SlideShare a Scribd company logo

(SEC401) Encryption Key Storage with AWS KMS at Okta

Amazon Web Services
Amazon Web Services

This document discusses Okta's use of AWS KMS for encryption key management. It provides background on Okta as a company and describes their requirements for encryption. It then details Okta's implementation of AWS KMS for encrypting user data, including how they structure encryption keys and handle failures. The document also addresses authorization, auditing, performance tuning and rollout considerations for using AWS KMS.

Technology
1 of 55
Download to read offline
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jon Todd – Sr. Software Architect, Okta October 2015 SEC401 Encryption Key Storage With AWS KMS at Okta
AWS technologies covered • AWS Key Management Service (AWS KMS) • AWS Identity and Access Management (IAM) • AWS CloudTrail • AWS SDK for Java • Amazon Elastic Compute Cloud (Amazon EC2)
Agenda • Background • What’s Okta? • Encryption use cases • Why use a key server? • Okta case study of KMS • Threat model KMS and Amazon EC2 • Failure mitigation • Authorization and auditing • Monitoring and tuning
What is an Okta? Author: Frasmacon - CC by SA 3.0 A. An 8 legged creature B. A unit of measure C. An abbreviation D. A made-up name for a company
What is Okta? Okta is the foundation for secure connections between people and technology.
One platform, many use cases Centralized management of every user, app, device www.okta.com IT Enterprise-grade security built directly into your cloud apps developer.okta.com Developers
More than 2000 customers Education, Non-ProfitFinanceTechnologyCloudHealth Services Manufacturing , Energy Media Consumer
Used in 185 countries globally
Encryption background
Encryption use cases • Fundamental • Confidentiality • Authenticity • Practical • Compliance • Least privilege principle
The problem with encryption Managing these 
Alternative approaches to confidentiality • Use cases for hashing instead of encryption • Authentication • Correlation • Use cases without needing keys • Homomorphic applications • Ordering, range query (for example, CryptDB) • Only require encrypt • Use asymmetric crypto • Trust No One (client encryption scenarios) • File storage or password vault
Why use a key server?
Example application Requirements: 1. Data in database is encrypted at rest and in memory 2. Encryption keys reside only in memory 3. Service has access to the plaintext data Client Service +
Where do we get the keys from? • At server startup • Environment variable • File • At run time • Over JMX + TLS • Over SSH • Key service
Key service • Separation of duties • Auditable • Easy rotation of master key • Data key in memory for very short period • Centralized master key never leaves key service + Client Service Master key Encrypt Key Service DB
Okta case study of AWS KMS
Encryption use cases • Privacy of user data • Protection of PII, PCI, PHI • Credential storage • SAML keys • OAuth tokens • Third-party application credentials
Requirements • Strong encryption  256 bit AES GCM  Strong random-number generator • Separation of duties  By design  Quorum management of servers • Support auto-scale through secure bootstrapping  Hypervisor bootstraps IAM keys • Auditability  Encryption context + CloudTrail
Threat model: AWS KMS and Amazon EC2
+ Client EC2 instance Master key Encrypt KMS DB Data key
Threat model: Amazon EC2 and IAM metadata service + Client EC2 instance Master key Encrypt KMS DB Data key
Getting IAM credentials for KMS • IAM roles for EC2 • Hypervisor provides a per-instance metadata service • Metadata service is accessible by all users • Credentials aren’t channel bound • Credentials are short lived
IAM credentials via metadata service curl http://169.254.169.254/latest/meta- data/iam/security-credentials/MyApp { "Code" : "Success", "LastUpdated" : "2015-08-20T21:17:41Z", "Type" : "AWS-HMAC", "AccessKeyId" : “SOME_ACCESS_ID", "SecretAccessKey" : ”SOME_SECRET_ACCESS_KEY", "Token" : “SOME_SIGNED_TOKEN", "Expiration" : "2015-08-21T03:22:28Z" }
IAM credential rotation • Credentials expire in ~ 6 hours • Credentials are rotated every ~ 1 hour Current Time: 2015-08-20T22:14:52Z LastUpdated: 2015-08-20T21:17:41Z Expiration: 2015-08-21T03:22:28Z Current Time: 2015-08-20T22:29:39Z LastUpdated: 2015-08-20T22:18:48Z Expiration: 2015-08-21T04:47:30Z
Threat model: KMS transport + Client EC2 instance Master key Encrypt KMS DB Data key
Transport Security • TLS for confidentiality and authentication of server • “A” rating on Qualys SSL Labs • Disallowed protocols SSL2 & SSL3 • Supported protocols TLS 1.0, 1.1, 1.2 • Forward secrecy required • Verisign root CA • IAM Signature V4 for authN and authZ of client
