Encryption and key management in AWS (SEC304) | AWS re:Invent 2013


This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate adoption drivers of specific encryption technologies in AWS. Netflix's Jason Chan will provide an overview of how Netflix uses CloudHSM for secure key storage.

  1. SEC 304: Encryption and Key Management in AWS. Ken Beer, Identity and Access Management; Todd Cignetti, AWS Security; Jason Chan, Netflix. November 15, 2013. © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. “Key” Questions to Consider • Where are the keys stored? • Where are the keys used? • Who has access to the keys?
  3. Agenda • AWS encrypts data and manages the keys for you • You encrypt your data and manage your own keys – On your own – With AWS partner solutions – Using AWS CloudHSM • Netflix case study using AWS CloudHSM – Key management based on data classification
  4. Envelope Encryption Primer (diagram: a symmetric data key, generated in hardware or software, encrypts the plaintext data; the encrypted data goes into storage. Key hierarchy: a key-encrypting key encrypts the symmetric data key, producing an encrypted data key)
  5. Server-Side Encryption – AWS encrypts data and manages keys for you
  6. Server-Side Encryption (diagram: your applications in your data center and in Amazon EC2 send data over HTTPS to AWS storage services: S3, Glacier, Redshift, RDS for Oracle, RDS for MS-SQL)
  7. S3 Server Side Encryption
  8. How AWS Protects Encryption Keys • AWS service generates unique 256-bit AES data key per object, archive, cluster or database • Service uses regularly rotated, regional 256-bit AES master keys to encrypt data keys • Your encrypted data key is stored with your encrypted data • Strict access controls on AWS employees who can access/manage regional master keys (diagram: service host with your plaintext data; service hosts with regional master keys; service host with your stored data, holding the encrypted data and the encrypted data key)
  9. Client-Side Encryption – You encrypt your data and manage your own keys
  10. Client-Side Encryption Overview (diagram: your key management infrastructure, in your data center or in EC2, serves your encryption client application, running in Amazon EC2 or in your data center; your encrypted data is stored in AWS services)
  11. Client-Side Encryption – Amazon S3 Encryption Client with AWS SDKs (diagram: as on slide 10, with the AWS SDK's S3 Encryption Client as the encryption client application and your encrypted data in Amazon S3)
  12. Client-Side Encryption – Amazon S3 Encryption Client with AWS SDKs • Client creates dynamic 256-bit data key • You supply the key-encrypting key – Symmetric or asymmetric (public portion) • Uses JCE (can optionally configure crypto provider) • Encrypted data key stored with encrypted data in S3 as object metadata or instruction file • Available in Java, Ruby and .NET AWS SDKs
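The envelope pattern from slide 4, with the per-object data key, the encrypted data key stored beside the data and the master-key rotation of slide 8, and the customer-supplied key-encrypting key of slide 12, as an added Go example that is not from the deck, from AWS, or from any AWS SDK. KEK identifiers such as "kek-2013-10", the keys themselves and the sample record are constructed in memory for the demonstration; in a real deployment the KEK lives in your key management infrastructure or CloudHSM (or, server-side, in AWS's regional master keys) and only the wrap/unwrap calls would cross to it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what goes to storage: the ciphertext plus the data key wrapped under a
// key-encrypting key (KEK). Only the KEK's identifier is stored, never the KEK.
type Envelope struct {
	KEKID            string // which KEK wrapped the data key
	EncryptedDataKey []byte // nonce || AES-256-GCM(KEK, dataKey), AAD = KEKID
	Ciphertext       []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

// Keyring maps KEK ids to 256-bit KEKs (the deck's regional master keys, or your
// own KMI/CloudHSM keys); here the keys are simply held in memory (constructed).
type Keyring map[string][]byte

// mustRandom returns n cryptographically random bytes (used for keys and nonces).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe way to continue without randomness
	}
	return b
}

// mustGCM builds AES-GCM; aes.NewCipher fails only on a bad key length and
// cipher.NewGCM cannot fail for AES's 16-byte block, so an error here is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts under a fresh random nonce, which is prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; the GCM tag rejects any change to nonce, ciphertext or AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// wrapDataKey encrypts the data key under the named KEK, binding the KEK id as
// AAD so an envelope cannot be re-pointed at another KEK without detection.
func wrapDataKey(kr Keyring, kekID string, dataKey []byte) ([]byte, error) {
	kek, ok := kr[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", kekID)
	}
	return seal(kek, dataKey, []byte(kekID)), nil
}

// unwrapDataKey recovers the data key. A lost KEK ("what happens if we lose a
// key?") leaves every envelope wrapped under it unrecoverable.
func unwrapDataKey(kr Keyring, env *Envelope) ([]byte, error) {
	kek, ok := kr[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", env.KEKID)
	}
	return open(kek, env.EncryptedDataKey, []byte(env.KEKID))
}

// Encrypt makes a unique 256-bit data key per object, encrypts the data under it
// and wraps the data key under the named KEK; the plaintext data key is never stored.
func Encrypt(kr Keyring, kekID string, plaintext []byte) (*Envelope, error) {
	dataKey := mustRandom(32)
	wrapped, err := wrapDataKey(kr, kekID, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, EncryptedDataKey: wrapped, Ciphertext: seal(dataKey, plaintext, nil)}, nil
}

// Decrypt unwraps the data key with the KEK named in the envelope, then decrypts.
func Decrypt(kr Keyring, env *Envelope) ([]byte, error) {
	dataKey, err := unwrapDataKey(kr, env)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext, nil)
}

// RotateKEK re-wraps the data key under a new KEK. Only the small wrapped key
// changes; the bulk ciphertext is untouched, which keeps master-key rotation cheap.
func RotateKEK(kr Keyring, env *Envelope, newKEKID string) error {
	dataKey, err := unwrapDataKey(kr, env)
	if err != nil {
		return err
	}
	wrapped, err := wrapDataKey(kr, newKEKID, dataKey)
	if err != nil {
		return err
	}
	env.KEKID, env.EncryptedDataKey = newKEKID, wrapped
	return nil
}

func main() {
	kr := Keyring{"kek-2013-10": mustRandom(32), "kek-2013-11": mustRandom(32)} // constructed
	env, _ := Encrypt(kr, "kek-2013-10", []byte("customer record 42"))           // constructed sample
	_ = RotateKEK(kr, env, "kek-2013-11")
	pt, err := Decrypt(kr, env)
	fmt.Printf("decrypted under %s: %q (err=%v)\n", env.KEKID, pt, err)
}
```

The two points worth checking against the deck's "key questions": the data key exists in plaintext only inside Encrypt, Decrypt and RotateKEK, so the storage side only ever holds the encrypted data key next to the ciphertext; and rotating the master key never touches the bulk ciphertext, which is why regular rotation of the KEK is affordable while the data key stays unique per object.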
  13. What About Key Management Infrastructure? (diagram: as on slide 10, highlighting your key management infrastructure in your data center or in EC2)
  14. Key Management Infrastructure • Secure the usage of keys • Secure the storage of keys
  15. Client-Side Encryption – Using an AWS partner solution: solutions for EC2, EBS, S3, RDS, and EMR
  16. Client-Side Encryption – You encrypt your data and manage your own keys in AWS CloudHSM
  17. HSM – Hardware Security Module • Hardware device for crypto operations and key storage • Provides strong protection of private keys – Physical device control does not grant access to the keys – Security officer controls access to the keys – Appliance administrator has no access to the keys • Certified by third parties to comply with security standards
  18. AWS CloudHSM • You receive dedicated access to HSM appliances • HSMs are located in AWS data centers • Managed & monitored by AWS • You control the keys • HSMs are inside your VPC – isolated from the rest of the network • Uses SafeNet Luna SA HSM appliances (diagram: CloudHSM inside your Virtual Private Cloud; the AWS administrator manages the appliance; you control keys and crypto operations)
  19. AWS CloudHSM: What’s New • Available in four regions worldwide – US East (N. Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) • Easy to get started – AWS CloudFormation template – Application notes to help integrate with third-party software • PCI DSS compliance – CloudHSM added to AWS 2013 PCI DSS compliance package
  20. Database Encryption • Customer-managed databases in EC2 – Oracle Database 11g TDE (Transparent Data Encryption) – Microsoft SQL Server 2008 and 2012 TDE – Master key in CloudHSM (diagram: your applications in EC2; your database with TDE in EC2; CloudHSM, where the master key is created and never leaves)
  21. EBS Volume Encryption • SafeNet ProtectV with Virtual KeySecure • CloudHSM stores the master key • ProtectV Client – Encrypts I/O from EC2 instances to EBS volumes – Includes pre-boot authentication (diagram: your applications in EC2 with the SafeNet ProtectV Client; SafeNet ProtectV Manager and Virtual KeySecure in EC2; CloudHSM; your encrypted data in Amazon EBS)
  22. S3 Encryption – Encryption of S3 objects using master keys in CloudHSM (diagram: your applications in EC2 with SafeNet ProtectApp and the AWS S3 Encryption Client; SafeNet Virtual KeySecure in EC2; CloudHSM; your encrypted data in an S3 bucket)
  23. Amazon Redshift Encryption • Cluster master key in on-premises SafeNet HSM or CloudHSM • No special client software required (diagram: your applications in EC2; Redshift cluster holding your encrypted data; CloudHSM)
  24. CloudHSM: Custom Software Applications – An architectural building block to help you secure your own applications • Use standard libraries, with back-end HSM rather than software-based crypto – PKCS#11, JCA/JCE, Microsoft CAPI/CNG • Code examples and details in the CloudHSM Getting Started Guide make it easier to get started (aws.amazon.com/cloudhsm)
  25. Customer Stories
  26. Entersekt: Securing Financial Transactions • Custom application using CloudHSM – Authenticate financial transactions using a mobile device – Based on digital certificates (PKI) – Stores private signing keys in CloudHSM appliances – Private keys used for cert-based auth. (vs. SMS or passwords) – CloudHSM generates random numbers (instead of mobile device RNG) • Migrated application infrastructure to AWS while enhancing security
  27. Netflix Key Management with CloudHSM – Jason Chan, Engineering Director, Cloud Security
  28. vs. • No injuries playing paintball – But, you’ll lose • Bomb technicians don’t wear paintball suits – Even if they are easier to work in
  29. Netflix Key Management – Lots of use cases for keying material: password reset tokens, data encryption, DRM, hash/verify. How do we handle key management? • It depends – Paintballs or pipe bombs? • What are the throughput requirements? • What happens if we lose a key? – Inconvenient or catastrophic
  30. Key Management: Sensitivity Levels • Low: Key is provided to end instance – High throughput, resistant to backend outages • Medium: Key lives on crypto proxy/scale-out layer – Each crypto operation is a REST call • High: Key lives in AWS CloudHSM – Crypto proxy layer implements call on behalf of originating client
  31. Why Netflix needs strong security: CloudHSM Use Cases • Proxy layer key database encryption/decryption – HSM-based key to handle database of low and medium sensitivity keys • Hardware root of trust for internal CA • Device activation – The process of binding devices (NRDs) to accounts • Currently analyzing use cases for PCI in the cloud
  32. Goals • Remove data center dependencies and complexity • Increase reliability • Increase performance
  33. Approach • HSMs per region/environment • Updated our crypto client and proxy (migrated from SafeNet DataSecure in the data center to Luna in the cloud) • Migrated keys • Decommissioned data center configuration
  34. Results • Using AWS CloudHSM with HSM appliances in US-East, US-West, and EU-West • Lower latency and high security • Eliminate on-premises data center-based HSM/KM • Saves money – 33% savings over original projections (diagram: application and HSM client on a VPC instance, talking over SSL to CloudHSM, all inside the Virtual Private Cloud in AWS)
  35. Resources • Whitepaper on data-at-rest encryption and key management in AWS – https://aws.amazon.com/whitepapers/ • S3 Encryption Client – http://aws.amazon.com/articles/2850096021478074 • AWS CloudHSM – https://aws.amazon.com/cloudhsm/ • AWS Partner Network – http://www.aws-partner-directory.com/ • AWS Security Blog – http://blogs.aws.amazon.com/security
  36. Please give us your feedback on this presentation: SEC304. As a thank you, we will select prize winners daily for completed surveys!