Over a million developers have joined DZone.

Azure Vault Key Security Pattern: Cloud Design Patterns, Part I

DZone's Guide to

Azure Vault Key Security Pattern: Cloud Design Patterns, Part I

A discussion of how proper design patterns can lead to increased security, and the benefits that Azure Vault Key brings in terms of cloud security.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

With this post, I am starting a series of posts on Cloud design patterns. These patterns are mostly generic and can be used with any cloud provider, but, in this series, I will mainly focus on Azure.

Let us first look at some of the basic pieces of information about these design patterns.

What Is a Software Design Pattern?

As per Wikipedia:

  • "In software engineering, a software design pattern is a general, reusable solution to a commonly occurring problem within a given context in software design."
  • "It is not a finished design that can be transformed directly into the source or machine code."
  • "It is a description or template for how to solve a problem that can be used in many different situations."
  • "Design patterns are formalized best practices that the programmer can use to solve common problems when designing an application or system."

In other words:

  • When we start creating an application or module from scratch, we face some softwaredesign problems.
  • We want to implement the best solution for our product.
  • The solution to common software design problems is called the design pattern.
  • Design patterns are really useful when you are working on a system's architecture.

What Is a Cloud Design Pattern?

  • The concepts of design patterns apply here as well, but, instead of software, we work for the best solution for the cloud.
  • We should use some of the solutions which have proven to be thebest solutions for the cloud; these solutions are known as cloud design patterns.

As security is my favorite topic, let us start with a design pattern for security in the cloud.

Vault Key Design Pattern

Let us understand this with a simple example:

  • Imagine you have an application in whichthe client can upload or download various files and these files are managed in a cloud storage system.
  • To perform these upload/download operations, the application needs to fetch the files from the cloud storage system and give the data back to the client or get the file from the client and send it to the cloud.
  • Web applications might use streams or different operations to achieve the above process.
  • Here, your web application is handling many things, like all the upload/download operations required, along with the security mechanisms required to connect to the cloud storage system.
  • But, we should understand that cloud storage has that capability to manage the upload/download process. 
  • In such cases, the web application should offload some of the work to the cloud storage system and should allow the client to directly deal with cloud storage.
  • But, in such cases, security is a big concern because you are directly allowing the client to access your cloud storage.
  • To deal with this situation, we need a pattern to help.

Introducing the Vault-Key Pattern in Azure

  • One of the solutions to the situation we discussed above would be to provide a runtime generated key/token to the client, thus allowing the client tp access the storage using that key/token.
  • As you can see above, whenever the client wants to perform upload/download operations with the cloud storage system, the web application will provide the token to the client.
  • The client can use this token to access the cloud storage.
  • Note that these keys become invalid after a set amount of time.

As per the Microsoft documentation on Valet Keys:

  • "Use a token or key that provides clients with restricted, direct access to a specific resource or service in order to offload data transfer operations from the application code."
  • "This pattern is particularly useful in applications that use cloud-hosted storage systems or queues, and can minimize cost and maximize scalability and performance."

So if your client needs to upload the file then they need to write below code in the client:

// Make sure the endpoint matches with the web role's endpoint.
var tokenServiceEndpoint = ConfigurationManager.AppSettings["serviceEndpointUrl"];

try {
 var blobSas = GetBlobSas(new Uri(tokenServiceEndpoint)).Result;

 // Create storage credentials object based on SAS
 var credentials = new StorageCredentials(blobSas.Credentials);

 // Using the returned SAS credentials and BLOB Uri create a block blob instance to upload
 var blob = new CloudBlockBlob(blobSas.BlobUri, credentials);

 using(var stream = GetFileToUpload(10)) {
  blob.UploadFromStream(stream); ////

 Console.WriteLine("Blob uploaded successful: {0}", blobSas.Name);
} catch (Exception ex) {

Note - I have used sample code from the mspnp project. This is just one piece of code, the whole code base can be found here.

Some important points to consider when you are going to use the Vault Key design pattern:

  • Validate the upload/download operations because a hacker can misuse the keys.
  • Enable logging for all the operations related to Vault Key.
  • Use HTTPS to deliver the keys securely to the client.
  • Allow only specific permissions to the client; keys can be configured accordingly.
  • The key should be disabled after a specific time to make the process more secure; the time frame should not be too short or too long.
  • The client should always notify the application when they are done with the operations required by cloud storage.

Some of the benefits of the Vault Key pattern:

  • Maximize the performance and scalability of the application by offloading the work which can be handled by the cloud storage system.
  • Minimize the cost by redirecting the clients to the cloud storage system.
  • It's very helpful for large upload/download operations.
  • It's useful when the data is stored in different data centers.

If you are more interested in the AWS cloud, then there is a Key Management System (KMS) in AWS which is the alternative to Azure Vault Key. More details can be found here.

If you want to know more about Vault Key coding, I have forked the code from the Microsoft samples for this pattern, which you can find here.

Hope this helps!

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

security ,cloud security ,azure cloud management ,data security ,software design

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}