Threat model: KMS + Client EC2 instance Master key Encrypt KMS DB Data key
KMS key hierarchy • CMK – Customer master key • HSA – Hardened security appliance • EKT – Exported key token • HBK – HSA backing key • CDK – Customer data key • CT – Customer token Source: KMS Cryptographic Details
Threat model – final comparison Low Risk Low Cost High Cost High Risk DIY KMS Cloud HSM • AWS CloudHSM • HSM at cost of managing High Availability (HA) • DIY • Roll your own credential management and rotation • Separate operational team • Quorum-based management • Run high-availability service • No access to hardware/TPM
Implementing KMS
Implementation goals • Multiregion support for disaster recovery (DR) • Mitigate total KMS failure • Avoid vendor lock-in • Minimal performance impact • Operational tools for key rotation
Mapping KMS key hierarchy to Okta key hierarchy • Region master key • Provided to service at run time by operator • Unique per region • Encrypts tenant master key • Tenant master key • Unique per tenant • Encrypts tenant data key • Tenant data key • Encrypts data
Tradeoffs of an extended key hierarchy Pros • Adoptions of KMS is easier and incremental • KMS data keys are enumerable, allowing rotation • Local encryption provides more control • Fewer calls to KMS for encryption Cons • Local encryption requires more responsibility • Sharing ciphertext across services is complex
Failure mitigation
Multiregion encryption and decryption • Encrypt & store tenant key encrypted by each region key • Decrypt talks to closest KMS region • RSA public key used for encrypt only • Private key provided to service only in event of KMS outage Service KMS East KMS West Region master keyRegion master key Tenant master key RSA Key Region master key DB
September 20th KMS increased error rate
Okta failed-over automatically KMS requests by region https://trust.okta.com
Authorization and auditing
Encryption context • Features: • Additional authenticated data (AAD) via AES GCM • Logging – Understand why the key was accessed • Authorization – Fine-grained access control to data keys • Okta’s implementation • Type: <ServiceName>.<EntityName> • Id: <EntityId> • A good encryption context identifies or classifies • Think carefully about mutability and storage of context • Encryption context shouldn’t contain sensitive data
Granular decryption policy { "Effect":"Allow”, "Principal":{"AWS":"arn:...:DirectoryAppRole"}, "Action":"kms:Decrypt", "Condition":{ "StringEquals”:{ "kms:EncryptionContext:type": ”DirectoryService:SensitiveObject” } } }
CloudTrail
Auditing Correlate CloudTrail logs with service logs to detect events not triggered by the service
Rollout and tuning
Rollout and TTL tuning TuningGradual rollout
Performance
Region failovers • ~ 0.001% failure rate without tuning HttpClient retries • At retry value of 3, failure rate is negligible
SDK client tuning kmsClientConfig = new ClientConfiguration() .withSocketTimeout(3000) // 3 seconds .withConnectionTimeout(3000) // 3 seconds .withConnectionTTL(60000) // 1 minute .withMaxErrorRetry(3); client = new AWSKMSClient(kmsClientConfig);
Final thoughts
Feature requests for KMS • Support for multiregion encryption • Security enhancements • Transport encryption in addition to TLS • Tighter access control for IAM credentials in EC2 metadata service • Bind IAM credentials to EC2 instance/hypervisor • PKI features • KMS storage and rotation for asymmetric keys • Certificate authority as a service
KMS takeaways Low Risk Low Cost High Cost High Risk DIY KMS Cloud HSM • It’s highly available • It’s simple to get up and running • Enables separation of duties • Enables secure scaling automatically • Orders of magnitude cheaper
Implementation recommendations • You may not need encryption or keys for confidentiality • Put thought into encryption context • Reconcile CloudTrail logs with application logs • Tune the SDK for timeout and retries • Consider an extended key hierarchy
Reference • User-Based and Resource-Based Permissions – http://docs.aws.amazon.com/IAM/latest/UserGuide/polici es_permissions.html#TypesPermissions • AWS Key Management Service Cryptographic Details – https://d0.awsstatic.com/whitepapers/KMS- Cryptographic-Details.pdf • KMS Developer Guide – http://docs.aws.amazon.com/kms/latest/developerguide/ kms-dg.pdf
Remember to complete your evaluations!
Thank you! Follow me on twitter www.okta.com@JonToddDotCom Learn more about Okta

Recommended

AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CAAmazon Web Services
 
(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNsAmazon Web Services
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
GCP IAM.pptx
GCP IAM.pptxGCP IAM.pptx
GCP IAM.pptxMohitBabbar6
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 

