
I'm building a service where I will allow users to use different Identity Providers. Once a user authenticates with the provider, I need to store the token so that I can make calls on their behalf.

My question is about securely storing this token in Azure.

I believe the best candidates are:

  1. Store token in Azure SQL with Always Encrypted. Store encryption key in Azure Key Vault.
  2. Store token in Azure Key Vault under secrets.

Am I forgetting any other options to securely store the token? Any recommendations on which approach is better?

Andy T

3 Answers


What about Azure SQL Information Protection? Manageable from the Azure Portal and has much flexibility. You are even able to monitor your table and give specific permissions to a table: https://azure.microsoft.com/nl-nl/blog/information-security-policy-in-asc/

However, for your scenario I think using the key vault is the best option because it's built for that purpose.

Erjen Rijnders

You'll reduce the attack surface by storing the token directly in Key Vault as a secret.

You may also have other applications which access the SQL instance which don't need access to Key Vault, and so Key Vault network access may be locked down more tightly than your SQL server.

Architect Jamie
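The "token as a Key Vault secret" approach recommended in the two answers above, as an added example in Go that is not code from the question or from any answer. It derives a charset-safe secret name per (provider, user), stores the token material as JSON with a secret expiry matching the refresh token's lifetime, and keeps the vault behind a small interface: in production that is azsecrets.Client's SetSecret (with an expiry attribute) and GetSecret, here an in-memory store so the code runs offline. The server-side naming key, the `idp-token-` prefix, the record layout and the sample tokens are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"sync"
	"time"
)

// Key Vault object names must be 1-127 characters drawn from [0-9A-Za-z-], so an
// identity-provider subject such as "google-oauth2|1076915035000615071" cannot be
// used as a secret name as-is.
var secretNameRe = regexp.MustCompile(`^[0-9A-Za-z-]{1,127}$`)

// SecretName derives a deterministic, charset-safe secret name for one user's token
// at one provider. The (provider, subject) pair is HMACed under a server-side naming
// key (an assumption of this example) so that listing the vault does not reveal
// provider user ids; the 10-char prefix plus 64 hex chars stays under 127.
func SecretName(namingKey []byte, provider, subject string) string {
	mac := hmac.New(sha256.New, namingKey)
	mac.Write([]byte(provider))
	mac.Write([]byte{0}) // separator so ("ab","c") and ("a","bc") differ
	mac.Write([]byte(subject))
	return "idp-token-" + hex.EncodeToString(mac.Sum(nil))
}

// TokenRecord is the secret value (as JSON): what is needed to call the provider on
// the user's behalf and to refresh later.
type TokenRecord struct {
	Provider        string    `json:"provider"`
	AccessToken     string    `json:"access_token"`
	RefreshToken    string    `json:"refresh_token,omitempty"`
	AccessExpiresAt time.Time `json:"access_expires_at"`
}

// SecretStore is the subset of Key Vault operations used here. Key Vault evaluates
// expiry server-side; the in-memory store takes "now" explicitly so it can be tested.
type SecretStore interface {
	Set(name, value string, expires time.Time) error
	Get(name string, now time.Time) (string, error)
}

type memItem struct {
	value   string
	expires time.Time
}

// MemoryStore is an offline stand-in for azsecrets.Client, not a production store.
type MemoryStore struct {
	mu    sync.Mutex
	items map[string]memItem
}

func NewMemoryStore() *MemoryStore { return &MemoryStore{items: map[string]memItem{}} }

func (s *MemoryStore) Set(name, value string, expires time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[name] = memItem{value: value, expires: expires}
	return nil
}

func (s *MemoryStore) Get(name string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, ok := s.items[name]
	if !ok {
		return "", errors.New("secret not found")
	}
	if !now.Before(it.expires) { // mirrors Key Vault refusing reads of an expired secret
		return "", errors.New("secret expired")
	}
	return it.value, nil
}

// TokenVault stores one secret per (provider, user).
type TokenVault struct {
	Store     SecretStore
	NamingKey []byte
}

// Save writes the record; keepUntil should be the refresh token's lifetime (or the
// access token's when there is none) so stale credentials do not linger in the vault.
func (v *TokenVault) Save(subject string, rec TokenRecord, keepUntil time.Time) error {
	name := SecretName(v.NamingKey, rec.Provider, subject)
	if !secretNameRe.MatchString(name) {
		return fmt.Errorf("derived secret name %q violates Key Vault naming rules", name)
	}
	b, err := json.Marshal(rec)
	if err != nil {
		return err
	}
	return v.Store.Set(name, string(b), keepUntil)
}

func (v *TokenVault) Load(provider, subject string, now time.Time) (TokenRecord, error) {
	var rec TokenRecord
	raw, err := v.Store.Get(SecretName(v.NamingKey, provider, subject), now)
	if err != nil {
		return rec, err
	}
	err = json.Unmarshal([]byte(raw), &rec)
	return rec, err
}

func main() {
	now := time.Now()
	v := &TokenVault{Store: NewMemoryStore(), NamingKey: []byte("example-naming-key")}
	rec := TokenRecord{Provider: "github", AccessToken: "constructed-access-token",
		RefreshToken: "constructed-refresh-token", AccessExpiresAt: now.Add(time.Hour)}
	if err := v.Save("user-42", rec, now.Add(90*24*time.Hour)); err != nil {
		panic(err)
	}
	got, err := v.Load("github", "user-42", now)
	fmt.Println(got.AccessToken, err)
}
```

With the real client the secret's expiry is passed as an attribute on SetSecret; the retry policy built into the Azure SDK already backs off on 429 responses from the vault, so the per-user naming above is the main thing left for the application to get right.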

It's worth bearing in mind the service limits for KeyVault:

Secrets, managed storage account keys, and vault transactions: 2,000 Maximum transactions allowed in 10 seconds, per vault per region

A subscription-wide limit for all transaction types is five times per key vault limit. For example, HSM-other transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.

The specifics can be found here: Azure Key Vault service limits

Depending upon your scalability targets you may also wish to consider Cosmos DB:

Cosmos DB isn't cheap, but it is very scalable and supports encryption at rest.

Encryption at rest is a phrase that commonly refers to the encryption of data on nonvolatile storage devices, such as solid state drives (SSDs) and hard disk drives (HDDs). Cosmos DB stores its primary databases on SSDs. Its media attachments and backups are stored in Azure Blob storage, which is generally backed up by HDDs. With the release of encryption at rest for Cosmos DB, all your databases, media attachments, and backups are encrypted. Your data is now encrypted in transit (over the network) and at rest (nonvolatile storage), giving you end-to-end encryption.

As a PaaS service, Cosmos DB is very easy to use. Because all user data stored in Cosmos DB is encrypted at rest and in transport, you don't have to take any action. Another way to put this is that encryption at rest is "on" by default. There are no controls to turn it off or on. Azure Cosmos DB uses AES-256 encryption on all regions where the account is running. We provide this feature while we continue to meet our availability and performance SLAs.

https://learn.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest

Alex KeySmith
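One way to stay under the Key Vault transaction limit quoted above while still keeping the key in Key Vault, added here as an example and not part of the answer: envelope encryption. Only the data-encryption key (DEK) is wrapped and unwrapped through Key Vault, once per process start or rotation rather than once per token read, and the encrypted tokens live in SQL or Cosmos DB next to the wrapped DEK. In production the KeyWrapper would be azkeys.Client's WrapKey/UnwrapKey against a Key Vault key (an assumption of this example, not something the answer describes); the local AES-GCM wrapper is a stand-in so the code runs offline, and binding the user id as associated data is this example's design choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyWrapper models the only operation that must touch Key Vault: wrapping and
// unwrapping a DEK under a key-encryption key (KEK) that never leaves the vault.
type KeyWrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// localWrapper wraps with AES-256-GCM under an in-process KEK. It is NOT a
// substitute for Key Vault; it exists so the code path can be exercised offline.
type localWrapper struct{ aead cipher.AEAD }

func NewLocalWrapper(kek []byte) (*localWrapper, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &localWrapper{aead: aead}, nil
}

func (w *localWrapper) Wrap(dek []byte) ([]byte, error) {
	nonce := make([]byte, w.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return w.aead.Seal(nonce, nonce, dek, nil), nil // nonce || ciphertext || tag
}

func (w *localWrapper) Unwrap(wrapped []byte) ([]byte, error) {
	n := w.aead.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return w.aead.Open(nil, wrapped[:n], wrapped[n:], nil)
}

// TokenCipher encrypts tokens with a DEK cached in memory. Key Vault is hit once to
// unwrap the DEK, so per-request token reads cost zero vault transactions no matter
// how many users there are.
type TokenCipher struct {
	WrappedDEK []byte // persisted next to the ciphertexts (e.g. a key table row)
	aead       cipher.AEAD
}

// NewTokenCipher generates a fresh 256-bit DEK, wraps it through the KeyWrapper and
// keeps the plaintext DEK only in memory.
func NewTokenCipher(w KeyWrapper) (*TokenCipher, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := w.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return OpenTokenCipher(w, wrapped)
}

// OpenTokenCipher rebuilds the cipher from a stored wrapped DEK: one unwrap call
// per process start.
func OpenTokenCipher(w KeyWrapper, wrapped []byte) (*TokenCipher, error) {
	dek, err := w.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenCipher{WrappedDEK: wrapped, aead: aead}, nil
}

// Seal encrypts one user's token. The user id is bound as associated data, so a
// ciphertext copied into another user's row by someone with database write access
// fails to decrypt instead of yielding a usable token.
func (c *TokenCipher) Seal(userID string, token []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, token, []byte(userID)), nil
}

func (c *TokenCipher) Open(userID string, blob []byte) ([]byte, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(userID))
}

func main() {
	w, _ := NewLocalWrapper(make([]byte, 32)) // zero KEK: demo only
	c, _ := NewTokenCipher(w)
	blob, _ := c.Seal("user-42", []byte("constructed-access-token"))
	pt, err := c.Open("user-42", blob)
	fmt.Printf("%s %v\n", pt, err)
}
```

Rotation then means generating a new DEK, re-encrypting rows, and storing the new wrapped DEK; the KEK in Key Vault can be rotated independently by re-wrapping the DEKs, and neither operation scales with the number of tokens read per second.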