Protect Your Critical Keys in the Cloud

Microsoft Azure Key Vault safeguards the critical cryptographic keys used in the cloud to keep your data secured

Deployed around the world in Azure data centers, Thales nShield hardware security modules safeguard and manage your keys in the cloud. To give you greater control, Thales enables you to create and transfer your own key for use with Azure Key Vault.


Use Azure Cloud Based Services on Your Terms

Control the critical keys securing your sensitive data in the cloud. When using Microsoft Azure, you don’t have to give up control of the key securing your data in the cloud. Azure Key Vault enables you to protect your keys in Thales FIPS 140-2 certified hardware security modules (HSMs) managed by Microsoft. For added assurance, a “bring your own key” (BYOK) capability is available that enables you to create and import your own keys from a Thales HSM you keep on your own premises. This ensures that keys are generated by you, that they never leave the protected HSM boundary, and that they are never visible to Microsoft.

Enhanced Security – Thales High Assurance for Azure Key Vault

Thales e-Security has an unparalleled 40-year history in delivering data protection solutions to security-conscious businesses, governments and technology vendors, including critical key management solutions for some of the most demanding security organizations in the world. Thales solutions currently protect 19 of the 20 largest banks and 4 out of the top 5 aerospace companies. As experts in the field, Thales products and services provide high assurance security so customers can make effective use of cryptographic protection. Thales now helps you retain control of your key when you use the Microsoft Azure cloud.

What are Hardware Security Modules?

HSMs are high-performance cryptographic devices designed to generate, safeguard and manage sensitive key material. Thales nShield HSMs keep your key securely locked and usable only within the protected boundary. This enables you to maintain custody of your key and visibility over its use.

MS Azure Business App diagram

Why Use Thales nShield HSMs with Azure Cloud?

Thales nShield HSMs ensure that your key is always under your control and never visible. The capability neutralizes the perception that sensitive data maintained in the cloud is vulnerable because the cloud can only be a shared service with a shared security infrastructure.

Security Properties of Azure Key Vault

Azure Key Vault offers you multiple levels of control. The Key Vault server key becomes your key in Azure and you can trade off the level of control you desire versus cost and effort.

    • By default, Azure generates and manages the lifecycle of your key
    • As an option, a unique Bring Your Own Key (BYOK) capability lets you generate your key on premises
    • For additional levels of security, near-real time usage logs allow you to see exactly how and when your key is being used.

How it Works

Thales nShield HSMs create a locked cage protecting your key. You can transfer the key securely from the Thales nShield HSM in your possession to a Thales nShield HSM in Microsoft's Azure data center without it ever leaving the FIPS-compliant security boundary created by the HSMs. The key is protected while in Microsoft's data centers – secured within a carefully designed cryptographic boundary that employs robust access control mechanisms, letting you enforce separation of duties to ensure the key is only used for its authorized purpose.

Bring Your Own Key

BYOK for Azure Key Vault allows you to generate your own key on your premises in accordance with your IT policies and transfer your key securely to the cloud-based Thales nShield HSM hosted by Microsoft.

BYOK diagram



Hosted HSM Validation

To ensure that the hosted HSM is an authorized Thales nShield HSM, the BYOK facility provides you a mechanism to validate its certificate. The capability enables you to verify that the key encryption key used to secure the upload of your key was indeed generated in a Thales nShield HSM.

Key Usage Logs

To ensure that the hosted service is being used strictly on your terms, Azure allows you to sign up to receive near-real time usage logs. The capability enables you to know exactly how and when your key is used by Azure. This gives you total visibility over the managed service.
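As an added illustration (not code from Thales or Microsoft), the following Python reviews Azure Key Vault AuditEvent diagnostic log entries for a BYOK-protected key and flags any use that falls outside the owner's expected operations, callers and networks. The log lines, key name, application ids and addresses are constructed for the example; only the field names follow the Key Vault AuditEvent log shape.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample entries in the shape of Azure Key Vault AuditEvent
# diagnostic logs (field names real, every value made up for this example).
SAMPLE_LOGS = [
    '{"time":"2024-05-01T10:00:01Z","category":"AuditEvent","operationName":"KeyDecrypt","resultType":"Success","callerIpAddress":"10.1.2.3","identity":{"claim":{"appid":"app-prod"}},"properties":{"id":"https://myvault.vault.azure.net/keys/byok-key/1"}}',
    '{"time":"2024-05-01T10:00:05Z","category":"AuditEvent","operationName":"KeySign","resultType":"Success","callerIpAddress":"10.1.2.4","identity":{"claim":{"appid":"app-prod"}},"properties":{"id":"https://myvault.vault.azure.net/keys/byok-key/1"}}',
    '{"time":"2024-05-01T10:01:00Z","category":"AuditEvent","operationName":"KeyDecrypt","resultType":"Failed","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"app-unknown"}},"properties":{"id":"https://myvault.vault.azure.net/keys/byok-key/1"}}',
    '{"time":"2024-05-01T10:02:00Z","category":"AuditEvent","operationName":"KeyBackup","resultType":"Success","callerIpAddress":"10.1.9.9","identity":{"claim":{"appid":"app-prod"}},"properties":{"id":"https://myvault.vault.azure.net/keys/byok-key"}}',
    '{"time":"2024-05-01T10:03:00Z","category":"AuditEvent","operationName":"KeyGet","resultType":"Success","callerIpAddress":"10.1.2.3","identity":{"claim":{"appid":"app-prod"}},"properties":{"id":"https://myvault.vault.azure.net/keys/other-key/1"}}',
]

# Expected use of the BYOK key: which operations, which callers, which networks
# (hypothetical policy values chosen for this example).
POLICY = {
    "key_name": "byok-key",
    "allowed_ops": {"KeyGet", "KeyDecrypt", "KeySign"},
    "allowed_callers": {"app-prod"},
    "allowed_nets": [ip_network("10.1.0.0/16")],
}


def key_name_of(key_url):
    """Extract the key name from a Key Vault key identifier URL, or None."""
    if "/keys/" not in key_url:
        return None
    return key_url.split("/keys/", 1)[1].split("/", 1)[0]


def review_key_usage(log_lines, policy):
    """Return (time, operation, reason) findings for uses outside policy."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("category") != "AuditEvent":
            continue
        if key_name_of(ev.get("properties", {}).get("id", "")) != policy["key_name"]:
            continue  # only events that touch the BYOK key are in scope
        op = ev.get("operationName", "")
        caller = ev.get("identity", {}).get("claim", {}).get("appid", "?")
        ip = ev.get("callerIpAddress", "")
        reasons = []
        if ev.get("resultType") != "Success":
            reasons.append(f"failed ({ev.get('resultSignature', '?')}) by {caller}")
        if op not in policy["allowed_ops"]:
            reasons.append(f"operation not in allow-list for {caller}")
        if caller not in policy["allowed_callers"]:
            reasons.append(f"unexpected caller {caller}")
        if not ip or not any(ip_address(ip) in net for net in policy["allowed_nets"]):
            reasons.append(f"unexpected source address {ip or 'none'}")
        findings.extend((ev["time"], op, r) for r in reasons)
    return findings
```

Running `review_key_usage(SAMPLE_LOGS, POLICY)` on the constructed lines yields four findings: three for the forbidden decrypt attempt from an unknown application outside the allowed network, and one for the KeyBackup operation that is not on the allow-list; the event on the other key is ignored.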

About Thales e-Security

Thales e-Security is a leading global provider of data protection solutions with more than 40 years of experience securing the world’s most sensitive information. Our customers – businesses, governments, and technology vendors with a broad range of challenges – use Thales products and services to improve the security of applications that rely on encryption and digital signatures. By protecting the confidentiality, integrity, and availability of sensitive information that flows through today’s traditional, virtualized, and cloud-based infrastructures, Thales is helping organizations reduce risk, demonstrate compliance, enhance agility, and pursue strategic goals with greater confidence. Thales has helped secure Microsoft's footprint since 2003 as a Gold Partner.

Many Azure cloud-based applications employ cryptography to protect sensitive customer data. Securing the cryptographic keys used by these applications is critically important to provide a foundation of trust in the applications and the cloud.