azure managed hsm
5 Topics

General Availability: Key Attestation for Azure Managed HSM
We are excited to announce the General Availability of key attestation for Azure Key Vault Managed HSM. Key attestation lets you validate the origin and integrity of cryptographic keys generated and stored within a trusted, FIPS 140-3 Level 3 certified HSM. This strengthens trust in key management by making a key's provenance independently verifiable, and it helps meet strict security standards. The feature is especially valuable where customers need assurance that their keys are protected from unauthorized access, including by the cloud provider.

The key attestation process has four steps:

1. Download or clone the open source Python scripts and requirements from our GitHub repository.
2. Set up a virtual environment and install the required Python packages.
3. Retrieve the key attestation data from the HSM via the CLI.
4. Verify the key's authenticity and the attestation data file, and view the parsed attributes of the attestation binary, using the open source Python script.

When running the script in verbose mode, you can see how the certificate chain is validated and which certificates are used to verify the integrity of the attestation blob. You can inspect the certificates we use in /src/vendor/marvell/marvell_validate_key_attestation.py. Because those certificates are the trust anchors of the whole check, obtain the scripts from the genuine repository and review the anchors rather than accepting them blindly. To learn more and try it out yourself, see the Key attestation product documentation.

Azure Managed HSM and Azure Key Vault Premium HSM Devices Certified for eIDAS Compliance
Azure Managed HSM and Azure Key Vault Premium are now eIDAS compliant under A-SIT. We have been working with our vendor Marvell to validate the Marvell LiquidSecurity HSM adapters used in our services against the European Union's electronic identification, authentication, and trust services (eIDAS) regulation. The HSM used by both Azure Managed HSM and Azure Key Vault Premium has received eIDAS (Austrian Scheme) certification as a Qualified Signature Creation Device (QSCD).

Why are these certifications important for Azure Managed HSM and Azure Key Vault Premium customers? They give Trust Service Providers, and others that provide time stamping, website authentication, certificate issuance, electronic registered delivery, electronic seal, and electronic signature services, the ability to use Azure Managed HSM and Azure Key Vault Premium as one component of an eIDAS-compliant solution. The QSCD certification covers the HSM device; a provider's overall service is still assessed separately.

What is eIDAS? The regulation on electronic IDentification, Authentication and trust Services for electronic transactions (eIDAS) is a European regulation that creates a framework for cross-border electronic identification and transactions across EU member states.

What is a Qualified Signature Creation Device (QSCD)? A QSCD is dedicated secure hardware, such as an HSM, designed to generate and protect signature keys and to create digital signatures in compliance with the eIDAS regulation (EU Regulation No. 910/2014). A QSCD is required for creating qualified electronic signatures, which have the same legal standing as handwritten signatures under EU law.

Azure Managed HSM and Azure Key Vault Premium provide the highest levels of assurance and compliance, now meeting FIPS 140-3 Level 3, PCI DSS, PCI 3DS, and eIDAS requirements.

Azure Managed HSM and Azure Key Vault Premium are now FIPS 140-3 Level 3
We are excited to announce that the HSM firmware for both Azure Managed HSM and Azure Key Vault Premium has been upgraded to a version validated to the FIPS 140-3 Level 3 standard in all Azure public cloud regions. This upgrade is a significant step in our commitment to providing best-in-class security to safeguard your data.

Key Improvements

With the upgraded firmware, Azure Managed HSM and Azure Key Vault Premium users benefit from:

FIPS 140-3 Level 3 Validation: The Azure Key Vault Managed HSM and Azure Key Vault Premium firmware update ensures compliance with the requirements of FIPS 140-3 Level 3. The transition from FIPS 140-2 to FIPS 140-3 reflects our commitment to the highest security standards and industry best practices.

Improved Compliance: The updated firmware also strengthens your compliance position. Whether you are subject to industry regulations or internal policies that call for FIPS 140-3 Level 3 validated modules, the HSMs behind these services now meet that requirement.

As we continue to enhance our services, our commitment to the highest standards of security remains unchanged. We are confident this upgrade to FIPS 140-3 Level 3 improves the security and compliance posture of your infrastructure.

For more information on FIPS 140-3, see Security Requirements for Cryptographic Modules and the Cryptographic Module Validation Program (CSRC).

Public Preview: Key Attestation for Azure Managed HSM
We are excited to announce the Public Preview of key attestation for Azure Key Vault Managed HSM. This feature lets you validate the authenticity of cryptographic keys stored within the hardware security module (HSM), strengthening trust in key management and helping meet stringent security standards. It is especially valuable where customers need assurance that their keys are protected from unauthorized access, including by the cloud provider.

The key attestation process has four steps:

1. Download or clone the Python scripts and requirements from our GitHub repository.
2. Set up a virtual environment and install the required Python packages.
3. Retrieve the key attestation data from the HSM.
4. Verify the key's authenticity and the attestation data file, and view the parsed attributes of the attestation binary.

To learn more and try it out yourself, see the Key attestation product documentation.
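What the verification step of both key attestation posts (the General Availability post above and this Public Preview post) amounts to, as an added example that is not the Azure team's script and does not implement Marvell's attestation format: a certificate chain is validated back to a trusted root, the signature over the attestation blob is checked with the leaf key, and only then are the parsed key attributes read. The three-level hierarchy (root, partition CA, attestation signing key), the JSON blob layout and the attribute names `origin` and `extractable` are assumptions made up for the example, and it needs the `cryptography` package.

```python
"""Added example: simulated HSM key-attestation verification. The hierarchy, the
JSON blob layout and the attribute names are constructed for illustration; they
are NOT Marvell's or Azure's attestation format. Requires `cryptography`."""
import datetime
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, subject_key, issuer_key, is_ca):
    """Issue a one-year ECDSA P-256 certificate for the constructed demo hierarchy."""
    now = datetime.datetime.now(UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _validity(cert):
    """Validity window as tz-aware datetimes (cryptography >= 42 exposes *_utc
    properties; older releases expose naive UTC datetimes)."""
    not_before = getattr(cert, "not_valid_before_utc", None)
    if not_before is not None:
        return not_before, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def verify_chain(leaf, intermediates, trusted_roots):
    """Walk leaf -> intermediates -> a trusted root. Each hop checks the validity
    window, that the issuer is a CA, and the certificate's own signature."""
    now = datetime.datetime.now(UTC)
    pool = list(intermediates) + list(trusted_roots)
    cert = leaf
    for _ in range(len(pool) + 1):
        not_before, not_after = _validity(cert)
        if not not_before <= now <= not_after:
            raise ValueError(f"{cert.subject.rfc4514_string()} is outside its validity window")
        if any(cert == root for root in trusted_roots):
            return True
        issuer = next((c for c in pool if c.subject == cert.issuer), None)
        if issuer is None:
            raise ValueError(f"no issuer found for {cert.subject.rfc4514_string()}")
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError(f"{issuer.subject.rfc4514_string()} is not a CA")
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            raise ValueError(f"bad signature on {cert.subject.rfc4514_string()}") from None
        cert = issuer
    raise ValueError("chain does not terminate at a trusted root")


def verify_attestation(blob, signature, chain, trusted_roots):
    """Chain first, then the signature over the blob, then the parsed attributes.
    Returns the attributes on success and raises ValueError otherwise."""
    leaf, *intermediates = chain
    verify_chain(leaf, intermediates, trusted_roots)
    try:
        leaf.public_key().verify(signature, blob, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("attestation blob signature does not verify") from None
    attrs = json.loads(blob)
    # Assumed attribute names: a key is only acceptable if it was generated inside
    # the HSM and cannot be exported from it.
    if attrs.get("origin") != "hsm-generated" or attrs.get("extractable") is not False:
        raise ValueError("attributes do not describe an HSM-generated, non-exportable key")
    return attrs


def build_demo(key_name="demo-key", extractable=False):
    """Constructed hierarchy root -> partition CA -> attestation signer, plus a
    signed blob for one key. Every call uses fresh keys, so two builds do not
    trust each other (that is the 'wrong root' case for the verifier)."""
    root_key, ca_key, signer_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Demo Attestation Root", "Demo Attestation Root", root_key, root_key, True)
    ca = _cert("Demo Partition CA", "Demo Attestation Root", ca_key, root_key, True)
    leaf = _cert("Demo Attestation Signer", "Demo Partition CA", signer_key, ca_key, False)
    blob = json.dumps({"key_name": key_name, "kty": "EC", "crv": "P-256",
                       "extractable": extractable, "origin": "hsm-generated"},
                      sort_keys=True).encode()
    return {"root": root, "chain": [leaf, ca], "blob": blob,
            "signature": signer_key.sign(blob, ec.ECDSA(hashes.SHA256()))}


if __name__ == "__main__":
    demo = build_demo()
    print(verify_attestation(demo["blob"], demo["signature"], demo["chain"], [demo["root"]]))
```

The order matters: the blob's attributes are only meaningful after the chain and the signature have been accepted, which is why `verify_attestation` refuses to parse anything before both checks pass. A chain that names the right root but is signed by a different key, a blob altered after signing, and a blob that honestly reports an exportable key are all rejected with a `ValueError`, and the caller sees which of the three checks failed.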
General Availability: Monitoring and Logging for Azure Managed HSM in Azure Portal

Monitoring in Azure portal

For each managed HSM, navigate to the Metrics tab under Monitoring in the left-hand sidebar of the Azure portal to view the following metrics:

- Overall service API latency
- Overall service availability
- Total service API hits

Customers can also analyze monitoring data in the Azure Monitor Logs / Log Analytics store using the Kusto Query Language (KQL), once a diagnostic setting routes the HSM's logs to a workspace. With custom queries, customers can get details from their logs about operations and errors that matter for auditing and troubleshooting. Example questions such queries answer:

- Are there any slow requests?
- Are there any failures?
- How active has this Managed HSM been?
- Who is calling this Managed HSM?

Azure Monitor also provides Alerts for addressing issues proactively before there is an impact. With alert rules, customers are notified whenever a metric crosses a threshold. Azure Advisor alerts let customers create alerts for specific recommendations, such as creating a backup of an HSM within a given amount of time.

To learn more about this feature, refer to:

- Monitor Azure Managed HSM
- Configure Managed HSM alerts
- Setting up Microsoft Sentinel for Azure Managed HSM
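The four questions the post lists, as an added example in Python over constructed sample rows rather than the KQL you would run in Log Analytics; each function is a `where`/`summarize` in disguise and translates directly. The column names (`TimeGenerated`, `OperationName`, `DurationMs`, `httpStatusCode_d`, `CallerIPAddress`, `identity_claim_oid_g`) are assumed to follow the flattened AzureDiagnostics schema, the rows are made up, and treating the `Authentication` 401 as expected bearer-challenge noise is an assumption about the authentication flow, not something the post states.

```python
"""Added example: triage of Managed HSM diagnostic log rows, answering the four
questions from the post over constructed sample rows. The flat column names are
assumed to mirror the AzureDiagnostics table; the rows themselves are made up."""
from collections import Counter

# Constructed sample rows (not real log data). identity_claim_oid_g is the
# caller's Entra object ID; it is empty on the unauthenticated first request that
# receives the bearer-token challenge (assumption about the challenge flow).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:01Z", "OperationName": "Authentication",
     "httpStatusCode_d": 401, "DurationMs": 3, "CallerIPAddress": "203.0.113.10",
     "identity_claim_oid_g": ""},
    {"TimeGenerated": "2024-05-01T10:00:01Z", "OperationName": "KeySign",
     "httpStatusCode_d": 200, "DurationMs": 42, "CallerIPAddress": "203.0.113.10",
     "identity_claim_oid_g": "11111111-aaaa-4bbb-8ccc-000000000001"},
    {"TimeGenerated": "2024-05-01T10:30:09Z", "OperationName": "KeySign",
     "httpStatusCode_d": 200, "DurationMs": 1850, "CallerIPAddress": "203.0.113.10",
     "identity_claim_oid_g": "11111111-aaaa-4bbb-8ccc-000000000001"},
    {"TimeGenerated": "2024-05-01T11:02:44Z", "OperationName": "KeyGet",
     "httpStatusCode_d": 403, "DurationMs": 12, "CallerIPAddress": "198.51.100.7",
     "identity_claim_oid_g": "22222222-aaaa-4bbb-8ccc-000000000002"},
    {"TimeGenerated": "2024-05-01T11:05:00Z", "OperationName": "KeyBackup",
     "httpStatusCode_d": 200, "DurationMs": 640, "CallerIPAddress": "192.0.2.44",
     "identity_claim_oid_g": "33333333-aaaa-4bbb-8ccc-000000000003"},
]


def slow_requests(rows, threshold_ms=1000):
    """Are there any slow requests? Rows whose service-side duration exceeds the threshold."""
    return [r for r in rows if float(r["DurationMs"]) > threshold_ms]


def failures(rows):
    """Are there any failures? Non-2xx rows, excluding the 401 returned to the
    unauthenticated first request that triggers the bearer challenge; that 401 is
    expected noise and would otherwise dominate the count."""
    bad = [r for r in rows if int(r["httpStatusCode_d"]) >= 300
           and not (r["OperationName"] == "Authentication" and int(r["httpStatusCode_d"]) == 401)]
    return Counter((r["OperationName"], int(r["httpStatusCode_d"])) for r in bad)


def activity_by_hour(rows):
    """How active has this Managed HSM been? Request count per UTC hour."""
    return Counter(r["TimeGenerated"][:13] for r in rows)


def callers(rows):
    """Who is calling this Managed HSM? Authenticated requests by (source IP, caller object ID)."""
    return Counter((r["CallerIPAddress"], r["identity_claim_oid_g"])
                   for r in rows if r["identity_claim_oid_g"])


if __name__ == "__main__":
    print("slow:", [(r["OperationName"], r["DurationMs"]) for r in slow_requests(SAMPLE_ROWS)])
    print("failures:", failures(SAMPLE_ROWS))
    print("activity:", activity_by_hour(SAMPLE_ROWS))
    print("callers:", callers(SAMPLE_ROWS))
```

The 403 on `KeyGet` is the row worth chasing: an authenticated principal tried an operation its Managed HSM role assignment does not allow, which is either a misconfiguration or someone probing. The 401 on `Authentication` is not a failure in the same sense, so `failures` filters it out before counting; without that filter, every SDK client's first call would show up as an error.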