Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
•
12 recomendaciones•17,357 vistas
This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate adoption drivers of specific encryption technologies in AWS. Netflix Jason Chan will provide an overview of how NetFlix uses CloudHSM for secure key storage.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Similar a Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Similar a Encryption and key management in AWS (SEC304) | AWS re:Invent 2013 (20)
Más de Amazon Web Services
Más de Amazon Web Services (20)
Último
Último (20)
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
- 1. SEC 304: Encryption and Key Management in AWS Ken Beer, Identity and Access Management Todd Cignetti, AWS Security Jason Chan, Netflix November 15, 2013 © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
- 2. “Key” Questions to Consider • Where are the keys stored? • Where are the keys used? • Who has access to the keys?
- 3. Agenda • AWS encrypts data and manages the keys for you • You encrypt your data and manage your own keys – On your own – With AWS partner solutions – Using AWS CloudHSM • Netflix case study using AWS CloudHSM – Key management based on data classification
- 4. Envelope Encryption Primer Hardware/ Software Symmetric Data Key Plaintext Data ? Encrypted Data Encrypted Data in Storage ? Key Hierarchy Symmetric Data Key Key-Encrypting Key Encrypted Data Key
- 5. Server-Side Encryption AWS encrypts data and manages keys for you
- 6. Server-Side Encryption Your applications in your data center Your applications in Amazon EC2 HTTPS AWS Storage Services S3 Glacier Redshift RDS for Oracle RDS for MS-SQL
- 7. S3 Server Side Encryption
- 8. How AWS Protects Encryption Keys • AWS service generates unique 256-bit AES data key per object, archive, cluster or database • Service uses regularly rotated, regional 256-bit AES master keys to encrypt data keys • Your encrypted data key is stored with your encrypted data • Strict access controls on AWS employees who can access/manage regional master keys Service host with your plaintext data Service host with your stored data Encrypted Data Service hosts with regional master keys Encrypted data key
- 9. Client-Side Encryption You encrypt your data and manage your own keys
- 10. Client-Side Encryption Overview Your key management infrastructure Your application in Amazon EC2 Your key management infrastructure in EC2 Your applications in your data center … Your encryption client application Your Encrypted Data in AWS Services
- 11. Client-Side Encryption Amazon S3 Encryption Client with AWS SDKs Your key management infrastructure Your application in Amazon EC2 Your key management infrastructure in EC2 Your applications in your data center AWS SDK with Your encryption S3 Encryption Client client application Your Encrypted Data in Amazon S3
- 12. Client-Side Encryption Amazon S3 Encryption Client with AWS SDKs • Client creates dynamic 256-bit data key • You supply the key-encrypting key – Symmetric or asymmetric (public portion) • Uses JCE (can optionally configure crypto provider) • Encrypted data key stored with encrypted data in S3 as object metadata or instruction file • Available in Java, Ruby and .NET AWS SDKs
- 13. What About Key Management Infrastructure? Your key management infrastructure Your application in Amazon EC2 Your key management infrastructure in EC2 Your applications in your data center … Your encryption client application Your Encrypted Data in AWS Services
- 14. Key Management Infrastructure • Secure the usage of keys • Secure the storage of keys
- 15. Client-Side Encryption Using an AWS partner solution Solutions for EC2, EBS, S3, RDS, and EMR
- 16. Client-Side Encryption You encrypt your data and manage your own keys in AWS CloudHSM
- 17. HSM – Hardware Security Module • Hardware device for crypto operations and key storage • Provides strong protection of private keys – Physical device control does not grant access to the keys – Security officer controls access to the keys – Appliance administrator has no access to the keys • Certified by third parties to comply with security standards HSM
- 18. AWS CloudHSM • You receive dedicated access to HSM appliances • HSMs are located in AWS data centers • Managed & monitored by AWS • You control the keys • HSMs are inside your VPC – isolated from the rest of the network • Uses SafeNet Luna SA HSM appliances AWS Administrator – manages the appliance CloudHSM You – control keys and crypto operations Virtual Private Cloud
