How do you protect your private information and customer PII in the cloud when you don't control all the hardware or software components that might access that information? AWS allows you to offload many management and data-handling tasks, but how do you evaluate the risks to your data as it passes through these services? AWS offers many options for using encryption to protect your data in transit and at rest. A variety of features let you determine how much control you want over your encryption keys in order to meet your security goals. This webinar will help you understand which AWS encryption features are available, when to use them, and how to integrate them into your workloads. In this webinar, you will learn:
• How to think about using encryption to protect your private information in the cloud
• How to evaluate key management architectures to determine whether they meet your needs
• How to use AWS encryption features to accomplish your data security goals
Who Should Attend: • Developers, DevOps Engineers, and IT Security Administrators
2. Agenda
• Review the fundamentals of encryption and key management
• Overview of how AWS protects your data with encryption
• Learn how AWS Key Management Service simplifies encryption at a low price
• Understand alternatives like AWS CloudHSM and partner solutions
4. "Key" Questions to Consider With Any Solution
Where are keys stored?
• Hardware you own?
• Hardware the cloud provider owns?
Where are keys used?
• Client software you control?
• Server software the cloud provider controls?
Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions to?
What assurances are there for proper key usage?
5. AWS Encryption Models
Server-side encryption
• Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon WorkMail, Amazon Elastic Transcoder
• The service encrypts data on your behalf after it receives your API call
• Uses keys in your AWS account
Client-side encryption
• S3, Amazon EMR, Amazon DynamoDB
• Encryption happens in your application before the data is submitted to the service
• You supply keys OR use keys in your AWS account
7. Server-side encryption in AWS: S3 Server-Side Encryption with Customer-Provided Keys (SSE-C)
[Diagram: customer data and a customer-provided key travel over HTTPS to the Amazon S3 web server; the web server turns the plaintext data into encrypted data and writes it to the Amazon S3 storage fleet]
• Key is used at the S3 web server, then deleted
• Customer must provide the same key when downloading to allow S3 to decrypt the data
• Because S3 keeps no copy of the key, an object whose key is lost cannot be decrypted by anyone, S3 included
10. Client-side encryption in AWS: Amazon S3/EMRFS and DynamoDB Encryption Clients in AWS SDKs
[Diagram: your encryption client application runs either in your applications in your data center or in your application in EC2; keys come from your key management infrastructure, on premises or in EC2; only your encrypted data reaches the select AWS services]
11. AWS Key Management Service
Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications
Integrated with AWS server-side encryption
• Amazon S3, EBS, RDS, Redshift, WorkMail, and Elastic Transcoder
Integrated with client-side encryption
• AWS SDKs, S3 Encryption Client, DynamoDB Encryption Client
Integrated with AWS CloudTrail to provide auditable logs for regulatory and compliance activities
Available in all commercial regions except China
13. How AWS Services Integrate with AWS Key Management Service
Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts customer data
• AWS KMS master keys encrypt the data keys
Benefits:
• Limits the risk of a compromised data key: it exposes only the data it encrypted
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
• Centralized access control and audit of key activity
[Diagram: customer master key(s) in AWS KMS wrap Data Key 1 (S3 object), Data Key 2 (EBS volume), Data Key 3 (Amazon Redshift cluster), and Data Key 4 (custom application)]
14. AWS Key Management Service: How Keys are Used to Protect Your Data
[Diagram: your application or AWS service calls AWS KMS, which holds the master key(s) in the customer's account, and receives a data key plus an encrypted copy of that data key; the encrypted data key is stored alongside the encrypted data]
1. Application requests an encryption key to use to encrypt data, passing a reference to the master key in the account.
2. Client request is authenticated based on the master key's permissions.
3. A new data encryption key is created; a copy is encrypted under the master key.
4. Plaintext and encrypted data key are returned to the client.
5. Plaintext data key is used to encrypt the data and then deleted.
6. Encrypted data key is stored for later use and sent back to AWS KMS when decryption occurs.
16. AWS Key Management Service
You control how and when your keys can be used and by whom
Sample permissions on a key:
• Managed only by this group of users
• Used for encryption and decryption by this group of users and applications
• Used by application A to encrypt data, but by application B to decrypt data
• Used to decrypt data only if the application also supplies additional parameters unique to the data (the encryption context)
Fully integrated with AWS Identity and Access Management
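The six-step flow on slide 14 and the sample permissions above, as an added example in Go (written for this page; not code from the webinar or from any AWS SDK): an in-process stand-in for KMS that wraps data keys under a master key with AES-GCM, checks the caller against the key's grants before returning anything, and binds each wrapped key to its encryption context (the "additional parameters unique to the data") by using the context as authenticated data. SimKMS, Grant, the function names, the principals app-A and app-B and the key id orders-cmk are this example's assumptions; real KMS keeps master keys in hardened systems you never see and expresses the grants as an IAM-style key policy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Grant struct{ Encrypt, Decrypt bool } // one key-policy statement: what a principal may do with a master key

type SimKMS struct { // imitates the service boundary: master keys never leave it, every call is policy-checked first
	secrets  map[string][]byte           // keyId -> 256-bit AES master key
	policies map[string]map[string]Grant // keyId -> principal -> grant
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy, nothing safe to continue with
	}
	return b
}

// CreateKey mints a master key and attaches its policy (e.g. app A encrypt-only, app B decrypt-only).
func (k *SimKMS) CreateKey(keyID string, policy map[string]Grant) {
	if k.secrets == nil {
		k.secrets, k.policies = map[string][]byte{}, map[string]map[string]Grant{}
	}
	k.secrets[keyID], k.policies[keyID] = randBytes(32), policy
}

// aad turns the context into GCM authenticated data; fmt prints map keys sorted, so it is deterministic (real KMS has its own canonical form).
func aad(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) }

// gcmSeal returns nonce || ciphertext || tag under AES-256-GCM; gcmOpen reverses it and fails on tampering or AAD mismatch. Key sizes are fixed here, so NewCipher/NewGCM cannot fail.
func gcmSeal(key, plaintext, extra []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, extra)
}

func gcmOpen(key, blob, extra []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], extra)
}

// GenerateDataKey is steps 1-4 of slide 14: authorise the caller, mint a data key, return it in plaintext and wrapped.
func (k *SimKMS) GenerateDataKey(principal, keyID string, ctx map[string]string) ([]byte, []byte, error) {
	if !k.policies[keyID][principal].Encrypt {
		return nil, nil, fmt.Errorf("AccessDenied: %s cannot generate data keys under %s", principal, keyID)
	}
	plain := randBytes(32)
	return plain, gcmSeal(k.secrets[keyID], plain, aad(ctx)), nil
}

// Decrypt unwraps a data key (step 6). Policy is enforced inside the "service", and a different context changes the AAD so the unwrap fails. Real KMS reads the key id out of the blob; here it is a parameter.
func (k *SimKMS) Decrypt(principal, keyID string, ctx map[string]string, wrapped []byte) ([]byte, error) {
	if !k.policies[keyID][principal].Decrypt {
		return nil, fmt.Errorf("AccessDenied: %s cannot decrypt under %s", principal, keyID)
	}
	return gcmOpen(k.secrets[keyID], wrapped, aad(ctx))
}

func zero(b []byte) { for i := range b { b[i] = 0 } } // step 5: the plaintext data key is discarded after use

// EncryptObject is the client side: obtain a data key, use it once, wipe it, keep only the wrapped copy.
func EncryptObject(kms *SimKMS, principal, keyID string, ctx map[string]string, data []byte) ([]byte, []byte, error) {
	plainDK, wrappedDK, err := kms.GenerateDataKey(principal, keyID, ctx)
	if err != nil {
		return nil, nil, err
	}
	defer zero(plainDK)
	return wrappedDK, gcmSeal(plainDK, data, nil), nil
}

// DecryptObject sends the wrapped data key back to KMS, then decrypts locally with the result.
func DecryptObject(kms *SimKMS, principal, keyID string, ctx map[string]string, wrappedDK, ct []byte) ([]byte, error) {
	plainDK, err := kms.Decrypt(principal, keyID, ctx, wrappedDK)
	if err != nil {
		return nil, err
	}
	defer zero(plainDK)
	return gcmOpen(plainDK, ct, nil)
}

func main() {
	kms := &SimKMS{}
	kms.CreateKey("orders-cmk", map[string]Grant{"app-A": {Encrypt: true}, "app-B": {Decrypt: true}})
	ctx := map[string]string{"volumeid": "23657"} // assumed context, echoing the resource id on slide 17
	wdk, ct, _ := EncryptObject(kms, "app-A", "orders-cmk", ctx, []byte("customer PII"))
	pt, err := DecryptObject(kms, "app-B", "orders-cmk", ctx, wdk, ct)
	fmt.Printf("app-B, same context: %q err=%v\n", pt, err)
}
```

The checks worth running on this: app-B decrypts with the same context and is denied with a different one, app-A (encrypt-only) is denied on Decrypt, an unknown principal or key id is denied, and a truncated ciphertext fails authentication. In a real key policy the context binding is written with the kms:EncryptionContext condition key; either way, a data key wrapped for one volume cannot be replayed to unwrap another.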
17. AWS Key Management Service
Auditability of key usage through AWS CloudTrail
"EventName": "DecryptResult",                                              ...this KMS API was called
"EventTime": "2014-08-18T18:13:07Z",                                       ...at this time
"RequestParameters": {"keyId": "2b42x313-1911-4e2a-8321-6b67324025eb"},   ...in reference to this key
"EncryptionContext": "volumeid-23657",                                     ...to protect this AWS resource
"SourceIPAddress": "46.23.143.114",                                        ...from this IP address
"UserIdentity": {"arn": "arn:aws:iam::957787256530:user/User123"}          ...by this AWS user in this account
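These records are only useful if something reads them. The following added example (Go, written for this page, not from the webinar) parses a constructed CloudTrail file in the layout the slide annotates and flags Decrypt calls that fall outside a stated expectation of who may release plaintext with a key and from where, including the case where an AWS service calls KMS on your behalf and CloudTrail records the service's DNS name instead of an IP address. The record shape, the Expectation type, the rule names and the app-A/app-B principals are this example's assumptions; the key id, account, user name and IP address are taken from the slide.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// kmsEvent carries the CloudTrail fields the slide annotates; names follow CloudTrail's JSON.
type kmsEvent struct {
	EventName       string `json:"eventName"`
	EventTime       string `json:"eventTime"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

// Expectation is the reviewer's model of legitimate use for one master key.
type Expectation struct {
	Decryptors map[string]bool // principal ARNs allowed to release plaintext with this key
	Sources    []string        // CIDRs, or literal service names such as "ec2.amazonaws.com"
}

type Finding struct{ Rule, Time, ARN string }

// trustedSource accepts an address inside one of the CIDRs, or a literal match: services calling KMS on your behalf are logged by DNS name, not IP.
func trustedSource(src string, allowed []string) bool {
	ip := net.ParseIP(src)
	for _, a := range allowed {
		if a == src {
			return true
		}
		if _, cidr, err := net.ParseCIDR(a); err == nil && ip != nil && cidr.Contains(ip) {
			return true
		}
	}
	return false
}

// Triage scans a CloudTrail file for Decrypt calls (the ones that hand back plaintext) outside the expectations.
func Triage(trail []byte, expect map[string]Expectation) ([]Finding, error) {
	var log struct{ Records []kmsEvent } // encoding/json matches "Records" case-insensitively
	if err := json.Unmarshal(trail, &log); err != nil {
		return nil, fmt.Errorf("parse trail: %w", err)
	}
	var out []Finding
	for _, ev := range log.Records {
		if ev.EventName != "Decrypt" {
			continue
		}
		flag := func(rule string) { out = append(out, Finding{rule, ev.EventTime, ev.UserIdentity.ARN}) }
		exp, known := expect[ev.RequestParameters.KeyID]
		switch {
		case !known:
			flag("decrypt with a key nobody expected to be in use")
		case !exp.Decryptors[ev.UserIdentity.ARN]:
			flag("decrypt by a principal not on the key's decryptor list")
		case !trustedSource(ev.SourceIPAddress, exp.Sources):
			flag("decrypt from an untrusted source address")
		}
		if len(ev.RequestParameters.EncryptionContext) == 0 {
			flag("decrypt without an encryption context")
		}
	}
	return out, nil
}

// SampleTrail is constructed data in CloudTrail's shape; the key id, account, user and IP echo slide 17.
const SampleTrail = `{"Records":[
{"eventName":"Decrypt","eventTime":"2014-08-18T18:10:00Z","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:iam::957787256530:role/app-B"},
 "requestParameters":{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb","encryptionContext":{"volumeid":"23657"}}},
{"eventName":"Decrypt","eventTime":"2014-08-18T18:13:07Z","sourceIPAddress":"46.23.143.114","userIdentity":{"arn":"arn:aws:iam::957787256530:user/User123"},
 "requestParameters":{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb","encryptionContext":{"volumeid":"23657"}}},
{"eventName":"Decrypt","eventTime":"2014-08-18T18:20:00Z","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::957787256530:role/app-B"},
 "requestParameters":{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb"}},
{"eventName":"Decrypt","eventTime":"2014-08-18T18:25:00Z","sourceIPAddress":"ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::957787256530:role/app-B"},
 "requestParameters":{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb","encryptionContext":{"volumeid":"23657"}}},
{"eventName":"GenerateDataKey","eventTime":"2014-08-18T18:30:00Z","sourceIPAddress":"10.0.1.9","userIdentity":{"arn":"arn:aws:iam::957787256530:role/app-A"},
 "requestParameters":{"keyId":"2b42x313-1911-4e2a-8321-6b67324025eb","encryptionContext":{"volumeid":"23657"}}}
]}`

// Expected encodes the intent of slide 16's sample policy: only app-B releases plaintext, from the VPC or via EC2.
var Expected = map[string]Expectation{"2b42x313-1911-4e2a-8321-6b67324025eb": {
	Decryptors: map[string]bool{"arn:aws:iam::957787256530:role/app-B": true},
	Sources:    []string{"10.0.0.0/8", "ec2.amazonaws.com"},
}}

func main() {
	findings, _ := Triage([]byte(SampleTrail), Expected) // SampleTrail is well-formed; real callers check the error
	for _, f := range findings {
		fmt.Printf("%s  %s  %s\n", f.Time, f.ARN, f.Rule)
	}
}
```

Record order is preserved, so the two findings for the 18:20 call (off-network, and no encryption context) land together, and the slide's User123 call from 46.23.143.114 is flagged because that user is not on the key's decryptor list. Only Decrypt is examined here; GenerateDataKey also returns a plaintext data key and deserves the same rules in production, which is one more name in the EventName filter.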
18. AWS Key Management Service
APIs to build your own applications
Example management APIs
• CreateKey, CreateAlias
• DisableKey
• EnableKeyRotation
• PutKeyPolicy
• ListKeys, DescribeKey
Example data APIs
• Encrypt
• Decrypt
• ReEncrypt
• GenerateDataKey
26 APIs and growing
http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
19. AWS Key Management Service Assurance
Why should you trust AWS with your keys?
• Plaintext keys are never stored in persistent memory on runtime systems
• Separation of duties between systems that use master keys and ones that use data keys
• Multiparty controls for all maintenance of KMS systems that use your master keys
• See public white papers and the Service Organization Control (SOC 1) compliance package for details
20. Pricing for KMS
• $1 per key version per month
• $0.03 per 10,000 API requests
• 20,000 free requests per month
21. Alternatives to KMS
For more control over the physical security of your keys:
• AWS CloudHSM
• AWS Partner Solutions
• Do it yourself
22. AWS CloudHSM
• You receive dedicated access to HSM appliances
• HSMs are located in AWS datacenters
• Managed and monitored by AWS
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• Uses SafeNet Luna SA HSM appliances
[Diagram: the CloudHSM appliance sits inside your Amazon Virtual Private Cloud; the AWS administrator manages the appliance, you control the keys and the crypto operations]
23. AWS CloudHSM
Available in seven regions worldwide
• US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt) and Asia Pacific (Sydney, Tokyo, Singapore)
Compliance
• Included in AWS PCI DSS and Service Organization Control (SOC) compliance packages
Typical use cases
• Use with Amazon Redshift, RDS for Oracle
• Integrate with third-party software (Oracle, SQL Server, Apache, SafeNet)
• Build your own custom applications
24. Amazon EBS Volume Encryption with CloudHSM and SafeNet Software
SafeNet ProtectV with Virtual KeySecure
• SafeNet ProtectV Manager and Virtual KeySecure run in EC2
• AWS CloudHSM stores the master key
[Diagram: the ProtectV client on your EC2 instances talks to Virtual KeySecure, which is backed by CloudHSM; your applications in EC2 write to your encrypted data in EBS]
ProtectV Client
• Encrypts I/O from EC2 instances to EBS volumes
• Includes preboot authentication
25. Pricing for CloudHSM
• An HSM provisioned in any region has a $5,000 one-time charge
• Starting at $1.88/hour metered charge after setup (the hourly rate varies by region)
• As low as $21,500 in year one; $16,500 in subsequent years
• Requests are not billed; throughput is limited only by the device capacity, which varies with algorithm and key size
26. Comparing CloudHSM with AWS KMS
AWS CloudHSM
• Dedicated access to an HSM that complies with government standards (e.g. FIPS 140-2, Common Criteria)
• You control your keys and the application software that uses them
• Symmetric or asymmetric encryption
• Supported applications: your custom software, third-party software, Amazon Redshift, RDS for Oracle
AWS KMS
• Highly available and durable key storage, management, and auditable solution
• Easily encrypt your data across AWS services and within your own applications based on policies you define
• Symmetric encryption
• Supported applications: your custom software (AWS SDK), AWS services (S3, EBS, RDS, Amazon Redshift, WorkMail, Elastic Transcoder)
27. Partner Solutions in AWS Marketplace
Browse, test, and buy security software
Pay-by-the-hour, monthly, or annual
Software fees added to AWS bill
Bring Your Own License
28. DIY Key Management in AWS
Encrypt data client-side and send the ciphertext to AWS storage services
[Diagram: your encryption client application and your key management infrastructure run either with your applications in your data center or with your application in EC2 (key management infrastructure in EC2); only your encrypted data reaches AWS services]
29. Comparison of Key Management Options

                                     | AWS Key Management Service         | AWS CloudHSM                       | AWS Marketplace Partner Solutions | DIY
Where keys are generated and stored  | AWS                                | In AWS, on an HSM that you control | Your network or in AWS            | Your network or in AWS
Where keys are used                  | AWS services or your applications  | AWS or your applications           | Your network or your EC2 instance | Your network or your EC2 instance
How to control key use               | Policy you define; enforced in AWS | Customer code + SafeNet APIs       | Vendor-specific management        | Config files, vendor-specific management
Responsibility for performance/scale | AWS                                | You                                | You                               | You
Integration with AWS services?       | Yes                                | Limited                            | Limited                           | Limited
Pricing model                        | Per key/usage                      | Per hour                           | Per hour/per year                 | Variable
33. Resources
AWS Key Management Service
• https://aws.amazon.com/kms
Whitepaper on AWS Key Management Service Cryptographic Details
• https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
AWS CloudHSM
• https://aws.amazon.com/cloudhsm/
Whitepaper on data-at-rest encryption and key management in AWS
• https://aws.amazon.com/whitepapers/
Amazon S3 Encryption Client
• http://aws.amazon.com/articles/2850096021478074
AWS Partner Network
• http://www.aws-partner-directory.com/
AWS Security Blog
• http://blogs.aws.amazon.com/security
35. AWS Summit – Chicago: An exciting, free cloud conference designed to educate and inform new
customers about the AWS platform, best practices and new cloud services.
Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place
Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking
Registration is now open
• Come and see what AWS and the cloud can do for you.
• Register: http://amzn.to/1RooPPL