Azure Key Vault

Has somebody been peeking at my X-mas list?

Indeed, one of the weaknesses of the current Azure PaaS offering I pointed out last year was that, on non-trivial solutions, you end up with plenty of secrets (e.g. user name / password, SAS, account keys, etc.) stored insecurely in your web.config (or a similar store).

I was suggesting, as a solution, to create a Secret Gateway between your application and a secret vault.

Essentially, Azure Key Vault fulfils the secret vault part and a part of the Secret Gateway too.

Azure Key Vault, a new Azure service currently (as of early February 2015) in Preview, allows you to store keys and other secrets in a vault.

One of the interesting features of Azure Key Vault is that, as a consumer, you authenticate as an Azure Active Directory (AAD) application to access the vault and are authorized as that application. You can therefore easily foresee scenarios where the only secret stored in your configuration is your AAD application credentials.

The vault also allows you to perform some cryptographic operations on your behalf, e.g. encrypting data using a key stored in the vault. This enables scenarios where the consuming application never sees the encryption keys. This is why I say that Azure Key Vault performs some of the functions I described for the Secret Gateway.
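Here is what that looks like from the application side, as an added example written against today's Azure.Security.KeyVault SDK rather than the 2015 preview API (this is not code from the original post). The vault URI, the secret and key names and the environment variable names are placeholders; the only secrets the application itself carries are its AAD application credentials.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Security.KeyVault.Secrets;

class Program
{
    static async Task Main()
    {
        // Placeholder vault address; the app config holds only the AAD
        // application credentials (tenant, client id, client secret).
        var vaultUri = new Uri("https://my-vault.vault.azure.net/");
        var credential = new ClientSecretCredential(
            Environment.GetEnvironmentVariable("AAD_TENANT_ID"),
            Environment.GetEnvironmentVariable("AAD_CLIENT_ID"),
            Environment.GetEnvironmentVariable("AAD_CLIENT_SECRET"));

        // 1. A secret that used to sit in web.config (e.g. a storage account key)
        //    is fetched at runtime; rotating it in the vault needs no redeploy.
        var secrets = new SecretClient(vaultUri, credential);
        KeyVaultSecret storageKey = await secrets.GetSecretAsync("storage-account-key");
        Console.WriteLine($"fetched secret version {storageKey.Properties.Version}");

        // 2. Encrypt with a vault key: the key material never leaves the vault,
        //    the app only ever handles plaintext and ciphertext.
        var keys = new KeyClient(vaultUri, credential);
        KeyVaultKey key = await keys.GetKeyAsync("data-protection-key");
        var crypto = new CryptographyClient(key.Id, credential);

        byte[] plaintext = Encoding.UTF8.GetBytes("payload to protect");
        EncryptResult enc = await crypto.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext);
        DecryptResult dec = await crypto.DecryptAsync(EncryptionAlgorithm.RsaOaep, enc.Ciphertext);

        bool roundTrip = Encoding.UTF8.GetString(dec.Plaintext) == "payload to protect";
        Console.WriteLine(roundTrip ? "round trip ok" : "round trip mismatch");
    }
}
```

Each call is authenticated as the AAD application, so the vault's access policy and its audit logs attribute every read and every cryptographic operation to that application.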

I see many advantages to using Azure Key Vault. Here are the ones that come to mind first:

  • Limit the amount of secrets stored in your application configuration file
  • Centralize the management of secrets: if a key is compromised and you want to change it, there is no need to chase the config files storing it; simply change it in one place, in the vault.
  • Put secrets in the right place: what is unique to your application? The application itself, i.e. its AAD application credentials. Those go in your app config file; everything else goes in the vault.
  • Audit secret access
  • Easy to revoke access to secrets
  • Etc.

I think that, to be airtight, the Secret Gateway would still be interesting, i.e. an agent that authenticates on your behalf and returns you only a token. This way, if your application is compromised, only temporary tokens are leaked, not the master keys.

But with Azure Key Vault, even without a Secret Gateway, if your master keys are compromised you can centrally rotate them (i.e. change them) without touching N applications.

I’m looking forward to seeing where this service is going to grow and will certainly consider it in future PaaS architectures.

Twenty Years of Machine Learning at Microsoft

Machine Learning is the new kid on the block.

This is of special interest to me since I specialized in that field 15 years ago, only to “unspecialize” three years later after being discouraged by the lack of a real market for the discipline. Back then (early 2000s) ML applications were always academically inspired, with little true business value delivered. I could see the potential of the field, but I experienced hands-on the difficulties of truly implementing ML in business.

The tide seems to have turned with a few critical successes behind us (e.g. decent voice recognition, handwriting recognition, automatic translation and, more recently, self-driving cars). One of the key success factors is the scale of data that modern computing capacity can process.

But, like many new buzzwords, Machine Learning has simply been steadily improving and has just crossed a critical-mass barrier.

One way to see this is to look at Microsoft’s history with the field of Machine Learning. That article relates the beginnings, in 1992 at Microsoft Research, and the constant impact it has had on Microsoft products: content-based spam detection, SQL Server Data Mining, Kinect and the rest. The most recent impact on Microsoft products has of course been Microsoft Azure ML.

(A visible absentee in the line-up is of course Clippy, Microsoft Office’s 1997 assistant, which I remember reading was the first true productization of ML at Microsoft.)

As you go through this history, you’ll realise the recent buzz truly is simply a line in the sand that has been crossed, while progress has been constant, if accelerating.

The limits of DocumentDB Preview Release

I was looking for the limits of the DocumentDB Standard Tier, the only tier available during the preview release. It wasn’t all that trivial to find, so here it is:

Among the limits that may constrain your solution:

  • Only 3 collections per Capacity Unit (but 100 Databases, the container of collections, per account)
  • 25 stored procs (or UDFs or triggers) per collection
  • Maximum request size for documents & attachments: 256 KB
  • Maximum response size: 1Mb
  • Maximum number of AND (and OR) clauses per query: 5

As you can see, the current limits of DocumentDB are quite aggressive. The NoSQL database is highly performant, and it seems that this performance comes at a cost.

We can expect those limits to be loosened in the near future though. It is typical for a preview release to be sandboxed. Likewise, we can expect the product to become available in more regions.

Gamification / Habit-Forming Products

I found this very informative introductory article on Wired on how addiction works in products such as Facebook or Candy Crush.

I’ve been exposed to the concepts in recent years thanks to a friend of mine who became an expert on gamification. It turns out that the mechanics used to get you hooked on various video games were extracted and are now used to get you hooked on other products.

To GIT or not To GIT

GIT, the one that vanquished them all. Gee… I can’t get my head around that product!

I spent an entire 5-month project using it and I still don’t get it. True, I used it with the proverbial 10-foot pole, with a minimal subset of features and with no integration into Visual Studio (thanks to a weird network setup on the project).

Anyway… since then I keep wearing my paper bag on my head when people talk about GIT eloquently. But soon, I won’t. Jacob Gube has published a post with not one but three ways to learn GIT.

So if you are like me, a social renegade because of your ignorance, consult that post and together we might emerge from the darkness that has been our lives for the last couple of years :)