Slipping in the Back Door: Azure Cryptography Protection Secrets.
Cryptography is nothing new, in fact it's been around for thousands of years. Kryptos, or Cryptography is the not only art of keeping your secrets away from prying eyes, but also ensuring that your information is incomprehensible to unauthorised persons, devices or applications. Sounds good I hear you say, so what's the problem. Secrets bring questions and it's human nature to wonder what and why these secrets are being Kept from me. After all you could be a spy, or a thief or just someone who is nosy and likes to feel powerful in the knowledge that they have access to secret information.
Behind the curtain of paranoia, there are of course many genuine reasons why an organisation may want to access to encrypted files. If an employee leaves the company for example. Perhaps they've been working on an important project. It's not therefore not unreasonable to assume that his or her successor may need access to those files. We call this Key escrow and it's a fundamental feature of most, if not all cryptographic systems. For example In Microsoft Windows Server an Administrator can take ownership of data and assign it to other users. It's also a vital tool in the fight against crime for law enforcement agencies. So Key escrow is nothing new. So it's safe to assume that it's elevation to the cloud would be an natural transition. For cloud admins however, this feature has in the past been tricky to find or even use. For example Microsoft 365 and Microsoft Azure have a cryptographic feature called Azure Information Protection, it combines classification labeling and rights management in one handy tool, all designed to protect data from loss but also ensure it's kept away from prying eyes, the keys themselves are stored in the Azure Key Vault.
So what if an employee leaves, how do I recover the data? The answer is that you invoke the little known feature called the SuperUser (Note you must be a member of the GlobalAdmins Group) to use this feature. Note: That if you have not yet installed the Windows PowerShell module for Azure Rights Management, you'll need to do that first. See this article Installing the AIPService PowerShell module. Once enabled you'll then have full access to all your users encrypted data for the purposes of recovery and troubleshooting. Now of course, with so much power, must come great responsibility. It's strongly recommended that should be limited to a handful of trustworthy individuals. By default, the feature is disabled, but can be enabled by using the Enable-AipServiceSuperUserFeature cmdlet. Once activated, you can then assign users or service accounts to manage the feature by using the Add-AipServiceSuperUser cmdlet or the Set-AipServiceSuperUserGroup cmdlet. To check who has permissions, you can use the Get-AipServiceSuperUser cmdlet. You can also add / remove users here. Security and careful planning are critical when using this feature as that it could be easily be misused by unscrupulous individuals. By adopting good security policies and best practices, you can avoid this. The Get-AipServiceAdminLog cmdlet is a great feature to see exactly who is decrypting files. Also a good tip is that this feature should be used only on a adhoc basis when needed. For security reasons I recommend disabling it when not required. You can do this with the Disable-AipServiceSuperUserFeature cmdlet. So their you have it, the superuser account and what it does. It's an incredibly powerful Key Escrow feature that should be well planned and deployed responsibly.
Please feel free to leave your comments or questions below and thanks for reading. Follow me on Twitter @AndyMalone
(c) Copyright 2019 Andy Malone