Set up customer-managed keys (CMK)

Manage data-at-rest encryption using your own encryption keys. For more information, please visit the customer-managed keys documentation.

Transcript
All right, let’s talk about customer managed keys. Customer managed keys was created to meet the needs of the security architect. This feature empowers Adobe Experience Platform customers to manage data-at-rest encryption by providing access to key management.
Customer managed keys is a premium feature for Privacy and Security Shield, as well as Healthcare Shield. Adobe Experience Platform provides out-of-the-box data-in-transit and data-at-rest encryption. This feature allows the customer to encrypt data using their keys, providing them control over the encryption of their data. In addition, the management of the key is completely controlled by the customer. It provides them a single management service to de-authorize access to data covered by the key, meaning that a customer, for example, could rework the key and Adobe wouldn’t be able to perform any operations on that data.
For this feature, the customer would need to license, configure and manage their key vault within Azure. Adobe Experience Platform provides a customer with the CMK app. This CMK application is an Azure Active Directory application. Once this application is installed within the customer key vault with the appropriate permission, it provides Adobe Experience Platform access to the customer’s key vault.
The enable process is a one-time setup and can be broken down into four steps that span across the customer’s Azure instance and Adobe Experience Platform. Step one, the customer would configure their key vault and key as per their internal policies. There’ll be some recommendations on the key vault setup in our Experience League documentation as well. Step two, the CMK app can be retrieved using Adobe Experience Platform APIs. Once the customer has the CMK application information, they’ll be able to register the CMK app within their key vault with the appropriate user roles. Step three, provide Adobe Experience Platform the key identifier by making a POST call to provision the IMS Org with CMK. Step four, verify the customer IMS Org has been provisioned with CMK. Now let’s dive into the demo to look at these four steps. For the purposes of this demo, I have logged in as a customer to illustrate the steps within Azure. The first step involves configuring the key vault and key within Azure. Let’s go ahead and create a key vault.
The next couple of steps are pretty straightforward and can be configured per the customer’s internal security policies. Let’s go ahead and create this key vault. In the interest of time, I’ve gone ahead and created a key within the key vault. This key identifier will be shared with Adobe Experience Platform in the later steps. For the purposes of this demo, I have retrieved the information regarding the CMK app using Adobe Experience Platform APIs, and registered the CMK app within the key vault. As you can see on the screen, I’ll be providing the CMK app the ability to read metadata of the keys and perform wrap and unwrap operations. Let’s go ahead and set this up.
Now the CMK app has a necessary permission. This marks the completion of the key vault setup and the CMK app within Azure. The next step is to provision the IMS Org with the key identifier using Adobe Experience Platform APIs. I have jumped into Postman. My Postman environment has been set up to make API calls to AP customer mirror IMS Org.
In this POST call, I’ll be configuring the AP customer mirror IMS Org with the key provisioned in the earlier steps.
Let’s go ahead and make this POST call.
After we receive a 202 response, further GET calls can be made to verify that the AP customer mirror IMS Org has been provisioned with CMK. This marks the end of this demo as well as the presentation. Thank you.
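The transcript gives the CMK app two responsibilities in the customer's vault (read key metadata, wrap and unwrap) and warns that losing the vault, key or app access means losing access to the data. The following Python script is an added example, not Adobe's or Microsoft's code, that a security architect could run as a pre-flight check before making the provisioning POST call: it validates the shape of the Key Vault key identifier that will be sent to Adobe Experience Platform, confirms the access-policy entry for the CMK app is least-privilege (exactly get, wrapKey, unwrapKey on keys and nothing on secrets or certificates), and flags vault settings that make accidental key loss easier. The input dictionaries are constructed samples; the property names `enableSoftDelete`, `enablePurgeProtection`, `objectId` and `permissions.keys` are assumptions modelled on Azure Key Vault's ARM representation, and the object ID and vault name are placeholders.

```python
"""Pre-flight checks for an Adobe Experience Platform CMK setup.

Added example (not Adobe's or Azure's code). Assumed input shapes:
- vault properties: {"enableSoftDelete": bool, "enablePurgeProtection": bool}
- access-policy entry: {"objectId": str, "permissions": {"keys": [...],
  "secrets": [...], "certificates": [...]}}
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

KEY_VAULT_SUFFIX = ".vault.azure.net"

# The CMK app only needs to read key metadata and wrap/unwrap data keys.
REQUIRED_KEY_PERMISSIONS = frozenset({"get", "wrapkey", "unwrapkey"})


def parse_key_identifier(key_id: str) -> Dict[str, Optional[str]]:
    """Split https://<vault>.vault.azure.net/keys/<name>[/<version>] into parts.

    Raises ValueError on any other shape so a typo is caught before the
    identifier is handed to the provisioning API.
    """
    url = urlparse(key_id)
    if url.scheme != "https":
        raise ValueError("key identifier must use https")
    host = url.hostname or ""
    if not host.endswith(KEY_VAULT_SUFFIX):
        raise ValueError("host is not a *.vault.azure.net Key Vault endpoint")
    parts = [p for p in url.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "keys":
        raise ValueError("path must be /keys/<name>[/<version>]")
    return {
        "vault": host[: -len(KEY_VAULT_SUFFIX)],
        "name": parts[1],
        "version": parts[2] if len(parts) == 3 else None,
    }


def check_cmk_app_policy(policy: dict, cmk_app_object_id: str) -> List[str]:
    """Return findings for the access-policy entry granted to the CMK app.

    An empty list means the entry is least-privilege for wrap/unwrap use.
    """
    findings = []
    if policy.get("objectId") != cmk_app_object_id:
        findings.append("policy entry is not for the CMK app object id")
    perms = policy.get("permissions", {})
    granted = {p.lower() for p in perms.get("keys", [])}
    missing = REQUIRED_KEY_PERMISSIONS - granted
    excess = granted - REQUIRED_KEY_PERMISSIONS
    if missing:
        findings.append("missing key permissions: " + ", ".join(sorted(missing)))
    if excess:
        findings.append("excess key permissions: " + ", ".join(sorted(excess)))
    for scope in ("secrets", "certificates"):
        if perms.get(scope):
            findings.append(f"CMK app does not need {scope} permissions")
    return findings


def check_vault_protection(vault_props: dict) -> List[str]:
    """Flag vault settings under which a deleted key (and the data) is unrecoverable."""
    findings = []
    if not vault_props.get("enableSoftDelete"):
        findings.append("soft delete is disabled: a deleted key cannot be recovered")
    if not vault_props.get("enablePurgeProtection"):
        findings.append("purge protection is disabled: a soft-deleted key can be purged")
    return findings


def preflight(key_id: str, policy: dict, vault_props: dict,
              cmk_app_object_id: str) -> Dict[str, List[str]]:
    """Run all checks; also confirm the policy belongs to the key's own vault."""
    key = parse_key_identifier(key_id)
    findings = {
        "policy": check_cmk_app_policy(policy, cmk_app_object_id),
        "vault": check_vault_protection(vault_props),
    }
    if vault_props.get("name") and vault_props["name"] != key["vault"]:
        findings["vault"].append("key identifier points at a different vault")
    return findings


# Constructed sample inputs (placeholder IDs, not real resources).
CMK_APP_OBJECT_ID = "00000000-0000-0000-0000-00000000cafe"  # placeholder
SAMPLE_KEY_ID = "https://example-vault.vault.azure.net/keys/aep-cmk/0123abcd"
SAMPLE_POLICY = {"objectId": CMK_APP_OBJECT_ID,
                 "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}
SAMPLE_VAULT = {"name": "example-vault", "enableSoftDelete": True,
                "enablePurgeProtection": True}

if __name__ == "__main__":
    result = preflight(SAMPLE_KEY_ID, SAMPLE_POLICY, SAMPLE_VAULT, CMK_APP_OBJECT_ID)
    for area, items in result.items():
        print(f"{area}: {'ok' if not items else '; '.join(items)}")
```

Run it against the real values from `az keyvault show` output (mapped into the assumed shape) before step three of the setup; any non-empty finding is a reason to fix the vault or policy first, because the WARNING below is unforgiving: once CMK is enabled there is no path back to system-managed keys.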
IMPORTANT
Customer-managed keys in Adobe Experience Platform are currently only available for customers of Healthcare Shield or Privacy and Security Shield.
WARNING
After setting up CMK, you cannot revert to system-managed keys. You are responsible for securely managing your keys and providing access to your Key Vault, Key, and CMK app within Azure to prevent losing access to your data.