What needs improvement with Microsoft Azure Key Vault?

Based on my three years of experience, I believe there have been no updates to Azure Key Vault. I think the product needs upgrades in terms of access control and certification improvements. While Azure Key Vault is highly recommended due to its availability and ability to store confidential information, improvements are needed regarding access permissions and certification management.

In terms of Azure Key Vault improvements, we have to compare the competitor. If we consider AWS, our bank has Microsoft PKI, which is a Microsoft product, for the entire digital certificate infrastructure. Even in the cloud, when it is AWS, the internal certificates are MS PKI. When we had a problem, users had to come to on-premise to get a certificate and import it to AWS Certificate Manager and assign it. We wondered why we could not issue the certificate directly from the cloud for cloud users. There was a simple way in AWS. They have a Private Certificate Authority (PCA) and Amazon Certificate Manager. Private Certificate Authority issues certificates to Amazon services. They also provide Amazon Certificate Manager to store and deploy certificates. These are two neat components - one is an issuer and another is storage and deployment solutions for certificates. With PCA, I can directly enable it and get certificates from AWS itself. AWS can issue SSL/TLS certificates if you enable it directly. If you consider Azure, it is not very clear. Even the naming convention, Key Vault, might not suggest that this is a PKI or certificate manager. You cannot issue certificates directly. They have app certificates and did not have a clear-cut certificate management solution in the cloud when I worked at that time. I am not sure whether they have updated Azure Key Vault as a full-fledged PKI solution now. From what I saw, it was not a full-fledged PKI solution. We are not majorly using Azure Key Vault because it is only for storing secrets. If some solutions can provide guidance on how we can maximize leverage, we can immediately look forward to doing that. We already have some business problems we want to solve. While our primary focus is AWS, many of the services such as ADO are running on Azure, and the secondary services are growing bigger.

The response time can be improved.

As of now, there are not any significant areas for improvement. I would suggest making the user interface a bit more friendly. I still use many commands and manage them through Terraform, subscription services, and similar methods. It would be beneficial for me to have a more robust desktop interface for Key Vault, similar to the interfaces provided by Azure Storage or Amazon S3 for managing storages.

When I made the support statement, it was about generic Azure support. In Azure, if I have an issue, I raise a case. That case initially goes to a common support bucket and then gets routed depending on the product after the first level of triage. Generally, that process is weak. The skill level of the support staff is also questionable.

I am not on the developer's end. I am primarily the main infrastructure person. I'm not sure what needs improvement. Sometimes, we face issues that the support team is not aware of, necessitating investigation from their end. For example, one of our certificates was not getting deployed, and during that time, the support team was unsure and had to connect with the back-end team for assistance. Improvements can be made in this area, however, it's understandable that not everything can be perfect.

The whole problem of password rotation could be improved. My security area wants to rotate passwords every day, every week, or every month, depending on the services. Password rotation related to QR needs enhancement, and I think this area could be more integrated. Currently, I use an external tool for password rotation, but it could be managed more internally.

Azure Key Vault has a lot of glitches. The solution's trial version should provide some more facilities so that people can try them and then decide whether to implement the tool in their project.

As of today, there is limited support for third-party vendors. You are forced to work with the vendors that Azure approves. Only a few and not all third-party vendors are supported on Azure Key Vault. It would be great if Azure allowed more third-party vendors into the ecosystem. Currently, the solution's pricing is based on the number of transactions, which is very high in some cases. The solution's pricing could also be reduced. Currently, dedicated Azure Key Vaults are not available in the UAE region. We are using a shared solution with other customers. There is a great need for certain customers who want dedicated hardware-based or physically segregated Azure Key Vault.

If I consider how some people complain that a solution to store information should be available at a low cost, I would say that Azure Key Vault's price should be made cheaper.

It would be great if it would integrate with other cloud solutions.

The product must provide AI features.

The solution could be cheaper.

Azure Key Vault is only available for Microsoft services, and it should be exposed to non-Microsoft cloud services, like GCP and Amazon.

Azure Key Vault takes time to fetch values while integrating it with the code written in .NET format.

The solution needs to improve reliability and protection.

The rotation of key needs improvement. It needs to offer dynamic secrets management.

There's room for improvement in cross-platform compatibility. It would be helpful if Azure Key Vault could be used with other cloud platforms besides Azure.

It is complicated to use different services and products along with Azure Key Vault. There should be a single vault for virtual servers, containers, and other services. It could be universal with the possibility to use all types of technologies.

While it is reliable, enhancing security and protection should always be the priority.

The solution needs to improve its cost.

The slow response from the support team is one of the shortcomings of the solution that needs to be improved.

It's currently very self-sufficient and doesn't need improvements. It's already a good service. We haven't faced any problems with the solution as such. The only issue we are facing is around the comparability with TerraForm, which we use to code the infrastructure. Sometimes there are issues there, even though it's not directly related to Microsoft. So far, it's served all of the client's purposes. We haven't come across a use case the solution could not handle. There are additional charges for data transfers. However, the pricing is mostly reasonable for the licensing overall.

They should add a key vault feature for the databases temporarily integrated into hybrid clouds. Also, they should make the key accessible once the databases migrate to another environment.

We can currently configure RBAC, Azure role-based access control, or a voucher access policy. The voucher access policy can be improved by configuring it based on groups, rather than just applications or users.

One of my previous clients was one of the big banks here in the Netherlands and the EU courts have stated that Microsoft Azure Key Vault is not, according to their perspective, secure due to the fact that Microsoft has access to Key Vault. If you cannot demonstrate that only you, as an organization, have access to your secrets, then you are not in control of your secrets. That is a concern. Also, a big issue is the configuration. It could be that the people working on the solution, the system engineers, might lack knowledge and not incorporate all the best practices from Microsoft. The way they've implemented it might not be the way Microsoft envisioned it. It's always back to who's implementing what for you as a solution.

Microsoft Azure Key Vault could improve by enhancing the security of credentials. Without the security or the use of key vaults, we would have to configure our credentials into the source code as plain text without the encryption or security.

It's too early for me to say with certainty, but what I'm seeing thus far is that Key Vault at face value is more of a secure store than it is a password manager. I suspect that we may be able to use logic apps to perform some actions that a password manager would, but a little more focus in this area would be beneficial.

If you check the capabilities of other key management services across Amazon, HashiCorp, and Google, there are features that Key Vault doesn't have. It could be the case that when you use Key Vault, you might be forced to use a third-party solution to get certain services. If those services could be included in Key Vault, there would be diminished reasons to go for a third-party key management system.

I would like more code examples.

Azure has great documentation, but I would like to see more use cases pertaining to specific industries. For example, case studies on how to use HIPAA compliant solutions in the healthcare industry or how to use PCI compliant data analytics solutions in the financial technology industry would be helpful.

The initial setup could be less complex for first-time users.

Azure needs to provide versions of Key Vault that are suitable for different sizes of companies. For example, we are not a big corporation that can afford corporate-level pricing. We have to strike a balance between the number of users and the volume of keys that are being used.

The solution could be improved by making it accessible to more people. The most significant additional feature I'd like to see would be the ability to access the system on the phone via my Microsoft login and to be able to manage the desktop file folders that way. That's something I look forward to.