsoft Managed Keys, Customer Managed Keys, and Unencrypted Services for the three Azure services: Storage Accounts, Managed Disks, and SQL.

Figure 9: Protected services

  • The purple color cell indicates Microsoft Managed keys.
  • The blue color cell indicates Customer Managed keys.
  • The teal blue color cell indicates Unencrypted Services.

Clicking Storage accounts, Managed Disks, or SQL takes you to the respective list view.

Figure 10: Storage account services

3.6 Keys by Type

This section provides a count of the key specifications in the Azure cloud subscriptions. For the Azure CSP, it shows the total number of RSA and EC keys that are present in all the Azure cloud subscriptions.

Figure 11: Key types

You can also click the “key type” label to go to the tabular view of the key specification. For the selected “key type”, the table shows the key vault name, key version, key type, key state, key expiry date, key creation date, key rotation date, key vault type, and the Azure key vault region.

Figure 12: Key specification details

3.7 Key Vaults by Service Tier

This section provides a summary of the number of key vaults in the Azure Premium Key Vault and Azure Standard Key Vault service tiers.

Figure 13: Key vaults by service tier

3.8 Key by Status

This section summarizes the Azure keys by the following key status:

  • Used for Multiple Resources: The count of Azure keys that are shared by multiple Azure services.
  • Rotation Disabled: The count of Azure keys for which the rotation is disabled.
  • Not Activated: The count of Azure keys that are not activated.

Figure 14: Key by status

3.9 Rescan

Perform a re-scan operation by clicking this option to check if any new keys were added, deleted, or updated in the Azure CSP organization.

Figure 15: Scan again

If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running.

After the scan is completed successfully,

  • The Last updated label will be updated with the date and time of the completion.
  • The Overview page will reflect the new state of the CSP keys and services.

4.0 Key Insight - Assessment Menu

Users can access the Fortanix Key Insight Assessment menu after adding an Azure cloud subscription or management group. The Assessment page shows:

  • How good or bad the key security posture is for the Azure cloud subscriptions.
  • Violations that must be remediated to improve the security status.
  • Remediation advice to improve the security status.

These are described in detail in the following sections:

4.1 Risk Score

This section provides the overall risk score of the Azure keys and services. There are three risk levels:

  • High – The high risk count is the total number of shared keys or non-compliant keys in use.
  • Critical – The critical risk count is the total number of unencrypted cloud services detected that need attention.
  • Medium – The medium risk count is the total number of CSP-generated keys in use.

Figure 16: Risk score

In the above example, the overall risk score is Critical. The priority of the overall risk score is based on the count of risks in the following order:

  • Critical
  • High
  • Medium

4.2 Service Violations

For an Azure CSP, this section provides information on the service violations. It shows the total number of services in the Azure cloud subscription that are vulnerable because they use shared or non-compliant keys, or are not encrypted. This information helps you determine which services are at risk so that you can use unique, compliant encryption keys for better security. Click the STORAGE ACCOUNTS, MANAGED DISKS, and SQL tabs to see the count of vulnerable keys for each service type.

NOTE
For STORAGE ACCOUNTS, MANAGED DISKS, and SQL, the count of Non-Compliant keys will always be 0 since all keys are compliant by default.

Figure 17: Violations

4.3 Top Security Issues

This section provides the following information about the keys:

  • Shared Keys: The total number of keys in the Azure cloud subscription that are shared by two or more services for encryption. This information helps you determine which keys are at risk so that you can use a unique encryption key per service for better security.
  • Cryptographic Policy: The total number of keys in the Azure cloud subscription that violate the cryptographic policy set for a Fortanix Data Security Manager (DSM) account. These non-compliant keys increase the data security risk. This information helps you determine which keys are non-compliant with the DSM account cryptographic policy so that you can generate new, compliant keys to encrypt the Azure services.
  • Expired Keys: The number of Azure keys that have expired. This information helps you review these expired keys and delete them.
  • Exportable Keys: The number of Azure keys that are marked as exportable. Exportable keys are high-risk and vulnerable. This information helps you mark these high-risk keys as non-exportable.
  • Quantum-vulnerable keys: For an Azure CSP, the total number of keys in the Azure cloud subscription that use quantum-vulnerable algorithms. These are asymmetric keys such as RSA and EC. This information helps you determine which data is encrypted using quantum-vulnerable keys.

Figure 18: Observations
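The classifications behind the Risk Score, Service Violations, and Top Security Issues panels above can be expressed as a few simple rules over a key and service inventory. The following Python script is an added example, not Fortanix code and not the Key Insight implementation: it runs those rules over a small constructed inventory of Azure Key Vault keys and services. The `policy_compliant` and `microsoft_managed` flags are assumptions used to stand in for the DSM cryptographic-policy check and for Microsoft Managed Keys; the page does not say how Key Insight determines either, and here "CSP-generated keys in use" (the Medium risk) is modelled as the number of services encrypted with a Microsoft Managed Key.

```python
"""Added example: reproduces the Key Insight assessment rules over a constructed
inventory. Not Fortanix code; flags marked 'assumed' are modelling choices."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    vault: str
    name: str
    version: str
    key_type: str                   # "RSA" or "EC", the two key specifications the Overview counts
    exportable: bool = False
    expires: Optional[date] = None
    policy_compliant: bool = True   # assumed flag: compliance with the DSM cryptographic policy

    @property
    def key_id(self) -> str:
        return f"{self.vault}/{self.name}/{self.version}"


@dataclass(frozen=True)
class Service:
    subscription: str
    kind: str                        # "Storage Account", "Managed Disk" or "SQL"
    name: str
    key_id: Optional[str] = None     # customer-managed key protecting the service, if any
    microsoft_managed: bool = False  # assumed flag: protected by a Microsoft Managed Key


QUANTUM_VULNERABLE = {"RSA", "EC"}   # asymmetric types the page lists as quantum-vulnerable


def shared_keys(services: List[Service]) -> List[str]:
    """Key IDs used by two or more services (Top Security Issues: Shared Keys)."""
    users: Dict[str, set] = {}
    for s in services:
        if s.key_id:
            users.setdefault(s.key_id, set()).add((s.kind, s.name))
    return sorted(k for k, u in users.items() if len(u) >= 2)


def expired_keys(keys: List[Key], today: date) -> List[str]:
    return [k.key_id for k in keys if k.expires is not None and k.expires < today]


def exportable_keys(keys: List[Key]) -> List[str]:
    return [k.key_id for k in keys if k.exportable]


def non_compliant_keys(keys: List[Key]) -> List[str]:
    return [k.key_id for k in keys if not k.policy_compliant]


def quantum_vulnerable_keys(keys: List[Key]) -> List[str]:
    return [k.key_id for k in keys if k.key_type in QUANTUM_VULNERABLE]


def unencrypted_services(services: List[Service]) -> List[str]:
    return [s.name for s in services if s.key_id is None and not s.microsoft_managed]


def protected_services(services: List[Service]) -> Dict[str, Dict[str, int]]:
    """Per service kind: Microsoft Managed / Customer Managed / Unencrypted counts (section 3.5)."""
    out: Dict[str, Dict[str, int]] = {}
    for s in services:
        row = out.setdefault(s.kind, {"microsoft_managed": 0, "customer_managed": 0, "unencrypted": 0})
        if s.microsoft_managed:
            row["microsoft_managed"] += 1
        elif s.key_id:
            row["customer_managed"] += 1
        else:
            row["unencrypted"] += 1
    return out


def subscriptions_needing_attention(services: List[Service]) -> List[Tuple[str, int]]:
    """Section 3.3: subscriptions ranked by services that use a shared key or are unencrypted."""
    shared = set(shared_keys(services))
    counts: Dict[str, int] = {}
    for s in services:
        if s.key_id in shared or (s.key_id is None and not s.microsoft_managed):
            counts[s.subscription] = counts.get(s.subscription, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def risk_counts(keys: List[Key], services: List[Service], today: date) -> Dict[str, int]:
    """Section 4.1: Critical = unencrypted services, High = shared or non-compliant keys,
    Medium = CSP-generated keys in use (modelled as services on Microsoft Managed Keys)."""
    high = set(shared_keys(services)) | set(non_compliant_keys(keys))
    return {
        "Critical": len(unencrypted_services(services)),
        "High": len(high),
        "Medium": sum(1 for s in services if s.microsoft_managed),
    }


def overall_risk(counts: Dict[str, int]) -> str:
    """The overall score is the highest level with a non-zero count, in the page's priority order."""
    for level in ("Critical", "High", "Medium"):
        if counts[level] > 0:
            return level
    return "None"


# Constructed sample inventory (not real resources).
KEYS = [
    Key("kv-prod", "disk-cmk", "v1", "RSA"),
    Key("kv-prod", "legacy-cmk", "v1", "RSA", exportable=True, expires=date(2023, 1, 1)),
    Key("kv-dev", "sql-cmk", "v2", "EC", policy_compliant=False),
]
SERVICES = [
    Service("sub-a", "Storage Account", "stprodlogs", key_id="kv-prod/disk-cmk/v1"),
    Service("sub-a", "Managed Disk", "vm01-osdisk", key_id="kv-prod/disk-cmk/v1"),   # shares disk-cmk
    Service("sub-a", "SQL", "sqlprod", key_id="kv-prod/legacy-cmk/v1"),
    Service("sub-b", "SQL", "sqldev", key_id="kv-dev/sql-cmk/v2"),
    Service("sub-b", "Storage Account", "stdevscratch"),                                # unencrypted
    Service("sub-b", "Managed Disk", "vm02-datadisk", microsoft_managed=True),
]
TODAY = date(2024, 6, 1)   # fixed so the expiry check is reproducible

if __name__ == "__main__":
    counts = risk_counts(KEYS, SERVICES, TODAY)
    print("Overall risk:", overall_risk(counts), counts)
    print("Shared keys:", shared_keys(SERVICES))
    print("Expired:", expired_keys(KEYS, TODAY), "Exportable:", exportable_keys(KEYS))
    print("Protected services:", protected_services(SERVICES))
    print("Needs attention:", subscriptions_needing_attention(SERVICES))
```

With this inventory the overall score is Critical: one storage account has no encryption key, which outranks the two High findings (a key shared by a storage account and a managed disk, and a key that fails the assumed policy check) and the single Medium finding. Replacing the constructed lists with records exported from a real subscription is the only change needed to rerun the same rules.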

5.0 Download Report

Click the DOWNLOAD REPORT button on the top-right corner of the Assessment page to view the Data Security Assessment Report for the Azure subscription.

Figure 19: Download assessment report

5.1 Rescan

Perform a re-scan operation by clicking this option to check if any new keys were added, deleted, or updated in the Azure subscription or management group.

Figure 20: Scan again

After the scan is completed, the Assessment page will reflect the new state of the Azure keys and services.

6.0 Keys

After the Azure subscription is onboarded, click the Keys menu in the Fortanix Key Insight left navigation bar.

Clicking the Keys menu will take you to the Keys page that shows a map of all the Azure subscriptions. The key map shows the following information:

  • For every Azure subscription, it shows the Azure Key Vault names and the resource groups they belong to, and for each Key Vault, it shows the map of all the keys in that vault that are used to encrypt the Azure services.
  • Each key displays the Storage Account and SQL database service encrypted by it.
  • If a key is used by more than one Azure service (Storage Account and SQL), then it shows a vulnerability warning to indicate that the key is used with multiple services, and Key Insight recommends using a unique key per service.

Figure 21: Key vulnerability

Figure 22: Shared key vulnerability

You can click on various points in the key map to go to the tabular view of that entity.

Figure 23: Clickable points in the map

For example, click the key vault icon for the Azure subscription to go to the tabular view of the key vault.

Figure 24: Tabular view of Azure Key Vault

6.1 Keys Filter

You can also filter the keys by Subscriptions, Resource Group, Key Name, Key Version, Vulnerability, and Service on the key map.

To apply the filter on the key map:

  1. Click the Services drop-down menu to select or search keys by a service. For Azure, the services are Storage Accounts, Managed Disks, and Databases.
  2. Click SEARCH.

Figure 25: Filter keys by service type

You will see that the key map displays only the keys that encrypt the database service.

Figure 26: Filter applied

You can further filter the keys by selecting the following other filter options:

  • Subscriptions: Filter the keys by Azure subscription.
  • Resource group: Filter the keys by the resource group.
  • Key Name: Filter the keys by the key name.
  • Key Version: Filter the keys by the key UUID.
  • Vulnerability: Filter the keys by the vulnerability types - Non-compliant keys and Shared keys.
  • Service: Filter the keys by the Azure services – Databases, Storage Accounts, and Managed Disks.

You can use a combination of the above filter options to display the key map with specific results.

7.0 Services

After the Azure subscription is onboarded, click the Services menu in the Fortanix Key Insight left navigation bar.

Clicking the Services menu will take you to the Services page, which shows a map of all the Azure services (Storage Accounts, Managed Disks, and SQL) grouped by the Azure subscription. The service map shows the following information:

  • For every Azure subscription represented as big grey circles, it shows the Azure resource groups represented as dark purple circles, and for each Azure resource group, it shows the regions for that resource group, and for each region, it shows the storage accounts and SQL database services in that region.
  • For every region in an Azure subscription, it shows the encryption status of the storage accounts, managed disks, and SQL database services.
  • If an Azure service (storage accounts, managed disks, and SQL database services) is not encrypted, it shows a vulnerability warning that recommends adding an encryption key for that service or disabling that service.

Figure 27: Service map

Figure 28: Service Vulnerability

Figure 29: Service Vulnerability

You can click on various points in the service map to go to the tabular view of that entity.

Figure 30: Clickable points in the service map

For example, click the Storage Account icon under the east_us region circle to go to the tabular view of that storage account.

Figure 31: Tabular view of storage account by region

Clicking anywhere other than the storage account or database icons expands the circles and shows the region names.

Figure 32: Service region names

7.1 Services Filter

You can also filter the Azure services by Subscriptions, Resource Group, Regions, and Services on the Azure services map.

To apply a filter on the service map:

  1. Click the Subscriptions drop-down menu to select or search services by the Azure subscription.
  2. Click SEARCH.

Figure 33: Filter services by subscriptions

You will see that the service map displays only the services for the selected Azure subscription.

Figure 34: Filter applied

You can further filter the services by selecting the following other filter options:

  • Resource group: Filter the services by the resource group.
  • Region: Filter the services by the Azure region.
  • Services: Filter the services by the Azure service type – Databases, Managed Disks, and Storage Accounts.

You can use a combination of the above filter options to display the service map with specific results.
