Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Protecting Your Data With AWS KMS and AWS CloudHSM
1. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Protecting Your Data With AWS
KMS and AWS CloudHSM
Camil Samaha
2. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Agenda
• Overview of encryption options in AWS
– Client-Side Encryption: You encrypt your data and manage your
own keys; encryption is implemented in your code
– Server-Side Encryption: AWS encrypts data and manages the
keys for you; encryption is handled automatically
• Key Management:
– On your own*
– AWS Key Management Service (KMS)
– AWS CloudHSM
– Partner solutions
3. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Encryption Primer
Plaintext
Data
Hardware/
Software
Encrypted
Data
Encrypted
Data in Storage
Encrypted
Data Key
Symmetric
Data Key
Master KeySymmetric
Data Key
? Key Hierarchy
?
4. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
“Key” Questions to Consider
• Where are the keys stored?
• Where are the keys used?
• Who has access to the keys?
5. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Encryption Models
• Client-Side Encryption #1: You encrypt your data and
manage your own keys
• Client-Side Encryption #2: You encrypt your data but
utilize cloud services (AWS KMS or AWS CloudHSM) to
help manage your keys
• Server-Side Encryption: AWS encrypts data
automatically and manages the keys for you
6. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Client-Side Encryption
You encrypt your data and send to AWS service
7. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Client-Side Encryption
Your applications in your
data center
Your applications in
Amazon EC2Encrypted
Data
AWS Storage Services
S3 Glacier Redshift RDSEBS DynamoDB
8. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Client-Side Encryption
Overview
Your encryption
client application
Your key management
infrastructure
Your
applications
in your data
center
Your application in
Amazon EC2
Your key
management
infrastructure in EC2
Your Encrypted Data in AWS Services
…
9. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Server-Side Encryption
AWS services encrypt data for you
10. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Server-Side Encryption
HTTPS
Your applications in your
data center
Your applications in
Amazon EC2
AWS Storage Services
S3 Glacier Redshift RDS for
Oracle
RDS for
MS-SQL
EBS
11. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Amazon S3 Server Side Encryption
12. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
How SSE-S3 with AWS Managed Keys Works
Plaintext
Data
Encrypted
Data
Symmetric
Data KeyS3 Web Server
HTTPS
Customer
Data
Encrypted
Data Key
Master KeySymmetric
Data Key
S3 Storage
Fleet
A master key managed by the S3 service and
protected by systems internal to AWS
13. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
How SSE-C with Customer Provided Keys Works
Plaintext
Data
Encrypted
Data
Customer
Provided KeyS3 Web Server
HTTPS
Customer
Data
S3 Storage
Fleet
• Key is used at S3 Webserver, then deleted
• Customer must provide same key when
downloading to allow S3 to decrypt data
Customer
Provided Key
14. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
What About Key Management Infrastructure?
Your encryption
client application
Your
applications
in your data
center
Your application in
Amazon EC2
Your Encrypted Data in AWS Services
…
Your key
management
infrastructure in EC2
Your key management
infrastructure
15. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Introducing AWS Key Management Service
• A service that enables you to provision and use encryption keys to protect
your data
• Allows you to create, use, and manage encryption keys from within…
– Your own applications via AWS SDK
– Supported AWS services (S3, EBS, RDS, Redshift)
• Available in all commercial regions
16. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
How AWS Key Management Service Works
Crypto
operations on
customer
master keys
KMS Service
Endpoint
Client
(Customer or
AWS Service)