Recommended

AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CAAmazon Web Services
 
(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNs(NET406) Deep Dive: AWS Direct Connect and VPNs
(NET406) Deep Dive: AWS Direct Connect and VPNsAmazon Web Services
 
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridExploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Exploiting IAM in the google cloud platform - dani_goland_mohsan_faridCloudVillage
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
GCP IAM.pptx
GCP IAM.pptxGCP IAM.pptx
GCP IAM.pptxMohitBabbar6
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Tom Laszewski
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Morgan Simonsen
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTAmazon Web Services
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWSAmazon Web Services
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting StartedTaswar Bhatti
 
Breaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWSBreaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWSAmazon Web Services
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security ChecklistAmazon Web Services
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and ComplianceKarina Matos
 
Amazon ECS
Amazon ECSAmazon ECS
Amazon ECSAmazon Web Services
 
Why a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is EssentialWhy a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is EssentialAlibaba Cloud
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWSAmazon Web Services
 
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...Amazon Web Services
 
Amazon RDS Deep Dive
Amazon RDS Deep DiveAmazon RDS Deep Dive
Amazon RDS Deep DiveAmazon Web Services
 
Messaging Systems on AWS
Messaging Systems on AWSMessaging Systems on AWS
Messaging Systems on AWSAmazon Web Services
 
Best Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff BarrBest Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff BarrAmazon Web Services
 
KMS at Okta - Intermediate Level
KMS at Okta - Intermediate LevelKMS at Okta - Intermediate Level
KMS at Okta - Intermediate LevelJon Todd
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 

More Related Content

What's hot

AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Tom Laszewski
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Morgan Simonsen
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTAmazon Web Services
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting StartedTaswar Bhatti
 
Breaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWSBreaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWSAmazon Web Services
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and ComplianceKarina Matos
 
Why a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is EssentialWhy a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is EssentialAlibaba Cloud
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...Amazon Web Services
 
Best Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff BarrBest Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff BarrAmazon Web Services
 

What's hot (20)

AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security Cloud Migration, Application Modernization, and Security
Cloud Migration, Application Modernization, and Security
 
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
Massive Lift & Shift Migrations to Microsoft Azure with the Microsoft Migrati...
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)
 
Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPT
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
 
Breaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWSBreaking Down the Economics and TCO of Migrating to AWS
Breaking Down the Economics and TCO of Migrating to AWS
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security Checklist
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
 
Amazon ECS
Amazon ECSAmazon ECS
Amazon ECS
 
Why a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is EssentialWhy a Multi-cloud Strategy is Essential
Why a Multi-cloud Strategy is Essential
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
Migrating Databases to the Cloud: Introduction to AWS DMS - SRV215 - Atlanta ...
 
Amazon RDS Deep Dive
Amazon RDS Deep DiveAmazon RDS Deep Dive
Amazon RDS Deep Dive
 
Messaging Systems on AWS
Messaging Systems on AWSMessaging Systems on AWS
Messaging Systems on AWS
 
Best Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff BarrBest Practices for Architecting in the Cloud - Jeff Barr
Best Practices for Architecting in the Cloud - Jeff Barr
 

Similar to (SEC401) Encryption Key Storage with AWS KMS at Okta

KMS at Okta - Intermediate Level
KMS at Okta - Intermediate LevelKMS at Okta - Intermediate Level
KMS at Okta - Intermediate LevelJon Todd
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSAmazon Web Services
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWSAmazon Web Services
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - TorontoAmazon Web Services
 
Protecting your data in AWS
Protecting your data in AWS Protecting your data in AWS
Protecting your data in AWS Dinah Barrett
 
Secrets management with EC2 Systems Manager Parameter Store
Secrets management with EC2 Systems Manager Parameter StoreSecrets management with EC2 Systems Manager Parameter Store
Secrets management with EC2 Systems Manager Parameter StoreAlex Mattson
 
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...Amazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
 

Similar to (SEC401) Encryption Key Storage with AWS KMS at Okta (20)

KMS at Okta - Intermediate Level
KMS at Okta - Intermediate LevelKMS at Okta - Intermediate Level
KMS at Okta - Intermediate Level
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWS
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWS Protecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
protecting your data in aws
protecting your data in aws protecting your data in aws
protecting your data in aws
 
Protecting Your Data in AWS
Protecting Your Data in AWS Protecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Protecting your data in aws - Toronto
Protecting your data in aws - TorontoProtecting your data in aws - Toronto
Protecting your data in aws - Toronto
 
