Elaboration needed on Azure Key Soverignty

PUA Anthony 20 Reputation points
2024-10-16T12:06:11.64+00:00

Hello, we came across this key sovereignty notion on Azure page and would like more clarification on the statement "Key sovereignty means that a customer's organization has full and exclusive control over who can access keys and change key management policies, and over what Azure services consume these keys. After these decisions are made by the customer, Microsoft personnel are prevented through technical means from changing these decisions. The key management service code executes the customer's decisions until the customer tells it to do otherwise, and Microsoft personnel can't intervene."

Questions:

There is no key sovereignty in Azure Key Vault Premium. So based on the statement above, under what circumstances would Microsoft personnel intervene? The use case is for banking/financial industry and we are aware of Azure's recommendation of using Managed HSM for that use case, however that may not meet the same service availability requirement as AKV Premium. We would like to understand better the concept of key sovereignty so we could evaluate if Azure Key Vault Premium is good enough for our use case given that it does not have that.

Please assist.

Thank you.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,313 questions
{count} votes

Accepted answer
  1. Navya 12,405 Reputation points Microsoft Vendor
    2024-10-28T01:51:56.68+00:00

    Hi @PUA Anthony

    Thank you for posting this in Microsoft Q&A.

    I understand you are looking for clarification on the concept of "key sovereignty" as it relates to Azure services, specifically in the context of Azure Key Vault Premium versus Managed HSM.

    Key sovereignty is an important concept in cloud security, and it means that the customer has full control over their encryption keys and who can access them. In Azure Key Vault Premium, Microsoft personnel cannot intervene in the customer's key management decisions, and the key management service code executes the customer's decisions until the customer tells it to do otherwise.

    However, it's important to note that while Azure Key Vault Premium does not have key sovereignty, it still provides strong security and compliance features. For example, it supports role-based access control (RBAC) and audit logging, which can help you meet regulatory requirements.

    In terms of when Microsoft personnel might intervene, there are certain situations where they may need to access customer data or systems for support or troubleshooting purposes. However, in these cases, Microsoft personnel are subject to strict access controls and auditing requirements, and they must obtain customer consent before accessing any customer data or systems.

    Regarding your use case for the banking/financial industry, it's important to evaluate your specific security and compliance requirements to determine whether Azure Key Vault Premium meets your needs. If you require key sovereignty, you may want to consider using Azure Dedicated HSM or Azure Confidential Computing, which provide additional security features. However, if you don't require key sovereignty, Azure Key Vault Premium may be a good fit for your use case.

    For your reference: Infrastructure security

    Hope this helps. Do let us know if you any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.