Data
Durable, Encrypted Key Store
AWS
Authorization
Client AuthN
and AuthZ
1
2
3
4 +
Data Key Encrypted Data Key
1. Client makes authenticated request of KMS for data key
2. KMS generates data key
3. KMS pulls encrypted customer master key from durable storage; decrypts in the KMS
crypto module
4. KMS encrypts data key with named customer master key and returns plaintext data key
and encrypted data key
5. Client uses data key to encrypt data, stores encrypted data key.
To decrypt: client submits encrypted data key to KMS for decryption; data key is needed to
decrypt data
KMS crypto module
5
17. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
How AWS Services Integrate with KMS
• 2-tiered key hierarchy using envelope
encryption
• Data keys encrypt customer data
• KMS master keys encrypt data keys
• Benefits:
• Limits blast radius of compromised
resources and their keys
• Better performance
• Easier to manage a small number of master
keys than billions of resource keys
Master Key(s)
Data Key 1
S3 Object EBS Volume RDS Instance Redshift
Cluster
Data encrypted
Data Key 2 Data Key 3 Data Key 4 Data Key 5
Your
Application
Keys encrypted
KMS
18. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Creating and managing keys in AWS KMS
19. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Amazon EBS encryption with AWS KMS
20. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS KMS gives you control
You define who can…
• Create a master key
• Use a master key
• Create and export a data key that is
encrypted by a master key
• Enable/disable master keys
• Audit use of master keys in AWS CloudTrail
21. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS KMS secures your keys
• Plaintext keys are never stored in persistent memory on
runtime systems
• Separation of duties
– AWS service team operators (S3, EBS, RDS) can’t access KMS
hosts that use master keys and KMS operators can’t access
service team hosts that use data keys
• Multi-party controls
– Normal operations require signatures from two or more KMS
operators on any API calls to an active host processing customer
keys
• Verified claims in SOC1 and public white papers
22. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Encryption and Key Management
with AWS CloudHSM
23. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
HSM – Hardware Security Module
• Hardware device for crypto ops and key storage
• Strong protection of private keys
– Physical device control does not grant access to the keys
– Security officer controls access to the keys
– Appliance administrator has no access to the keys
• Certified by 3rd parties to comply with security standards
HSM
24. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS CloudHSM
• You receive dedicated access to HSM
appliances
• HSMs are located in AWS datacenters
• Managed & monitored by AWS
• Only you have access to your keys and
operations on the keys
• HSMs are inside your VPC – isolated
from the rest of the network
• Uses SafeNet Luna SA HSM appliances
CloudHSM
AWS Administrator –
manages the appliance
You – control keys and
crypto operations
Virtual Private Cloud
25. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS CloudHSM
• Available in seven regions worldwide
– N. Virginia, Oregon, Ireland, Frankfurt, Sydney, Singapore,
and Tokyo
– Easy to get started
– AWS CloudFormation template
– Application notes to help integrate with 3rd party software
• Compliance
– Included in AWS PCI DSS and Service Organization
Control (SOC) compliance packages
26. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS CloudHSM
• Command Line Interface (CLI) Tools
– Easier automation and administration
• Public API & SDK
– Self-service provisioning and management
– Appliance administrator operations
• Auditing
– CloudTrail
– Syslog
27. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
SafeNet ProtectV Manager
and Virtual KeySecure
in Amazon EC2
Amazon EBS volume encryption
• SafeNet ProtectV with Virtual KeySecure
• AWS CloudHSM stores the master key
SafeNet
ProtectV
Client
AWS
CloudHSM
Your encrypted data
in Amazon EBS
Your applications
in Amazon EC2
ProtectV Client
• Encrypts I/O from
Amazon EC2 instances
to Amazon EBS volumes
• Includes pre-boot
authentication
28. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Comparing AWS CloudHSM with AWS KMS
AWS CloudHSM
• Dedicated access to HSM that
complies with government
standards (FIPS, CC)
• You control your keys and the
application software that uses
them
AWS KMS
• Builds on the strong protections
of an HSM foundation
• Highly available and durable key
storage, management, and
auditing solution
• Easily encrypt your data across
AWS services and within your
own applications based on
policies you define
29. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Key Management Options Comparison
On-Premises HSM AWS CloudHSM AWS Key
Management Service
Where keys are generated
and stored
Your network AWS AWS
Where keys are used Your network or your
EC2 instance
AWS + your network AWS
How to use keys Customer code Customer code +
Safenet APIs
Management Console,
AWS SDKs
Performance/Scale/HA
responsibility
You You AWS
AWS Services Integration? No Redshift Yes
Price $$$$ $$ $
Who controls key access Only You Only You You + AWS
30. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Alternate key management and
encryption solutions
31. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
AWS Marketplace for security
• Browse, test and buy security
software
• Pay-by-the-hour, monthly, or
annual
• Software fees added to AWS
bill
• Bring Your Own License
32. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Key management and client-side encryption
using an AWS partner solution
Solutions integrated with EC2, EBS, S3, and RDS
33. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Resources
• AWS Key Management Service
– https://aws.amazon.com/kms
• AWS CloudHSM
– https://aws.amazon.com/cloudhsm/
• Whitepaper on data-at-rest encryption and key management in AWS
– https://aws.amazon.com/whitepapers/
• S3 Encryption Client
– http://aws.amazon.com/articles/2850096021478074
• AWS Partner Network
– http://www.aws-partner-directory.com/
• AWS Security Blog
– http://blogs.aws.amazon.com/security
34. AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Notas del editor
In this session I will first cover encryption features within AWS services that allow you to encrypt your data at rest and you control some or all of the key management operations.
Next I’ll talk about encryption features within AWS services that automatically encrypts your data at rest with no key management responsibilities on your part.
Then I’ll address available options for managing the encryption keys.
*There are several dimensions here
1. Entirely in your code, on your own.
2. In your code but with help from CloudHSM.
3. In your code, but with help from KMS.
4. Automatically via CloudHSM (RedShift, RDS).
5. Automatically via KMS (...)
6. Partner solutions.
Before we discuss specific encryption and key management functions in AWS, let’s review how data encryption and key management is typically implemented.