- 19. AWS CloudHSM: What’s New • Available in four regions worldwide – US East (N. Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) • Easy to get started – AWS CloudFormation template – Application notes to help integrate with third-party software • PCI DSS compliance – CloudHSM added to AWS 2013 PCI DSS compliance package
- 20. Database Encryption • Customer-managed databases in EC2 – Oracle Database 11g TDE (Transparent Data Encryption) – Microsoft SQL Server 2008 and 2012 TDE – Master key in CloudHSM CloudHSM Master key is created in the HSM and never leaves Your database Your applications with TDE in EC2 in EC2
- 21. EBS Volume Encryption • • SafeNet ProtectV with Virtual KeySecure CloudHSM stores the master key SafeNet ProtectV Manager and Virtual KeySecure in EC2 Your applications in EC2 SafeNet ProtectV Client CloudHSM Your encrypted data in Amazon EBS ProtectV Client • Encrypts I/O from EC2 instances to EBS volumes • Includes pre-boot authentication
- 22. S3 Encryption Encryption of S3 objects using master keys in CloudHSM Your applications in EC2 Safenet ProtectApp with AWS S3 Encryption Client CloudHSM SafeNet virtual KeySecure in EC2 Your encrypted data in an S3 bucket
- 23. Amazon Redshift Encryption • Cluster master key in on-premises SafeNet HSM or CloudHSM • No special client software required CloudHSM Redshift Cluster Your encrypted data in Redshift Your applications in EC2
- 24. CloudHSM: Custom Software Applications An architectural building block to help you secure your own applications • Use standard libraries, with back-end HSM rather than softwarebased crypto – PKCS#11, JCA/JCE, Microsoft CAPI/CNG • Code examples and details in the CloudHSM Getting Started Guide make it easier to get started (aws.amazon.com/cloudhsm)
- 25. Customer Stories
- 26. Entersekt: Securing Financial Transactions • Custom application using CloudHSM – – – – – Authenticate financial transactions using a mobile device Based on digital certificates (PKI) Stores private signing keys in CloudHSM appliances Private keys used for cert-based auth. (vs. SMS or passwords) CloudHSM generates random numbers (instead of mobile device RNG) • Migrated application infrastructure to AWS while enhancing security
- 27. Netflix Key Management with CloudHSM Jason Chan Engineering Director, Cloud Security
- 28. vs. • No injuries playing paintball – But, you’ll lose • Bomb technicians don’t wear paintball suits – Even if they are easier to work in
- 29. Netflix Key Management Lots of use cases for keying material How do we handle key management? • • • • • It depends Password reset tokens Data encryption DRM Hash/verify – Paintballs or pipe bombs? • What are the throughput requirements? • What happens if we lose a key? – Inconvenient or catastrophic
- 30. Key Management: Sensitivity Levels • Low: Key is provided to end instance – High throughput, resistant to backend outages • Medium: Key lives on crypto proxy/scale-out layer – Each crypto operation is a REST call • High: Key lives in AWS CloudHSM – Crypto proxy layer implements call on behalf of originating client
- 31. Why Netflix needs strong security: CloudHSM Use Cases • Proxy layer key database encryption/decryption – HSM-based key to handle database of low and medium sensitivity keys • Hardware root of trust for internal CA • Device activation – The process of binding devices (NRDs) to accounts • Currently analyzing uses cases for PCI in the cloud
- 32. Goals • Remove data center dependencies and complexity • Increase reliability • Increase performance
- 33. Approach • HSMs per region/environment • Updated our crypto client and proxy (migrated from SafeNet DataSecure in the data center to Luna in the cloud) • Migrated keys • Decommissioned data center configuration
- 34. Results • Using AWS CloudHSM with HSM appliances in US-East, US-West, and EU-West • Lower latency and high security Application SSL • Eliminate on-premises data center-based HSM/KM • Saves money – 33% savings over original projections CloudHSM HSM Client VPC Instance Virtual Private Cloud AWS
- 35. Resources • Whitepaper on data-at-rest encryption and key management in AWS – https://aws.amazon.com/whitepapers/ • S3 Encryption Client – http://aws.amazon.com/articles/2850096021478074 • AWS CloudHSM – https://aws.amazon.com/cloudhsm/ • AWS Partner Network – http://www.aws-partner-directory.com/ • AWS Security Blog – http://blogs.aws.amazon.com/security
- 36. Please give us your feedback on this presentation SEC304 As a thank you, we will select prize winners daily for completed surveys!