
Commit 8af3740

msmbaldwin and Copilot committed
Audit and restructure secure-cloud-hsm.md to security horizontal standard
- Add Zero Trust banner (required for all security horizontal articles)
- Restructure to standard section ordering: Service-specific security, Network security, Identity and access management, Data protection, Logging and monitoring, Backup and recovery
- Remove prohibited [!IMPORTANT] and [!NOTE] callouts
- Add per-recommendation documentation links (See [Link] format)
- Fix typo: 'you longer need' → 'you no longer need'
- Fix broken link: just-in-time-access-usage → just-in-time-access-overview
- Align title (remove 'Microsoft' prefix for consistency)
- Update ms.topic to conceptual, ms.date to 03/31/2026
- Add missing content: managed identity, key caching, FIPS context
- Merge User management + Authentication into Identity and access management
- Merge Key management into Data protection
- Add Zero Trust guidance center to Related content

Co-authored-by: Copilot <[email protected]>
1 parent e9e1569 commit 8af3740

1 file changed

Lines changed: 45 additions & 57 deletions

@@ -1,10 +1,10 @@
11
---
2-
title: Best Practices for Securing Microsoft Azure Cloud HSM
3-
description: Learn the best practices for securing and managing Microsoft Azure Cloud HSM to help protect cryptographic keys and sensitive workloads.
2+
title: Secure your Azure Cloud HSM deployment
3+
description: Learn best practices for securing Azure Cloud HSM to help protect cryptographic keys and sensitive workloads.
44
author: msmbaldwin
55
ms.service: azure-cloud-hsm
6-
ms.topic: best-practice
7-
ms.date: 09/26/2025
6+
ms.topic: conceptual
7+
ms.date: 03/31/2026
88
ai-usage: ai-assisted
99
ms.custom: horz-security
1010
ms.author: mbaldwin
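Review bot: ms.date on line 7+ jumps from 09/26/2025 to 03/31/2026, several months past the previous value; confirm this is the intended review date for the horizontal audit rather than a placeholder, since the rest of the frontmatter change (title, description, ms.topic) is consistent with the commit message but the date is not explained there beyond "Update ms.date".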
@@ -14,99 +14,87 @@ ms.author: mbaldwin
1414

1515
# Secure your Azure Cloud HSM deployment
1616

17-
Microsoft Azure Cloud HSM provides a high-assurance hardware security module (HSM) solution for protecting cryptographic keys and securing sensitive workloads in the cloud. Implementing security best practices is essential to prevent unauthorized access, maintain operational integrity, and optimize performance.
17+
Azure Cloud HSM provides a high-assurance hardware security module (HSM) solution for protecting cryptographic keys and securing sensitive workloads in the cloud. Implementing security best practices is essential to prevent unauthorized access, maintain operational integrity, and optimize performance.
1818

19-
This article provides guidance on how to best secure your Cloud HSM deployment.
19+
This article provides security recommendations to help protect your Azure Cloud HSM deployment.
2020

21-
## Security and compliance
21+
[!INCLUDE [Security horizontal Zero Trust statement](~/reusable-content/ce-skilling/azure/includes/security/zero-trust-security-horizontal.md)]
2222

23-
- **Protect root of trust**: We advise customers to limit access to the Partition Owner of the Application Partition (POTA) private key (`PO.key`). The Admin of the Application Partition (AOTA) and POTA private keys are equivalent to root access. They can reset passwords for cryptography officer (CO) users in a partition (AOTA for partition 0, POTA for user partitions).
23+
## Service-specific security
2424

25-
`PO.key` is unnecessary for HSM access during runtime. It's required only for the initial signing of Partition Owner Authentication Certificate (POAC) and CO password resets. We recommend storing `PO.key` offline and performing the initial POAC signing on an offline machine, if possible.
25+
Azure Cloud HSM is a single-tenant, FIPS 140-3 Level 3 validated service that grants customers complete administrative authority over their HSMs. Protecting the root of trust is critical to maintaining the security of your deployment.
2626

27-
> [!IMPORTANT]
28-
> Customers are accountable for safeguarding their POTA private key. Losing the POTA private key results in the inability to recover CO passwords. We advise customers to securely store their POTA private key and maintain suitable backups.
27+
- **Restrict access to the Partition Owner private key**: Limit access to the Partition Owner of the Application Partition (POTA) private key (`PO.key`). The Admin of the Application Partition (AOTA) and POTA private keys are equivalent to root access and can reset passwords for cryptography officer (CO) users in a partition (AOTA for partition 0, POTA for user partitions). `PO.key` is unnecessary for HSM access during runtime. It's required only for the initial signing of Partition Owner Authentication Certificate (POAC) and CO password resets. Store `PO.key` offline and perform the initial POAC signing on an offline machine, if possible. Customers are accountable for safeguarding their POTA private key — losing it results in the inability to recover CO passwords. Securely store the POTA private key and maintain suitable backups. See [User management in Azure Cloud HSM](user-management.md).
2928

30-
## Network security
29+
## Network security
3130

32-
Ensuring strong network security is essential when you're using Azure Cloud HSM. Properly configuring your network can help prevent unauthorized access and reduce exposure to external threats. For more information, see [Network security for Azure Cloud HSM](network-security.md).
31+
Properly configuring your network can help prevent unauthorized access and reduce exposure to external threats.
3332

34-
- **Use private endpoints**: Help secure your Azure Cloud HSM deployment by using private subnets and private endpoints to prevent exposure to the public internet. This action ensures that traffic remains within the Microsoft backbone network, which reduces the risk of unauthorized access.
33+
- **Use private endpoints**: Help secure your Azure Cloud HSM deployment by using private subnets and private endpoints to prevent exposure to the public internet. This approach ensures that traffic remains within the Microsoft backbone network, which reduces the risk of unauthorized access. See [Network security for Azure Cloud HSM](network-security.md).
3534

36-
## User management
35+
## Identity and access management
3736

38-
Effective user management is crucial for maintaining the security and integrity of Azure Cloud HSM. Implementing proper controls for user identities, credentials, and permissions can help prevent unauthorized access and ensure operational continuity. For more information, see [User management in Azure Cloud HSM](user-management.md).
37+
Effective user management and authentication controls are crucial for maintaining the security and integrity of Azure Cloud HSM. Implementing proper controls for user identities, credentials, and permissions can help prevent unauthorized access and ensure operational continuity.
3938

40-
- **Use strong passwords**: Create unique, strong passwords for HSM users. Use at least 12 characters, including a mix of uppercase and lowercase letters, numbers, and special characters.
39+
- **Use strong passwords**: Create unique, strong passwords for HSM users. Use at least 12 characters, including a mix of uppercase and lowercase letters, numbers, and special characters. See [User management in Azure Cloud HSM](user-management.md#use-strong-passwords).
4140

42-
- **Secure your HSM user credentials**: Protect your HSM user credentials carefully, because Microsoft can't recover them if they're lost.
41+
- **Secure your HSM user credentials**: Protect your HSM user credentials carefully, because Microsoft can't recover them if they're lost. See [User management in Azure Cloud HSM](user-management.md#secure-your-hsm-user-credentials).
4342

44-
- **Implement secondary admins for lockout prevention**: Designate at least two administrators to prevent HSM lockout in case one password is lost.
43+
- **Implement secondary admins for lockout prevention**: Designate at least two administrators to prevent HSM lockout in case one password is lost. See [User management in Azure Cloud HSM](user-management.md#implement-secondary-admins-for-lockout-prevention).
4544

46-
- **Establish multiple cryptography users (CUs) with restricted permissions**: Create multiple CUs with distinct responsibilities to prevent any single user from having full control.
45+
- **Establish multiple cryptography users (CUs) with restricted permissions**: Create multiple CUs with distinct responsibilities to prevent any single user from having full control. See [User management in Azure Cloud HSM](user-management.md#establish-multiple-cryptography-users-with-restricted-permissions).
4746

48-
- **Limit the ability of CUs to export keys**: Restrict CUs from exporting key material by setting appropriate user attributes.
47+
- **Limit the ability of CUs to export keys**: Restrict CUs from exporting key material by setting appropriate user attributes. See [User management in Azure Cloud HSM](user-management.md#limit-the-ability-of-cryptography-users-to-export-keys).
4948

50-
- **Limit CO control over CUs**: Use the `disableUserAccess` command to prevent CO users from managing specific CUs. However, CO users can bypass this command with older backups.
49+
- **Limit CO control over CUs**: Use the `disableUserAccess` command to prevent CO users from managing specific CUs. CO users can bypass this command with older backups. See [User management in Azure Cloud HSM](user-management.md#limit-cryptography-officer-control-over-cryptography-users).
5150

52-
## Key management
51+
- **Configure managed identities**: Establish user-assigned managed identities for backup and restore operations and for VMs that perform administrative actions. See [User management in Azure Cloud HSM](user-management.md#establish-a-user-managed-identity).
5352

54-
Effective key management is critical for optimizing the performance, security, and efficiency of Azure Cloud HSM. Proper handling of key storage limits, key wrapping security, key attributes, and caching strategies can improve protection and performance. For more information, see [Key management in Azure Cloud HSM](key-management.md).
53+
- **Securely store HSM credentials**: Protect stored credentials and avoid exposing them when they're not in use. Configure your environment to retrieve and set credentials automatically. See [Authentication in Azure Cloud HSM](authentication.md).
5554

56-
- **Implement key rotation**: Regularly rotate keys to replace older ones and free up storage while maintaining security.
55+
- **Use implicit login for JCE authentication**: Whenever possible, use implicit login for Java Cryptography Extension (JCE) authentication to allow automatic credential management and reauthentication. See [Authentication in Azure Cloud HSM](authentication.md#jce-authentication).
5756

58-
- **Use a key hierarchy**: Store fewer keys in the HSM by using master keys to encrypt other keys.
57+
- **Avoid sharing sessions across threads**: For multithreaded applications, assign each thread its own session to prevent conflicts and security issues. See [Authentication in Azure Cloud HSM](authentication.md#multithreading-techniques).
5958

60-
- **Share and reuse keys when feasible**: Reduce storage requirements by sharing or reusing keys across multiple sessions when appropriate.
59+
- **Implement client-side retries**: Add retry logic for HSM operations to handle potential maintenance events or HSM replacements. See [Authentication in Azure Cloud HSM](authentication.md#retries-for-integration-of-hsm-operations).
6160

62-
- **Securely delete unused keys**: Remove keys that you longer need, to prevent unnecessary storage consumption.
61+
- **Manage HSM client sessions carefully**: Be aware that `azurecloudhsm_client` shares sessions across applications on the same host. Proper session management avoids conflicts. See [Authentication in Azure Cloud HSM](authentication.md#cloud-hsm-client-session-handling).
6362

64-
- **Set keys as non-extractable when possible**: Use `EXTRACTABLE=0` to ensure that keys can't be exported outside the HSM.
63+
## Data protection
6564

66-
- **Enable trusted key wrapping**: Use `WRAP_WITH_TRUSTED=1` to restrict key wrapping to trusted keys. This action prevents unauthorized key exports.
65+
Proper handling of key storage limits, key wrapping security, key attributes, and caching strategies can improve protection and performance.
6766

68-
- **Use key attributes to restrict permissions**: Assign only necessary attributes when you're generating keys, to limit unintended operations.
67+
- **Implement key rotation**: Regularly rotate keys to replace older ones and free up storage while maintaining security. See [Key management in Azure Cloud HSM](key-management.md#manage-the-key-storage-limit).
6968

70-
## Authentication
69+
- **Use a key hierarchy**: Store fewer keys in the HSM by using master keys to encrypt other keys. See [Key management in Azure Cloud HSM](key-management.md#manage-the-key-storage-limit).
7170

72-
Authentication is a crucial aspect of securely accessing and operating within Azure Cloud HSM. Proper authentication methods help protect credentials and ensure secure access control. For more information, see [Authentication in Azure Cloud HSM](authentication.md).
71+
- **Share and reuse keys when feasible**: Reduce storage requirements by sharing or reusing keys across multiple sessions when appropriate. See [Key management in Azure Cloud HSM](key-management.md#manage-the-key-storage-limit).
7372

74-
- **Securely store HSM credentials**: Protect stored credentials and avoid exposing them when they're not in use. Configure your environment to retrieve and set credentials automatically.
73+
- **Securely delete unused keys**: Remove keys that you no longer need, to prevent unnecessary storage consumption. See [Key management in Azure Cloud HSM](key-management.md#manage-the-key-storage-limit).
7574

76-
- **Use implicit login for Java Cryptography Extension (JCE) authentication**: Whenever possible, use implicit login for JCE authentication to allow automatic credential management and reauthentication.
75+
- **Set keys as nonextractable when possible**: Use `EXTRACTABLE=0` to ensure that keys can't be exported outside the HSM. See [Key management in Azure Cloud HSM](key-management.md#manage-key-wrapping).
7776

78-
- **Avoid sharing sessions across threads**: For multithreaded applications, assign each thread its own session to prevent conflicts and security issues.
77+
- **Enable trusted key wrapping**: Use `WRAP_WITH_TRUSTED=1` to restrict key wrapping to trusted keys. This action prevents unauthorized key exports. See [Key management in Azure Cloud HSM](key-management.md#manage-key-wrapping).
7978

80-
- **Implement client-side retries**: Add retry logic for HSM operations to handle potential maintenance events or HSM replacements.
79+
- **Use key attributes to restrict permissions**: Assign only necessary attributes when you're generating keys, to limit unintended operations. See [Key management in Azure Cloud HSM](key-management.md#employ-key-attributes-to-manage-key-permissions).
8180

82-
- **Manage HSM client sessions carefully**: Be aware that `azurecloudhsm_client` shares sessions across applications on the same host. Proper session management avoids conflicts.
81+
- **Cache key objects for performance**: Use key-finding commands only once during application startup and store the returned key object in application memory to reduce latency. See [Key management in Azure Cloud HSM](key-management.md#optimize-latency-by-caching-key-objects).
8382

84-
## Monitoring and logging
83+
## Logging and monitoring
8584

86-
- **Monitor audit and operations logs**: We recommend that you configure operation event logging. Operation event logging is vital for HSM security. It provides an immutable record of access and operations for accountability, traceability, and regulatory compliance. It helps detect unauthorized access, investigate incidents, and identify anomalies, to help ensure the integrity and confidentiality of cryptographic operations.
85+
- **Configure operation event logging**: Operation event logging is vital for HSM security. It provides an immutable record of access and operations for accountability, traceability, and regulatory compliance. It helps detect unauthorized access, investigate incidents, and identify anomalies, to help ensure the integrity and confidentiality of cryptographic operations. To maintain security and privacy, logs exclude sensitive data (such as key IDs, key names, and user details). They capture HSM operations, timestamps, and metadata, but they can't determine success or failure because the HSM operation occurs within the inner TLS channel. See [Tutorial: Operation event logging in Azure Cloud HSM](tutorial-operation-event-logging.md).
8786

88-
To maintain security and privacy, logs exclude sensitive data (such as key IDs, key names, and user details). They capture HSM operations, time stamps, and metadata, but they can't determine success or failure. They can only log the fact that the operation was executed. This limitation exists because the HSM operation occurs within the inner TLS channel, which is not exposed outside that boundary.
87+
## Backup and recovery
8988

90-
## Business continuity and disaster recovery
89+
Azure Cloud HSM provides high availability through clustered HSMs that synchronize keys and policies while automatically migrating workloads during failures.
9190

92-
- **Implement robust backup and disaster recovery**: Azure Cloud HSM provides high availability through clustered HSMs that synchronize keys and policies while automatically migrating workloads during failures. The service supports comprehensive backup and restore operations that preserve all keys, attributes, and role assignments. Backups are secured by HSM-derived keys that Microsoft can't access.
91+
- **Implement robust backup and disaster recovery**: The service supports comprehensive backup and restore operations that preserve all keys, attributes, and role assignments. Backups are secured by HSM-derived keys that Microsoft can't access. Azure Cloud HSM doesn't support restoring to already activated HSMs. For business continuity, use managed identities for authentication, store backups in private Azure Blob Storage, implement minimal role-based access control (RBAC) permissions, and disable shared key access. Additional recovery options include using `extractMaskedObject` to extract keys as encrypted blobs, storing them securely, and importing them with `insertMaskedObject` as needed. Deploy in two regions for failover capability. See [Back up and restore Azure Cloud HSM resources](backup-restore.md).
9392

94-
For business continuity and disaster recovery (BCDR):
95-
96-
- Use managed identities for authentication.
97-
- Store backups in private Azure Blob Storage.
98-
- Implement minimal role-based access control (RBAC) permissions.
99-
- Disable shared key access.
100-
101-
> [!NOTE]
102-
> Azure Cloud HSM doesn't support restoring to already activated HSMs.
103-
104-
For detailed implementation instructions and additional recovery options, see [Backup and restore in Azure Cloud HSM](backup-restore.md). Additional recovery options include using `extractMaskedObject` to extract keys as encrypted blobs, storing them securely, and importing them with `insertMaskedObject` as needed. A BCDR best practice is to deploy in two regions for failover capability.
105-
106-
- **Verify user and key synchronization across all nodes**: Azure Cloud HSM operates as a cluster of three nodes. During service events such as self-healing or upgrades, users or keys might not be replicated to all nodes. If you experience intermittent authentication or operation failures, verify that all users and keys exist on every node. For verification and remediation steps, see [Synchronize users and keys across Azure Cloud HSM nodes](synchronize-users-keys.md).
93+
- **Verify user and key synchronization across all nodes**: Azure Cloud HSM operates as a cluster of three nodes. During service events such as self-healing or upgrades, users or keys might not be replicated to all nodes. If you experience intermittent authentication or operation failures, verify that all users and keys exist on every node. See [Synchronize users and keys across Azure Cloud HSM nodes](synchronize-users-keys.md).
10794

10895
## Related content
10996

11097
- [Security best practices for IaaS workloads in Azure](/azure/security/fundamentals/iaas)
111-
- [Enable just-in-time access to virtual machines](/azure/defender-for-cloud/just-in-time-access-usage)
98+
- [Enable just-in-time access to virtual machines](/azure/defender-for-cloud/just-in-time-access-overview)
11299
- [Adopt a Zero Trust approach](/azure/security/fundamentals/network-best-practices#adopt-a-zero-trust-approach)
100+
- [Zero Trust guidance center](/security/zero-trust/zero-trust-overview)
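Review bot: in the merged Identity and access management section, bullets 41+ ("Secure your HSM user credentials") and 53+ ("Securely store HSM credentials") now give overlapping advice in the same list; consider folding them into one bullet that carries both links (user-management.md#secure-your-hsm-user-credentials and authentication.md) so readers are not handed two near-duplicate recommendations. Separately, the restore limitation that used to be a standalone [!NOTE] ("Azure Cloud HSM doesn't support restoring to already activated HSMs") is now the fourth sentence of the long bullet at 91+; since callouts are prohibited, giving that constraint its own bullet would keep it visible to anyone planning a recovery procedure.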
