This document discusses key management systems and cloud migration. It begins with an overview of encryption at rest using DoDAF and various AWS services like S3, EBS, RDS, and Redshift. It then provides details on the AWS Key Management Service (KMS), how it allows users to create and manage encryption keys to protect data on supported AWS services. KMS ensures keys are securely stored and accessible only by authorized users or services. The document also discusses how database encryption can be implemented using KMS and compares KMS to on-premises key management and CloudHSM. It concludes with topics on identity and access management policies, standards for archiving to Glacier, and server-side encryption options on S3

1. Key Management System - A Journey on Cloud
Migration
December 2016
Rasananda Behera
Elite Panel Speaker & Industry Leader in Cloud Topology, Cyber Security
Silicon Valley – Cloud Expo

2. A Journey

3. DoDAF – Defense in Depth
DoDAF

4. ENCRYPTION DATA @ REST
Encryption Data at REST
Volume Encryption
Object Encryption
Database Encryption
EBS encryption OS Tools
AWS marketplace/
partnr
S3 server side
encryption[sse]
S3 SSE w/ customer
provided keys
Client side encryption
RDS ORACLE
TDE HSM
RDS MSSQL
TDE
RDS MYSQL
KMS
RDSPostgreSQL
KMS
Anazon Redshift
encryption

5. AWS KEY MANAGEMENT SERVICE
Introducing AWS Key Management Service
• A Service that enables you to provide and use encryption keys to protect your data
• Allows you to create, use, and manage encryption keys from within
• Your own applications via AWS SDK
• Supported AWS services
• S3
• EBS
• RDS
• Redshift
 Available in all commercial regions

6. WHAT IS SERVER SIDE ENCRYPTION

7. SERVER SIDE ENCRYPTION [S3]

8. SERVER-SIDE ENCRYPTION SSE [S3]

9. S3 WEBSERVER

10. KMS INFRASTRUCTURE

11. AWS KMS CONCEPTS

12. AWS SERVICES INTEGRATE WITH KMS

13. S3 SERVER-SIDE ENCRYPTION WITH KMS

14. RDS ENCRYPTION WITH KMS

15. REDSHIFT

16. KMS Provisioning…
KMS GIVES YOU CONTROL
Define who can
• Create a master key
• Use a master key
• Create and export a data key that is encrypted by a master key
• Enable / disable master keys
• Audit use of master key in AWS Cloud Trail

17. SECURE YOUR KEYS
KMS SECURES YOUR KEYS
• Plaintext keys are never stored in persistent memory on runtime systems
• Separation of duties
• AWS service team operators
– S3
– EBS
– RDS
cannot access KMS hosts that use master keys
 KMS operators cannot access service team hosts that use data keys
• Multi-party controls
• Normal operations requires signatures from two or more KMS operatorson any API calls
to an active host processing customer keys
• Verified claims in SOC1 and public white papers

18. HARDWARE SECURITY MODULE (HSM)

20. DATABASE ENCRYPTION

21. EBS

22. REDSHFT

23. CloudHSM
CloudHSM: Custom Software Applications
An architectural building block to help you secure your own applications
• Use standard libraries, with backend HSM rather than software based crypto
• PKCS#11
• JCA/JCE
• Micosoft CAP/CNG
• Code examples and details in the CloudHSM Getting Started Guide make it easier to get
started
aws.amazon.com/cloudhsm

24. ANALYSIS

25. KMS On-Premises Vs. CloudHSM Vs. AWS KMS
COMPARISON OF KEY MANAGEMENT

26. KMS UNIQUENESS

27. S3 OPTIMIOSATION

28. IDENTITY & ACCESS MANAGEMENT
IAM Policies
Fine grained
Administer as part of role based access
Apply policies to S3 at
1. Role
2. User
3. Group Level
Allow
Actions
PutObject
Resources
arn:aws:s3:::mybucket/*
Rasa Behera

29. POLICY
Rasa Behera My Bucket

30. GRANTS & Permissions

31. ACL

32. POLICY

33. Standards to Glacier

34. SSE S3 KMS

35. SSE – CUSTOMER PROVIDED KEYS
With SSE- C,
• Amazon S3 will encrypt the data at rest using the custom encryption keys
• Amazon S3 does NOT store your encryption key anywhere
• The key is discarded after Amazon S3completes your requests

36. BACK UP Slides
?
QUESTIONS
Please send directly to rasananda.behera@va.gov

37. BACK UP Slides
PART II:
MICROSOFT AZURE
KMS
RELATED SLIDES in OUR NEXT SESSION
Thank you