AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)

In this session, we share best practices and easily-leveraged solutions for enacting autonomous systems in the face of subversion. From gag orders to warrantless searches and seizures, learn about specific tactics to protect and exercise data privacy, both for partners and customers.

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ken Beer, General Manager, AWS Key Management Service. November 29, 2016. GPST303: AWS Partners and Data Privacy
  2. Privacy Concerns for AWS Partners
     • Prevent unauthorized access to data owned by the partner, by the partner’s customer, and by the partner’s partners
     • Provide evidence of all access to data
  3. Ensuring privacy using security controls
     • Identity and Access Management
     • Encryption at rest techniques you can apply
     • Key management strategies
     • Logging for audit and assurance
  4. Client-side encryption at rest
     • You encrypt your data before the data is submitted to the service
     • You supply encryption keys OR use keys in your AWS account
     • Requires more developer expertise
     • Available AWS clients to help: Amazon S3, Amazon EMR File System (EMRFS), Amazon DynamoDB, AWS Encryption SDK
     • Using these clients does not give AWS employees access to your keys or your data
  5. Client-side encryption at rest (diagram): your applications in your data center and your application in Amazon EC2 run your encryption client application; your key management infrastructure (in your data center or in EC2) holds the keys; your encrypted data is stored in select AWS services
  6. Server-side encryption at rest
     • AWS encrypts data on your behalf after the data is received by the service
     • Over 23 AWS services support encryption, including Amazon S3, Amazon EBS, Amazon RDS, and AWS Lambda
     • Requires less developer expertise than client-side
     • Using server-side encryption does not give AWS employees access to your keys or your data
  7. Server-side encryption at rest in Amazon EBS (Console or AWS CLI/SDK)
     create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton]
  8. The key management challenge (diagram): plaintext data is turned into encrypted data by hardware/software and placed in storage; the symmetric data key that did the work is itself stored as an encrypted data key under a master key; what protects the master key? (the key hierarchy question)
  9. Key Management Strategies
     • Roll your own solution: store keys in a different server/instance you own; use open source software with unique access controls
     • Commercial vendors: dedicated appliance or virtual appliance to store keys
     • AWS CloudHSM
     • AWS Key Management Service
  10. AWS CloudHSM
     • You receive dedicated access to HSM appliances
     • HSMs are located in AWS data centers and monitored by AWS for power and network connectivity
     • HSMs are inside your Amazon VPC, isolated from the rest of the network
     • Uses Gemalto SafeNet Luna SA HSM appliances
     • Only you have access to your keys and to operations on the keys, using custom clients (no AWS APIs)
     • (diagram) The AWS administrator provisions the appliance; you control keys and client crypto operations; the CloudHSM sits in your Amazon Virtual Private Cloud
  11. AWS CloudHSM
     • Available in nine regions worldwide: US East (N. Virginia, Ohio), US West (N. California, Oregon), EU (Frankfurt, Ireland) and Asia Pacific (Sydney, Tokyo, Singapore)
     • Compliance: included in AWS PCI DSS and SOC-1 compliance packages; FIPS 140-2 level 2 (maintained by Gemalto/SafeNet)
     • Typical use cases: use with Amazon RDS for Oracle TDE; partner ecosystem (Oracle, SQL Server, Apache, SafeNet); custom applications using non-AWS SDKs
  12. AWS Key Management Service (KMS)
     • Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications
     • Integrated with AWS server-side encryption
     • Integrated with AWS client-side encryption via SDKs
     • Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
     • Available in all commercial regions except China
  13. Integration with AWS KMS: two-tiered key hierarchy using envelope encryption
     • A unique data key encrypts customer data
     • AWS KMS customer master keys (CMKs) encrypt data keys
     • (diagram) Customer master keys in AWS KMS wrap four data keys, one each for an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application
  14. Integration with AWS KMS: benefits
     • Limits the risk of a compromised data key
     • Better performance for encrypting large data
     • Easier to manage a small number of CMKs than millions of data keys
     • Centralized access and audit of key activity
     • (diagram, as on slide 13) Customer master keys in AWS KMS wrap the data keys for the S3 object, EBS volume, Amazon Redshift cluster and custom application
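The two-tiered hierarchy on slides 13 and 14, as an added example that is not part of the deck and is not AWS code: a toy in-process stand-in for the KMS side holds the CMK and only ever hands out data keys (plaintext plus a copy wrapped under the CMK); the application encrypts its object under the data key, persists the ciphertext next to the wrapped key, and wipes the plaintext key. The encryption context is bound to the wrapped key as AEAD associated data, so the same context must be presented at decrypt time. AES-256-GCM for both layers, the `ToyKMS`/`Envelope` names and the `fmt.Sprint` context serialisation are assumptions of this example, not the service's own wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with a fresh random nonce; aad is authenticated,
// not encrypted. Output layout: nonce || ciphertext || tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to the ciphertext or aad makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(sealed))
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// contextAAD turns an encryption context into AAD bytes; fmt prints map keys
// in sorted order, so equal contexts always produce equal bytes (assumption of this example).
func contextAAD(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) }

// ToyKMS stands in for the service side: the CMK lives only inside it and is
// never handed to callers, who only ever see data keys.
type ToyKMS struct{ cmk []byte }

// NewToyKMS takes 256-bit CMK material (generated by AWS or imported, in the real service).
func NewToyKMS(cmk []byte) *ToyKMS { return &ToyKMS{cmk: cmk} }

// GenerateDataKey returns a fresh 256-bit data key in plaintext together with
// the same key wrapped under the CMK, with the encryption context bound as AAD.
func (k *ToyKMS) GenerateDataKey(ctx map[string]string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = gcmSeal(k.cmk, plain, contextAAD(ctx))
	return plain, wrapped, err
}

// Decrypt unwraps a data key; it fails if ctx differs from the one used at wrap time.
func (k *ToyKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return gcmOpen(k.cmk, wrapped, contextAAD(ctx))
}

// Envelope is what the application persists: ciphertext, the wrapped data key
// and the context needed to unwrap it. The plaintext data key is never stored.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Context    map[string]string
}

func EncryptEnvelope(kms *ToyKMS, plaintext []byte, ctx map[string]string) (*Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dataKey, plaintext, nil)
	for i := range dataKey {
		dataKey[i] = 0 // wipe the plaintext data key as soon as it has been used
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Context: ctx}, nil
}

// DecryptEnvelope asks the KMS side to unwrap the data key, then decrypts locally.
func DecryptEnvelope(kms *ToyKMS, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.WrappedKey, env.Context)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, env.Ciphertext, nil)
}

func main() {
	cmk := make([]byte, 32) // constructed CMK material for the demo
	if _, err := rand.Read(cmk); err != nil {
		panic(err)
	}
	kms := NewToyKMS(cmk)
	env, _ := EncryptEnvelope(kms, []byte("secret record"), map[string]string{"volumeid": "vol-12345"})
	pt, err := DecryptEnvelope(kms, env)
	fmt.Println(string(pt), err)
}
```

The point the slides make about limiting blast radius is visible in the data layout: a leaked wrapped key is useless without the CMK, a leaked data key exposes exactly one object, and the CMK never crosses the application boundary. Presenting a different context at decrypt time, or a different CMK, makes `DecryptEnvelope` fail rather than return garbage.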
  15. Customer Master Keys (CMKs) in AWS KMS
     • Default CMKs: generated by AWS and unique to your account; usable only by users/roles in your account; AWS manages the key lifecycle, but can’t directly access key material
     • Custom CMKs: generated by AWS, but you manage the lifecycle of the CMK; you control how and when your CMKs can be used and by whom, by defining granular permissions on your keys using IAM and KMS policies; AWS can’t directly access key material
  16. Import Key: Bring your own keys to AWS KMS
     • You control how keys are generated
     • You store the master copy of the key outside of AWS
     • You can use imported keys with all KMS-integrated services
     • You can define an optional expiration time
     • You can delete and re-import the key at any time to control when AWS can use it to encrypt/decrypt data on your behalf
     • Works with standards-based key management infrastructure, including SafeNet Gemalto and Thales e-Security
  17. Import Key: Bring your own keys to AWS KMS (flow)
     • Create a customer master key (CMK) container: KMS creates an empty CMK container with a unique key ID
     • Download a public wrapping key: KMS provides an RSA public key
     • Export your key material encrypted under the public wrapping key: your key management infrastructure exports your 256-bit key material encrypted under the KMS public key
     • Import the encrypted key material under the KMS CMK key ID, setting an optional expiration period: your key material is now protected in KMS
  18. Workloads enabled by Import Key
     • A bank customer can generate and store the master copy of their key material in a FIPS 140-2 validated solution to satisfy their InfoSec requirements
     • A pharma customer could make keys available only during processing of drug trial data in EMR/Amazon Redshift; when processing is finished, expire/delete the keys so that data stored at rest in AWS cannot be decrypted
     • A government customer that needs access to data for many years doesn’t have to trust AWS to never lose their keys
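The Import Key flow on slide 17 and the expire/delete behaviour on slide 18, as an added example that is not part of the deck and is not AWS code. Both sides of the exchange run in one process: the service side creates an empty container with a key ID and an RSA wrapping key pair, the customer side wraps its own 256-bit key material under the downloaded public key, and the service side unwraps it on import and records the optional expiration. `Usable` is the check an encrypt/decrypt request would hit afterwards: no material (pending import or deleted) or an expired validity window refuses the operation. RSA-OAEP with SHA-256 as the wrapping scheme, the 2048-bit modulus and the `CMKContainer` type are assumptions of this example; the deck names no wrapping algorithm.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// CMKContainer models a CMK created for imported key material: it has a key
// ID and an RSA wrapping key pair, but no usable material until an import.
type CMKContainer struct {
	KeyID    string
	wrapping *rsa.PrivateKey // private half stays on the service side
	material []byte          // imported 256-bit key material, nil when absent
	validTo  time.Time       // zero value means no expiration was set
}

// CreateExternalCMK is the "create CMK container" step: an empty container with a unique key ID.
func CreateExternalCMK(keyID string) (*CMKContainer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CMKContainer{KeyID: keyID, wrapping: priv}, nil
}

// PublicWrappingKey is the "download a public wrapping key" step.
func (c *CMKContainer) PublicWrappingKey() *rsa.PublicKey { return &c.wrapping.PublicKey }

// WrapKeyMaterial runs in the customer's key management infrastructure: the
// 256-bit key is encrypted under the public wrapping key (RSA-OAEP/SHA-256 here, an assumption).
func WrapKeyMaterial(pub *rsa.PublicKey, material []byte) ([]byte, error) {
	if len(material) != 32 {
		return nil, fmt.Errorf("key material must be 256 bits, got %d", len(material)*8)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, material, nil)
}

// ImportKeyMaterial is the "import" step: unwrap with the private key and
// record the optional expiration (pass the zero time.Time for none).
func (c *CMKContainer) ImportKeyMaterial(wrapped []byte, validTo time.Time) error {
	m, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.wrapping, wrapped, nil)
	if err != nil {
		return fmt.Errorf("%s: unwrap failed: %w", c.KeyID, err)
	}
	if len(m) != 32 {
		return fmt.Errorf("%s: unwrapped material is %d bits, not 256", c.KeyID, len(m)*8)
	}
	c.material, c.validTo = m, validTo
	return nil
}

// DeleteKeyMaterial removes the material; the container and key ID remain, so
// the same material can be re-imported later (slide 16).
func (c *CMKContainer) DeleteKeyMaterial() { c.material = nil }

// Usable reports whether an encrypt/decrypt request at time now may proceed.
func (c *CMKContainer) Usable(now time.Time) error {
	switch {
	case c.material == nil:
		return fmt.Errorf("%s: no key material (pending import or deleted)", c.KeyID)
	case !c.validTo.IsZero() && !now.Before(c.validTo):
		return fmt.Errorf("%s: key material expired at %s", c.KeyID, c.validTo.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	cmk, err := CreateExternalCMK("1234abcd-12ab-34cd-56ef-1234567890ab") // key ID as printed on slide 19
	if err != nil {
		panic(err)
	}
	material := make([]byte, 32) // constructed customer key material
	if _, err := rand.Read(material); err != nil {
		panic(err)
	}
	wrapped, err := WrapKeyMaterial(cmk.PublicWrappingKey(), material)
	if err != nil {
		panic(err)
	}
	expiry := time.Now().Add(24 * time.Hour)
	if err := cmk.ImportKeyMaterial(wrapped, expiry); err != nil {
		panic(err)
	}
	fmt.Println("usable now:", cmk.Usable(time.Now()))
	fmt.Println("usable after expiry:", cmk.Usable(expiry.Add(time.Minute)))
}
```

The pharma scenario on slide 18 maps onto `ImportKeyMaterial` with a short validity window followed by `DeleteKeyMaterial` once processing ends; data encrypted under data keys wrapped by this CMK stays at rest but cannot be unwrapped until the same material is re-imported. Since only the public half of the wrapping pair ever leaves the service side, the customer's export never exposes the plaintext key in transit.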
  19. Audit key usage/data access with AWS CloudTrail
      "eventName": "Decrypt",                                       (this KMS API was called…)
      "eventTime": "2016-08-18T18:13:07Z",                          (…at this time…)
      "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",            (…with a reference to this key…)
        "encryptionContext": "volumeid-12345" },                    (…to protect this resource…)
      "sourceIPAddress": "",                                        (…from this address…)
      "userIdentity": { "arn": "arn:aws:iam::111122223333:user/User123" }   (…by this AWS user in this account.)
      • Automation: CloudWatch alarms or events on CloudTrail logs
      • Reconciliation: find anomalous key usage by generating audit logs in your application and comparing them to CloudTrail logs
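The reconciliation bullet on slide 19, as an added example that is not part of the deck and is not AWS code: the application's own audit log says which principal was expected to decrypt which resource under which key, and every `Decrypt` event in the CloudTrail export that no such entry explains is flagged. The trail below is constructed for this example; the key ID and the first ARN copy the values printed on the slide, the second user, the IP addresses and the timestamps are made up. The slide prints the encryption context as the single string `volumeid-12345`; the example models it as a key/value map under a `volumeid` key, which is the shape the KMS API uses, and the `Event`/`Expectation` types are a simplification of the real record layout.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event carries the CloudTrail fields shown on slide 19. Real records have
// many more fields; this struct is a simplification for the example.
type Event struct {
	EventName         string `json:"eventName"`
	EventTime         string `json:"eventTime"`
	SourceIPAddress   string `json:"sourceIPAddress"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Expectation is one line of the application's own audit log: this principal
// was expected to decrypt this resource under this key.
type Expectation struct{ KeyID, Resource, PrincipalARN string }

func tuple(keyID, resource, arn string) string { return keyID + "|" + resource + "|" + arn }

// Reconcile parses a JSON array of events and returns every Decrypt call that
// the application's audit log does not account for.
func Reconcile(trail []byte, expected []Expectation) ([]Event, error) {
	var events []Event
	if err := json.Unmarshal(trail, &events); err != nil {
		return nil, fmt.Errorf("parse trail: %w", err)
	}
	known := make(map[string]bool, len(expected))
	for _, e := range expected {
		known[tuple(e.KeyID, e.Resource, e.PrincipalARN)] = true
	}
	var anomalies []Event
	for _, ev := range events {
		if ev.EventName != "Decrypt" {
			continue // GenerateDataKey, Encrypt and the rest are out of scope here
		}
		res := ev.RequestParameters.EncryptionContext["volumeid"]
		if !known[tuple(ev.RequestParameters.KeyID, res, ev.UserIdentity.ARN)] {
			anomalies = append(anomalies, ev)
		}
	}
	return anomalies, nil
}

// SampleTrail is constructed for this example (see the lead-in for which values come from the slide).
const SampleTrail = `[
 {"eventName":"GenerateDataKey","eventTime":"2016-08-18T18:12:59Z","sourceIPAddress":"203.0.113.10",
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-12345"}},
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"}},
 {"eventName":"Decrypt","eventTime":"2016-08-18T18:13:07Z","sourceIPAddress":"203.0.113.10",
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-12345"}},
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"}},
 {"eventName":"Decrypt","eventTime":"2016-08-18T23:41:52Z","sourceIPAddress":"198.51.100.7",
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-12345"}},
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/UnexpectedUser"}}
]`

// SampleExpectations is what the application itself logged for the same window (constructed).
var SampleExpectations = []Expectation{
	{KeyID: "1234abcd-12ab-34cd-56ef-1234567890ab", Resource: "vol-12345", PrincipalARN: "arn:aws:iam::111122223333:user/User123"},
}

func main() {
	anomalies, err := Reconcile([]byte(SampleTrail), SampleExpectations)
	if err != nil {
		panic(err)
	}
	for _, a := range anomalies {
		fmt.Printf("unexplained Decrypt at %s by %s from %s\n", a.EventTime, a.UserIdentity.ARN, a.SourceIPAddress)
	}
}
```

The comparison key is deliberately the triple (key ID, resource, principal): a Decrypt by a legitimate user against a key or resource the application never touched is just as anomalous as one by an unknown principal, and both surface the same way. In practice the application log would also carry a time window so that a replayed request outside it is caught; that is omitted here to keep the matching rule readable.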
  20. AWS KMS assurances: why trust AWS?
     • There are no tools in place to access your physical key material
     • Your plaintext keys are never stored in nonvolatile memory
     • You control who has permissions to use your keys
     • Separation of duties between systems that use master keys and ones that use data keys
     • Multiparty controls for all maintenance of KMS systems that use your master keys
  21. AWS KMS assurances: compliance
     • AWS Service Organization Controls (SOC 1, SOC 2, SOC 3)
     • PCI-DSS Level 1
     • ISO 27017, ISO 27018, ISO 9001
     • In evaluation for FIPS 140-2 and FedRAMP
  22. Comparison of key management options
     |                                      | KMS                               | CloudHSM                            | AWS Marketplace partner solutions   | DIY                                        |
     |--------------------------------------|-----------------------------------|-------------------------------------|-------------------------------------|--------------------------------------------|
     | Where keys are generated and stored  | AWS, or imported by you           | In AWS, on an HSM that you control  | Your network or in EC2 instance     | Your network or in AWS                     |
     | Where keys are used                  | AWS services or your applications | AWS or your applications            | Your network or your EC2 instance   | Your network or your EC2 instance          |
     | How to control key use               | Policy you define; enforced by AWS| Custom code + SafeNet APIs          | Vendor-specific management          | Config files, vendor-specific management   |
     | Responsibility for performance/scale | AWS                               | You                                 | You                                 | You                                        |
     | Integration with AWS services?       | Yes                               | Limited                             | Limited                             | Limited                                    |
     | Pricing model                        | Per key/usage                     | Per hour                            | Per hour/per year                   | Variable                                   |
  23. Law enforcement requests for encrypted data
     • We can’t predict what law enforcement will ask for
     • We have no tools to decrypt your data or your keys outside of the existing APIs you call that cause your data to be decrypted
     • We only consider responding to requests if the target is our customer
     • We tell law enforcement to talk to you if the target is your customer, even if their data is hosted in our infrastructure
  24. AWS do’s and don’ts you can count on
     We do…
     • …challenge overly broad government subpoenas
     • …advocate for modern privacy laws
     • …oppose legislation that would weaken information security
     • …notify customers before disclosing content information
     • …offer strong encryption and key management options
     • …recommend security best practices
     We do not…
     • …disclose customer information unless legally required
     • …participate in government programs to capture customer data
  25. Call to action
     • Enable encryption at rest
     • What is your key management strategy? Is KMS right for your customers? Is Import Key right for your customers? Does your customer need a dedicated HSM to store keys?
     • Customers have customers, too (privacy preservation can be recursive)
  26. Thank you!
  27. Remember to complete your evaluations!