1.0 Introduction
1.1 Purpose
The purpose of this article is to describe the Fortanix Key Insight concepts for Azure. Fortanix Key Insight enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.
1.2 Intended Audience
This article is intended for technical stakeholders of Fortanix Key Insight, such as the Chief Information Security Officer (CISO), who uses this feature to see compliance information or deficiencies at a high level and is interested in trends and drift, and the Security Engineer, who uses it to find and fix issues with the implementation and management of cryptographic data protection.
2.0 Terminology References
2.1 Azure Terminology
| CONCEPT | DESCRIPTION |
|---|---|
| Azure Management Groups | These are collections of subscriptions that allow organizations to apply governance controls, policies, and compliance across multiple subscriptions. They provide a way to manage access, policies, and compliance at scale. The subscriptions in a management group can be arranged in a hierarchical tree-like structure with the "root" at the top and the "management groups" and "subscriptions" nested under the "root". Fortanix Key Insight scans an Azure management group as well as all of its subscriptions. |
| Azure Subscriptions | An Azure subscription is an agreement that allows specific users to access resources. The users associated with a subscription, along with their permissions, are defined in Azure Active Directory (AD). Fortanix Key Insight scans all the regions within an Azure subscription in an Azure management group. |
| Azure Scan | The act of making a connection with the Azure cloud service provider (CSP) and obtaining information about keys and services of interest for Fortanix Key Insight. |
| Azure Tenant | An Azure AD tenant corresponds to a single instance of the directory service. An Azure AD tenant represents an Identity and Access Management (IAM) environment used by an organization or a single entity to manage user identities, authentication, and access to Azure resources and applications. Fortanix Key Insight uses the Tenant ID to onboard the management groups and subscriptions. For more details, refer to Azure Tenant. |
| Azure Role | Azure IAM roles are entities you create and assign specific permissions to, allowing trusted identities, such as workforce identities and applications, to perform actions in Azure. Fortanix Key Insight requires an Azure IAM user to have the Azure management group and subscription permissions. For more details, refer to User Guide: Azure Configuration for Scanning Using Built-In Roles. |
| Microsoft Entra ID | Microsoft Entra ID (formerly Azure Active Directory) is the identity and access management service provided by Azure. Each Azure AD tenant is a separate instance of Azure AD dedicated to a single organization. On Fortanix Key Insight, Azure AD manages identities, authentication, and access to Azure resources and other Microsoft services. |
| Service Principal | When an application is registered in Azure AD, a service principal is automatically created to represent the application. Service principals are security principals in Azure AD representing the application or service, and they can be assigned roles and permissions, similar to user accounts. On Fortanix Key Insight, the service principal is granted access to Azure resources by assigning it roles using Azure role-based access control (RBAC). |
| Azure RBAC | Users and groups managed within an Azure AD tenant can be granted access to resources and management capabilities within the Azure environment using RBAC. |
| Azure Keys | Azure keys are the primary resource in Azure KMS and are logical representations of cryptographic keys. Each Azure key includes a unique key identifier, or key ID. Fortanix Key Insight scans all the Azure subscriptions within an Azure management group and identifies the key compliance status across multiple Azure cloud regions. |
| Azure Services | Azure Services allow users to set up their IT infrastructure online. The most popular Azure services include Storage Accounts, Azure Structured Query Language (SQL), Managed Disks, and so on. |
| Azure Resource Groups | Azure Resource Groups are the logical containers that group related resources together. They can include resources from multiple services and are used for management, billing, and access control. They are the child hierarchy under the individual Azure subscriptions. Fortanix Key Insight scans all the Azure resource groups within an Azure subscription and identifies the key compliance status across multiple Azure cloud regions. |
| Azure Resources | Azure Resources allow users to set up their IT infrastructure online. Fortanix Key Insight scans all the Azure resources within an Azure resource group and identifies the key compliance status across multiple Azure cloud regions. In the context of Fortanix Key Insight, there are four services: |
3.0 Fortanix Key Insight Features - Azure
Fortanix Key Insight for Azure has the following features:

- It allows two types of cloud connections: Subscription and Management Group.
  - Connecting to a Management Group requires the Azure Client ID, Client Secret, Tenant ID, and Management Group ID.
  - Connecting to a Subscription requires the Azure Client ID, Client Secret, Tenant ID, and Subscription ID.
- Generates reports on Azure non-compliant keys and services. For each region, the report shows:
  - Corresponding keys
  - Risk score
  - Top security issues
  - Violations for each service
- Provides a dashboard view of cryptographic key compliance status across multiple Azure cloud regions. The dashboard shows information such as:
  - Cloud Discovery Accounts
  - Assessment
  - Top Subscriptions That Need Attention
  - Top Subscriptions by Key Count and Status
  - Protected Services
  - Keys by Type, Service Tier, and Status
- Allows users to download a report of the Azure keys' primary parameters.
- For every Azure key in a region:
  - Provides a tabular view that shows the key name, version, type, state, expiry date, created date, rotation date, key vault, and region.
  - Provides a map of the key compliance statuses.
  - Detects non-compliant keys based on the applied policy and issues vulnerability alerts according to NIST standards.
  - Provides essential information such as key properties, key owner(s), rotation, service mapping, and related violations.
- For every Azure service in a region:
  - Displays a comprehensive overview that allows you to filter services by type, violations, subscriptions, and region. You can click on each service to view a detailed list of associated vulnerabilities, if applicable.
  - Provides a tabular view that shows the service name, service type, region, encryption status, Azure account ID, and so on.
  - Provides detailed insights into service configurations and any violations associated with each service, helping you understand potential issues and compliance gaps.
- Allows users to export all scanned key and service data in comma-separated values (CSV) format and provides the ability to track export activities.
- Allows users to optionally select pre-configured Fortanix DSM (SaaS) app credentials for key correlation when onboarding an Azure cloud connection. This enables Fortanix Key Insight to determine whether the scanned keys originate from Fortanix DSM (SaaS) after the scan is initiated.
- Enables users to automatically retrieve the crypto policies configured in Fortanix DSM and apply them to scans and assessments, ensuring that Fortanix Key Insight remains aligned with any updates in Fortanix DSM.
- Provides an assessment report that identifies vulnerabilities by providing a snapshot of your data security posture and risk score, highlighting areas of strength, and pinpointing opportunities for improvement.
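As an added illustration (not Fortanix's own code or scoring algorithm), the following Python sketches how a policy-driven check over scanned key records, with the per-region report of non-compliant keys, top issues and risk score described above, can be structured. The key records, scan date, policy thresholds and severity weights are all constructed assumptions.

```python
from collections import Counter
from datetime import date
# Constructed sample of scanned key records using the columns of the tabular key
# view (name, version, type, state, expiry, created, rotation, vault, region).
SCANNED_KEYS = [
    {"name": "storage-cmk", "version": "v1", "type": "RSA", "size": 2048,
     "state": "enabled", "expiry": date(2026, 1, 1), "created": date(2024, 1, 10),
     "rotation": date(2025, 1, 10), "vault": "kv-prod-eastus", "region": "eastus"},
    {"name": "legacy-sql", "version": "v1", "type": "RSA", "size": 1024,
     "state": "enabled", "expiry": None, "created": date(2021, 5, 3),
     "rotation": None, "vault": "kv-prod-eastus", "region": "eastus"},
    {"name": "disk-cmk", "version": "v3", "type": "EC", "size": 256,
     "state": "enabled", "expiry": date(2025, 3, 1), "created": date(2023, 3, 1),
     "rotation": date(2024, 3, 1), "vault": "kv-prod-westeu", "region": "westeurope"},
]
TODAY = date(2025, 6, 1)  # constructed scan date, so results are reproducible
# Hypothetical policy and severity weights (assumptions, not Fortanix defaults).
POLICY = {"min_rsa_bits": 2048, "max_age_days": 365, "require_expiry": True}
SEVERITY = {"weak_key_size": 3, "expired": 3, "no_expiry": 1, "rotation_overdue": 2}

def evaluate_key(key, policy, today):
    """Return the policy violations found for one scanned key record."""
    issues = []
    if key["type"] == "RSA" and key["size"] < policy["min_rsa_bits"]:
        issues.append("weak_key_size")
    if key["expiry"] is None:
        if policy["require_expiry"]:
            issues.append("no_expiry")
    elif key["expiry"] < today:
        issues.append("expired")
    # Key age counts from the last rotation, or from creation if never rotated.
    last_rotated = key["rotation"] or key["created"]
    if (today - last_rotated).days > policy["max_age_days"]:
        issues.append("rotation_overdue")
    return issues

def region_report(keys, policy, today):
    """Per-region summary: key count, non-compliant keys, top issues, risk score."""
    report = {}
    for key in keys:
        entry = report.setdefault(key["region"], {"keys": 0, "non_compliant": 0,
                                                   "issues": Counter(), "risk_score": 0})
        issues = evaluate_key(key, policy, today)
        entry["keys"] += 1
        if issues:
            entry["non_compliant"] += 1
            entry["issues"].update(issues)
            entry["risk_score"] += sum(SEVERITY[i] for i in issues)
    for entry in report.values():  # rank the most frequent issues per region
        entry["top_issues"] = [name for name, _ in entry["issues"].most_common(3)]
    return report
```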
You can add a new Azure cloud connection to Fortanix Key Insight.