
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption


How do you protect your private information and customer PII in the cloud when you don’t control all the hardware or software components that might access that information? AWS allows you to offload many management and data-handling tasks, but how do you evaluate the risks to your data as it passes through these services? AWS offers many options for using encryption to protect your data in transit and at rest. A variety of features let you determine how much control you want over your encryption keys in order to meet your security goals. This webinar will help you understand which AWS encryption features are available, when to use them, and how to integrate them in your workloads. In this webinar, you will learn:

• How to think about using encryption to protect your private information in the cloud
• How to evaluate key management architectures to determine whether they meet your needs
• How to use AWS encryption features to accomplish your data security goals

Who should attend: developers, DevOps engineers, and IT security administrators



  1. Protecting Your Data with AWS Encryption
     Ken Beer, Principal Product Manager, AWS Cryptography Services. June 16, 2015.
     © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Agenda
     • Review the fundamentals of encryption and key management
     • Overview of how AWS protects your data with encryption
     • Learn how AWS Key Management Service simplifies encryption at a low price
     • Understand alternatives like AWS CloudHSM and partner solutions
  3. Encryption Primer (diagram; labels only): plaintext data → hardware/software → encrypted data → encrypted data in storage; symmetric data key; master key; encrypted data key; "? Key hierarchy ?"
  4. "Key" Questions to Consider With Any Solution
     • Where are keys stored? Hardware you own? Hardware the cloud provider owns?
     • Where are keys used? Client software you control? Server software the cloud provider controls?
     • Who can use the keys? Users and applications that have permissions? Cloud provider applications you give permissions?
     • What assurances are there for proper key usage?
  5. AWS Encryption Models
     Server-side encryption
     • Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon WorkMail, Amazon Elastic Transcoder
     • The service encrypts data on your behalf after it receives the API call
     • Uses keys in your AWS account
     Client-side encryption
     • S3, Amazon EMR, Amazon DynamoDB
     • Encryption happens in the application before the data is submitted to the service
     • You supply keys OR use keys in your AWS account
  6. Server-side encryption in AWS: Amazon S3 (screenshot)
  7. Server-side encryption in AWS: S3 Server-Side Encryption with Customer-Provided Keys (SSE-C) (diagram)
     • Customer data and the customer-provided key are sent over HTTPS to an Amazon S3 web server
     • The key is used at the S3 web server to encrypt the plaintext data, then deleted; only encrypted data reaches the Amazon S3 storage fleet
     • The customer must provide the same key when downloading to allow S3 to decrypt the data
  8. Server-side encryption in AWS: Amazon EBS (screenshot)
  9. Server-side encryption in AWS: Amazon Redshift (screenshot)
  10. Client-side encryption in AWS: Amazon S3/EMRFS and DynamoDB Encryption Clients in AWS SDKs (diagram; labels only): your applications in your data center; your key management infrastructure; your encryption client application; your application in EC2; your key management infrastructure in EC2; your encrypted data in select AWS services
  11. AWS Key Management Service
     • Managed service simplifies creation, control, rotation, and use of encryption keys in your applications
     • Integrated with AWS server-side encryption: Amazon S3, EBS, RDS, Redshift, WorkMail, and Elastic Transcoder
     • Integrated with client-side encryption: AWS SDKs, S3 Encryption Client, DynamoDB Encryption Client
     • Integrated with AWS CloudTrail to provide auditable logs for regulatory and compliance activities
     • Available in all commercial regions except China
  12. AWS Key Management Service: integrated with the AWS IAM console (screenshot)
  13. How AWS Services Integrate with AWS Key Management Service
     Two-tiered key hierarchy using envelope encryption
     • A unique data key encrypts customer data
     • AWS KMS master keys encrypt the data keys
     Benefits:
     • Limits the risk of a compromised data key
     • Better performance for encrypting large data
     • Easier to manage a small number of master keys than millions of data keys
     • Centralized access and audit of key activity
     (Diagram: customer master key(s) in AWS KMS wrap Data Key 1 for an S3 object, Data Key 2 for an EBS volume, Data Key 3 for an Amazon Redshift cluster, and Data Key 4 for a custom application.)
  14. AWS Key Management Service: How Keys are Used to Protect Your Data
     (Diagram: your application or AWS service; data key; encrypted data key; encrypted data; master key(s) in the customer's account inside AWS Key Management Service.)
     1. The application requests an encryption key to use to encrypt data, passing a reference to a master key in the account.
     2. The client request is authenticated based on the master key's permissions.
     3. A new data encryption key is created, and a copy is encrypted under the master key.
     4. The plaintext and encrypted data key are returned to the client.
     5. The plaintext data key is used to encrypt the data and then deleted.
     6. The encrypted data key is stored for later use and sent back to AWS KMS when decryption is needed.
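The six steps on slide 14, worked through as an added Python example that is not from the deck and is not AWS's own code: the KMS side is simulated in-process with a constructed master-key store (`MASTER_KEYS`, a made-up alias) and an HMAC-based stand-in for the AES cipher so it runs offline, and the encryption context from slides 16 and 17 is bound to the wrapped data key so that decrypting with a different context fails.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the KMS master key store; in real AWS KMS the master key never
# leaves the service. It lives in this process only so the example runs offline.
MASTER_KEYS = {"alias/constructed-master-key": secrets.token_bytes(32)}

def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter-mode keystream: a stdlib stand-in for AES, not a production cipher.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def _seal(key, plaintext, aad):
    # Encrypt-then-MAC; the tag also covers the associated data (aad) so it cannot be swapped.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()

def _open(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or wrong encryption context")
    return _keystream_xor(key, nonce, ct)

def _context_bytes(context):
    # Canonical encoding of the encryption context so encrypt and decrypt bind identical bytes.
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()

def kms_generate_data_key(key_id, context):
    # Steps 1-4: a fresh data key is returned in plaintext and wrapped under the master key.
    data_key = secrets.token_bytes(32)
    return data_key, _seal(MASTER_KEYS[key_id], data_key, _context_bytes(context))

def kms_decrypt(key_id, wrapped, context):
    # The master key unwraps the data key only if the caller presents the same context.
    return _open(MASTER_KEYS[key_id], wrapped, _context_bytes(context))

def encrypt_envelope(key_id, plaintext, context):
    data_key, wrapped = kms_generate_data_key(key_id, context)
    ciphertext = _seal(data_key, plaintext, b"")
    del data_key  # step 5: drop the plaintext data key as soon as the data is encrypted
    return {"key_id": key_id, "wrapped_key": wrapped, "ciphertext": ciphertext}  # step 6

def decrypt_envelope(envelope, context):
    # Only the wrapped key was stored: one KMS round trip recovers the data key, then the data.
    data_key = kms_decrypt(envelope["key_id"], envelope["wrapped_key"], context)
    return _open(data_key, envelope["ciphertext"], b"")
```

Note that `del` only drops Python's reference to the plaintext key; the deck's point is that the plaintext key is short-lived and never persisted next to the ciphertext.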
  15. AWS Key Management Service: Interfaces to Select Keys in AWS Services (console, CLI/SDK)
     create-volume
         [--dry-run | --no-dry-run]
         [--size <value>]
         [--snapshot-id <value>]
         --availability-zone <value>
         [--volume-type <value>]
         [--iops <value>]
         [--encrypted | --no-encrypted]
         [--kms-key-id <value>]
         [--cli-input-json <value>]
         [--generate-cli-skeleton]
  16. AWS Key Management Service: fully integrated with AWS Identity and Access Management
     You control how and when your keys can be used and by whom. Sample permissions on a key:
     • Managed only by this group of users
     • Used for encryption and decryption by this group of users and applications
     • Used by application A to encrypt data, but used by application B to decrypt data
     • Used to decrypt data only if the application also includes additional parameters unique to the data
  17. AWS Key Management Service: auditability of key usage through AWS CloudTrail
     "EventName": "DecryptResult",   ...this KMS API was called
     "EventTime": "2014-08-18T18:13:07Z",   ...at this time
     "RequestParameters": "{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb"}",   ...in reference to this key
     "EncryptionContext": "volumeid-23657",   ...to protect this AWS resource
     "SourceIPAddress": "46.23.143.114",   ...from this IP address
     "UserIdentity": "{"arn":"arn:aws:iam::957787256530:user/User123"}",   ...by this AWS user in this account
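The fields slide 17 annotates are the ones a defender checks automatically. The following added example (not from the deck, not AWS code) runs a small policy over constructed CloudTrail records laid out in CloudTrail's own casing (eventName, requestParameters, sourceIPAddress, userIdentity) and flags data-API calls on one key from an unexpected principal or source, or Decrypt calls that omit an encryption context; the allowed principal, source range and key id are assumptions built from the slide's sample values.

```python
import ipaddress
# Expected environment for one key: constructed assumptions for this example, not AWS data.
EXPECTED_KEY = "2b42x313-1911-4e2a-8321-6b67324025eb"
ALLOWED_PRINCIPALS = {"arn:aws:iam::957787256530:user/User123"}
ALLOWED_SOURCES = [ipaddress.ip_network("46.23.143.0/24")]
DATA_APIS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey"}

# Constructed records in the CloudTrail field layout (the slide's fields, in CloudTrail's casing).
SAMPLE_EVENTS = [
    {"eventTime": "2014-08-18T18:13:07Z", "eventName": "Decrypt",
     "requestParameters": {"keyId": EXPECTED_KEY, "encryptionContext": {"volumeid": "23657"}},
     "sourceIPAddress": "46.23.143.114 ",
     "userIdentity": {"arn": "arn:aws:iam::957787256530:user/User123"}},
    {"eventTime": "2014-08-18T22:41:19Z", "eventName": "Decrypt",
     "requestParameters": {"keyId": EXPECTED_KEY},
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::957787256530:user/contractor-temp"}},
    {"eventTime": "2014-08-18T23:02:44Z", "eventName": "DescribeKey",
     "requestParameters": {"keyId": EXPECTED_KEY},
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::957787256530:user/contractor-temp"}},
]

def _source_allowed(addr):
    # KMS calls an AWS service makes on your behalf record the service's DNS name, not an IP.
    addr = addr.strip()
    if addr.endswith(".amazonaws.com"):
        return True
    try:
        return any(ipaddress.ip_address(addr) in net for net in ALLOWED_SOURCES)
    except ValueError:
        return False
def audit_kms_events(events):
    """Return (eventTime, eventName, reason) for each suspicious data-API call on EXPECTED_KEY."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") not in DATA_APIS or params.get("keyId") != EXPECTED_KEY:
            continue  # management calls and other keys are out of scope for this check
        when, name = ev.get("eventTime"), ev["eventName"]
        who = (ev.get("userIdentity") or {}).get("arn", "<unknown>")
        if who not in ALLOWED_PRINCIPALS:
            findings.append((when, name, f"unexpected principal {who}"))
        if not _source_allowed(ev.get("sourceIPAddress", "")):
            findings.append((when, name, f"unexpected source {ev.get('sourceIPAddress')}"))
        if name == "Decrypt" and "encryptionContext" not in params:
            findings.append((when, name, "Decrypt without an encryption context"))
    return findings
```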
  18. AWS Key Management Service: APIs to build your own applications
     Example management APIs
     • CreateKey, CreateAlias
     • DisableKey
     • EnableKeyRotation
     • PutPolicy
     • ListKeys, DescribeKey
     Example data APIs
     • Encrypt
     • Decrypt
     • ReEncrypt
     • GenerateDataKey
     26 APIs and growing: http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
  19. AWS Key Management Service Assurance: why should you trust AWS with your keys?
     • Plaintext keys are never stored in persistent memory on runtime systems
     • Separation of duties between systems that use master keys and ones that use data keys
     • Multiparty controls for all maintenance of KMS systems that use your master keys
     • See the public white papers and the Service Organization Control (SOC 1) compliance package for details
  20. Pricing for KMS
     • $1/key version/month
     • $0.03 per 10,000 API requests
     • 20,000 free requests per month
  21. Alternatives to KMS, in order to have more control over the physical security of your keys
     • AWS CloudHSM
     • AWS Partner Solutions
     • Do it yourself
  22. AWS CloudHSM
     • You receive dedicated access to HSM appliances
     • HSMs located in AWS datacenters
     • Managed and monitored by AWS
     • Only you have access to your keys and operations on the keys
     • HSMs are inside your Amazon VPC, isolated from the rest of the network
     • Uses SafeNet Luna SA HSM appliances
     (Diagram: CloudHSM inside an Amazon Virtual Private Cloud; the AWS administrator manages the appliance; you control keys and crypto operations.)
  23. AWS CloudHSM
     Available in seven regions worldwide
     • US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt) and Asia Pacific (Sydney, Tokyo, Singapore)
     Compliance
     • Included in the AWS PCI DSS and Service Organization Control (SOC) compliance packages
     Typical use cases
     • Use with Amazon Redshift, RDS for Oracle
     • Integrate with third-party software (Oracle, SQL Server, Apache, SafeNet)
     • Build your own custom applications
  24. Amazon EBS Volume Encryption with CloudHSM and SafeNet Software: SafeNet ProtectV with Virtual KeySecure
     (Diagram: SafeNet ProtectV Manager and Virtual KeySecure run in EC2; AWS CloudHSM stores the master key; the SafeNet ProtectV Client runs with your applications in EC2 and writes your encrypted data to EBS.)
     ProtectV Client
     • Encrypts I/O from EC2 instances to EBS volumes
     • Includes preboot authentication
  25. Pricing for CloudHSM
     • An HSM provisioned in any region has a $5,000 one-time charge
     • Starting at $1.88/hour metered charge after setup; hourly rate varies by region
     • As low as $21,500 in year one; $16,500 in subsequent years
     • Requests are not billed; limited only by the device capacity, which varies depending on algorithm and key size
  26. Comparing CloudHSM with AWS KMS
     AWS CloudHSM
     • Dedicated access to an HSM that complies with government standards (e.g. FIPS 140-2, Common Criteria)
     • You control your keys and the application software that uses them
     • Supported applications: your custom software; third-party software; symmetric or asymmetric encryption; Amazon Redshift, RDS for Oracle
     AWS KMS
     • Highly available and durable key storage, management, and auditable solution
     • Easily encrypt your data across AWS services and within your own applications based on policies you define
     • Supported applications: your custom software (AWS SDK); symmetric encryption; AWS services (S3, EBS, RDS, Amazon Redshift, WorkMail, Elastic Transcoder)
  27. Partner Solutions in AWS Marketplace
     • Browse, test, and buy security software
     • Pay by the hour, monthly, or annually
     • Software fees added to the AWS bill
     • Bring Your Own License
  28. DIY Key Management in AWS: encrypt data client-side and send ciphertext to AWS storage services (diagram; labels only): your encryption client application; your key management infrastructure; your applications in your data center; your application in EC2; your key management infrastructure in EC2; your encrypted data in AWS services
  29. Comparison of Key Management Options

| | AWS Key Management Service | AWS CloudHSM | AWS Marketplace Partner Solutions | DIY |
|---|---|---|---|---|
| Where keys are generated and stored | AWS | In AWS, on an HSM that you control | Your network or in AWS | Your network or in AWS |
| Where keys are used | AWS services or your applications | AWS or your applications | Your network or your EC2 instance | Your network or your EC2 instance |
| How to control key use | Policy you define; enforced in AWS | Customer code + SafeNet APIs | Vendor-specific management | Config files, vendor-specific management |
| Responsibility for performance/scale | AWS | You | You | You |
| Integration with AWS services? | Yes | Limited | Limited | Limited |
| Pricing model | Per key/usage | Per hour | Per hour/per year | Variable |
  33. Resources
     • AWS Key Management Service: https://aws.amazon.com/kms
     • Whitepaper on AWS Key Management Service Cryptographic Details: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
     • AWS CloudHSM: https://aws.amazon.com/cloudhsm/
     • Whitepaper on data-at-rest encryption and key management in AWS: https://aws.amazon.com/whitepapers/
     • Amazon S3 Encryption Client: http://aws.amazon.com/articles/2850096021478074
     • AWS Partner Network: http://www.aws-partner-directory.com/
     • AWS Security Blog: http://blogs.aws.amazon.com/security
  34. Thank You!
  35. AWS Summit – Chicago: an exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.
     Details
     • July 1, 2015
     • Chicago, Illinois
     • @ McCormick Place
     Featuring
     • New product launches
     • 36+ sessions, labs, and bootcamps
     • Executive and partner networking
     Registration is now open
     • Come and see what AWS and the cloud can do for you.
     • Click here to register: http://amzn.to/1RooPPL
