O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Protecting Your Data with Encryption on AWS

7.693 visualizações

Publicada em

AWS offers you the ability to add additional layers of security to your data at rest in the cloud, providing access control as well scalable and efficient encryption features. Flexible key management options allow you to choose whether to have AWS manage the encryption keys or to keep complete control over the keys yourself. In this session, you will learn how to secure data when using AWS services. We will discuss data encryption using Key Management Service, S3 access controls, edge and host access security, and database platform security features.

Publicada em: Tecnologia
  • Tired of being scammed? Take advantage of a program that, actually makes you money! ➤➤ http://scamcb.com/ezpayjobs/pdf
    Tem certeza que deseja  Sim  Não
    Insira sua mensagem aqui

Protecting Your Data with Encryption on AWS

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dave Walker, Specialist Solution Architect Security and Compliance 07/07/16 Protecting your Data with Encryption on AWS
  2. 2. What to expect from this session • Understand your options for protecting your data with encryption in AWS • Securing access to data on Amazon S3 using policies • Database platform security • Automatically validate and audit your data protection policies • …and some myth-busting and a Case Study courtesy of Al Davidson at the Ministry of Justice
  3. 3. More Detail: • UK Security Roadshow Crypto Options Slides: http://www.slideshare.net/AmazonWebServices/crypto-options- in-aws-59677556 • Video: https://youtu.be/9bn7p2tdym0 • Whitepapers: • Encrypting Data at Rest: https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encry ption.pdf • AWS Key Management Service Cryptographic Details: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
  4. 4. Encryption in Transit
  5. 5. Authenticating AWS to you and protecting confidentiality using TLS • TLS is used with every AWS API to protect data upload/download and configuration change • You can provide your own certificates to be presented to your customers when using: • Amazon Elastic Load Balancing • Amazon CloudFront (content distribution network)
  6. 6. AWS Certificate Manager (ACM) • Provision trusted TLS certificates from AWS for use with AWS resources: • Elastic Load Balancing • Amazon CloudFront distributions • AWS handles the drudgery • Key pair and CSR generation • Managed renewal and deployment • Domain validation (DV) through email • Available through AWS Management Console, AWS Command Line Interface (AWS CLI), or API
  7. 7. ACM-provided certificates Domain names • Single domain name: www.example.com • Wildcard domain names: *.example.com • Combination of wildcard and non-wildcard names • Multiple domain names in the same certificate (up to 10) ACM-provided certificates are managed • Private keys are generated, protected, and managed • ACM-provided certificates cannot be used on Amazon EC2 instances or on-premises servers Algorithms • RSA 2048 and SHA-256 Free
  8. 8. Making TLS work better in your apps • “signal to noise” • A TLS library designed by AWS to help your developers implement transport security • Avoids implementing rarely-used TLS options and extensions; ~6,000 lines of code https://github.com/awslabs/s2n
  9. 9. Encryption at Rest
  10. 10. Plaintext data Hardware/ software Encrypted data Encrypted data in storage Encrypted data key Symmetric data key Master keySymmetric data key ? Key hierarchy ? Data at rest encryption primer
  11. 11. Where are keys stored? • Hardware you own? • Hardware the cloud provider owns? Where are keys used? • Client software you control? • Server software the cloud provider controls? Who can use the keys? • Users and applications that have permissions? • Cloud provider applications you give permissions? What assurances are there for proper security around keys? “Key” questions to consider with any solution
  12. 12. Client-side encryption • You encrypt your data before data submitted to service • You supply encryption keys OR use keys in yourAWS account • Available clients: • Amazon S3, Amazon EMR File System (EMRFS), Amazon DynamoDB Server-side encryption • AWS encrypts data on your behalf after data is received by service • Integrated services: • S3, Amazon Elastic Block Store (Amazon EBS), Amazon RDS,Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail,Amazon Simple Email Service (Amazon SES), Amazon Elastic Transcoder, AWS Import/Export Snowball,Amazon Kinesis Firehose Options for using encryption in AWS
  13. 13. Your applications in your data center Your key management infrastructure in EC2 Your encryption client application Your key management infrastructure Your application in EC2 Your encrypted data in select AWS services Client-side encryption in AWS S3/EMRFS and DynamoDB encryption clients in AWS SDKs
  14. 14. Amazon S3 Web Server HTTPS Customer Data Amazon S3 Storage Fleet Key is used at S3 web server, and then deleted. Customer must provide same key when downloading to allow S3 to decrypt data. Customer- provided key Server-side encryption in AWS S3 server-side encryption with customer-provided encryption keys (SSE-C) Plaintext Data Encrypted Data Customer- provided key
