AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Protecting Your Data With AWS
KMS and AWS CloudHSM
Camil Samaha
Agenda
• Overview of encryption options in AWS
– Client-Side Encryption: You encrypt your data and manage your
own keys; encryption is implemented in your code
– Server-Side Encryption: AWS encrypts data and manages the
keys for you; encryption is handled automatically
• Key Management:
– On your own*
– AWS Key Management Service (KMS)
– AWS CloudHSM
– Partner solutions
Encryption Primer
[Diagram: plaintext data passes through hardware/software encryption and becomes encrypted data in storage; a symmetric data key encrypts the data, and the data key is itself stored encrypted under a master key. The slide marks the master key and the rest of the key hierarchy with question marks.]
“Key” Questions to Consider
• Where are the keys stored?
• Where are the keys used?
• Who has access to the keys?
Encryption Models
• Client-Side Encryption #1: You encrypt your data and
manage your own keys
• Client-Side Encryption #2: You encrypt your data but
utilize cloud services (AWS KMS or AWS CloudHSM) to
help manage your keys
• Server-Side Encryption: AWS encrypts data
automatically and manages the keys for you
Client-Side Encryption
You encrypt your data and send it to the AWS service
Client-Side Encryption
[Diagram: your applications, in your data center or in Amazon EC2, send already-encrypted data to AWS storage services: S3, Glacier, Redshift, RDS, EBS, DynamoDB.]
Client-Side Encryption
Overview
[Diagram: your encryption client application runs either in your data center or in Amazon EC2, backed by your own key management infrastructure (on premises or in EC2); only your encrypted data lands in AWS services.]
Server-Side Encryption
AWS services encrypt data for you
Server-Side Encryption
[Diagram: your applications, in your data center or in Amazon EC2, send data over HTTPS to AWS storage services that encrypt it for you: S3, Glacier, Redshift, RDS for Oracle, RDS for MS-SQL, EBS.]
Amazon S3 Server Side Encryption
How SSE-S3 with AWS Managed Keys Works
[Diagram: customer data arrives at the S3 web server over HTTPS; the web server encrypts the plaintext with a symmetric data key, and the encrypted data together with the data key encrypted under a master key go to the S3 storage fleet.]
A master key managed by the S3 service and protected by systems internal to AWS
How SSE-C with Customer Provided Keys Works
[Diagram: the customer-provided key and the customer data arrive at the S3 web server over HTTPS; the web server encrypts the plaintext with that key and sends only the encrypted data to the S3 storage fleet.]
• Key is used at the S3 web server, then deleted
• Customer must provide the same key when downloading to allow S3 to decrypt the data
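What the SSE-C contract looks like on the wire, as an added example that is not code from the presentation or from AWS: the three request headers S3 documents for SSE-C, built from a caller-supplied 256-bit key, plus a local stand-in for the receiving side's check that the key's MD5 matches. The header names are the documented S3 ones; the key generation and the CheckSSECHeaders function are constructed for this example, not the S3 implementation.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// SSE-C takes a 256-bit AES key supplied by the caller on every request.
const sseCKeyLen = 32

// NewSSECKey generates a customer-provided key. S3 keeps no copy, so the
// caller's own key management infrastructure must retain it: without the key
// the object can never be read back.
func NewSSECKey() ([]byte, error) {
	key := make([]byte, sseCKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SSECHeaders builds the three request headers S3 documents for SSE-C. The
// same three headers accompany the upload and every later download, because
// the S3 web server uses the key for that one request and then deletes it.
func SSECHeaders(key []byte) (map[string]string, error) {
	if len(key) != sseCKeyLen {
		return nil, fmt.Errorf("SSE-C key must be %d bytes, got %d", sseCKeyLen, len(key))
	}
	sum := md5.Sum(key) // transport integrity check on the key, not a secret
	return map[string]string{
		"x-amz-server-side-encryption-customer-algorithm": "AES256",
		"x-amz-server-side-encryption-customer-key":       base64.StdEncoding.EncodeToString(key),
		"x-amz-server-side-encryption-customer-key-MD5":   base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// CheckSSECHeaders is a local stand-in for the receiving side's validation:
// decode the key, recompute its MD5 and compare it with the MD5 header, so a
// key corrupted in transit is rejected before anything is encrypted under it.
func CheckSSECHeaders(h map[string]string) ([]byte, error) {
	if h["x-amz-server-side-encryption-customer-algorithm"] != "AES256" {
		return nil, fmt.Errorf("unsupported SSE-C algorithm")
	}
	key, err := base64.StdEncoding.DecodeString(h["x-amz-server-side-encryption-customer-key"])
	if err != nil || len(key) != sseCKeyLen {
		return nil, fmt.Errorf("malformed SSE-C key")
	}
	want, err := base64.StdEncoding.DecodeString(h["x-amz-server-side-encryption-customer-key-MD5"])
	if err != nil {
		return nil, fmt.Errorf("malformed SSE-C key MD5")
	}
	got := md5.Sum(key)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, fmt.Errorf("SSE-C key MD5 mismatch")
	}
	return key, nil
}

func main() {
	key, err := NewSSECKey()
	if err != nil {
		panic(err)
	}
	h, _ := SSECHeaders(key)
	for name, value := range h {
		fmt.Printf("%s: %s\n", name, value)
	}
	if _, err := CheckSSECHeaders(h); err != nil {
		panic(err)
	}
}
```

The MD5 header only protects against a key mangled in transit; it gives S3 no way to recover the key, which is the whole point of the SSE-C model: if the caller loses the key, the object is gone.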
What About Key Management Infrastructure?
[Diagram: the client-side picture again: your encryption client application, in your data center or in Amazon EC2, your key management infrastructure either on premises or in EC2, and your encrypted data in AWS services.]
Introducing AWS Key Management Service
• A service that enables you to provision and use encryption keys to protect
your data
• Allows you to create, use, and manage encryption keys from within…
– Your own applications via AWS SDK
– Supported AWS services (S3, EBS, RDS, Redshift)
• Available in all commercial regions
How AWS Key Management Service Works
[Diagram: a client (customer application or AWS service) calls the KMS service endpoint; AWS authorization performs client authentication and authorization, the KMS crypto module performs crypto operations on customer master keys held in a durable, encrypted key store, and the client receives a data key together with the encrypted data key.]
1. Client makes an authenticated request to KMS for a data key
2. KMS generates a data key
3. KMS pulls the encrypted customer master key from durable storage and decrypts it in the KMS crypto module
4. KMS encrypts the data key with the named customer master key and returns the plaintext data key and the encrypted data key
5. Client uses the data key to encrypt data and stores the encrypted data key
To decrypt: the client submits the encrypted data key to KMS for decryption; the data key is needed to decrypt the data
How AWS Services Integrate with KMS
• 2-tiered key hierarchy using envelope encryption
• Data keys encrypt customer data
• KMS master keys encrypt data keys
• Benefits:
– Limits blast radius of compromised resources and their keys
– Better performance
– Easier to manage a small number of master keys than billions of resource keys
[Diagram: KMS holds the master key(s); your application and each resource (S3 object, EBS volume, RDS instance, Redshift cluster) has its own data key (Data Key 1 to 5); data is encrypted under the data keys and the data keys are encrypted under the master key(s).]
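The key hierarchy from the Encryption Primer, the five-step KMS flow and the two-tier envelope model above, worked through as an added example that is not code from the presentation or from AWS. MockKMS is an in-memory stand-in for the KMS endpoint (the real service is reached through the AWS SDK), and AES-256-GCM stands in for whatever wrapping algorithm the service uses; both are assumptions of this example. It shows why the hierarchy limits blast radius: every object gets a fresh data key, the client persists only the wrapped copy, a wrapped key for one object cannot open another, and disabling the master key makes all of them unreadable at once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MockKMS stands in for the KMS endpoint in the diagram: it holds the customer
// master keys (CMKs) and never releases one in plaintext. It is an in-memory
// model written for this example, not the AWS service or its SDK.
type MockKMS struct{ cmks map[string][]byte; disabled map[string]bool }

func NewMockKMS() *MockKMS { return &MockKMS{map[string][]byte{}, map[string]bool{}} }

// mustRandom draws n bytes from the CSPRNG; a failure there is unrecoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CreateKey provisions a 256-bit CMK; DisableKey models the enable/disable
// control: while a CMK is disabled, nothing wrapped under it can be unwrapped.
func (k *MockKMS) CreateKey(id string)  { k.cmks[id] = mustRandom(32) }
func (k *MockKMS) DisableKey(id string) { k.disabled[id] = true }

// DataKey mirrors a GenerateDataKey response: plaintext for immediate use plus
// the same key wrapped under the CMK, the only copy the client keeps.
type DataKey struct{ Plaintext, Encrypted []byte }

// GenerateDataKey is steps 2 to 4: mint a data key, wrap it under the named CMK.
func (k *MockKMS) GenerateDataKey(id string) (DataKey, error) {
	cmk, ok := k.cmks[id]
	if !ok || k.disabled[id] {
		return DataKey{}, errors.New("master key not found or disabled")
	}
	dk := mustRandom(32)
	return DataKey{Plaintext: dk, Encrypted: sealGCM(cmk, dk)}, nil
}

// Decrypt unwraps a stored data key; the client calls this before reading.
func (k *MockKMS) Decrypt(id string, wrapped []byte) ([]byte, error) {
	cmk, ok := k.cmks[id]
	if !ok || k.disabled[id] {
		return nil, errors.New("master key not found or disabled")
	}
	return openGCM(cmk, wrapped)
}

// gcmFor builds AES-256-GCM; every key here is 32 bytes by construction.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealGCM prepends a random nonce to the authenticated ciphertext.
func sealGCM(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openGCM fails on truncated input and under any key other than the sealing key.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("truncated ciphertext")
}

// EnvelopeEncrypt is step 5: one fresh data key per object, encryption done
// locally, only the wrapped key returned for storage, plaintext key wiped.
func EnvelopeEncrypt(kms *MockKMS, keyID string, data []byte) (ct, wrappedKey []byte, err error) {
	dk, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, nil, err
	}
	ct = sealGCM(dk.Plaintext, data)
	for i := range dk.Plaintext {
		dk.Plaintext[i] = 0
	}
	return ct, dk.Encrypted, nil
}

// EnvelopeDecrypt hands KMS only the wrapped data key, then decrypts locally.
func EnvelopeDecrypt(kms *MockKMS, keyID string, ct, wrappedKey []byte) ([]byte, error) {
	dk, err := kms.Decrypt(keyID, wrappedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dk, ct)
}
```

Note what crosses the boundary to "KMS": only the wrapped data key, never the data. That is the performance point on the slide (bulk encryption stays local) and the blast-radius point (a leaked data key exposes one object, and a disabled master key stops every unwrap).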
Creating and managing keys in AWS KMS
Amazon EBS encryption with AWS KMS
AWS KMS gives you control
You define who can…
• Create a master key
• Use a master key
• Create and export a data key that is
encrypted by a master key
• Enable/disable master keys
• Audit use of master keys in AWS CloudTrail
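Auditing master-key use in CloudTrail, as an added example that is not from the presentation: a small Go scanner over a constructed CloudTrail extract (placeholder account and key ids, not real data) that flags master-key lifecycle changes, denied calls, and data-path calls from principals outside an expected list. The field names follow the CloudTrail record format; the rules, severities, the allow-list matching by ARN prefix and the sample records are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record holds the CloudTrail fields this audit uses; the tag names follow the
// CloudTrail record format, the sample values further down are constructed.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

type Finding struct {
	Severity string // "high" or "medium"
	Reason   string
	Event    Record
}

// lifecycleOps change what a master key can do; they are rare and always worth a look.
var lifecycleOps = map[string]bool{"DisableKey": true, "ScheduleKeyDeletion": true, "PutKeyPolicy": true}

// useOps are the data-path calls that reveal or mint key material.
var useOps = map[string]bool{
	"Decrypt": true, "Encrypt": true, "GenerateDataKey": true, "GenerateDataKeyWithoutPlaintext": true,
}

// AuditKMSTrail scans a CloudTrail log file ({"Records":[...]}) and returns
// findings. allowedPrincipals lists ARN prefixes expected to use the keys,
// e.g. the assumed-role prefix of an application's instance role.
func AuditKMSTrail(trail []byte, allowedPrincipals []string) ([]Finding, error) {
	var file struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(trail, &file); err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range file.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue
		}
		who := r.UserIdentity.ARN
		switch {
		case r.ErrorCode != "":
			out = append(out, Finding{"medium", "denied KMS call " + r.EventName + " by " + who + " (" + r.ErrorCode + ")", r})
		case lifecycleOps[r.EventName]:
			out = append(out, Finding{"high", "master key lifecycle change " + r.EventName + " by " + who, r})
		case useOps[r.EventName] && !allowed(who, allowedPrincipals):
			out = append(out, Finding{"high", "key used by unexpected principal " + who + " (" + r.EventName + ")", r})
		}
	}
	return out, nil
}

func allowed(arn string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(arn, p) {
			return true
		}
	}
	return false
}

// SampleTrail is a constructed CloudTrail extract with a placeholder account
// id and key id; it is not data from the presentation or from any account.
const SampleTrail = `{"Records":[
 {"eventTime":"2015-06-25T14:00:01Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey",
  "sourceIPAddress":"10.0.1.10","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
  "resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime":"2015-06-25T14:05:12Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt",
  "sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},
  "resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime":"2015-06-25T14:06:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied",
  "sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},
  "resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime":"2015-06-25T15:00:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey",
  "sourceIPAddress":"198.51.100.2","userIdentity":{"arn":"arn:aws:iam::111122223333:user/key-admin"},
  "resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
 {"eventTime":"2015-06-25T15:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "sourceIPAddress":"10.0.1.10","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}}
]}`

func main() {
	findings, err := AuditKMSTrail([]byte(SampleTrail), []string{"arn:aws:sts::111122223333:assumed-role/app-role/"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s %s\n", f.Severity, f.Event.EventTime, f.Reason)
	}
}
```

On the sample, the application role's GenerateDataKey passes, the contractor's successful Decrypt is the interesting event, the denied retry shows the key policy doing its job, and the DisableKey by the key administrator is flagged because it silently makes every data key under that master key unusable.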
AWS KMS secures your keys
• Plaintext keys are never stored in persistent memory on
runtime systems
• Separation of duties
– AWS service team operators (S3, EBS, RDS) can’t access KMS
hosts that use master keys and KMS operators can’t access
service team hosts that use data keys
• Multi-party controls
– Normal operations require signatures from two or more KMS
operators on any API calls to an active host processing customer
keys
• Verified claims in SOC1 and public white papers
Encryption and Key Management
with AWS CloudHSM
HSM – Hardware Security Module
• Hardware device for crypto ops and key storage
• Strong protection of private keys
– Physical device control does not grant access to the keys
– Security officer controls access to the keys
– Appliance administrator has no access to the keys
• Certified by 3rd parties to comply with security standards
AWS CloudHSM
• You receive dedicated access to HSM
appliances
• HSMs are located in AWS datacenters
• Managed & monitored by AWS
• Only you have access to your keys and
operations on the keys
• HSMs are inside your VPC – isolated
from the rest of the network
• Uses SafeNet Luna SA HSM appliances
[Diagram: the CloudHSM appliance sits inside your Virtual Private Cloud; the AWS administrator manages the appliance, while you control the keys and the crypto operations.]
AWS CloudHSM
• Available in seven regions worldwide
– N. Virginia, Oregon, Ireland, Frankfurt, Sydney, Singapore, and Tokyo
• Easy to get started
– AWS CloudFormation template
– Application notes to help integrate with 3rd party software
• Compliance
– Included in AWS PCI DSS and Service Organization Control (SOC) compliance packages
AWS CloudHSM
• Command Line Interface (CLI) Tools
– Easier automation and administration
• Public API & SDK
– Self-service provisioning and management
– Appliance administrator operations
• Auditing
– CloudTrail
– Syslog
SafeNet ProtectV Manager
and Virtual KeySecure
in Amazon EC2
Amazon EBS volume encryption
• SafeNet ProtectV with Virtual KeySecure
• AWS CloudHSM stores the master key
[Diagram: the SafeNet ProtectV client in your applications on Amazon EC2 encrypts your data in Amazon EBS; the master key is held in AWS CloudHSM.]
ProtectV Client
• Encrypts I/O from Amazon EC2 instances to Amazon EBS volumes
• Includes pre-boot authentication
Comparing AWS CloudHSM with AWS KMS
AWS CloudHSM
• Dedicated access to HSM that complies with government standards (FIPS, CC)
• You control your keys and the application software that uses them
AWS KMS
• Builds on the strong protections of an HSM foundation
• Highly available and durable key storage, management, and auditing solution
• Easily encrypt your data across AWS services and within your own applications based on policies you define
Key Management Options Comparison
                                     On-Premises HSM                    AWS CloudHSM                   AWS Key Management Service
Where keys are generated and stored  Your network                       AWS                            AWS
Where keys are used                  Your network or your EC2 instance  AWS + your network             AWS
How to use keys                      Customer code                      Customer code + Safenet APIs   Management Console, AWS SDKs
Performance/Scale/HA responsibility  You                                You                            AWS
AWS Services Integration?            No                                 Redshift                       Yes
Price                                $$$$                               $$                             $
Who controls key access              Only You                           Only You                       You + AWS
Alternate key management and
encryption solutions
AWS Marketplace for security
• Browse, test and buy security
software
• Pay-by-the-hour, monthly, or
annual
• Software fees added to AWS
bill
• Bring Your Own License
Key management and client-side encryption
using an AWS partner solution
Solutions integrated with EC2, EBS, S3, and RDS
Resources
• AWS Key Management Service
– https://aws.amazon.com/kms
• AWS CloudHSM
– https://aws.amazon.com/cloudhsm/
• Whitepaper on data-at-rest encryption and key management in AWS
– https://aws.amazon.com/whitepapers/
• S3 Encryption Client
– http://aws.amazon.com/articles/2850096021478074
• AWS Partner Network
– http://www.aws-partner-directory.com/
• AWS Security Blog
– http://blogs.aws.amazon.com/security
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices

Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Using AWS Services to Go “All In” on AWS
Using AWS Services to Go “All In” on AWSUsing AWS Services to Go “All In” on AWS
Using AWS Services to Go “All In” on AWS
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - Toronto
 
protecting your data in aws
protecting your data in aws protecting your data in aws
protecting your data in aws
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
 Protecting Your Data in AWS Protecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 

Más de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Último

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Último (20)

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

Protecting Your Data With AWS KMS and AWS CloudHSM

  • 1. AWS Government, Education, and Nonprofit Symposium, Washington, DC I June 25-26, 2015
    Protecting Your Data With AWS KMS and AWS CloudHSM
    Camil Samaha
  • 2. Agenda
    • Overview of encryption options in AWS
      – Client-Side Encryption: You encrypt your data and manage your own keys; encryption is implemented in your code
      – Server-Side Encryption: AWS encrypts data and manages the keys for you; encryption is handled automatically
    • Key Management:
      – On your own*
      – AWS Key Management Service (KMS)
      – AWS CloudHSM
      – Partner solutions
  • 3. Encryption Primer
    [Diagram: Plaintext Data → Hardware/Software → Encrypted Data → Encrypted Data in Storage. Key Hierarchy: Symmetric Data Key → Master Key → Encrypted Data Key; the symmetric data key encrypts the data and is itself encrypted by the master key.]
  • 4. “Key” Questions to Consider
    • Where are the keys stored?
    • Where are the keys used?
    • Who has access to the keys?
  • 5. Encryption Models
    • Client-Side Encryption #1: You encrypt your data and manage your own keys
    • Client-Side Encryption #2: You encrypt your data but utilize cloud services (AWS KMS or AWS CloudHSM) to help manage your keys
    • Server-Side Encryption: AWS encrypts data automatically and manages the keys for you
  • 6. Client-Side Encryption
    You encrypt your data and send it to the AWS service.
  • 7. Client-Side Encryption
    [Diagram: Your applications in your data center / Your applications in Amazon EC2 → Encrypted Data → AWS Storage Services: S3, Glacier, Redshift, RDS, EBS, DynamoDB]
  • 8. Client-Side Encryption Overview
    [Diagram: Your encryption client application and your key management infrastructure (in your data center, or in EC2 next to your application in Amazon EC2) → Your Encrypted Data in AWS Services …]
  • 9. Server-Side Encryption
    AWS services encrypt data for you.
  • 10. Server-Side Encryption
    [Diagram: Your applications in your data center / Your applications in Amazon EC2 → HTTPS → AWS Storage Services: S3, Glacier, Redshift, RDS for Oracle, RDS for MS-SQL, EBS]
  • 11. Amazon S3 Server Side Encryption
  • 12. How SSE-S3 with AWS Managed Keys Works
    [Diagram: Customer Data (Plaintext Data) → HTTPS → S3 Web Server, which encrypts with a Symmetric Data Key → Encrypted Data → S3 Storage Fleet. Key hierarchy: Symmetric Data Key → Master Key → Encrypted Data Key.]
    A master key managed by the S3 service and protected by systems internal to AWS
  • 13. How SSE-C with Customer Provided Keys Works
    [Diagram: Customer Data (Plaintext Data) + Customer Provided Key → HTTPS → S3 Web Server → Encrypted Data → S3 Storage Fleet]
    • Key is used at S3 Webserver, then deleted
    • Customer must provide same key when downloading to allow S3 to decrypt data
  • 14. What About Key Management Infrastructure?
    [Diagram: Your encryption client application; your applications in your data center; your application in Amazon EC2; your Encrypted Data in AWS Services …; your key management infrastructure in EC2; your key management infrastructure]
  • 15. Introducing AWS Key Management Service
    • A service that enables you to provision and use encryption keys to protect your data
    • Allows you to create, use, and manage encryption keys from within…
      – Your own applications via AWS SDK
      – Supported AWS services (S3, EBS, RDS, Redshift)
    • Available in all commercial regions
  • 16. How AWS Key Management Service Works
    [Diagram: Client (Customer or AWS Service) with Data → KMS Service Endpoint (Client AuthN and AuthZ, AWS Authorization) → KMS crypto module (crypto operations on customer master keys) ↔ Durable, Encrypted Key Store; returns Data Key + Encrypted Data Key]
    1. Client makes authenticated request of KMS for data key
    2. KMS generates data key
    3. KMS pulls encrypted customer master key from durable storage; decrypts in the KMS crypto module
    4. KMS encrypts data key with named customer master key and returns plaintext data key and encrypted data key
    5. Client uses data key to encrypt data, stores encrypted data key. To decrypt: client submits encrypted data key to KMS for decryption; data key is needed to decrypt data
  • 17. How AWS Services Integrate with KMS
    • 2-tiered key hierarchy using envelope encryption
    • Data keys encrypt customer data
    • KMS master keys encrypt data keys
    • Benefits:
      – Limits blast radius of compromised resources and their keys
      – Better performance
      – Easier to manage a small number of master keys than billions of resource keys
    [Diagram: KMS Master Key(s) encrypt Data Keys 1–5; the Data Keys encrypt an S3 Object, an EBS Volume, an RDS Instance, a Redshift Cluster, and Your Application's data]
  • 18. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Creating and managing keys in AWS KMS
  • 19. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Amazon EBS encryption with AWS KMS
  • 20. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS KMS gives you control You define who can… • Create a master key • Use a master key • Create and export a data key that is encrypted by a master key • Enable/disable master keys • Audit use of master keys in AWS CloudTrail
  • 21. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS KMS secures your keys • Plaintext keys are never stored in persistent memory on runtime systems • Separation of duties – AWS service team operators (S3, EBS, RDS) can’t access KMS hosts that use master keys and KMS operators can’t access service team hosts that use data keys • Multi-party controls – Normal operations require signatures from two or more KMS operators on any API calls to an active host processing customer keys • Verified claims in SOC1 and public white papers
  • 22. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Encryption and Key Management with AWS CloudHSM
  • 23. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 HSM – Hardware Security Module • Hardware device for crypto ops and key storage • Strong protection of private keys – Physical device control does not grant access to the keys – Security officer controls access to the keys – Appliance administrator has no access to the keys • Certified by 3rd parties to comply with security standards HSM
  • 24. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS CloudHSM • You receive dedicated access to HSM appliances • HSMs are located in AWS datacenters • Managed & monitored by AWS • Only you have access to your keys and operations on the keys • HSMs are inside your VPC – isolated from the rest of the network • Uses SafeNet Luna SA HSM appliances CloudHSM AWS Administrator – manages the appliance You – control keys and crypto operations Virtual Private Cloud
  • 25. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS CloudHSM • Available in seven regions worldwide – N. Virginia, Oregon, Ireland, Frankfurt, Sydney, Singapore, and Tokyo – Easy to get started – AWS CloudFormation template – Application notes to help integrate with 3rd party software • Compliance – Included in AWS PCI DSS and Service Organization Control (SOC) compliance packages
  • 26. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 AWS CloudHSM • Command Line Interface (CLI) Tools – Easier automation and administration • Public API & SDK – Self-service provisioning and management – Appliance administrator operations • Auditing – CloudTrail – Syslog
  • 27. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 SafeNet ProtectV Manager and Virtual KeySecure in Amazon EC2 Amazon EBS volume encryption • SafeNet ProtectV with Virtual KeySecure • AWS CloudHSM stores the master key SafeNet ProtectV Client AWS CloudHSM Your encrypted data in Amazon EBS Your applications in Amazon EC2 ProtectV Client • Encrypts I/O from Amazon EC2 instances to Amazon EBS volumes • Includes pre-boot authentication
  • 28. AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015 Comparing AWS CloudHSM with AWS KMS AWS CloudHSM • Dedicated access to HSM that complies with government standards (FIPS, CC) • You control your keys and the application software that uses them AWS KMS • Builds on the strong protections of an HSM foundation • Highly available and durable key storage, management, and auditing solution • Easily encrypt your data across AWS services and within your own applications based on policies you define
  • 29. Key Management Options Comparison
    | | On-Premises HSM | AWS CloudHSM | AWS Key Management Service |
    |---|---|---|---|
    | Where keys are generated and stored | Your network | AWS | AWS |
    | Where keys are used | Your network or your EC2 instance | AWS + your network | AWS |
    | How to use keys | Customer code | Customer code + Safenet APIs | Management Console, AWS SDKs |
    | Performance/Scale/HA responsibility | You | You | AWS |
    | AWS Services Integration? | No | Redshift | Yes |
    | Price | $$$$ | $$ | $ |
    | Who controls key access | Only You | Only You | You + AWS |
  • 30. Alternate key management and encryption solutions
  • 31. AWS Marketplace for security
    • Browse, test and buy security software
    • Pay-by-the-hour, monthly, or annual
    • Software fees added to AWS bill
    • Bring Your Own License
  • 32. Key management and client-side encryption using an AWS partner solution
    Solutions integrated with EC2, EBS, S3, and RDS
  • 33. Resources
    • AWS Key Management Service – https://aws.amazon.com/kms
    • AWS CloudHSM – https://aws.amazon.com/cloudhsm/
    • Whitepaper on data-at-rest encryption and key management in AWS – https://aws.amazon.com/whitepapers/
    • S3 Encryption Client – http://aws.amazon.com/articles/2850096021478074
    • AWS Partner Network – http://www.aws-partner-directory.com/
    • AWS Security Blog – http://blogs.aws.amazon.com/security
  • 34. Thank You. This presentation will be loaded to SlideShare the week following the Symposium. http://www.slideshare.net/AmazonWebServices

Editor's notes

  1. In this session I will first cover encryption features within AWS services that allow you to encrypt your data at rest while you control some or all of the key management operations. Next I’ll talk about encryption features within AWS services that automatically encrypt your data at rest with no key management responsibilities on your part. Then I’ll address available options for managing the encryption keys.
     *There are several dimensions here:
     1. Entirely in your code, on your own.
     2. In your code but with help from CloudHSM.
     3. In your code, but with help from KMS.
     4. Automatically via CloudHSM (RedShift, RDS).
     5. Automatically via KMS (...)
     6. Partner solutions.
  2. Before we discuss specific encryption and key management functions in AWS, let’s review how data encryption and key management are typically implemented. A symmetric data key is generated from either software or hardware. Symmetric keys are preferable to asymmetric keys when you want to encrypt data of an arbitrary size and have it be fast. The key is used along with an encryption algorithm (like AES) and the resulting ciphertext is stored. But what about the symmetric key you just used? You can’t store it with the encrypted data; that’s called “encraption”. You have to protect that key somehow. The best practice is to encrypt the data key with yet another key, called a key-encrypting key. This key can be symmetric or asymmetric, but it needs to be derived and stored in a separate system from the one you’re processing your data in. After you encrypt the data key with the key-encrypting key, you can then store the resulting ciphertext along with the encrypted data. But what about the key-encrypting key? How do you protect that? You can iterate on the process of enveloping this key with additional keys as many times as you want, creating a key hierarchy. At some point, you’re going to need to be able to access a plaintext key that starts the “unwrapping” process to be able to derive the final data key to decrypt the data. The location and access controls around this key should be distinct from the ones used with the original data.
  3. As you’re planning a strategy for encrypting data in AWS, there are three questions to consider. Where are keys stored? On systems in your data center or in AWS storage services? What are the durability and availability implications of where your keys are stored? Where are the keys used? Is it happening in code you control? On hosts you control? Or is it happening on your behalf in code or on hosts that AWS controls? Who has direct access to the keys? Who has the authorization to use the keys, even if they don’t have direct access to the data?
  4. Let’s talk about alternative methods that let you encrypt the data before you send it to the AWS service for storage. We call this method “client-side encryption” and you manage the keys used.
  5. Let’s start with the case where all the encryption happens in your datacenter on systems you control. The code that performs the encryption has to get keys from somewhere – we’ll call that system your key management infrastructure. Alternatively, your data and the code that performs the encryption may be in an EC2 instance. This code may call back to key management infrastructure in your datacenter or to a solution running on another EC2 instance. After the data is encrypted by YOU with YOUR KEYS, it’s sent to whatever AWS service ultimately will store it. Note that decryption of this data can only happen in your code using keys under your control.
  6. Your source data comes from either systems in your data center, or an EC2 instance. You can upload that data over a secure HTTPS connection to any of five AWS services that support automatic server-side encryption. The service endpoint will handle the encryption and key management processes for you. With S3 and Redshift, encryption is an optional step you determine at the time you upload your data to the service. With Glacier, all data is encrypted by default. RDS for Oracle and Microsoft SQL use a feature specific to those database packages called Transparent Data Encryption, or TDE. TDE uses keys created in the database application along with keys created by AWS to protect your data.
  7. This screenshot shows how you can choose to have server-side encryption applied to an object you upload through the console. Because this feature is controlled via API, 3rd party solutions that facilitate uploading data to S3 can expose this option as well. For those of you who use Cloudberry, you might be familiar with this option.
  8. We’ve shown how AWS can help in terms of simplifying the process of actually encrypting data as a part of a PUT or GET call to an S3 bucket. But what about these two boxes on the screen labeled “Your key management infrastructure?” How do we help here?
  9. First, let’s back up and talk about what a hardware security module, or HSM, is. An HSM is a purpose-built device that is designed from the ground up to perform secure key storage and cryptographic operations. It is designed to protect the key material that is stored inside it, with both physical and logical mechanisms. The physical protections include tamper detection and tamper response: when a tampering event is detected, the HSM is designed to securely destroy the keys rather than risk compromise. The logical protections include role-based access controls that provide separation of duties and allow the “appliance administrator” to manage the device, for example connecting it to the network and provisioning the IP address, SNMP and syslog destinations. A separate role, the security officer, controls access to and use of the keys and cryptographic operations on the keys. The security model that I’m explaining now is specific to the SafeNet Luna SA HSM, which is the HSM that we use today for the CloudHSM service, but HSMs generally have these properties. Certification and validation by third parties, such as FIPS 140-2 and Common Criteria, provide assurance by a third party that the HSM vendor designed and built the HSM securely.
     • Physical control of the device does not grant access to the keys
     • Tamper resistance/evidence
     • Separate roles for appliance administrator and security officer
     • Certified by 3rd parties to comply with security standards
       – FIPS 140-2
       – Common Criteria EAL4+
  10. The AWS CloudHSM service provides dedicated access to HSM (Hardware Security Module) appliances. The HSMs are located in AWS datacenters – physically near your workloads and accessible with minimal network latency. The most important part about the CloudHSM service is that you and only you control the keys stored on the HSM. Because of the properties of the HSM that we discussed earlier – separation of duties, physical protection of the keys, and third party validation – you can trust that the HSM is securely storing your keys so that you and only you have access to the keys. AWS manages and monitors the HSM appliances, but does not have access to the keys. In fact, if you lose access to your credentials, AWS can’t help you recover your key material. You can recover from your own backup if you have a backup with the required credentials. The CloudHSM appliances are inside your VPC, so you can use familiar network security groups and ACLs to limit access to the HSM. We use SafeNet Luna SA HSMs with the service today. CloudHSM customers are using it to protect master keys for database encryption such as Oracle TDE or MS SQL Server TDE, with Apache to protect the private key used to set up SSL connections, for Digital Rights Management (DRM), and for document signing. You can find out more about CloudHSM at aws.amazon.com/cloudhsm
  11. There are a couple of new things with CloudHSM that I’d like to tell you about.
     Existing regions are US East (Northern Virginia) and EU West (Ireland).
     CloudFormation template configures a VPC, subnets, Security Groups and an EC2-VPC instance with SafeNet client software pre-installed.
     Application notes provide step-by-step instructions for integrating CloudHSM with third party application software. Application notes are authored by SafeNet and are linked from the AWS CloudHSM Getting Started Guide:
     – Oracle Database
     – Microsoft SQL Server
     – SafeNet ProtectV and virtual KeySecure for EBS volume encryption
     – Apache – SSL session termination with private key stored in the HSM
     Oracle Database and Microsoft SQL Server – you might want to mention that the customer has to stand up the database server him/herself – this is not the CloudHSM/RDS integration (our own SAs initially thought this meant RDS when I presented it to them at the Security SA meeting, so it bears clarification).
     Apache – the Apache web server can terminate SSL sessions without ever exposing the customer’s private key. The server can use the private key stored in the HSM to authenticate itself to the browser, but it does so using crypto operations and keys within the HSM. The HSM is only used during the session setup phase, after which a shared symmetric encryption key is used to encrypt the bulk SSL traffic between the client browser and the Apache server. The performance may be limited by the HSM, so this solution may not be appropriate for all customers, but it does provide a solution for customers who do not want to give their private key to AWS. I [Todd] will be discussing this application with Trusteer, who is planning to test it, in the next week or two, so I should have more details about performance. SafeNet has told me that several of their customers are using this application.
     PCI DSS compliance: CloudHSM added to 2013 PCI DSS Compliance package. May help with PCI key management requirements 3.5 and 3.6.
  12. CloudTrail:
     – Track resource changes
     – Audit activities for security and compliance purposes
     – Review all CloudHSM API calls
     Syslog:
     – Audit operations on the HSM appliance
     – Send syslog to customer collector
  13. ProtectV Client is installed on your instances in EC2 VPC – encrypts all I/O from EC2 & VPC instances and EBS storage volumes – includes pre-boot authentication. For EBS volume encryption, ProtectV manages the instances. It uses KeySecure as its scalable protected key store. KeySecure in turn uses CloudHSM to anchor it in the cloud by ensuring all its internally stored keys are encrypted under a hierarchy rooted by an HSM-protected master key. Endpoints (ProtectApp or ProtectV manager/client) authenticate to KeySecure and request keys. KeySecure uses its internal hierarchy to decrypt the requested key and deliver it to the endpoint through its secure connection. ProtectV Manager is a virtual machine that runs as an AMI in EC2 VPC (available in AWS Marketplace). Virtual KeySecure is a high-assurance enterprise key management solution in a virtualized platform (KeySecure in AWS Marketplace in Oct 2013). ProtectV Manager – encrypted instance – AES 256; pre-launch authentication; centralized policy & key management; capable of managing up to 500 servers; active/passive high availability.
  14. CloudHSM: FIPS 140-2 Level 3 validated. CloudHSM: Common Criteria EAL-4 validated. KMS: symmetric encryption only. We intend to take the cryptographic module in KMS through FIPS 140-2 (with Level 3 physical security). No timeline. The Spring 2015 SOC-1 report mentions “the systems that manage master keys for encryption in EBS, S3, RDS, and Redshift”. That’s KMS… it will be part of the Fall 2015 report. Customers can read the KMS Cryptographic Details whitepaper to make a determination for themselves on the soundness of the crypto design of the service.
  15. We have several AWS partners that provide secure key usage and key storage solutions to encrypt your data in EC2, EBS, S3, RDS and EMR. More details on these and other vendors who offer encryption and key management solutions can be found on the Amazon Partner Network site (a link will be provided at the end of this presentation). The one common security characteristic these vendors’ solutions offer is that you have complete control over who can use your encryption keys. Many of these vendors give you choices as to where the encryption keys that define your root of trust are stored; either in your data center or in a SaaS offering from the vendor. What if you want to store your root of trust in AWS and enjoy the high availability and low latency that it might offer your applications that need to use the keys? Is that even possible to do in a way where you still control the keys? It is with AWS CloudHSM.