Now that you're familiar with the basic components of Azure Key Vault, let's look at some of its common uses. There are three key elements to Azure Key Vault: secrets, keys, and certificates. With these three elements, Azure Key Vault addresses the following issues.

Azure Key Vault can use HSMs to securely store tokens, passwords, certificates, API keys, and other secrets, and to tightly control access to them. Azure Key Vault is a cloud-based key management solution. It makes it easier to create and control the encryption keys used to encrypt your data. Azure services, such as App Service, integrate directly with Azure Key Vault and can decrypt secrets without knowledge of the encryption keys.

With Azure Key Vault, you can also provision, manage, and deploy public and private SSL/TLS certificates. These certificates can be used with Azure and your internal connected resources. Finally, the vault can also request and renew TLS certificates through partnerships with certificate authorities. This provides a robust solution for certificate lifecycle management.

Finally, take note of the following important points in relation to Azure Key Vault. Key Vault is designed to store configuration secrets for server applications. It's not intended for storing data belonging to your app's users, and it shouldn't be used in the client-side part of an app. This is reflected in its performance characteristics, API, and cost model. User data should be stored elsewhere, such as in an Azure SQL database with transparent data encryption. It can also be held in a storage account with storage service encryption. Secrets used by your application to access those data stores can be kept in Key Vault.

Finally, let's review some Azure Key Vault best practices.
Grant access to users, groups, and applications at a specific scope, control what users have access to, store certificates in your Key Vault, and finally, ensure that you can recover Key Vaults or Key Vault objects if they are accidentally deleted.

Use role-based access control (RBAC) predefined roles. For example, to grant a user access to manage Key Vaults, you would assign the predefined role, Key Vault Contributor, to this user at a specific scope. The scope, in this case, would be a subscription, a resource group, or just a specific Key Vault. If the predefined roles don't fit your needs, you can define your own roles.

Access to a Key Vault is controlled through two separate interfaces: the management plane and the data plane. The management plane and data plane access controls work independently. Use RBAC to control what users have access to. For example, if you want to grant an application the rights to use keys in a Key Vault, you only need to grant data plane access permissions using Key Vault access policies. No management plane access is needed for this application. Conversely, you might want a user to be able to read vault properties and tags but not have any access to keys, secrets, or certificates. By using RBAC, you can grant read access to the management plane. No access to the data plane is required.

Now that you know how to control user access, take a closer look at storing certificates. Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when the VMs are deployed. By setting appropriate access policies for the Key Vault, you also control who gets access to your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault.

Deletion of Key Vaults or Key Vault objects can be either inadvertent or malicious. Enable the soft delete and purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest.
Deletion of these keys is equivalent to data loss, and with these features enabled you can recover deleted vaults and vault objects if needed. Practice Key Vault recovery operations regularly.

Finally, some users have Contributor permissions (RBAC) to a Key Vault management plane. This means that they can grant themselves access to the data plane by setting a Key Vault access policy, so it's recommended that you tightly control who has Contributor access to your Key Vaults. This is to ensure that only authorized persons can access and manage your Key Vaults, keys, secrets, and certificates.

You should now be familiar with common use cases of key components in Azure Key Vault. In the next video, we'll look at how to manage these components.
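
The recovery and Contributor points above can be checked mechanically. The following is an added example, not part of the original video: it audits one vault for soft delete, purge protection, and management-plane principals who could set an access policy for themselves. The sample JSON is constructed in the shape of `az keyvault show` and `az role assignment list` output, and the set of roles checked is an assumption of this example.

```python
import json

# Constructed samples shaped like `az keyvault show` and
# `az role assignment list` JSON output; vault and principals are made up.
VAULT = json.loads("""{
  "name": "kv-example",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false
  }
}""")
ASSIGNMENTS = json.loads("""[
  {"principalName": "ops@example.com", "roleDefinitionName": "Contributor"},
  {"principalName": "auditor@example.com", "roleDefinitionName": "Reader"}
]""")

# Assumption: only these built-in roles are treated as able to write access
# policies; custom roles are not evaluated.
POLICY_WRITERS = {"Owner", "Contributor", "Key Vault Contributor"}


def audit_vault(vault, assignments):
    """Return a list of findings for one vault and its role assignments."""
    props = vault.get("properties", {})
    findings = []
    # A missing or null flag is treated as "not enabled".
    if not props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection is not enabled")
    # Under access policies, a management-plane writer can add a policy for
    # itself and so reach keys, secrets and certificates.
    if not props.get("enableRbacAuthorization"):
        for a in assignments:
            if a["roleDefinitionName"] in POLICY_WRITERS:
                findings.append(
                    f"{a['principalName']} ({a['roleDefinitionName']}) "
                    "can grant itself data plane access")
    return findings


if __name__ == "__main__":
    for finding in audit_vault(VAULT, ASSIGNMENTS):
        print(f"{VAULT['name']}: {finding}")
```

The Reader assignment is not flagged, which matches the case described earlier of a user who can read vault properties and tags without reaching keys, secrets, or certificates.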