
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD413 - AWS re:Inforce 2019



GoDaddy is a company full of builders, and its mission is to empower everyday entrepreneurs to be successful online. In this session, learn how its Cloud Center of Excellence team is setting new standards for security and data encryption on AWS. Learn how GoDaddy leverages AWS Key Management Service to enable distributed application teams to move quickly and securely and how it has used advanced encryption handling techniques to protect sensitive data (e.g., ecommerce) for its 18 million customers. Finally, learn how you can leverage GoDaddy’s open-source advanced encryption handling SDK to protect your company’s most sensitive assets.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How GoDaddy protects ecommerce and domains with AWS KMS and encryption (SDD413). Demetrius Comes, VP of Engineering, GoDaddy. Ed Abrams, Sr. Director of Engineering, GoDaddy.
  2. “Intellect without will is worthless, will without intellect is dangerous.” —Hans von Seeckt
  3. "Everything fails, all the time." —Werner Vogels, VP & CTO, Amazon.com
  4. Takeaways:
     • Developers need a simplified interface for managing the complexity of encryption details (algorithms, key management, metadata storage, versioning).
     • An enterprise-scale solution must provide mechanisms not only for key rotation but also for re-encryption of data with the rotated keys.
     • An enterprise-scale solution must provide the safety net of blast-radius reduction for compromised keys.
     • GoDaddy is open-sourcing Asherah, an application encryption SDK, as a solution to these problems.
  5. 18+ million global customers; 77 million domains under management; 300K DNS queries per second.
  6. Open source commitment (memberships and POCs):
     • Adopt JDK: Demetrius Comes, Technical Steering Committee member.
     • Linux Foundation, CNCF, Kubernetes: Ed Abrams, POC, Silver tier.
     • ECMA, TC-39, & JavaScript: Charlie Robbins, ECMA POC; Brad Farias, TC-39 member.
     • Domain Connect: Arnold Blinn, POC (TBD 2019 funding).
     • OpenJS Foundation: Charlie Robbins, board member, Gold tier.
     • WordPress: Aaron Campbell and Mike Schroder, permanent core contributors and GoDaddy reps.
  7. Projects:
     • JavaScript: Svgs, Ekke, warehouse.ai
     • WordPress: coblocks, WP Primer Theme
     • Kubernetes: External secrets, Client tool, terminus
  8. Recent history: Phase 0 (process; initial account governance framework). AWS onboarding timeline, 3/1/18 to 4/1/19, with the phases Phase 0, Phase I, Retro, Phase II, Retro, Phase III, Self Service.
  9. Public cloud: goals, constraints, measures, practices. Security; application architecture; operational readiness; budget; compliance & privacy. Speed, Performance, Availability, Quality (SPAQ). Engineering practices: increased speed of delivery, increased application performance, increased reliability & availability.
  10. Recent history: Phase I (initial onboarding of GD services; ~10 teams onboarded). Same AWS onboarding timeline, 3/1/18 to 4/1/19.
  11. Phase 1 retro:
     • Developed a starter list of SDKs and services
     • Use more of the Service Catalog
     • No Amazon VPC peering was the right call
     • Need for an ongoing support model
  12. Recent history: Phase II (second round of onboarding GD services). Same AWS onboarding timeline, 3/1/18 to 4/1/19.
  13. Phase 2: AWS onboarding process (diagram). Prototype: limited budget, learn, no real data. Readiness review: budget approval, architecture review, compliance review, operational review, pen/vulnerability tests. Process retro. Live operations: constant audits, monthly budget review, monthly operational review. Passive review once a year, and re-review on changes to architecture, PII, or corporate standards.
  14. Recent history: Phase III (onboarding, with parallel work to automate and deploy a self-service portal). Same AWS onboarding timeline, 3/1/18 to 4/1/19.
  15. Recent history: Self Service (self-service onboarding portal). Same AWS onboarding timeline, 3/1/18 to 4/1/19.
  16. (no text on this slide)
  17. The problem: the background. AWS building blocks for secure access and storage of data. Key rotation. Raise the bar: ensure key rotation with re-encryption of the data under the new key.
  18. Our goals. Democratize the technology to:
     • Rotate keys efficiently
     • Re-encrypt data efficiently
     • Audit-log key and data access
     • Cross-language interoperability
     • Isolate security zones so that we can take every opportunity to add defense in depth against known threats and continuously model new ones
  19. GoDaddy’s solution: Asherah, https://github.com/godaddy/asherah
  20. Layered architecture (diagram)
  21. Hierarchical keys: blast radius reduction (diagram)
  22. AWS Key Management Service. GoDaddy has chosen to use AWS Key Management Service for managing data-at-rest encryption: a managed service to securely create, control, rotate, and use encryption keys, integrated with other AWS services such as Identity and Access Management and KMS to abstract additional complexity away from developers.
  23. What’s out there already:
     • Tink (Google), https://github.com/google/tink: simplifies complex crypto APIs; rotates keys using a primitive called a keyset (the process for doing this is opaquely documented, if at all); manual process, up to the implementer.
     • AWS Application Encryption SDK, https://github.com/aws/aws-encryption-sdk-java/: envelope encryption ensures you don’t have to manage key material outside the library.
     • Asherah (GoDaddy), https://github.com/godaddy/asherah: envelope encryption; hierarchical keystore, an opinionated view of how keys are arranged to partition blast radius and make incremental rotation feasible; CryptoPolicy-based rotation (incremental, time-based timeout, key revocation and turnover, etc.).
  24. What is the current status of Asherah? GoDaddy incubator project:
     • Actively tested internally: does it fit our own enterprise-scale use cases? How easy is it to use? How much protection does it add?
     • Beginning the process of external audits: design; per-language code base.
     • Normalize the cross-language testing framework.
     • Open source: start getting feedback early, before moving to a production-validated solution.
  25–26. Implementation walkthrough (one listing split across two slides):

```java
// Requires java.util.Base64, a static import of java.nio.charset.StandardCharsets.UTF_8,
// an SLF4J logger, and the metastorePersistence, cryptoPolicy and keyManagementService
// objects configured earlier.

// Session factory
try (AppEncryptionSessionFactory appEncryptionSessionFactory = AppEncryptionSessionFactory
        .newBuilder("appservices", "reference_app")
        .withMetastorePersistence(metastorePersistence)
        .withCryptoPolicy(cryptoPolicy)
        .withKeyManagementService(keyManagementService)
        .withMetricsEnabled()
        .build()) {

    // Create session for a partition (which in our case is a shopper id).
    try (AppEncryption<byte[], byte[]> appBytes = appEncryptionSessionFactory
            .getAppEncryptionBytes("shopper123")) {
        String origPayload = "mysupersecretpayload";

        // Encrypt the payload
        byte[] dataRowRecordBytes = appBytes.encrypt(origPayload.getBytes(UTF_8));

        // Consider this us "persisting" the DRR
        String dataRowString = Base64.getEncoder().encodeToString(dataRowRecordBytes);
        logger.info("dataRowRecord as string = {}", dataRowString);
        byte[] newBytes = Base64.getDecoder().decode(dataRowString);

        // Decrypt the payload
        String decryptedPayloadString = new String(appBytes.decrypt(newBytes), UTF_8);
        logger.info("decryptedPayloadString = {}, matches = {}",
                decryptedPayloadString, origPayload.equals(decryptedPayloadString));
    }
}
```
  27. Let’s talk about use cases
  28. (no text on this slide)
  29. (no text on this slide)
  30. (no text on this slide)
  31. Some pretty standard code ...

```java
public static void main(final String[] args) {
    doSomethingWithSecret();
    // secret no longer in scope but still in heap until GC …
}

static void doSomethingWithSecret() {
    byte[] secretKey = getSecretFromStore();
    // do something meaningful with secret …
}
```
  32. Asherah includes a Secure Memory module
  33. More generally ... highly modular code and interfaces give developers an easy way to continue to enhance security throughout the code base.
  34. Improved code ...

```java
public static void main(final String[] args) {
    SecretFactory secretFactory = new ProtectedMemorySecretFactory();
    Secret secretKey = secretFactory.createSecret(getSecretFromStore());
    // currently have secret bytes in protected memory
    secretKey.withSecretBytes(decryptedBytes -> {
        doSomethingWithSecret(decryptedBytes);
    });
    // secret bytes back in protected memory ...
}
```
  35. (no text on this slide)
  36. Key storage
  37. Use our hierarchical key model to start rotating keys and re-encrypting data for the customers who were potentially exposed at that time.
  38. (no text on this slide)
  39. (no text on this slide)
  40. (no text on this slide)
  41. https://github.com/godaddy/asherah
  42. Conclusion. https://github.com/godaddy/asherah
  43. Thank you! Demetrius Comes, VP of Engineering, GoDaddy. Ed Abrams, Sr. Director of Engineering, GoDaddy.
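The key hierarchy behind slides 21 and 23 (one intermediate key per partition wrapping a per-row data row key) and the targeted rotation of slide 37 (re-encrypt only the exposed customers' rows), as an added Ruby illustration written for this page; it is not code from Asherah or from the talk. It assumes AES-256-GCM at every layer and leaves out the outer system key that Asherah keeps in AWS KMS; the helper names (seal, open_box, encrypt_row, decrypt_row, rotate!) and the shopper ids are constructed.

```ruby
require 'openssl'

# Intermediate keys (IKs) per partition (shopper id), newest last. Asherah also
# wraps each IK with a KMS-held system key; that outer layer is omitted here.
IKS = Hash.new { |h, partition| h[partition] = [] }

# AES-256-GCM, returning iv || tag || ciphertext; open_box raises
# OpenSSL::Cipher::CipherError for a wrong key or a tampered blob.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def open_box(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv, c.auth_tag = blob[0, 12], blob[12, 16]
  c.auth_data = ''
  c.update(blob[28..-1]) + c.final
end

# Data row record: ciphertext plus its own data row key (DRK), wrapped by one named IK version.
DRR = Struct.new(:partition, :ik_version, :wrapped_drk, :data)

def encrypt_row(partition, plaintext)
  IKS[partition] << OpenSSL::Random.random_bytes(32) if IKS[partition].empty?
  version = IKS[partition].size - 1
  drk = OpenSSL::Random.random_bytes(32)
  DRR.new(partition, version, seal(IKS[partition][version], drk), seal(drk, plaintext))
end

def decrypt_row(row)
  drk = open_box(IKS[row.partition][row.ik_version], row.wrapped_drk)
  open_box(drk, row.data)
end

# New IK for one partition, then re-encrypt only that partition's rows under
# fresh DRKs; other shoppers' keys and rows are untouched. Returns rows redone.
def rotate!(partition, rows)
  IKS[partition] << OpenSSL::Random.random_bytes(32)
  rows.each_index.count do |i|
    next false unless rows[i].partition == partition
    rows[i] = encrypt_row(partition, decrypt_row(rows[i]))
    true
  end
end
```

After rotate!, the retired IK can no longer unwrap any surviving row of that partition, while the other partition's IK is never loaded or changed.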
