
Atlassian's Solution for Multi-Region Encryption and Decryption - AWS Summit Sydney


Atlassian runs a global SaaS platform where security and customer privacy are critical. This talk focuses on the solution they built using KMS and IAM to provide resilient cross-region encryption and decryption, optimised for performance. Come and learn how Atlassian approached this challenge, and built a solution using a combination of AWS services and the AWS Encryption SDK.



  1. AWS Summit Sydney
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Atlassian's Solution for Multi-Region Encryption and Decryption. Tom Knight, Developer, Atlassian; Martien Verbruggen, Architect, Atlassian
  3-7. Atlassian creates cloud products for more customers (one slide built up over five steps)
  8. Atlassian's Platform as a Service: Micros
  9-10. Micros, our PaaS: Developers, Services, Resources
  11. Cryptor use case: database credentials. Applications run in Region 1, Region 2 ... Region X, each with its own config. The DB Manager (1) creates the database and (2) stores the credentials; an application (3) gets the credentials and (4) connects.
  12. Cryptor use case: confidential messages. A Producer in Region 1 writes messages; Consumers in Region 2 and Region 4 read them; a service in Region 4 that is not a consumer cannot.
  13-17. Cryptor optimises for: Security (manage keys and authorisation); Resilience (Never™ fail); Performance (deal with latency and scale); Ease of use (simple API, standard metrics, multi-region)
  18. Why not just use KMS? Single-region; performance; resilience. On the other side: trusted; secure; powerful authZ
  19. Solution: use the SDK and customise. The application, in any region, talks to KMS 1, KMS 2 and KMS 3 in Region 1, Region 2 and Region 3, with a TTL-based cache and an encryption envelope.
  20. AWS Encryption SDK example (Kotlin):

        val cache = LocalCryptoMaterialsCache(KMS_MAX_CACHE_SIZE)
        val keyProvider = MultipleProviderFactory.buildMultiProvider(KmsMasterKey::class.java, keys)
        val cmm = CachingCryptoMaterialsManager
            .newBuilder()
            .withMasterKeyProvider(keyProvider)
            .withCache(cache)
            .withMaxAge(KMS_MAX_CACHE_AGE, TimeUnit.SECONDS)
            .build()

  21. Multi-region; Fault tolerance; Performance; Implementation
  22. Solution: Encryption. Multiple regions: quorum of 2 out of 3 regions (configurable). Bespoke encryption context. Improve data key reuse: encryption pooling, pre-fetch data keys, usage and TTL limits.
  23. Encryption context: metadata; an extra layer of security
  24. (repeat of slide 22)
  25. Solution: Decryption. Decryption caching; latency-based selection of KMS; fetch keys in parallel; data keys are decrypted in parallel.
  26. Solution: Integration. Java library (most widely used language in Atlassian). Sidecar: Docker container with 2 API endpoints, a Java library with Spring Boot.
  27. Sample code for library call (Kotlin):

        // Setup
        val cryptorClient = CryptorClientFactory.build(keyAliasList, config)
        // Values
        val originalPlainText = "Encrypt Me"
        val encryptionContext = mapOf("CustomerId" to "123456")
        // Encrypt and Decrypt
        val cipherText = cryptorClient.encrypt(keyAlias, originalPlainText, encryptionContext)
        val plainText = cryptorClient.decrypt(cipherText, encryptionContext)

  28. Sample REST call
  29. Solution: service descriptor (Micros):

        name: encrypting-service
        organization: foo
        ...
        resources:
          - type: cryptor
            name: secret-key
            decryptors:
              - secret-reader
              - secret-checker
              - audit-agent

  30. Solution: PaaS and resource provider. A Cryptor account and a Micros account. Keys, roles and policies live in AWS IAM and AWS KMS; Micros calls the Cryptor provider with setup(@roles, key-alias).
  31. Solution: Operational. Standard metrics and logs from the sidecar, visible to service owners, security and the central team. Standard configuration: standardised cache configurations, multi-region configurations.
  32. Metrics dashboard
  33-37. Summary: Security; Resilience; Performance; Ease of use
  38. Open source: announcement when we ship it, at https://www.atlassian.com/blog/technology
  39. Thank you! Tom Knight, Martien Verbruggen
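The quorum encryption (slide 22) and latency-ordered decryption with encryption context binding (slides 23 and 25) as an added Python example; this is not Atlassian's Cryptor code, and the per-region KMS keys are replaced by a constructed HMAC/XOR stand-in (RegionalKms, with made-up region names, secrets and latencies). Encryption succeeds only when at least `quorum` regions wrap the data key; decryption needs any one healthy region holding a copy and rejects a mismatched encryption context.

```python
import hashlib, hmac
from concurrent.futures import ThreadPoolExecutor

TAG_LEN = 16  # truncated HMAC tag appended to each wrapped key

class RegionalKms:
    """Stand-in for one region's KMS key (constructed for this example, not the real service)."""
    def __init__(self, region, master_secret, latency_ms, healthy=True):
        self.region, self.master, self.latency_ms, self.healthy = region, master_secret, latency_ms, healthy

    def _wrap_key(self, context):
        # Derive the wrapping key from the encryption context, so a different context cannot unwrap.
        ctx = ";".join(f"{k}={context[k]}" for k in sorted(context)).encode()
        return hmac.new(self.master, ctx, hashlib.sha256).digest()

    def wrap(self, data_key, context):
        if not self.healthy:
            raise RuntimeError(f"{self.region} unavailable")
        k = self._wrap_key(context)
        blob = bytes(a ^ b for a, b in zip(data_key, k))  # toy XOR wrap of a 32-byte data key
        return blob + hmac.new(k, blob, hashlib.sha256).digest()[:TAG_LEN]

    def unwrap(self, wrapped, context):
        k = self._wrap_key(context)
        blob, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(k, blob, hashlib.sha256).digest()[:TAG_LEN]):
            raise ValueError(f"{self.region}: encryption context mismatch or tampered blob")
        return bytes(a ^ b for a, b in zip(blob, k))

def encrypt_data_key(regions, data_key, context, quorum=2):
    """Wrap the data key in every region in parallel; fail unless at least `quorum` regions answered."""
    with ThreadPoolExecutor(max_workers=len(regions)) as pool:
        futures = {r.region: pool.submit(r.wrap, data_key, context) for r in regions}
    wrapped = {}
    for region, fut in futures.items():
        try:
            wrapped[region] = fut.result()
        except RuntimeError:
            pass  # that region is down; the quorum check below decides whether that matters
    if len(wrapped) < quorum:
        raise RuntimeError(f"only {len(wrapped)} of {len(regions)} regions wrapped the key; quorum is {quorum}")
    return wrapped  # stored alongside the ciphertext, one entry per region that answered

def decrypt_data_key(regions, wrapped, context):
    """Any single region holding a copy is enough; try the lowest-latency healthy region first."""
    for kms in sorted(regions, key=lambda r: r.latency_ms):
        if kms.region in wrapped and kms.healthy:
            return kms.unwrap(wrapped[kms.region], context)
    raise RuntimeError("no region available to unwrap the data key")
```

With one of three regions down the encrypt still meets a quorum of 2, and a later outage of the fastest region makes decrypt fall through to the next region that holds a copy.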