A symmetric data key is generated from either software or hardware. Symmetric keys are preferable to asymmetric keys when you want to encryption data of an arbitrary size and have it be fast.
The key is used along with an encryption algorithm (like AES) and the resulting ciphertext is stored.
But what about the symmetric key you just used? You can’t store it with the encrypted data, that’s called “encraption”. You have to protect that key somehow.
The best practice is to encrypt the data key with yet another key, called a key-encrypting key. This key can be symmetric or asymmetric, but it needs to be derived and stored in a separate system than the one you’re processing your data in.
After you encrypt the data key with the key-encrypting key, you can then store the resulting ciphertext along with the encrypted data.
But what about the key-encrypting key? How do you protect that? You can iterate on the process of enveloping this key with additional keys as many times as you want; creating a key hierarchy. At some point, you’re going to need to be able to access a plaintext key that starts the “unwrapping” process to be able to derive the final data key to decrypt the data. The location and access controls around this key should be distinct from the ones used with the original data.
As you’re planning a strategy for encrypting data in AWS, there are three questions to consider.
Where are keys stored? On systems in your data center or in AWS storage services? What are the durability and availability implications of where your keys are stored?
Where are the keys used? Is it happening in code you control? On hosts you control? Or is it happening on your behalf in code or on hosts that AWS controls?
Who has direct access to the keys? Who has the authorization to use the keys, even if they don’t have direct access to the data?
Let’s talk about alternative methods that let you encrypt the data before you send it to the AWS service for storage. We call this method “client-side encryption” and you manage the keys used.
Let’s start with the case where all the encryption happens in your datacenter on systems you control. The code that performs the encryption has to get keys from somewhere – we’ll call that system your key management infrastructure.
Alternatively, your data and the code that performs the encryption may be in an EC2 instance. This code may call back to key management infrastructure in your datacenter or to a solution running on another EC2 instance.
After the data is encrypted by YOU with YOUT KEYS, it’s sent to whatever AWS service ultimately will store it. Note that decryption of this data can only happen in your code using keys under your control.
Your source data comes from either systems in your data center, or an EC2 instance. You can upload that data over a secure HTTPS connection to any of five AWS services that support automatic server-side encryption. The service endpoint will handle the encryption and key management processes for you.
With S3 and Redshift, encryption is an optional step you determine at the time you upload your data to the service.
With Glacier, all data is encrypted by default.
RDS for Oracle and Microsoft SQL use a feature specific to those database packages called Transparent Data Encryption, or TDE. TDE uses keys created in the database application along with keys created by AWS to protect your data.
This screenshot shows how you can choose to have server-side encryption applied to an object you upload through the console. Because this feature is controlled via API, 3rd party solutions that facilitate uploading data to S3 can expose this option as well. For those of you who use Cloudberry, you might be familiar with this option.
We’ve shown how AWS can help in terms of simplifying the process of actually encrypting data as a part of a PUT or GET call to an S3 bucket. But what about these two boxes on the screen labeled “Your key management infrastructure?” How do we help here?
First, let’s back up and talk about what is a hardware security module, or HSM.
An HSM is a purpose built device that is designed from the ground up to perform secure key storage and cryptographic operations. It is designed to protect the key material that is stored inside it. It is designed with physical and logical mechanisms to protect the keys. The physical protections include tamper detection and tamper response. When a tampering event is detected the HSM is designed to securely destroy the keys rather than risking compromise.
The logical protections include role based access controls that provide separation of duties and allow the “Appliance administrator” to manage the device, for example connecting it to the network and provisioning the IP address, SNMP and syslog destinations. A separate role for the security officer, controls access to and use of the keys and cryptographic operations on the keys. The security model that I’m explaining now is specific to the SafeNet Luna SA HSM, which is the HSM that we use today for the CloudHSM service, but HSMs generally have these properties.
Certification and validation by third parties, such as FIPS 140-2 and Common Criteria provide assurance by a third party that the HSM vendor designed and built the HSM securely.
Physical control of the device does not grant access to the keys
Tamper resistance/evidence
Separate roles for appliance administrator and security officer
Certified by 3rd parties to comply with security standards
FIPS 140-2
Common Criteria EAL4+
The AWS CloudHSM service provides dedicated access to HSM (Hardware Security Module) appliances.
The HSMs are located in AWS datacenters – physically near your workloads and accessible with minimal network latency.
The most important part about the CloudHSM service is that you and only you control the keys stored on the HSM. Because of the properties of the HSM that we discussed earlier, separation of duties and physical protection of the keys, and third party validation, you can trust that the HSM is securely storing your keys so that you and only you have access to the keys.