Protecting your data in AWS
Protecting your data in AWS Protecting your data in AWS
Protecting your data in AWS
 
Secrets management with EC2 Systems Manager Parameter Store
Secrets management with EC2 Systems Manager Parameter StoreSecrets management with EC2 Systems Manager Parameter Store
Secrets management with EC2 Systems Manager Parameter Store
 
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...
AWS re:Invent 2016: Advanced Techniques for Managing Sensitive Data in the Cl...
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

(SEC401) Encryption Key Storage with AWS KMS at Okta

  • 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jon Todd – Sr. Software Architect, Okta October 2015 SEC401 Encryption Key Storage With AWS KMS at Okta
  • 2. AWS technologies covered • AWS Key Management Service (AWS KMS) • AWS Identity and Access Management (IAM) • AWS CloudTrail • AWS SDK for Java • Amazon Elastic Compute Cloud (Amazon EC2)
  • 3. Agenda • Background • What’s Okta? • Encryption use cases • Why use a key server? • Okta case study of KMS • Threat model KMS and Amazon EC2 • Failure mitigation • Authorization and auditing • Monitoring and tuning
  • 4. What is an Okta? Author: Frasmacon - CC by SA 3.0 A. An 8 legged creature B. A unit of measure C. An abbreviation D. A made-up name for a company
  • 5. What is Okta? Okta is the foundation for secure connections between people and technology.
  • 6. One platform, many use cases Centralized management of every user, app, device www.okta.com IT Enterprise-grade security built directly into your cloud apps developer.okta.com Developers
  • 7. More than 2000 customers Education, Non-ProfitFinanceTechnologyCloudHealth Services Manufacturing , Energy Media Consumer
  • 8. Used in 185 countries globally
  • 10. Encryption use cases • Fundamental • Confidentiality • Authenticity • Practical • Compliance • Least privilege principle
  • 11. The problem with encryption Managing these 
  • 12. Alternative approaches to confidentiality • Use cases for hashing instead of encryption • Authentication • Correlation • Use cases without needing keys • Homomorphic applications • Ordering, range query (for example, CryptDB) • Only require encrypt • Use asymmetric crypto • Trust No One (client encryption scenarios) • File storage or password vault
  • 13. Why use a key server?
  • 14. Example application Requirements: 1. Data in database is encrypted at rest and in memory 2. Encryption keys reside only in memory 3. Service has access to the plaintext data Client Service +
  • 15. Where do we get the keys from? • At server startup • Environment variable • File • At run time • Over JMX + TLS • Over SSH • Key service
  • 16. Key service • Separation of duties • Auditable • Easy rotation of master key • Data key in memory for very short period • Centralized master key never leaves key service + Client Service Master key Encrypt Key Service DB
  • 17. Okta case study of AWS KMS
  • 18. Encryption use cases • Privacy of user data • Protection of PII, PCI, PHI • Credential storage • SAML keys • OAuth tokens • Third-party application credentials
  • 19. Requirements • Strong encryption  256 bit AES GCM  Strong random-number generator • Separation of duties  By design  Quorum management of servers • Support auto-scale through secure bootstrapping  Hypervisor bootstraps IAM keys • Auditability  Encryption context + CloudTrail
  • 20. Threat model: AWS KMS and Amazon EC2
  • 21. + Client EC2 instance Master key Encrypt KMS DB Data key
  • 22. Threat model: Amazon EC2 and IAM metadata service + Client EC2 instance Master key Encrypt KMS DB Data key
  • 23. Getting IAM credentials for KMS • IAM roles for EC2 • Hypervisor provides a per-instance metadata service • Metadata service is accessible by all users • Credentials aren’t channel bound • Credentials are short lived
  • 24. IAM credentials via metadata service curl http://169.254.169.254/latest/meta- data/iam/security-credentials/MyApp { "Code" : "Success", "LastUpdated" : "2015-08-20T21:17:41Z", "Type" : "AWS-HMAC", "AccessKeyId" : “SOME_ACCESS_ID", "SecretAccessKey" : ”SOME_SECRET_ACCESS_KEY", "Token" : “SOME_SIGNED_TOKEN", "Expiration" : "2015-08-21T03:22:28Z" }
  • 25. IAM credential rotation • Credentials expire in ~ 6 hours • Credentials are rotated every ~ 1 hour Current Time: 2015-08-20T22:14:52Z LastUpdated: 2015-08-20T21:17:41Z Expiration: 2015-08-21T03:22:28Z Current Time: 2015-08-20T22:29:39Z LastUpdated: 2015-08-20T22:18:48Z Expiration: 2015-08-21T04:47:30Z