  15. 15. AWS Key Management Service (AWS KMS) • Managed service that simplifies creation, control, rotation, deletion, and use of AES256 encryption keys in your applications • Integrated with AWS server-sideencryption • S3, EBS, RDS, Amazon Aurora, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, and Amazon Elastic Transcoder • Integrated with AWS client-side encryption • AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client • Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities • Available in all commercial regions except China
  16. 16. AWS KMS Integrated with AWS Identity and Access Management (IAM) console
  17. 17. KMS integration with AWS services • Storage: EBS, S3, Snowball • Database: All RDS engines • Data Analytics: Amazon Redshift, EMR, Amazon Kinesis Firehose • Enterprise Apps: WorkMail, WorkSpaces • Developer Tools: AWS CodeCommit • Management: CloudTrail • App Svcs: Elastic Transcoder, Simple Email Service
  18. 18. How clients and AWS services typically integrate with KMS Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • KMS master keys encrypt data keys Benefits • Limits risk of compromised data key • Better performance for encrypting large data • Easier to manage small number of master keys than millions of data keys • Centralized access and audit of key activity Customer master keys Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application KMS
  19. 19. Your application or AWS service + Data key Encrypted data key Encrypted data Master keys in customer’s account KMS How AWS services use your KMS keys 1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your account. 2. Client request is authenticated based on permissions set on both the user and the key. 3. A unique data encryption key is created and encrypted under the KMS master key. 4. The plaintext and encrypted data key is returned to the client. 5. The plaintext data key is used to encrypt data and is then deleted when practical. 6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.
  20. 20. create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton] Console AWS CLI/SDK Interfaces to select KMS keys in AWS services
  21. 21. You control how and when your KMS keys can be used and by whom Sample permissions on a key: • Can only be used for encryption and decryption by <these users and roles> in <this account> • Can only be used by applicationA to encrypt data, but only used by application B to decrypt data • Can only be used to decrypt data if the service resource is active and additional parameters about the resource are passed in the call • Can be managed only by this set of administrator users or roles Fully integrated with AWS Identity and Access Management
  22. 22. Rotating master keys in KMS What key rotation means: • A new version of a master key is created, but mapped to the same key ID or alias • All new encryption requests use the new version • All previous versions of keys are kept to perform decryption on older ciphertexts There is nothing users or applications need to do after a rotation—the same key ID or alias just works AWS CLI enable-key-rotation --key-id <value> Console (Key Summary Page)
  23. 23. Auditability of KMS key usage through AWS CloudTrail "EventName":"DecryptResult", This KMS API action was called… "EventTiime":"2014-08-18T18:13:07Z", ….at this time "RequestParameters": "{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key “EncryptionContext":"volumeid-12345", …to protect this AWS resource "SourceIPAddress":"", …from this IP address "UserIdentity": “{"arn":"arn:aws:iam:: 111122223333:user/User123“} …by this AWS user in this account
  24. 24. KMS APIs to build your own applications Example management API actions • CreateKey, CreateAlias • DisableKey • EnableKeyRotation • PutKeyPolicy • ListKeys, DescribeKey Example data API actions • Encrypt • Decrypt • ReEncrypt • GenerateDataKey 26 API actions and growing http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
  25. 25. KMS assurances Why should you trust AWS with your keys? • Your plaintext keys are never stored in nonvolatile memory • There are no tools in place to access your physical key material • You control who has permissions to use your keys • There is separation of duties between systems that use master keys and ones that use data keys with multiparty controls • You can find evidence of every KMS API call in CloudTrail for you to monitor • Also, there is third-party evidence of these controls: • Service Organization Control (SOC 1) • PCI-DSS • In process for FIPS 140-2 • See AWS Compliance packages for details
  26. 26. Ubiquitous encryption AWS CloudTrail IAM EBS RDS Amazon Redshift S3 Amazon Glacier Encrypted in transit and at rest Fully auditable Fully managed keys in KMS Restricted access
  27. 27. Pricing for KMS $1/key version/month $0.03 per 10,000 API requests ($0.04 per 10,000 API requests in AWS GovCloud) • 20,000 free requests per month
