What other advantages does using Azure Key Vault have over on-prem?

Question

For four months I've been developing a proof-of-concept console app, which uses Azure Key Vault for storing secrets. I've got it working fine. I also like the fact that Key Vault can be used for other things, such as keys and certificates. I believe that using Key Vault is the approach we should take, in removing secrets out of our repos and putting those secrets in a safe, secure place which can be managed in one location. And I think the price is quite reasonable.

However, another team has come up with what is an interesting alternative that's all on-prem. For a web app that runs on-prem, but is public facing, they've put all the developers into an Active Directory Group, so they could do development and testing. The really clever step they took next is they put the account that runs in the application pool on our server, and is used for connecting to the database, into the same AD Group. I've got to admit that this does get around using Azure for anything, which plays very well to our management who are very afraid of using the Cloud for anything. And it plays well with the development team, who have people on it that don't want to go to the Cloud for anything, too.

Soon, I'd like to demonstrate my app to all of IT. And when that time comes, I'm sure that people on this other team will pipe up and say that they've got a working solution that costs nothing at all. (There's a common misconception frequently used here that the electricity, infrastructure, and personnel that feed and maintain the server are somehow free.) I am going to argue that using Key Vault makes it possible for us to host the web app either on-prem or in a VM in the Cloud or an Azure App Service. That even if we did migrate this web app to the Cloud, to duplicate what they've done, would mean we would have to run it in a VM, since we'd have to have access to IIS in the VM, so we could put the account in the IIS application pool into the same AD Group. First question, is my reasoning correct?

Secondly, I'd like to know if there are any other advantages that Key Vault has, over the solution that the other team has come up with?

Answer 1

Hi there Falanga, Rod, DOH

Thats a good question Thanks for using QandA platform

Comparing Key Vault to the on-prem

Key Vault ensures that secrets are not tied to a specific environment, enabling deployment in the cloud, on-premises, or in a hybrid setup without the hassle of managing secrets separately for each environment.

With Key Vault, you can seamlessly scale your secrets management as your application grows, leveraging Azure's high availability and reliability features to handle increased demand.

Key Vault benefits from Azure's robust security infrastructure, including encryption at rest, RBAC), and hardware security modules , ensuring enhanced protection of cryptographic keys.

While there may be initial costs associated with Azure services, the pay-as-you-go pricing model means you only pay for what you use. Additionally, the time and effort saved in managing on-premises infrastructure can lead to long-term cost savings.

If this helps kindly accept the answer thanks much.