Enhanced Security – Thales High Assurance for Microsoft Key Vault
Thales e-Security has an unparalleled 40-year history in delivering data protection solutions to security-conscious businesses, governments and technology vendors including critical key management solutions for some of the most demanding security organizations in the world. Thales solutions currently protect 19 of the 20 largest banks and 4 out of the top 5 aerospace companies. As experts in the field, Thales products and services provide high assurance security so customers can make effective use of cryptographic protection. Now Thales is facilitating how you retain control of your key when you use Microsoft Azure cloud.
What are Hardware Security Modules?
HSMs are high-performance cryptographic devices designed to generate, safeguard and manage sensitive key material. Thales nShield HSMs maintain your key securely locked and usable only within the HSM. This enables you to maintain custody of your key and visibility over its use.
Why Use Thales nShield HSMs with Azure Cloud?
Thales nShield HSMs ensure that your key is always under your control and never visible. The capability neutralizes the perception that sensitive data maintained in the cloud is vulnerable because the cloud can only be a shared service with a shared security infrastructure.
Security Properties of Azure Key Vault
Azure Key Vault offers you multiple levels of control. The Key Vault server key becomes your key in Azure and you can trade off the level of control you desire versus cost and effort.
By default, Azure generates and manages the lifecycle of your key
As an option, a unique Bring Your Own Key (BYOK) capability lets you generate your key on premises
For additional levels of security, near-real time usage logs allow you to see exactly how and when your key is being used.
How it Works
Thales nShield HSMs create a locked cage protecting your key. You can cache the key securely from your Thales nShield HSM in your possession to a Thales nShield HSM in Microsoft's Azure data center without leaving the FIPS compliant security boundary created by the HSMs. The key is protected while in Microsoft's data centers – secured within a carefully designed cryptographic boundary that employs robust access control mechanisms that let you enforce separation of duties to ensure the key is only used for its authorized purpose.
Bring Your Own Key
BYOK for Key Vault allows you to generate your own key on your premises in accordance with your IT policies and transfer your key securely to the cloud-based Thales nShield HSM hosted by Microsoft.
Azure AD RMS
Download our White Paper: "Security World"
Download our White Paper: "Hardware Key Management in the Cloud"
Hosted HSM Validation
To ensure that the hosted HSM is an authorized Thales nShield HSM, the BYOK facility provides you a mechanism to validate its certificate. The capability enables you to verify that the key encryption key used to secure the upload of your key was indeed generated in a Thales nShield HSM.
Key Usage Logs
To ensure that the hosted service is being used strictly on your terms, Azure allows you to sign up to receive near-real time usage logs. The capability enables you to know exactly how and when your key is used by Azure. This gives you total visibility over the managed service.
About Thales e-Security
Thales e-Security is a leading global provider of data protection solutions with more than 40 year experience securing the world’s most sensitive information. Our customers – businesses, governments, and technology vendors with a broad range of challenges – use Thales products and services to improve the security of applications that rely on encryption and digital signatures. By protecting the confidentiality, integrity, and availability of sensitive information that flows through today’s traditional, virtualized, and cloud-based infrastructures, Thales is helping organizations reduce risk, demonstrate compliance, enhance agility, and pursue strategic goals with greater confidence. Thales has helped secure Microsoft's footprint since 2003 as a Gold Partner.
|Many Azure cloud-based applications employ cryptography to protect customer sensitive data. Securing the cryptographic keys used by these applications is critically important to provide a foundation of trust in the applications and the cloud.