  • 26. Threat model: KMS transport + Client EC2 instance Master key Encrypt KMS DB Data key
  • 27. Transport Security • TLS for confidentiality and authentication of server • “A” rating on Qualys SSL Labs • Disallowed protocols SSL2 & SSL3 • Supported protocols TLS 1.0, 1.1, 1.2 • Forward secrecy required • Verisign root CA • IAM Signature V4 for authN and authZ of client
  • 28. Threat model: KMS + Client EC2 instance Master key Encrypt KMS DB Data key
  • 29. KMS key hierarchy • CMK – Customer master key • HSA – Hardened security appliance • EKT – Exported key token • HBK – HSA backing key • CDK – Customer data key • CT – Customer token Source: KMS Cryptographic Details
  • 30. Threat model – final comparison Low Risk Low Cost High Cost High Risk DIY KMS Cloud HSM • AWS CloudHSM • HSM at cost of managing High Availability (HA) • DIY • Roll your own credential management and rotation • Separate operational team • Quorum-based management • Run high-availability service • No access to hardware/TPM
  • 32. Implementation goals • Multiregion support for disaster recovery (DR) • Mitigate total KMS failure • Avoid vendor lock-in • Minimal performance impact • Operational tools for key rotation
  • 33. Mapping KMS key hierarchy to Okta key hierarchy • Region master key • Provided to service at run time by operator • Unique per region • Encrypts tenant master key • Tenant master key • Unique per tenant • Encrypts tenant data key • Tenant data key • Encrypts data
  • 34. Tradeoffs of an extended key hierarchy Pros • Adoptions of KMS is easier and incremental • KMS data keys are enumerable, allowing rotation • Local encryption provides more control • Fewer calls to KMS for encryption Cons • Local encryption requires more responsibility • Sharing ciphertext across services is complex
  • 36. Multiregion encryption and decryption • Encrypt & store tenant key encrypted by each region key • Decrypt talks to closest KMS region • RSA public key used for encrypt only • Private key provided to service only in event of KMS outage Service KMS East KMS West Region master keyRegion master key Tenant master key RSA Key Region master key DB
  • 37. September 20th KMS increased error rate
  • 38. Okta failed-over automatically KMS requests by region https://trust.okta.com
  • 40. Encryption context • Features: • Additional authenticated data (AAD) via AES GCM • Logging – Understand why the key was accessed • Authorization – Fine-grained access control to data keys • Okta’s implementation • Type: <ServiceName>.<EntityName> • Id: <EntityId> • A good encryption context identifies or classifies • Think carefully about mutability and storage of context • Encryption context shouldn’t contain sensitive data
  • 43. Auditing Correlate CloudTrail logs with service logs to detect events not triggered by the service
  • 45. Rollout and TTL tuning TuningGradual rollout
  • 47. Region failovers • ~ 0.001% failure rate without tuning HttpClient retries • At retry value of 3, failure rate is negligible
  • 48. SDK client tuning kmsClientConfig = new ClientConfiguration() .withSocketTimeout(3000) // 3 seconds .withConnectionTimeout(3000) // 3 seconds .withConnectionTTL(60000) // 1 minute .withMaxErrorRetry(3); client = new AWSKMSClient(kmsClientConfig);
  • 50. Feature requests for KMS • Support for multiregion encryption • Security enhancements • Transport encryption in addition to TLS • Tighter access control for IAM credentials in EC2 metadata service • Bind IAM credentials to EC2 instance/hypervisor • PKI features • KMS storage and rotation for asymmetric keys • Certificate authority as a service
  • 51. KMS takeaways Low Risk Low Cost High Cost High Risk DIY KMS Cloud HSM • It’s highly available • It’s simple to get up and running • Enables separation of duties • Enables secure scaling automatically • Orders of magnitude cheaper
  • 52. Implementation recommendations • You may not need encryption or keys for confidentiality • Put thought into encryption context • Reconcile CloudTrail logs with application logs • Tune the SDK for timeout and retries • Consider an extended key hierarchy
  • 53. Reference • User-Based and Resource-Based Permissions – http://docs.aws.amazon.com/IAM/latest/UserGuide/polici es_permissions.html#TypesPermissions • AWS Key Management Service Cryptographic Details – https://d0.awsstatic.com/whitepapers/KMS- Cryptographic-Details.pdf • KMS Developer Guide – http://docs.aws.amazon.com/kms/latest/developerguide/ kms-dg.pdf
  • 55. Thank you! Follow me on twitter www.okta.com@JonToddDotCom Learn more about Okta