Crypto Options in AWS

1. Crypto-Options on AWS
Bertram Dorn – Specialized Solutions Architect Security/Compliance Network/Databases
Amazon Web Services EMEA
©Amazon.com, Inc. and its affiliates. All rights reserved.
2. Agenda
• Theory
• Options
3. The Cryptographic Trinity
• Key
• Algorithm
• Data
If you don’t own all three parts of the solution, your data is not considered to be “hard” encrypted…
4. Access to AWS
• Web interface
• CLI
• SDK
• API
(Diagram: the Admin, for instrumentation, reaches AWS through AWS IAM)
All of the AWS APIs are available via SSL/TLS protected endpoints which provide server authentication. AWS allows customers to use their own encryption mechanisms for nearly all the services, including S3, EBS, SimpleDB and EC2. IPsec tunnels to VPC are also encrypted. Amazon S3 also offers Server Side Encryption as an option for customers. Customers may also use third-party encryption technologies.
5. In Region I
(Diagram: two AWS AZs)
6. In Region II
(Diagram: four AWS DCs)
7. Between Regions
(Diagram: two Regions with two Availability Zones each, the Public network, the Customer WAN and two DX Sites)
8. Summary
• Data in transit within an AZ might leave the building
• Data in transit between AZs will leave the building
• Data in transit between AWS Regions or between AWS and customer premises needs to be taken care of, too
• What about devices?
  – Device decommissioning is a primary task for AWS
  – This is fully compliant and audited
  – No device leaves our DCs in a functional state
  – People leaving a DC need to pass through a metal detector
Whatever you do: Encrypt Your Data in Flight
Let’s discuss data at rest
9. Discussion Points
• Hard encryption might be excessive, for some purposes
• Find out where you need which kind of encryption – map your view of risk and need
• Think about the lifetime of your data (example: German expiry of use of 3DES and resulting requirement for bulk data re-encryption with stronger algorithm…)
• Sometimes encryption is only there for Compliance reasons…
Work on your data classification
Find balance between your obligation for executive care, cost and complexity
10. But:
Getting Data at rest encrypted on AWS is so easy that you should consider a policy:
All data need to be encrypted at rest!
11. AWS services and where we look into today:
Ecosystem: Technology Partners, Consulting Partners, AWS Marketplace
Containers & Deployment (PaaS): Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net; OpsWorks; CloudFormation
Management & Administration: IAM, CloudWatch, CloudTrail, APIs and SDKs, Management Console, CloudHSM, Command Line Interface
Networking: Direct Connect, Route 53, VPC
Analytics: Data Pipeline, Redshift, EMR, Kinesis
Application Services: SWF, SNS, SQS, CloudSearch, SES, AppStream, CloudFront, WorkSpaces
Regions, Availability Zones, Content Delivery POPs
Storage: Storage Gateway, S3, EBS, Glacier, Import/Export
Databases: DynamoDB, ElastiCache, RDS (MySQL, PostgreSQL, Oracle, SQL Server)
Compute: Elastic Load Balancer, EC2, Auto Scaling
12. AWS Key Management Service I
• Designed for Scalability and Throughput
• Uses bespoke AWS hardware + software
• Is a multi-tenant service
• Is a regionalized service
• Performs AES256 operations
• API for crypto command:
  – Key Management
  – Encryption / Decryption
• Customer selects Master Key
• Data Key is transported via envelope encryption
• Services are responsible for the en-/de-/re-cryption action
(Diagram: Customer Master Key(s) in AWS KMS protect Data Key 1 for an Amazon S3 Object, Data Key 2 for an Amazon EBS Volume, Data Key 3 for an Amazon Redshift Cluster and Data Key 4 for a Custom Application)
13. AWS Key Management Service II – Reference Architecture
(Diagram: Application or AWS Service; Data Key and Encrypted Data Key; Encrypted Data; Master Key(s) in Customer’s Account; AWS Key Management Service)
1. Application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.
2. Client request is authenticated based on whether they have access to use the master key.
3. A new data encryption key is created and a copy of it is encrypted under the master key.
4. Both data key and encrypted data key are returned to the client. Data key is used to encrypt customer data and then deleted as soon as is practical.
5. Encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
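The five steps above, as an added example that is not part of the deck: a Go program with an in-process stand-in for KMS. FakeKMS, its methods and the helper names are this example's own, not the AWS SDK. Data is sealed with AES-256-GCM under a fresh data key, the data key is wrapped under a master key that never leaves the fake service, the plaintext data key is zeroed after use, and only the wrapped copy is kept beside the ciphertext; decryption hands the wrapped key back to the service and fails for a principal without access to the master key. Unlike real KMS, which embeds the key id in the wrapped blob, this stand-in binds the key id as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte { // CSPRNG bytes; without entropy there is nothing safe to do
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // AES-256-GCM; aes.NewCipher fails only for a wrong key length
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal encrypts with AES-GCM and prepends the random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

type FakeKMS struct { // stands in for AWS KMS: one customer master key that never leaves it
	keyID  string
	master []byte
	grants map[string]bool // principals allowed to use the master key (slide step 2)
}

func NewFakeKMS(keyID string, grants map[string]bool) *FakeKMS {
	return &FakeKMS{keyID: keyID, master: randomBytes(32), grants: grants}
}

// GenerateDataKey is slide steps 1-4: authorise, mint a data key, return it plus a copy wrapped under the master key.
func (k *FakeKMS) GenerateDataKey(principal string) (plaintext, wrapped []byte, err error) {
	if !k.grants[principal] {
		return nil, nil, errors.New("access denied to master key " + k.keyID)
	}
	plaintext = randomBytes(32)
	return plaintext, seal(k.master, plaintext, []byte(k.keyID)), nil
}

// Decrypt is slide step 5: the stored wrapped data key comes back and is unwrapped.
func (k *FakeKMS) Decrypt(principal string, wrapped []byte) ([]byte, error) {
	if !k.grants[principal] {
		return nil, errors.New("access denied to master key " + k.keyID)
	}
	return open(k.master, wrapped, []byte(k.keyID))
}

// EncryptWithEnvelope is the client side: fetch a data key, use it once, zero it, keep only the wrapped copy.
func EncryptWithEnvelope(kms *FakeKMS, principal string, data []byte) (wrappedKey, ciphertext []byte, err error) {
	dk, wk, err := kms.GenerateDataKey(principal)
	if err != nil {
		return nil, nil, err
	}
	ciphertext = seal(dk, data, nil)
	copy(dk, make([]byte, len(dk))) // plaintext data key "deleted as soon as is practical"
	return wk, ciphertext, nil
}

// DecryptEnvelope sends the wrapped data key back to KMS, then opens the data locally.
func DecryptEnvelope(kms *FakeKMS, principal string, wrappedKey, ciphertext []byte) ([]byte, error) {
	dk, err := kms.Decrypt(principal, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, nil)
}

func main() {
	kms := NewFakeKMS("cmk-app", map[string]bool{"app-role": true})
	wrappedKey, ciphertext, err := EncryptWithEnvelope(kms, "app-role", []byte("customer record 42"))
	if err != nil {
		panic(err)
	}
	plaintext, err := DecryptEnvelope(kms, "app-role", wrappedKey, ciphertext)
	fmt.Printf("app-role decrypts: %q (err=%v)\n", plaintext, err)
}
```

What persists is the wrapped key and the ciphertext only; a copy of the store without access to the master key is useless, which is the property the deck relies on when it says the services, not KMS, do the bulk encryption.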
14. S3 (normal mode)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted
• S3 stores the data unencrypted
• Data travels unencrypted between AZs
• Enforce https:
    {
      "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": { "Bool": { "aws:SecureTransport": "false" } }
      }]
    }
15. S3 (server-side encryption)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted
• S3 encrypts data with AWS owned key
• Data travels encrypted between AZs
• Data at rest is encrypted with AWS-owned key
• Enforce at-rest encryption:
    {
      "Statement": [{
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::YourBucket/*",
        "Condition": {
          "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
        }
      }]
    }
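The two Deny conditions on slides 14 and 15, exercised by an added example that is not from the deck: a small Go evaluator for exactly the operators those statements use (Bool and StringNotEquals) run against constructed sample requests. It is not the IAM engine, only enough of its semantics to show why StringNotEquals on a header that is absent still matches (so an upload that sends no encryption header at all is denied) and that the same statement also denies uploads asking for SSE-KMS, whose header value is aws:kms rather than AES256. The type and function names are this example's own.

```go
package main

import "fmt"

// Statement is the subset of an S3 bucket-policy statement these two policies need.
type Statement struct {
	Sid       string
	Effect    string
	Action    string
	Condition map[string]map[string]string // operator -> condition key -> value
}

// Request is what IAM evaluates: the action plus the condition keys present on the call.
type Request struct {
	Action  string
	Context map[string]string // e.g. "aws:SecureTransport": "true"
}

// BucketPolicy holds the two Deny statements from the S3 slides.
var BucketPolicy = []Statement{
	{Sid: "DenyInsecureTransport", Effect: "Deny", Action: "s3:*",
		Condition: map[string]map[string]string{"Bool": {"aws:SecureTransport": "false"}}},
	{Sid: "DenyUnEncryptedObjectUploads", Effect: "Deny", Action: "s3:PutObject",
		Condition: map[string]map[string]string{"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
}

func actionMatches(pattern, action string) bool {
	return pattern == action || pattern == "s3:*"
}

// conditionMatches follows IAM semantics for the two operators used here: Bool matches
// only when the key is present with the given value; StringNotEquals matches when the
// value differs and also when the key is absent (the slide uses no "IfExists" suffix).
func conditionMatches(cond map[string]map[string]string, ctx map[string]string) bool {
	for op, kv := range cond {
		for key, want := range kv {
			got, present := ctx[key]
			switch op {
			case "Bool":
				if !present || got != want {
					return false
				}
			case "StringNotEquals":
				if present && got == want {
					return false
				}
			default:
				return false // operator not modelled: treat the statement as not matching
			}
		}
	}
	return true
}

// Evaluate reports whether an explicit Deny applies and which statement caused it.
// IAM evaluates Deny before Allow, so a matching Deny blocks the request regardless
// of any Allow elsewhere.
func Evaluate(policy []Statement, req Request) (denied bool, sid string) {
	for _, s := range policy {
		if s.Effect == "Deny" && actionMatches(s.Action, req.Action) && conditionMatches(s.Condition, req.Context) {
			return true, s.Sid
		}
	}
	return false, ""
}

func main() {
	// Constructed sample requests, not captured traffic.
	samples := []Request{
		{"s3:GetObject", map[string]string{"aws:SecureTransport": "false"}},
		{"s3:PutObject", map[string]string{"aws:SecureTransport": "true"}},
		{"s3:PutObject", map[string]string{"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}},
		{"s3:PutObject", map[string]string{"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}},
	}
	for _, r := range samples {
		denied, sid := Evaluate(BucketPolicy, r)
		fmt.Printf("%-13s %-75v denied=%-5v %s\n", r.Action, r.Context, denied, sid)
	}
}
```

The fourth sample is the practical caveat: the slide's statement pins the header to AES256, so a bucket that is meant to accept SSE-KMS uploads (slide 17) needs a condition that also allows aws:kms.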
16. S3 (server-side, user key)
(Diagram: three AWS AZs)
• Data is sent to S3 encrypted
• S3 encrypts data with customer key sent in request
  – The key will be forgotten by AWS immediately
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• Customer needs to send key in GET request
17. S3 (server-side, user key + KMS)
(Diagram: three AWS AZs; IAM, KMS, Object)
• Data is sent to S3 encrypted
• S3 encrypts data with key sent in request
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• Key remains in KMS
18. Example
(Diagram: Amazon EC2 Instance A and Instance B access an object in an Amazon S3 bucket through an AWS IAM role, with AWS KMS providing the key and AWS CloudTrail recording the calls)
19. S3 (client-side encryption)
(Diagram: three AWS AZs)
• Client encrypts the data locally with locally held key
• Data is sent to S3 encrypted
• Data travels encrypted between AZs
• Data at rest is encrypted with customer-owned key
• AWS never sees the key
20. EBS (normal mode)
(Diagram: two AWS AZs)
• Instance sends data to volume via hypervisor module
  – Module can encrypt or not, depending on customer choice
  – Data travels to the disks and between datacentres, potentially unencrypted
  – Data lives unencrypted on Disk
21. EBS (server-side encryption)
(Diagram: two AWS AZs; IAM, KMS, Volume)
• Instance sends encrypted data over hypervisor to volume
  – Instance OS needs to support encryption
  – Data travels encrypted to the disks and between datacentres
  – Data lives encrypted on Disk
  – AWS owns key/algorithm/data
  – Included in scope of AWS SOC1 report
22. CloudHSM
• Tamper-Proof and Tamper-Evident
  – Destroys its stored keys if under attack
• FIPS 140-2 Level 2 certified
• Base position is to be a Keystore
• Can also be used to timestamp documents
• You can send data for encrypt / decrypt
  – Key never leaves the HSM as cleartext
  – Can be used by several commercial software products
  – Can be used by API to access the HSM
• Needs to be backed-up (ideally to HSM on customer premises)
• Can (and should) be combined in HA clusters
• Is NOT a key management system – but can work with some third-party ones
• Communicates via:
  – PKCS#11
  – JCE
• Some applications need a “plugin”
23. Redshift can use CloudHSM
• When using CloudHSM
  – Redshift gets cluster key from HSM
  – Redshift generates a database key and encrypts it with the cluster key from the CloudHSM
  – Redshift encrypts data with the database key
  – Redshift supports re-encryption
24. RDS Crypto Support
• RDS / Oracle can use CloudHSM to store keys for Oracle Wallet
  – So TDE can be HSM-backed
• RDS / MySQL, RDS / Postgres can use KMS to manage keys used to encrypt underlying EBS volumes
  – So all tables are encrypted at rest
• Note that in-memory database contents (once the database has been unlocked) are cleartext
  – RAM encryption is not something AWS has today, but it has been done in other contexts
25. VPC VGW
(Diagram: Customer connected to two AWS AZs)
• Hardware IPsec termination points
• Data on the VPC side of the VGW is unprotected by the VGW (no re-encryption)
  – If you need VPN termination with onward re-encryption, use EC2 instances with OpenSWAN or Cisco CRSs instead…
• Uses pre-shared symmetric key
• The Key is a shared one between AWS and the customer
26. Between Regions
(Diagram: two Regions with two Availability Zones each, the Public network, the Customer WAN, two DX Sites and the Customer DC)
27. Others
• Glacier
  – Archives have always been encrypted – this is entirely transparent to the user
  – Glacier keys are AES256
  – AWS holds key/algorithm/data
• Route53
  – Supports signed zones
• ELB
  – Supports SSL termination including onward re-encryption and customer choice of cipher suite (useful post-POODLE)
  – AWS holds keys/algorithm/data
  – Unidirectional trust only (no certificate-based authentication of client to server)
• Import/Export Snowball
  – Uses AES256 inside the Snowball device
  – The Snowball device is equipped with a TPM to protect and authenticate crypto material
28. Bertram Dorn
Amazon Web Services Germany GmbH
bedorn@amazon.de
Additional Resources:
http://aws.amazon.com/documentation
http://aws.amazon.com/compliance
http://aws.amazon.com/security
29. HSM Integration for Customer-Only Key
(Sequence diagram between Web-Server, HSM and Storage; the labels as they appear on the slide:)
• TLS connection to HSM, no key extract policy
• TLS connection, HSM offloaded
• Generate temp. asym key pair
• Send public key to client
• Encrypt data with public key
• Send encrypted data to server
• Send encrypted data to HSM
• Re-encrypt with sym storage key
• Send encrypted data to server
• Store data (AES storage key)
• Send request for secure data storage
• Delete temp data and keys