AWS manages and monitors the HSM appliances, but does not have access to the keys. In fact, if you lose the access to your credentials, AWS can’t help you recover your key material. You can recover from your own backup if you have a backup with the required credentials.
The CloudHSM appliances are inside your VPC, so you can use familiar network security groups and ACLs to limit access to the HSM.
We use SafeNet Luna SA HSMs with the service today.
CloudHSM customers are using it to protect master keys for database encryption such as Oracle TDE or MS SQL Server TDE, With Apache to protect the private key used to set up SSL connections, for Digital Rights Management (DRM), and for document signing.
You can find out more about CloudHSM at aws.amazon.com/cloudhsm
There are a couple new things with CloudHSM that I’d like to tell you about.
Existing regions are US East (Northern Virginia) and EU West (Ireland)
CloudFormation template configures a VPC, subnets, Security Groups and an EC2-VPC instance with SafeNet client software pre-installed
Application notes provide step-by-step instructions for integrating CloudHSM with third party application software
Application notes are authored by SafeNet and are linked from the AWS CloudHSM Getting Started Guide
Oracle Database
Microsoft SQL Server
SafeNet ProtectV and virtual KeySecure for EBS volume encryption
Apache – SSL session termination with private key stored in the HSM
Oracle Database and Microsoft SQL Server – you might want to mention that the customer has to stand up the database server him/herself – this is not the CloudHSM/RDS integration (our own SAs intially thought this meant RDS when I presented it to them at the Security SA meeting, so it bears clarification)
Apache – the Apache web server can terminate SSL sessions without ever exposing the customer’s private key. The server can use the private key stored in the HSM to authenticate itself to the browser, but it does so using crypto operations and keys within the HSM. The HSM is only used during the session setup phase, after which a shared symmetric encryption key is used to encrypt the bulk SSL traffic between the client browser and the Apache server. The performance may be limited by the HSM, so this solution may not be appropriate for all customers, but it does provide a solution for customers who do not want to give their private key to AWS. I [Todd] will be discussing this application with Trusteer, who is planning to test it, in the next week or two, so I should have more details about performance. SafeNet has told me that several of their customers are using this application.
PCI DSS compliance
CloudHSM added to 2013 PCI DSS Compliance package
May help with PCI key management requirements 3.5 and 3.6.
CloudTrail:
Track resource changes
Audit activities for security and compliance purposes
Review all CloudHSM API calls
Syslog
Audit operations on the HSM appliance
Send syslog to customer collector
ProtectV Client is installed on your instances in EC2 VPC - Encrypts all I/O from EC2 & VPC Instances and EBS Storage Volumes—Includes Pre-boot Authentication
For EBS Volume Encryption, ProtectV manages the instances. It uses KeySecure as its scalable protected key store. KeySecure in turn uses CloudHSM to anchor it in the cloud by ensuring all its internally stored keys are encrypted under a hierarchy rooted by an HSM-protected master key.
Endpoints (ProtectApp or ProtectV manager/client) authenticate to KeySecure and request keys. KeySecure uses its internal hierarchy to decrypt the requested key and deliver it to the endpoint through its secure connection.
ProtectV Manager is a virtual machine that runs as an AMI in EC2 VPC (Available in AWS Marketplace)
virtual KeySecure is a high-assurance enterprise key management solution in a virtualized platform. (KeySecure in AWS Marketplace in Oct 2013)
ProtectV Manager -Encrypted Instance – AES 256; Pre-launch Authentication; Centralized Policy & Key Management; Capable of managing up to 500 servers; Active/Passive High Availability
CloudHSM: FIPS 140-2 Level 3 validated
CloudHSM: Common Criteria EAL-4 validated
KMS: symmetric encryption only
We intend to take the cryptographic module in KMS through FIPS 140-2 (with Level 3 physical security). No timeline.
Spring 2015 SOC-1 report mentions “the systems that manger master keys for encryption in EBS, S3, RDS, and Redshift”. That’s KMS… will be part of the Fall 2015 report
Customer can read the KMS Cryptographic Details whitepaper to make determination for themselves on the soundness of the crypto design of the service
We have several AWS partners that provide secure key usage and key storage solutions to encrypt your data in EC2, EBS, S3, RDS and EMR. More details on these and other vendors who offer encryption and key management solutions can be found on the Amazon Partner Network site (a link will be provided at the end of this presentation). The one common security characteristic these vendors’ solutions offer is that you have complete control over who can use your encryption keys. Many of these vendors give you choices as to where the encryption keys that define your root of trust are stored; either in your data center or in a SaaS offering from the vendor. What if you want to store your root of trust in AWS and enjoy the high availability and low latency that it might offer your applications that need to use the keys? Is that even possible to do in a way where you still control the keys? It is with AWS CloudHSM.