How to Create an Azure Key Vault to Store Secrets

In my earlier post, I demonstrated how to back up my Windows 11 PC’s files using Azure Backup. Now, I am going to review how to create an Azure Key Vault to store that passphrase more safely and securely.

Prerequisites

  • An existing Azure subscription
  • A passphrase to save

Step 1: Create the Azure Key Vault

To create a key vault, you must log in to the Azure portal and search for “key vault”. Once done, you will see the above screen. Click “Create Key Vault” to continue.

In the above screen, you are asked to choose a resource group or create one. Again, in this case, I chose to create a new resource group. Then you are asked to enter a unique key vault name and choose a region and a pricing tier. I chose the East US region and the standard pricing tier. There is no need to use the premium tier in this case. Once your choices are made, click “Review + Create” to create the key vault.

Step 2: Add Secret to Vault

Once the key vault has been deployed, click “Secrets” from the menu on the left side of the screen.

Now you can add the recovery services vault secret (or any secret, for that matter) to the Key Vault. Be sure to label it with a name that makes sense, then click “Create”.

Finally, you should be able to see your secret listed in the key vault.
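The same two steps, scripted with Azure PowerShell, as an added example that is not part of the original post. It assumes the Az.Accounts, Az.Resources and Az.KeyVault modules are installed and that Connect-AzAccount has already been run; the resource group, vault and secret names are placeholders. It goes slightly beyond the portal walkthrough by turning on purge protection and RBAC authorization, which guard the stored passphrase against accidental or malicious deletion and against over-broad access policies.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Resources and
# Az.KeyVault are installed and Connect-AzAccount has already been run.
$resourceGroup = 'rg-backup-secrets'        # placeholder name
$vaultName     = 'kv-backup-CHANGE-ME'      # placeholder; key vault names must be globally unique
$location      = 'eastus'                   # same region the post chose
$secretName    = 'recovery-services-vault-passphrase'

# Step 1: resource group and key vault. Standard tier is enough for secrets (premium only
# adds HSM-backed keys). Purge protection and RBAC are defensive settings the portal does
# not force on you: purge protection stops a soft-deleted vault or secret from being
# destroyed before the retention period ends; RBAC replaces per-vault access policies.
New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup `
    -Location $location -Sku Standard -EnableRbacAuthorization -EnablePurgeProtection

# With RBAC enabled, even the vault's creator needs a data-plane role to write secrets.
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $vault.ResourceId | Out-Null

# Step 2: add the secret. Read it interactively as a SecureString so the passphrase
# never lands in shell history or in this script file.
$secretValue = Read-Host -Prompt 'Backup passphrase' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue `
    -ContentType 'text/plain' -Tag @{ purpose = 'azure-backup-passphrase' } | Out-Null

# Verify the secret exists without echoing its value (-AsPlainText is deliberately omitted).
$stored = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
if ($null -eq $stored) { throw "Secret '$secretName' was not stored in $vaultName" }
"Stored '$($stored.Name)' version $($stored.Version) in vault $($stored.VaultName)"
```

Role assignments can take a few minutes to propagate, so if Set-AzKeyVaultSecret returns a 403 immediately after the vault is created, wait and rerun the Step 2 lines.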

Conclusion

This is a really simple way to start working with Azure Key Vault. Now you have your secret saved in a location that is not as easily compromised or exposed to failure as your home PC.

IT Security Policies: Your First Line of Defense in Cybersecurity

This is an article that I originally wrote for my job. I am reposting it here with a few changes.

Technology Can’t do Everything

You walk into the office Monday morning, attempt to log in to your desktop and realize that you can’t because you’ve been hacked, or there is a ransomware note ominously dominating your screen. The first thing you may think of is to look at the logs and use the other tools of the trade to figure out how this happened.

You find out later that this breach was caused by a phishing attack on an unsuspecting employee. This seemingly innocuous failure of operational security (OpSec) by one of your employees resulted in tremendous losses in man-hours, money, and reputation.

Often when we think of cybersecurity, the first things that come to mind are firewalls, endpoint protection, Security Information and Event Management (SIEM) solutions, and the like. While these products and solutions are a vital part of cybersecurity, they can only marginally influence human behavior. This is where policies are effective: they bridge the divide between technology and employee behavior, complementing technology by outlining expectations and defining consequences for noncompliance.

What’s the purpose?

To better understand the role of IT security policies as a part of a cybersecurity strategy, we need to understand why we have them in the first place and what we are trying to accomplish. Put simply, we want to keep our organization’s information safe. We accomplish this by ensuring three things:

  • Confidentiality – information must not be made available or disclosed to unauthorized individuals, entities, or processes.
  • Integrity – data must not be altered or destroyed in an unauthorized manner, and accuracy and consistency must be preserved regardless of changes.
  • Availability – information must be accessible and usable on demand by authorized entities.

To that end, we often must build a strategy that incorporates technological and policy solutions which balance information security with the needs of the organization.

The Human Side of Tech

Now that we have briefly gone over the purpose of IT security policies, we must look at how they should be implemented. Effective policies not only protect data and help the organization avoid liability, but also take into consideration the culture of the organization and its employees. For example, an organization with a large remote workforce should require Multi-Factor Authentication (MFA) to log in to applications, whereas a small organization with all employees working in one office could consider MFA optional.

Additionally, effective policy always reflects the following ideals:

  • Clear – vague policies confuse IT system users and leave room for bad actors to claim a plausible misunderstanding of the rules.
  • Consequential – policies without an enforcement mechanism with clear consequences for violations are not likely to be followed in large organizations.
  • Current – policies should be reviewed and modified periodically to reflect the technology and security posture of the organization as it is today.

Bottom Line

Until killer robots and rogue AI become our overlords, humans are going to be the center and the weakest link of any cybersecurity strategy. And while the technology used will always be a huge part of cybersecurity, implementing effective IT security policies must not be overlooked.