Fortanix Key Insight for Azure Concepts

1.0 Introduction

1.1 Purpose

The purpose of this guide is to describe the Fortanix Key Insight feature concepts for Azure. Fortanix Key Insight is a cloud service that enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Chief Information Security Officer (CISO) who will use this feature to see compliance information or deficiencies at a very high level and is interested in trends and drift, and the Security Engineer, who will use this feature to find and fix issues with the implementation and management of cryptographic data protection.

2.0 Terminology References

2.1 Azure Terminology

Azure Management Groups

These are collections of subscriptions that allow organizations to apply governance controls, policies, and compliance across multiple subscriptions. They provide a way to manage access, policies, and compliance at scale. The subscriptions in a management group can be arranged in a hierarchical tree-like structure with the “root” at the top and the “management groups” and “subscriptions” nested under the “root”. Fortanix Key Insight scans an Azure management group as well as all of its subscriptions.

Azure Subscriptions

An Azure subscription is an agreement that allows specific users to access resources. The users associated with a subscription, along with their permissions, are defined in Azure Active Directory. Fortanix Key Insight scans all the regions within an Azure subscription in an Azure management group.

Azure Scan

The act of making a connection with the Azure CSP and obtaining information about keys and services of interest for Fortanix Key Insight.

Azure Tenant

An Azure AD tenant corresponds to a single instance of the directory service. An Azure AD tenant represents an IAM environment that an organization or a single entity uses to manage user identities, authentication, and access to Azure resources and applications. Fortanix Key Insight uses the Tenant ID to onboard the management groups and subscriptions.

Refer to Azure Tenant for more details.

Azure Role

Azure Identity and Access Management (IAM) roles are entities you create and assign specific permissions to that allow trusted identities, such as workforce identities and applications, to perform actions in Azure. Fortanix Key Insight requires an Azure IAM identity that holds the necessary permissions on the Azure management groups and subscriptions it scans. For more details, refer to User Guide: Azure Configuration for Scanning Using Built-In Roles.

Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) is the identity and access management service provided by Azure. Each Azure AD tenant is a separate instance of Azure AD dedicated to a single organization. For Fortanix Key Insight, Azure AD manages identities, authentication, and access to Azure resources and other Microsoft services.

Service Principal

When an application is registered in Azure AD, a service principal is automatically created to represent the application. A service principal is a security principal in Azure AD that represents the application or service, and it can be assigned roles and permissions in the same way as a user account. For Fortanix Key Insight, the service principal is granted access to Azure resources by assigning it roles using Azure RBAC (role-based access control).

Azure RBAC

Users and groups managed within an Azure AD tenant can be granted access to resources and management capabilities within the Azure environment using Role-Based Access Control (RBAC).
For Fortanix Key Insight, built-in roles such as Reader, Key Vault Administrator, and so on can be assigned to users and service principals. A role assigned at a given scope (for example, a management group) is inherited by all of that scope's child entities, such as its subscriptions and their resources.
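The scope inheritance described above, as an added example (not Fortanix code) in Python: a toy model of the Azure scope hierarchy in which a role assignment at a management group is visible from every child subscription and resource, while one at a single subscription is not. The scope names, the "sp-keyinsight" principal, and the use of Reader as the role a scan needs are all assumptions made for illustration.

```python
# Added example (not Fortanix code): toy model of Azure RBAC scope inheritance.
# Role assignments are made at one scope (management group > subscription >
# resource group > resource) and are inherited by every child scope.
from dataclasses import dataclass, field


@dataclass
class Scope:
    name: str
    kind: str  # "management_group", "subscription", "resource_group", "resource"
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child


def path_to(root, target):
    """Return the chain of scopes root..target, or None if target is not under root."""
    if root is target:
        return [root]
    for child in root.children:
        tail = path_to(child, target)
        if tail:
            return [root] + tail
    return None


def has_role(assignments, principal, role, root, scope):
    """True if principal holds role at scope or at any ancestor scope (inheritance)."""
    chain = path_to(root, scope) or []
    return any((principal, role, s.name) in assignments for s in chain)


def readable_subscriptions(assignments, principal, root):
    """Subscriptions the principal can read, assuming Reader is the role a scan needs."""
    found = []

    def walk(node):
        if node.kind == "subscription" and has_role(assignments, principal, "Reader", root, node):
            found.append(node.name)
        for child in node.children:
            walk(child)

    walk(root)
    return found


# Constructed hierarchy: one management group, two subscriptions, one key vault.
ROOT = Scope("mg-root", "management_group")
SUB_A = ROOT.add(Scope("sub-a", "subscription"))
SUB_B = ROOT.add(Scope("sub-b", "subscription"))
KV_A = SUB_A.add(Scope("rg-a", "resource_group")).add(Scope("kv-a", "resource"))

# Constructed assignments as (principal, role, scope name): one at the management
# group, which covers every child subscription, and one at a single subscription.
MG_SCOPED = {("sp-keyinsight", "Reader", "mg-root")}
SUB_SCOPED = {("sp-keyinsight", "Reader", "sub-a")}
```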

Azure Keys

Azure keys are the primary resource in Azure KMS, which are logical representations of cryptographic keys. Azure keys include a unique key identifier, or key ID. Fortanix Key Insight scans all the Azure subscriptions within an Azure management group and identifies the key compliance status across multiple Azure cloud regions.

Azure Services

Azure Services allow users to set up their IT infrastructure online. The most popular Azure services include Storage Accounts, SQL, Managed Disks, and so on.

NOTE
For now, Fortanix Key Insight scans only the Azure Storage Accounts, Managed Disks, and SQL Database services.

Azure Resource Groups

Azure Resource Groups are the logical containers that group related resources together. They can include resources from multiple services and are used for management, billing, and access control. They are the child hierarchy under the individual Azure Subscriptions. Fortanix Key Insight scans all the Azure resource groups within an Azure subscription and identifies the key compliance status across multiple Azure cloud regions.

Azure Resources

Azure Resources allow users to set up their IT infrastructure online. Fortanix Key Insight scans all the Azure resources within an Azure resource group and identifies the key compliance status across multiple Azure cloud regions. In the context of Fortanix Key Insight, there are four services:

  • Azure Key Vault: Azure Key Vault is a cloud service provided by Azure, designed to securely store cryptographic keys, secrets, and certificates used by cloud applications and services. Fortanix Key Insight scans all the Azure subscriptions within an Azure management group and identifies the key compliance status across multiple Azure cloud regions.
  • Azure Storage Accounts: An Azure storage account serves as a centralized location for all the Azure Storage objects, including blobs, files, queues, and tables. It offers a distinctive namespace for the Azure Storage data, which can be accessed from anywhere in the world through HTTP or HTTPS. The data stored in a storage account is highly secure, durable, and available, as well as massively scalable.
  • Azure SQL Database Managed Instance: Azure SQL Database Managed Instance is a fully managed platform-as-a-service offering from Microsoft Azure, providing a scalable and highly available database service. Managed Instance offers compatibility with on-premises SQL Server.
  • Azure Managed Disks: Azure Managed Disk is a virtual hard disk (VHD) that is managed by Azure. It is a storage abstraction that simplifies the management and scaling of virtual machines (VMs) in Azure.

3.0 Key Insight Features - Azure

The Fortanix Key Insight for Azure has the following features:

  • It allows two types of cloud connections: Subscription and Management Groups
    • Connecting to the Management Group requires the Azure Client ID, Client Secret, Tenant ID, and Management Group ID.
    • Connecting to a Subscription requires the Azure Client ID, Client Secret, Tenant ID, and Subscription ID.
  • Generates reports on Azure non-compliant keys and services. For each region, the report shows:
    • Corresponding keys
    • Risk score
    • Top security issues
    • Storage Accounts that are unencrypted
    • Storage Accounts using non-compliant keys
    • Storage Accounts using shared keys
    • SQL that is unencrypted
    • SQL using non-compliant keys
    • SQL using shared keys
  • Provides a dashboard view of cryptographic key compliance status across multiple Azure cloud regions. The dashboard shows information such as:
    • Cloud Discovery Accounts
    • Assessment
    • Top Subscriptions That Need Attention
    • Top Subscriptions by Key Count and Status
    • Protected Services
    • Keys by Type, Service Tier, and Status
  • Allows users to download a report of the Azure keys’ primary parameters.
  • For every Azure key in a region,
    • Provides a tabular view that shows the key name, version, type, state, expiry date, created date, rotation date, key vault, and region.
    • Provides a map of the key compliance statuses.
  • For every Azure service in a region,
    • Provides a tabular view that shows the service name, service type, region, encryption status, Azure account ID, and so on.
  • Provides an assessment report that identifies vulnerabilities through a snapshot of your data security posture and risk score, highlighting areas of strength and pinpointing opportunities for improvement.
  • You can add a new Azure cloud connection to Fortanix Key Insight.
