Azure Dedicated HSM

Azure Dedicated HSM (Hardware Security Module) is a cloud-hosted, hardware-protected key storage and cryptographic processing service within Microsoft Azure. The device behind it is a Thales (SafeNet) Luna Network HSM 7, model A790, placed in an Azure datacenter and attached to your virtual network. A Dedicated HSM is a single-tenant appliance assigned solely to one customer: Microsoft hosts the hardware but has no administrative access to it, so only you control the roles, partitions and keys. It is aimed at organizations that need hardware-validated key protection, regulatory evidence (FIPS 140-2 Level 3, Common Criteria) and exclusive control over cryptographic keys, typically when migrating applications that already use an on-premises HSM.

In this guide, we’ll go over the key functions and features of Azure Dedicated HSM, including how to create, configure, manage, and monitor it, and where Entra ID does (and does not) fit in. We’ll also discuss the compliance standards involved and provide examples of usage.


1. Overview of Azure Dedicated HSM

What is Azure Dedicated HSM?

Azure Dedicated HSM is a physical Hardware Security Module provided as a service by Microsoft. Unlike Azure Key Vault, which is a multi-tenant service with an Azure REST data plane, a Dedicated HSM is a physical appliance assigned to a single customer and reached only over your own virtual network: administration happens through the appliance's LunaSH shell over SSH, and applications talk to it through the Thales Luna client (PKCS#11, JCE, CNG/KSP, OpenSSL) over NTLS. Azure provisions, hosts and can replace the device, but has no access to what is inside it. Note that Microsoft has announced the retirement of Azure Dedicated HSM in favour of Azure Cloud HSM; check the current product documentation before planning new deployments.

Key Benefits and Features

  • High Security and Control: Only you hold the HSM roles and manage the keys; Microsoft has no administrative access to the appliance and cannot read, back up or recover its contents.
  • Compliance: The appliance is validated to FIPS 140-2 Level 3 and certified to Common Criteria EAL4+, which supplies evidence for regulated workloads.
  • Dedicated Hardware: Exclusive single-tenant device, so no other customer's workload shares the cryptographic boundary.
  • Scalability: You scale by deploying additional devices; a pair of HSMs across stamps or regions is the normal pattern for high availability and load sharing.
  • Standard Interfaces, Limited Azure Integration: Applications reach the HSM through the Luna client using PKCS#11, Java JCA/JCE, Microsoft CNG/KSP or OpenSSL, so existing HSM-backed code migrates without rewriting. Dedicated HSM does not integrate with Azure platform services (it cannot, for example, hold customer-managed keys for Azure Storage or SQL; that is Key Vault or Managed HSM territory), and Entra ID governs only the Azure resource, not the keys.

2. Functions of Azure Dedicated HSM

Cryptographic Operations

Azure Dedicated HSM performs several cryptographic functions:

  • Key Generation: Generates cryptographic keys securely.
  • Encryption and Decryption: Protects data by encrypting and decrypting using stored keys.
  • Signing and Verification: Provides digital signature capabilities to verify authenticity.
  • Key Management: Allows you to create, delete, import, and manage cryptographic keys.

Entra ID, Azure RBAC and the HSM's Own Roles

Entra ID and Azure RBAC govern the Azure resource, not the keys. Role assignments on the Dedicated HSM resource control who can create, view or delete the device through Azure Resource Manager; they grant no access to partitions or key material. Authentication to the appliance itself uses the Luna roles (HSM Security Officer, Partition Security Officer, Crypto Officer, Crypto User and Audit), each with its own credential, and client machines are registered to a partition and authenticate over NTLS with certificates. Plan both layers: Entra ID for the resource lifecycle, Luna roles and client registration for key operations.


3. Standards and Compliance for Azure Dedicated HSM

Azure Dedicated HSM complies with a range of international security standards:

  • FIPS 140-2 Level 3: The Luna Network HSM 7 appliance is validated at this level, which requires tamper-evident and tamper-responsive hardware and identity-based authentication to roles before keys can be used.
  • Common Criteria EAL4+: The Luna Network HSM 7 holds a Common Criteria EAL4+ certification, commonly required for HSMs in government and trust-service deployments.
  • PCI DSS: A hardware-protected key store is a recognized control for the key-management requirements of PCI DSS; the compliance obligation and assessment remain the deploying organization's, not the device's.

These standards make Azure Dedicated HSM suitable for organizations in sectors with strict regulatory requirements, such as finance, healthcare, and government.


4. Setting Up and Configuring Azure Dedicated HSM

Prerequisites

  • Azure Subscription: An active Azure subscription that Microsoft has approved for Dedicated HSM (capacity is limited; requests go through HSMrequest@microsoft.com), with the Microsoft.HardwareSecurityModules resource provider registered.
  • Permissions: Rights to create resources in the subscription (Contributor on the resource group is sufficient) and to assign roles if you manage access with RBAC.
  • Tooling: Az PowerShell (Az.DedicatedHsm, Az.Network) or the Azure CLI, and a client VM in the virtual network on which to install the Thales Luna client software.

Step 1: Create an Azure Dedicated HSM Instance

  1. Prepare the network:
  • The device is deployed into a dedicated subnet delegated to Microsoft.HardwareSecurityModules/dedicatedHSMs, and the virtual network needs a GatewaySubnet with an ExpressRoute gateway (no ExpressRoute circuit is required; the service uses the gateway to reach the appliance). Put client VMs in a separate subnet of the same VNet or a peered one.
  2. Create the HSM:
  • Provision with PowerShell (New-AzDedicatedHsm), the Azure CLI (az dedicated-hsm create) or an ARM/Bicep template; the portal is used to view the resource. You specify:
    • Resource Group and Region: the region must offer Dedicated HSM.
    • HSM Device Name: a unique name for the resource.
    • SKU and Stamp: SafeNet Luna Network HSM A790, in stamp1 or stamp2 (deploy a pair across stamps for high availability).
    • Subnet ID and a static private IP for the appliance's network interface.
  • Provisioning takes some minutes; the resource's provisioning state and status message report when the appliance is reachable.
  3. Restrict network access:
  • Only the client subnet(s) should reach the appliance, and only on TCP 22 (SSH to LunaSH for administration) and TCP 1792 (NTLS for cryptographic operations). Enforce this with network security groups on the client and HSM subnets rather than relying on the VNet boundary alone.

Step 2: Configure Access (Entra ID for the resource, Luna roles for the keys)

  1. Azure RBAC on the resource:
  • Go to Access control (IAM) on the Dedicated HSM resource and click + Add role assignment.
  • Built-in Azure roles such as Reader, Contributor or Owner apply here; there are no Azure roles for keys inside a Dedicated HSM (roles named like "Managed HSM Crypto User" belong to Azure Key Vault Managed HSM, a different service). Restrict Contributor and Owner on the resource to the few identities allowed to delete the device.
  2. HSM roles on the appliance:
  • Connect over SSH to the appliance's private IP and initialize the HSM and a partition in LunaSH. Set distinct credentials for the HSM Security Officer, Partition Security Officer, Crypto Officer (key management) and Crypto User (key use only), and keep them outside Azure, for example in an offline credential store with dual control.
  • Register each client machine's certificate with the appliance (client register) and assign it to the partition (client assignPartition) so that it can open NTLS sessions; unregistered hosts cannot reach the keys even from inside the VNet.
  3. Conditional Access (Optional):
  • In Entra ID > Security > Conditional Access, require multi-factor authentication and compliant devices for users who manage Azure resources. This protects the control plane (creating and deleting the device), not the SSH and NTLS paths to the appliance, which are protected by the Luna credentials and client certificates.
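The whole of Steps 1 and 2 as one Az PowerShell script, added here as an example; it is not part of the original article and not a Microsoft-supplied script. Resource names, address ranges, the stamp, the appliance's private IP and the Entra group object ID are assumptions, and it assumes a subscription already approved for Dedicated HSM with the Az.Resources, Az.Network and Az.DedicatedHsm modules installed.

```powershell
# Added example: provision an Azure Dedicated HSM end to end (network, device, resource RBAC).
# All names, address ranges and IDs below are assumptions; adjust them to your environment.
$rg       = 'rg-hsm-prod'
$location = 'eastus'
$vnetName = 'vnet-hsm'
$hsmName  = 'hsm-prod-01'
$hsmIp    = '10.2.1.120'                      # static address for the appliance inside hsmsubnet
$readers  = '<entra-group-object-id>'         # Entra group that may view the resource

# 1. The resource provider is registered once per subscription.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.HardwareSecurityModules' | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2. Network: a subnet delegated to the Dedicated HSM service, a GatewaySubnet for the
#    ExpressRoute gateway the service requires (no circuit needed), and a subnet for clients.
$hsmDelegation = New-AzDelegation -Name 'hsmDelegation' `
    -ServiceName 'Microsoft.HardwareSecurityModules/dedicatedHSMs'
$hsmSubnet    = New-AzVirtualNetworkSubnetConfig -Name 'hsmsubnet'     -AddressPrefix '10.2.1.0/24' -Delegation $hsmDelegation
$gwSubnet     = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.2.255.0/26'
$clientSubnet = New-AzVirtualNetworkSubnetConfig -Name 'clientsubnet'  -AddressPrefix '10.2.2.0/24'

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.2.0.0/16' -Subnet $hsmSubnet, $gwSubnet, $clientSubnet

# Gateway SKU and public IP requirements change over time; check the current gateway docs.
$gwIp  = New-AzPublicIpAddress -Name 'pip-hsm-gw' -ResourceGroupName $rg -Location $location -AllocationMethod Dynamic
$gwCfg = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -PublicIpAddress $gwIp `
    -Subnet (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet)
New-AzVirtualNetworkGateway -Name 'gw-hsm' -ResourceGroupName $rg -Location $location `
    -GatewayType ExpressRoute -GatewaySku Standard -IpConfigurations $gwCfg | Out-Null

# 3. The device: SKU A790 in stamp1 (a second device in stamp2 gives an HA pair).
$hsmSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'hsmsubnet' -VirtualNetwork $vnet).Id
New-AzDedicatedHsm -Name $hsmName -ResourceGroupName $rg -Location $location `
    -Sku 'SafeNet Luna Network HSM A790' -StampId 'stamp1' `
    -SubnetId $hsmSubnetId -NetworkInterface @{ PrivateIPAddress = $hsmIp } | Out-Null

# 4. Azure RBAC reaches only the ARM resource (view, modify, delete the device), never the keys.
#    Reader lets operators see provisioning state without being able to delete the appliance.
$hsm = Get-AzDedicatedHsm -Name $hsmName -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $readers -RoleDefinitionName 'Reader' -Scope $hsm.Id | Out-Null
$hsm | Select-Object Name, ProvisioningState, StatusMessage, StampId

# Everything from here on (HSM SO/partition initialization, client registration, key generation)
# is done on the appliance over SSH/LunaSH and from a registered client VM, not through Azure.
Write-Host "Appliance reachable at $hsmIp (SSH 22 for LunaSH, 1792 for NTLS) once ProvisioningState is Succeeded."
```

Run it from an identity with Contributor and User Access Administrator (or Owner) on the resource group; the last role assignment fails otherwise. After the device reports Succeeded, continue in LunaSH: initialize the HSM, create the partition, then register and assign the client VM before any PKCS#11 session will open.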

5. Managing and Using Azure Dedicated HSM

Key Management and Cryptographic Operations

With your HSM set up, you can start managing keys and performing cryptographic operations.

  1. Generate a Key:
  • From a registered client VM, connect to your partition with the Luna client tools (lunacm, cmu) or through a PKCS#11/JCE/CNG application and generate the key pair inside the partition. Mark private keys non-extractable unless you have a key-wrapping design that needs otherwise. There is no Azure cmdlet for this: the Az.DedicatedHsm module manages the device as a resource, not its contents.
  • Example (PowerShell on a client VM with the Luna client installed; resource names, partition and key labels are placeholders, and the cmu options should be checked against the help for your client version):

    # Azure only creates, inspects and deletes the device; it has no key-level commands.
    Get-AzDedicatedHsm -Name "{hsm-name}" -ResourceGroupName "{resource-group}" |
        Select-Object Name, ProvisioningState, StatusMessage

    # Keys are generated on the appliance with the Luna client's cmu utility,
    # authenticating to the partition as Crypto Officer (cmu prompts for the password).
    cmu generatekeypair -keyType=RSA -modulusBits=2048 -publicExponent=65537 `
        -encrypt=1 -decrypt=1 -sign=0 -verify=0 `
        -labelPublic="myRSAKey-pub" -labelPrivate="myRSAKey-priv"
    cmu list

  2. Encrypt Data:
  • Use the HSM-resident key pair through PKCS#11. The private key never leaves the partition; the client sends data in and gets the result back over NTLS.
  • Example (Python using the third-party python-pkcs11 package against the Luna client's PKCS#11 library; the library path is the Linux default and the partition label and PIN are placeholders):

    import os
    import pkcs11                                    # pip install python-pkcs11
    from pkcs11 import KeyType, Mechanism, ObjectClass

    # Cryptoki library shipped with the Luna client; the client must already be registered
    # and assigned to the partition (NTLS), or the token will not be visible.
    lib = pkcs11.lib(os.environ.get("PKCS11_LIB", "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"))
    token = lib.get_token(token_label="<partition-label>")

    with token.open(user_pin=os.environ["HSM_CO_PIN"]) as session:
        # Look both halves up by label; labels match those given to cmu generatekeypair.
        pub = session.get_key(object_class=ObjectClass.PUBLIC_KEY, key_type=KeyType.RSA, label="myRSAKey-pub")
        priv = session.get_key(object_class=ObjectClass.PRIVATE_KEY, key_type=KeyType.RSA, label="myRSAKey-priv")

        plaintext = b"Sensitive information"
        ciphertext = pub.encrypt(plaintext, mechanism=Mechanism.RSA_PKCS_OAEP)   # RSA-OAEP, never raw PKCS#1 v1.5
        assert priv.decrypt(ciphertext, mechanism=Mechanism.RSA_PKCS_OAEP) == plaintext
        print("Encrypted data:", ciphertext.hex())

  3. Signing and Verification:
  • Sign messages or documents with a partition-resident private key; verify with the corresponding public key, which can be exported so that verifiers do not need HSM access.
  4. Key Deletion and Rotation:
  • The appliance has no policy-driven rotation. Rotate by generating a new key pair, repointing applications to the new label, keeping the old key for decryption or signature verification until nothing depends on it, and then deleting it (cmu delete or the lunacm partition commands). Record each rotation in the audit trail and your change log.

Managing HSM Devices

  1. Backup and Restore:
  • Microsoft does not back up a Dedicated HSM and cannot recover its keys. Back up partitions yourself, to a customer-owned Luna Backup HSM or by cloning to a second Dedicated HSM (a pair across stamps or regions also gives high availability), and test restores before you depend on them.
  2. Health Monitoring:
  • Azure Monitor sees only the Azure resource (provisioning state and Activity Log entries); the appliance is opaque to Microsoft. Device health comes from the appliance's own SNMP and syslog output, which you forward to your collector.
  3. Audit Logs:
  • Enable the appliance's audit logging, which is owned by the separate Audit role so that HSM administrators cannot silently alter the trail, and forward it with syslog for security review and compliance evidence.

6. Monitoring Azure Dedicated HSM

Two Log Sources, Two Owners

  1. Control plane (Azure):
  • Every Azure Resource Manager operation on the device (create, update, delete, role assignment) appears in the subscription's Activity Log. Export the Activity Log to a Log Analytics workspace or Event Hub (Azure Monitor > Activity log > Export Activity Logs) so it is retained and queryable.
  • There are no Azure diagnostic settings for the HSM itself: Microsoft has no visibility into partitions, keys or cryptographic operations, so nothing about key usage will ever appear in Azure Monitor.
  2. Device plane (the appliance):
  • In LunaSH, configure syslog forwarding (syslog remotehost add -host <collector-ip>; see the LunaSH help for your firmware's protocol and port options) to a syslog collector in the client subnet that feeds your SIEM, for example a Log Analytics agent or Microsoft Sentinel syslog forwarder, and configure SNMP for hardware and service health.
  • Enable audit logging under the Audit role so that key creation, deletion and use, role logins and configuration changes are recorded.
  3. Set Up Alerts:
  • In Azure Monitor, alert on Activity Log events for Microsoft.HardwareSecurityModules/dedicatedHSMs/delete and on role assignments scoped to the HSM resource.
  • From the device stream, alert on failed role logins, key deletions, audit-log gaps and loss of the syslog heartbeat. Notifications can go by email or SMS or into your incident tooling through action groups.

Accessing and Reviewing Logs

Use Log Analytics (or your SIEM) to analyze both streams together:

  • Correlate resource operations (who changed the device, from which identity and IP) with appliance events (who logged in to which role, which keys were touched).
  • Write queries that surface unusual access: rejected NTLS handshakes, administrator logins outside change windows, bulk key deletions, or Azure-side changes not matched by a change record.

7. Usage Example: Securely Storing and Using a Signing Key

Suppose you need to keep a document-signing key where it can be used but never copied.

  1. Generate the Signing Key:
  • Create an RSA or ECDSA key pair inside the Dedicated HSM partition with the Luna client tools or through PKCS#11, with the private key marked non-extractable and sign-only (no decrypt or wrap capability).
  2. Sign a Document:
  • From a registered client, open an NTLS session as Crypto User and sign the document's hash with the private key; the hash is sent in and the signature comes back, so the key never leaves the appliance.
  3. Verify the Signature:
  • Verification needs only the public key. Export it from the partition and distribute it to clients and downstream services; they verify offline and never need access to the HSM.

Example in Python (simplified):

import os
import pkcs11                                    # pip install python-pkcs11 (third-party PKCS#11 binding)
from pkcs11 import KeyType, Mechanism, ObjectClass

# PKCS#11 library shipped with the Luna client; the path is the Linux default, adjust for your install.
# The client must be registered to the partition and assigned to it (NTLS) before the token is visible.
lib = pkcs11.lib(os.environ.get("PKCS11_LIB", "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"))
token = lib.get_token(token_label="<partition-label>")

# Log in as Crypto User: enough to sign with an existing key, not enough to create or delete keys.
with token.open(user_pin=os.environ["HSM_CU_PIN"]) as session:
    priv = session.get_key(object_class=ObjectClass.PRIVATE_KEY, key_type=KeyType.RSA, label="mySigningKey-priv")
    pub = session.get_key(object_class=ObjectClass.PUBLIC_KEY, key_type=KeyType.RSA, label="mySigningKey-pub")

    # Signing: RSASSA-PKCS1-v1_5 with SHA-256; hashing and signing both happen inside the HSM.
    message = b"Important document"
    signature = priv.sign(message, mechanism=Mechanism.SHA256_RSA_PKCS)
    print("Signature:", signature.hex())

    # Verification through the HSM, for a round-trip check. Relying parties should instead
    # verify with the exported public key so that they never need an HSM session.
    print("Signature valid:", pub.verify(message, signature, mechanism=Mechanism.SHA256_RSA_PKCS))

Summary of Azure Dedicated HSM

Azure Dedicated HSM provides a single-tenant, hardware-validated module for keeping cryptographic keys in the cloud under your exclusive control. Azure provisions and hosts the appliance and Entra ID governs the Azure resource, while the keys themselves are protected by the appliance's own roles, client registration and audit log, which you operate. Used that way, Dedicated HSM lets you meet strict key-custody requirements, keep cryptographic operations inside a FIPS 140-2 Level 3 boundary, and produce your own evidence of who used which key when.

Key Points:

  • Dedicated Control: Exclusive single-tenant hardware; Microsoft has no access to roles or keys and cannot back them up or recover them for you.
  • Standards Compliance: FIPS 140-2 Level 3 and Common Criteria EAL4+ on the appliance, supporting regulatory evidence such as PCI DSS key-management requirements.
  • Two Access Layers: Entra ID and Azure RBAC control the Azure resource; Luna roles and NTLS client certificates control the keys.
  • Monitoring and Auditing: Azure Activity Log for resource operations, plus the appliance's syslog, SNMP and audit log, forwarded to your SIEM, for what happens inside the device.

Azure Dedicated HSM is ideal for organizations with stringent security requirements, offering robust key protection and control in the cloud.

Author: tonyhughes