AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for High Security (SEC303)

AWS Key Management Service provides an easy and cost-effective way to secure your data in AWS. In this session, you learn about leveraging the latest features of the service to minimize risk for your data. We also review the recently released Import Key feature that gives you more control over the encryption process by letting you bring your own keys to AWS.

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Ken Beer, General Manager, AWS Key Management Service
     Cory Minkovich, Staff Software Engineer, Box Inc.
     SEC303 Get the Most from AWS KMS: Architecting Applications for High Security
     November 29, 2016
  2. What to expect from this short talk
     • How to approach secure application design
     • Best practices for using AWS KMS
     • New key management feature – Import Key
     • A partner shares their experience using AWS KMS
  3. Goals for secure application design
     • Confidentiality – only authorized users can access data
     • Integrity – data can’t be changed without detection
     • Availability – data is accessible when needed
  4. Confidentiality
     • Access control on systems and/or the data itself
       • Principal, Action, Resource, Condition
     • Encryption
       • Renders data inaccessible without a key
       • Authenticated encryption protects data from modification
       • Easier to tightly control access to a key than to the data
       • Independent controls for keys and data
  5. Integrity
     • Physical integrity
       • Replicate across independent systems
       • Mitigates risk of data corruption or code errors
     • Logical integrity
       • Checksum
       • Message authentication code (MAC)
       • Digital signature
  6. Availability
     • Ability to access ANY copy of the data
       • How much time can your users live with zero access?
     • Latency of access to the primary copy of the data
       • How much time can your users wait for normal access?
  7. Sample application requirements
     1. Retrieve multiple encrypted secrets and deploy to instance (e.g. database passwords, credentials to a 3rd-party service)
     2. Decrypt material and provision plaintext secrets on the instance
     Implications for security…
     • C – Don’t store plaintext secrets on disk
     • C – Don’t decrypt secrets anywhere but the instance
     • I – Keep ciphertext of secrets in multiple locations
     • I – Ensure secrets haven’t changed since last used
     • A – If instance can launch, secrets should be accessible
     • A – Time to provision all secrets to instance < 1 minute
  8. Mapping KMS features to requirements
     “Don’t store plaintext secret on disk” and “Don’t decrypt secret anywhere but the instance”
     Implies…
     • Encryption and decryption of the secret should happen within your application code running on your instance – no server-side encryption
     • KMS-integrated client-side options:
       • AWS Encryption SDK
       • S3 Encryption Client
       • DynamoDB Encryption Client
  9. Client integration with KMS
     Two-tiered key hierarchy using envelope encryption
     • Unique data key encrypts customer data
     • KMS master keys encrypt data keys
     Benefits
     • Limits risk of a compromised data key
     • Better performance for encrypting large data
     • Easier to manage a small number of master keys than millions of data keys
     • Centralized access and audit of key activity
     [Diagram: KMS customer master keys encrypt data keys 1–4; each data key encrypts one resource – an S3 object, an EBS volume, an Amazon Redshift cluster, or a custom application’s data]
  10. Mapping KMS features to requirements
      “Keep ciphertext of secrets in multiple locations”
      Implies… Use a redundant storage architecture
      • S3 is designed to provide 99.999999999% durability
      • Backup copy in DynamoDB (or vice versa)
  11. Mapping KMS features to requirements
      “Ensure secrets haven’t changed since last used”
      Implies…
      • Use an authenticated encryption method (e.g. AES-GCM)
      • Use KMS Encryption Context as input for signing ciphertext: a string-string pair submitted with kms.Encrypt, kms.GenerateDataKey* and kms.Decrypt calls
      • KMS Encryption Context values can be enforced via policy and they show up in AWS CloudTrail logs:
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": "volumeid-123abcd4"}
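The two-tier hierarchy of slide 9 and the context binding of slide 11, as an added example that is not code from the talk or from AWS: a 32-byte master key stands in for the KMS master key, AES-256-GCM plays the part of KMS's authenticated encryption, and the encryption context is bound as AAD both when the data key is wrapped and when the secret is encrypted, so a decrypt under a different context, a wrong master key or a modified blob fails instead of returning data. The function names and the in-process master key are assumptions of the model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// seal is AES-256-GCM with a fresh random nonce prefixed to the output; the
// same aad bytes must be presented at open time or authentication fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails on a wrong key, a different aad or any modified byte.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// EnvelopeEncrypt models GenerateDataKey plus client-side encryption: a fresh
// data key encrypts the secret and the master key wraps only that data key,
// with ctx bound as AAD at both tiers. Returns (wrapped data key, ciphertext).
func EnvelopeEncrypt(master []byte, ctx map[string]string, secret []byte) ([]byte, []byte, error) {
	aad, _ := json.Marshal(ctx) // map keys are emitted sorted, so equal contexts give equal AAD
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(master, dataKey, aad)
	if err != nil {
		return nil, nil, err
	}
	ct, err := seal(dataKey, secret, aad)
	return wrapped, ct, err
}

// EnvelopeDecrypt models kms.Decrypt of the wrapped key followed by client-side
// decryption; a changed ctx fails at the first step, before data is touched.
func EnvelopeDecrypt(master []byte, ctx map[string]string, wrapped, ct []byte) ([]byte, error) {
	aad, _ := json.Marshal(ctx)
	dataKey, err := open(master, wrapped, aad)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ct, aad)
}
```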
  12. Mapping KMS features to requirements
      “If instance can launch, secrets should be accessible” and “Time to provision plaintext secrets to instance < 1 minute”
      Implies…
      • Use KMS endpoints in the same region as the EC2 instance
      • Measure request latencies and decide whether to cache data keys in memory for faster encrypt/decrypt times
      • Note: Be very careful that you understand how/when keys are re-used
  13. Best practices for client-side use of KMS
      • Encoding
        • If using the AWS CLI – understand its base64 behavior; AWS SDKs using KMS APIs assume raw bytes
      • Request rates
        • KMS throttles at 100 rps per calling account for encrypt/decrypt operations – we can make exceptions depending on your use case
      • Use key aliases instead of the 32-char keyId
        • Enables you to re-use code in multiple regions, even with different KMS master keyIds across regions
        • Note: Aliases aren’t supported in KMS key or IAM policies
  14. Authorization logic in KMS
      • Key Policy is King!
        • You can choose to delegate to IAM policies
      • KMS grants are policy objects designed to be programmatically created and revoked as resources are placed “in use” and “at rest”
      • IAM policies must reference the KMS keyId
        • Don’t expect to use aliases
        • Avoid using Resource: "*" – this gives permission to use ALL keys in your account
      [Diagram: Is this user/group/role allowed to perform this action on this master key? 1. KMS Key Policy → IAM Policy referencing this keyId? 2. KMS Grants]
  15. Key management options
  16. Comparison of key management options
      | | KMS | CloudHSM | AWS Marketplace Partner Solutions | DIY |
      |---|---|---|---|---|
      | Where keys are generated and stored | AWS, or imported by you | In AWS, on a 3rd party HSM that you control | Your network or in EC2 instance | Your network or in EC2 instance |
      | Where keys are used | AWS services or your applications | AWS or your applications | Your network or your EC2 instance | Your network or your EC2 instance |
      | How to control key use | Policy you define; enforced by AWS | SafeNet-specific access controls | Vendor-specific access controls | You implement access controls |
      | Responsibility for performance/scale | AWS | You | You | You |
      | Integration with AWS services? | Yes | Limited | Limited | Limited |
      | Pricing model | Per master key + usage | Up front + per hour | Variable | Variable |
  22. KMS Import Key – giving you more control
      • You control how master keys are generated
      • You store the master copy of the keys
      • You import the key into KMS and set an optional expiration time
      • You use imported keys with all KMS-integrated services and SDKs
      • You can delete and re-import the key at any time to control when you or AWS can use it to encrypt/decrypt data on your behalf
      • Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security
  23. Import Key workflow
      1. Create a customer master key (CMK) container – KMS creates an empty CMK container with a unique keyId
      2. Download a public wrapping key – KMS provides an RSA public key
      3. Export your key material encrypted under the public wrapping key – your key management infrastructure exports your 256-bit key material encrypted under the KMS public key
      4. Import the encrypted key material under the KMS CMK keyId and set an optional expiration period – your key material is now protected in KMS
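The four steps above as an added model, not AWS's implementation and not code from the talk: the container starts empty with only a keyId, the public half of a wrapping key pair is handed out, the 256-bit material is encrypted under it on the customer side, and the import unwraps it inside "KMS" with the optional expiry. RSA-2048 and RSA-OAEP with SHA-256 are assumed as the wrapping key and algorithm, and `CMK`, `NewCMK`, `WrapKeyMaterial`, `ImportKeyMaterial`, `DeleteImportedKeyMaterial` and `Usable` are names made up for the model.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

// CMK is a constructed model of an import-key master key container: it
// starts empty with just a keyId, holds imported 256-bit material plus an
// optional expiry, and can be emptied again for a later re-import.
type CMK struct {
	KeyID       string
	wrappingKey *rsa.PrivateKey // the private half never leaves "KMS"
	material    []byte
	expiresAt   time.Time // zero value means no expiry
}

// NewCMK is the "create CMK container" step (RSA-2048 wrapping pair assumed).
func NewCMK(keyID string) (*CMK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CMK{KeyID: keyID, wrappingKey: priv}, nil
}

// WrappingPublicKey is the "download a public wrapping key" step.
func (c *CMK) WrappingPublicKey() *rsa.PublicKey { return &c.wrappingKey.PublicKey }

// WrapKeyMaterial runs on your own key management side: the 256-bit material
// is encrypted under the KMS public key (RSA-OAEP with SHA-256 assumed) so
// only the KMS-held private key can recover it.
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, errors.New("key material must be exactly 256 bits")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// ImportKeyMaterial is the import step: unwrap inside "KMS", check the
// length, and record the optional expiry supplied with the import.
func (c *CMK) ImportKeyMaterial(wrapped []byte, expiresAt time.Time) error {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.wrappingKey, wrapped, nil)
	if err != nil {
		return err
	}
	if len(material) != 32 {
		return errors.New("unwrapped material is not 256 bits")
	}
	c.material, c.expiresAt = material, expiresAt
	return nil
}

// DeleteImportedKeyMaterial empties the container: the keyId survives, but
// nothing can be encrypted or decrypted under it until you re-import.
func (c *CMK) DeleteImportedKeyMaterial() { c.material = nil }

// Usable reports whether the CMK could serve a crypto request at time now.
func (c *CMK) Usable(now time.Time) bool {
	return c.material != nil && (c.expiresAt.IsZero() || now.Before(c.expiresAt))
}
```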
  24. Getting the most from KMS
      • Identify your C-I-A requirements up front
      • Use envelope encryption as a way to limit the blast radius of any single data key
      • Think carefully about data key re-use when trying to improve performance
      • Use Encryption Context where practical
      • Use Import Key for more control (if you have existing key management infrastructure)
      • Verify that AWS CloudTrail logs tell you what you need
  25. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
      Cory Minkovich, Staff Software Engineer, Box Inc.
      November 29, 2016
      Box KeySafe: How KMS saved us from managing HSMs
  26. Box is a modern content management platform that transforms how organizations work and collaborate to achieve results faster.
  27. Box is a Content Platform for the Modern Enterprise
      • Built for cloud and mobile
      • Connects to all your business apps
      • Centralized security controls
      • Comes with unlimited storage for users
  28. Powering digital transformation in every industry
      [Diagram: healthcare provider example – content management, collaboration, advanced security and a custom application serving patients]
  29. Customer-managed encryption is hard
      Historically the choice was between…
      • Client-side agent – works well for basic storage, but not for collaborative cloud services or multiple devices (ex: nCrypted Cloud, Microsoft RMS)
      • Proxy-based – works well for selective encryption, but breaks many cloud applications (ex: most CASBs)
      • API, after upload – also best suited for selective encryption and also breaks cloud apps (ex: most CASBs)
  30. Drawbacks of historic solutions
      • Productivity & Ease of Use: breaks file preview; breaks mobile access; breaks 3rd-party app integrations
      • Overall Security: breaks antivirus; breaks DLP tools; blocks file preview as a security feature
      • Governance Controls: eDiscovery not possible/difficult; content workflow will be limited
      • Incentive for Shadow IT: complicates UX; encourages adoption of unsanctioned tools
  31. Introducing Box KeySafe for customer-managed encryption
      • Secure, reliable, on-demand
      • Software-based approach
      • Simple, configurable in 30 minutes
  32. How Box Encryption works – a comparison of approaches
  33. Native Box Encryption
      [Diagram: 1. File uploaded by customer → 2. Unique DEK generated → 3. File encrypted with DEK → 4. Encrypted file stored → 5. DEK encrypted with Box KEK → 6. Encrypted DEK stored]
  34. KeySafe with AWS CloudHSM
      [Diagram: 1. File uploaded by customer → 2. File encrypted with Box Key → 3. Box Key encrypted with Customer Key (includes audit params) in a Gemalto SafeNet HSM on Amazon Web Services, with a backup HSM → 3. Audit logs updated]
  35. KeySafe with AWS KMS
      [Diagram: 1. File uploaded by customer → 2. File encrypted with Box Key → 3. Box Key encrypted with Customer Key (includes audit params) in AWS KMS, with a backup HSM → 3. Audit logs updated]
  36. AWS CloudHSM vs. AWS KMS
      | | CloudHSM | KMS |
      |---|---|---|
      | Request Rate (crypto + audit logging) | Audit logging increases latency | Default limit is 100 rps but can be increased |
      | Audit Logging | Separate requests (higher latency) | Same request |
      | Reliability | Customer must manage patching and HA; Box must support every HSM version | No observed problems so far |
      | Durability | Back up HSM + possible multi-region setup | Trust Amazon or import own key to KMS |
      | Integration Complexity | 1k lines + SDK + multiple RPMs | 200 lines + SDK |
  37. Code architecture
  38. KeySafe architecture
      [Diagram: the Key Encryption Decryption Service (KEDS) reaches each customer’s HSMs (Customer 1: HSM 1–3; Customer 2: HSM 1–3) through per-customer HSM connectors, and reaches AWS KMS directly]
  39. KMS code samples – health checking
  40. KMS code samples – CloudTrail logging annotation
      { box-req: "50F8B0EA6BF3F", box-oid: "file_345678", box-uid: "12345", box-eid: "67890" }
      (as it appears in the AWS CloudTrail log)
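An added example, not Box's code and not from the talk: a check over CloudTrail-shaped records that every KMS data-path call carries the four annotation keys shown on the slide (so the log can answer which file, user and request a key operation belonged to) and that calls KMS refused are surfaced. The record type is reduced to the CloudTrail fields the check reads, the set of operations treated as data-path calls is an assumption, and the log lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the subset of a CloudTrail record this check reads; the field
// names are CloudTrail's, while the records in SampleLog are constructed.
type Event struct {
	EventSource       string `json:"eventSource"`
	EventName         string `json:"eventName"`
	ErrorCode         string `json:"errorCode"`
	RequestParameters struct {
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

// Annotation keys the KeySafe code path attaches to every KMS data-path call,
// and the calls that must carry them (key-management calls are skipped).
var requiredKeys = []string{"box-req", "box-oid", "box-uid", "box-eid"}
var cryptoOps = map[string]bool{"Encrypt": true, "Decrypt": true, "GenerateDataKey": true}

// AuditKMSEvents scans newline-delimited CloudTrail records, reporting data-path
// calls that lack the full annotation (untraceable to a file, user or request)
// and calls KMS refused; the returned index maps box-oid -> box-req values.
func AuditKMSEvents(ndjson string) (findings []string, byObject map[string][]string) {
	byObject = map[string][]string{}
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			findings = append(findings, fmt.Sprintf("line %d: unparseable record", i+1))
			continue
		}
		if ev.EventSource != "kms.amazonaws.com" || !cryptoOps[ev.EventName] {
			continue
		}
		if ev.ErrorCode != "" {
			findings = append(findings, fmt.Sprintf("line %d: %s refused: %s", i+1, ev.EventName, ev.ErrorCode))
		}
		ctx := ev.RequestParameters.EncryptionContext // a nil map just reads as "" below
		var missing []string
		for _, k := range requiredKeys {
			if ctx[k] == "" {
				missing = append(missing, k)
			}
		}
		if len(missing) > 0 {
			findings = append(findings, fmt.Sprintf("line %d: %s lacks annotation %s", i+1, ev.EventName, strings.Join(missing, ",")))
			continue
		}
		byObject[ctx["box-oid"]] = append(byObject[ctx["box-oid"]], ctx["box-req"])
	}
	return findings, byObject
}

// SampleLog holds four constructed records; the first reuses the slide's annotation.
const SampleLog = `
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","requestParameters":{"encryptionContext":{"box-req":"50F8B0EA6BF3F","box-oid":"file_345678","box-uid":"12345","box-eid":"67890"}}}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","requestParameters":{"encryptionContext":{"box-uid":"12345"}}}
{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","requestParameters":{"encryptionContext":{"box-req":"REQ-CONSTRUCTED-3","box-oid":"file_999","box-uid":"777","box-eid":"67890"}}}
{"eventSource":"kms.amazonaws.com","eventName":"DescribeKey","requestParameters":{}}
`
```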
  41. KMS challenges
  42. Key rotation concerns
      • Native key rotation is supported, but…
        • Only yearly rotation is supported natively
        • Some customers want quarterly rotation
        • Changing the master key quarterly is really cumbersome
      • Some compliance schemes require re-encrypt after rotation
        • Bulk re-encrypt operations are problematic
      • Only CloudTrail knows if key rotation happens
        • No way to know if an encrypted blob was created before or after key rotation
        • Only way to be safe is to re-encrypt all the data keys every year
  43. Key availability concerns
      • KMS keys are regionally isolated
        • HA within region but no customer backup
        • Some customers want more control
      • Key import supports multi-region
        • Same key material can be imported to multiple regions, but each region’s key has a unique keyId
        • Lack of multiple imported key versions breaks simple key rotation, and requires creation of multiple master keyIds
        • Not easy to automate on customer side or Box side
  44. KeySafe summary
      • Integrating with AWS CloudHSM and KMS allows Box:
        • Guaranteed audit trail
        • Ultimate access control delegated to customers
        • Easy to incorporate into envelope encryption
      • Tradeoffs
        • Minor latency increase
        • Availability surface area increase
  45. Thank you! Email me at keds@box.com with any questions!
  46. Remember to complete your evaluations!
