This session will discuss the options available for encrypting data at rest and managing keys in AWS. It focuses on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples are presented to show what drives adoption of specific encryption technologies in AWS. Netflix's Jason Chan will give an overview of how Netflix uses CloudHSM for secure key storage.
2. “Key” Questions to Consider
• Where are the keys stored?
• Where are the keys used?
• Who has access to the keys?
3. Agenda
• AWS encrypts data and manages the keys for you
• You encrypt your data and manage your own keys
– On your own
– With AWS partner solutions
– Using AWS CloudHSM
• Netflix case study using AWS CloudHSM
– Key management based on data classification
6. Server-Side Encryption
(Diagram: your applications, in your data center or in Amazon EC2, send data over HTTPS to AWS storage services: S3, Glacier, Redshift, RDS for Oracle and RDS for MS-SQL)
8. How AWS Protects Encryption Keys
• The AWS service generates a unique 256-bit AES data key per object, archive, cluster or database
• The service uses regularly rotated, regional 256-bit AES master keys to encrypt the data keys
• Your encrypted data key is stored with your encrypted data
• Strict access controls govern which AWS employees can access/manage the regional master keys
(Diagram: the service host holding your plaintext data produces encrypted data for the service host that stores it; the data key is encrypted by service hosts holding the regional master keys, and the encrypted data key is stored alongside the encrypted data)
10. Client-Side Encryption: Overview
(Diagram: your encryption client application, running in Amazon EC2 or in your data center, obtains keys from your key management infrastructure, located either on premises or in EC2, and writes your encrypted data to AWS services)
11. Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs
(Diagram: the same layout as the overview, with the AWS SDK's S3 Encryption Client acting as your encryption client application and your encrypted data stored in Amazon S3)
12. Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs
• Client creates a dynamic 256-bit data key
• You supply the key-encrypting key
– Symmetric or asymmetric (public portion)
• Uses JCE (can optionally configure the crypto provider)
• Encrypted data key stored with the encrypted data in S3, as object metadata or an instruction file
• Available in the Java, Ruby and .NET AWS SDKs
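The envelope-encryption pattern behind slides 8 and 12, written out as an added Ruby example (not code from this deck, the AWS SDK or the S3 Encryption Client): a fresh 256-bit data key per object, wrapped under a master key, with the wrapped key kept beside the ciphertext as metadata, plus the master-key rotation slide 8 mentions. It uses OpenSSL from Ruby's standard library in place of JCE, and the in-memory master keys and their labels are constructed stand-ins for AWS's regional master key or your own key-encrypting key.

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption: one fresh 256-bit data key per object, wrapped under a
# master (key-encrypting) key that is stored beside the ciphertext as metadata.
module Envelope
  IV_LEN = 12   # GCM nonce length produced by random_iv for aes-256-gcm
  TAG_LEN = 16  # GCM authentication tag length

  # AES-256-GCM; returns iv || tag || ciphertext so one blob is self-describing.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm')
    c.encrypt
    c.key = key
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    iv + c.auth_tag + ct
  end

  # Reverses seal. A wrong key or any tampering with the blob makes final
  # raise OpenSSL::Cipher::CipherError, so bad metadata cannot slip through.
  def self.unseal(key, blob)
    c = OpenSSL::Cipher.new('aes-256-gcm')
    c.decrypt
    c.key = key
    c.iv = blob[0, IV_LEN]
    c.auth_tag = blob[IV_LEN, TAG_LEN]
    c.update(blob[(IV_LEN + TAG_LEN)..-1]) + c.final
  end

  # Returns the stored object: ciphertext plus its metadata (wrapped data key
  # and the label of the master key that wrapped it). master_id is a label only.
  def self.encrypt(master, master_id, plaintext)
    data_key = SecureRandom.random_bytes(32) # 256-bit data key, never stored bare
    { ciphertext: seal(data_key, plaintext),
      wrapped_key: seal(master, data_key),
      master_id: master_id }
  end

  def self.decrypt(master, obj)
    unseal(unseal(master, obj[:wrapped_key]), obj[:ciphertext])
  end

  # Master-key rotation (slide 8): unwrap with the old master, re-wrap with the
  # new one. The object ciphertext is untouched, which is what keeps rotation cheap.
  def self.rotate(old_master, new_master, new_id, obj)
    data_key = unseal(old_master, obj[:wrapped_key])
    obj.merge(wrapped_key: seal(new_master, data_key), master_id: new_id)
  end
end
```

With a real KEK in CloudHSM, only the two calls that touch the master key (wrapping and unwrapping the 32-byte data key) would go to the HSM; bulk data encryption stays on the client.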
13. What About Key Management Infrastructure?
(Diagram: the client-side encryption overview again, highlighting the key management infrastructure, in your data center or in EC2, that your encryption client application depends on before writing encrypted data to AWS services)
17. HSM – Hardware Security Module
• Hardware device for crypto operations and key storage
• Provides strong protection of private keys
– Physical device control does not grant access to the keys
– Security officer controls access to the keys
– Appliance administrator has no access to the keys
• Certified by third parties to comply with security standards
18. AWS CloudHSM
• You receive dedicated access to HSM appliances
• HSMs are located in AWS data centers
• Managed & monitored by AWS
• You control the keys
• HSMs are inside your VPC – isolated from the rest of the network
• Uses SafeNet Luna SA HSM appliances
(Diagram: the CloudHSM appliance sits inside your Virtual Private Cloud; the AWS administrator manages the appliance, while you control the keys and crypto operations)
19. AWS CloudHSM: What’s New
• Available in four regions worldwide
– US East (N. Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney)
• Easy to get started
– AWS CloudFormation template
– Application notes to help integrate with third-party software
• PCI DSS compliance
– CloudHSM added to the AWS 2013 PCI DSS compliance package
20. Database Encryption
• Customer-managed databases in EC2
– Oracle Database 11g TDE (Transparent Data Encryption)
– Microsoft SQL Server 2008 and 2012 TDE
– Master key in CloudHSM
(Diagram: your database with TDE in EC2 and your applications in EC2, alongside CloudHSM; the master key is created in the HSM and never leaves it)
21. EBS Volume Encryption
• SafeNet ProtectV with Virtual KeySecure
• CloudHSM stores the master key
(Diagram: SafeNet ProtectV Manager and Virtual KeySecure in EC2, your applications in EC2 running the SafeNet ProtectV Client, CloudHSM, and your encrypted data in Amazon EBS)
ProtectV Client
• Encrypts I/O from EC2 instances to EBS volumes
• Includes pre-boot authentication
22. S3 Encryption
Encryption of S3 objects using master keys in CloudHSM
(Diagram: your applications in EC2 use SafeNet ProtectApp with the AWS S3 Encryption Client; SafeNet Virtual KeySecure in EC2 fronts CloudHSM, and your encrypted data is stored in an S3 bucket)
23. Amazon Redshift Encryption
• Cluster master key in an on-premises SafeNet HSM or CloudHSM
• No special client software required
(Diagram: your applications in EC2 talk to the Redshift cluster, which holds your encrypted data and obtains its cluster master key from CloudHSM)
24. CloudHSM: Custom Software Applications
An architectural building block to help you secure your own applications
• Use standard libraries, with a back-end HSM rather than software-based crypto
– PKCS#11, JCA/JCE, Microsoft CAPI/CNG
• Code examples and details in the CloudHSM Getting Started Guide make it easier to get started (aws.amazon.com/cloudhsm)
26. Entersekt: Securing Financial Transactions
• Custom application using CloudHSM
– Authenticate financial transactions using a mobile device
– Based on digital certificates (PKI)
– Stores private signing keys in CloudHSM appliances
– Private keys used for cert-based auth. (vs. SMS or passwords)
– CloudHSM generates random numbers (instead of the mobile device RNG)
• Migrated application infrastructure to AWS while enhancing security
28. vs. (image slide)
• No injuries playing paintball
– But, you’ll lose
• Bomb technicians don’t wear paintball suits
– Even if they are easier to work in
29. Netflix Key Management
Lots of use cases for keying material
• Password reset tokens
• Data encryption
• DRM
• Hash/verify
How do we handle key management?
• It depends
– Paintballs or pipe bombs?
• What are the throughput requirements?
• What happens if we lose a key?
– Inconvenient or catastrophic
30. Key Management: Sensitivity Levels
• Low: Key is provided to the end instance
– High throughput, resistant to backend outages
• Medium: Key lives on the crypto proxy/scale-out layer
– Each crypto operation is a REST call
• High: Key lives in AWS CloudHSM
– Crypto proxy layer implements the call on behalf of the originating client
31. Why Netflix Needs Strong Security: CloudHSM Use Cases
• Proxy layer key database encryption/decryption
– HSM-based key protects the database of low and medium sensitivity keys
• Hardware root of trust for the internal CA
• Device activation
– The process of binding devices (NRDs) to accounts
• Currently analyzing use cases for PCI in the cloud
32. Goals
• Remove data center dependencies and complexity
• Increase reliability
• Increase performance
33. Approach
• HSMs per region/environment
• Updated our crypto client and proxy (migrated from SafeNet DataSecure in the data center to Luna in the cloud)
• Migrated keys
• Decommissioned data center configuration
34. Results
• Using AWS CloudHSM with HSM appliances in US-East, US-West, and EU-West
• Lower latency and high security
• Eliminate on-premises data center-based HSM/KM
• Saves money – 33% savings over original projections
(Diagram: the application and its HSM client run on a VPC instance inside a Virtual Private Cloud in AWS and talk to CloudHSM over SSL)
35. Resources
• Whitepaper on data-at-rest encryption and key management in AWS
– https://aws.amazon.com/whitepapers/
• S3 Encryption Client
– http://aws.amazon.com/articles/2850096021478074
• AWS CloudHSM
– https://aws.amazon.com/cloudhsm/
• AWS Partner Network
– http://www.aws-partner-directory.com/
• AWS Security Blog
– http://blogs.aws.amazon.com/security
36. Please give us your feedback on this presentation (session SEC304)