  28. 28. Alternatives to KMS In order to have different controls over the security of your keys 1. AWS CloudHSM 2. AWS Partner solutions 3. Do it yourself
  29. 29. AWS CloudHSM • You receive dedicated access to HSM appliances • HSMs located in AWS data centers • Managed and monitored by AWS • Only you have access to your keys and operations on the keys • HSMs are inside your Amazon VPC— isolated from the rest of the network • Uses SafeNet Luna SA 7000 HSM appliances CloudHSM AWS administrator— Manages the appliance You—Control keys and crypto operations Amazon VPC
  30. 30. AWS CloudHSM Available in eight regions worldwide • US East (N. Virginia), US West (Oregon), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Sydney), Asia Pacific (Singapore) and Asia Pacific (Tokyo) Compliance • Included in AWS PCI DSS and SOC-1 compliance packages • FIPS 140-2 level 2 (maintained by Gemalto/SafeNet) Typical use cases • Use with Amazon Redshift and RDS for Oracle • Integrate with third-party software (Oracle – including Oracle EE in RDS, Microsoft SQL Server, Apache, SafeNet) • Build your own custom applications
  31. 31. SafeNet ProtectV manager and Virtual KeySecure in EC2 EBS volume encryption with CloudHSM and SafeNet Software SafeNet ProtectV with Virtual KeySecure CloudHSM stores the master key SafeNet ProtectV client CloudHSM Your encrypted data in EBS Your applications in EC2 ProtectV client • Encrypts I/O from EC2 instances to EBS volumes • Includes preboot authentication
  32. 32. Pricing for CloudHSM • HSM provisioned in any region has a $5,000 one-time charge • Starting at $1.88/hour metered charge after setup • Hourly rate varies by region • As low as $21,500 in year one; $16,500 in subsequent years • Requests not billed; limited only by the device capacity • Varies depending on algorithm and key size
  33. 33. Comparing CloudHSM with KMS CloudHSM • Dedicated access to one or more HSM devices that comply with government standards (FIPS 140-2, Common Criteria) • Broad range of symmetric and asymmetric algorithms • Generate or import keys • You control all access to your keys and the application software that uses them • Supported applications: • Your custom software • Third-party software • AWS services: Amazon Redshift, RDS for Oracle KMS • Highly available and durable key storage, management, and auditable service • AWS-managed root of trust • AES256-GCM and configurable key rotation • Generate keys in-service • Easily encrypt your data across AWS services and within your own applications based on policies you define; full CloudTrail integration • Supported applications: • Your custom software built with AWS SDKs/CLI • AWS services (S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, WorkSpaces, CloudTrail, Elastic Transcoder)
  34. 34. Partner solutions in AWS Marketplace • Browse, test, and buy encryption and key management solutions • Pay by the hour, monthly, or annually • Software fees added to AWS bill • Bring Your Own License
  35. 35. Your encryption client application Your key management infrastructure Your applications in your data center Your application in EC2 Your key management infrastructure in EC2 Your encrypted data in AWS services … DIY key management in AWS Encrypt data client-side and send ciphertext to AWS storage services
  36. 36. Comparison of key management options KMS CloudHSM AWS Marketplace Partner Solutions DIY Where keys are generated and stored AWS In AWS, on an HSM that you control Your network or in AWS Your network or in AWS Where keys are used AWS services or your applications AWS or your applications Your network or your EC2 instance Your network or your EC2 instance How to control key use Policy you define; enforced byAWS Customer code + SafeNetAPIs Vendor-specific management Config files, vendor- specific management Responsibility for performance/scale AWS You You You Integration withAWS services? Yes Limited Limited Limited Pricing model Per key/usage Per hour Per hour/per year Variable
  37. 37. AWS database services and encryption at rest Server-side encryption with KMS RDS MySQL RDS PostgreSQL RDS SQL Server RDS Oracle RDS MariaDB Amazon Aurora Amazon Redshift Server-side encryption with CloudHSM Amazon Redshift RDS Oracle—TDE Microsoft SQL TDE (outside RDS) Client-side encryption DynamoDB encryption client
  38. 38. 38MOJ Digital / @justice_digital 38 Government’s Journey To The Cloud Alistair Davidson Technical Architecture Lead, Ministry of Justice @drsnooks
  39. 39. 39MOJ Digital / @justice_digital 39Al Davidson / @drsnooks Why Cloud? ● Government service load can be very spiky ● When Government services go down, real impact on people’s lives ● Government efforts should be focussed on building great public services - not datacenters
  40. 40. 40MOJ Digital / @justice_digital 40Al Davidson / @drsnooks Huge savings to be made Projecting 750k / yr just from moving one set of products Monthly bill down from ~64k to ~2k when finished 97% saving
  41. 41. 41MOJ Digital / @justice_digital 41Al Davidson / @drsnooks Can we put Government data on the cloud? YES…..but it’s not a simple lift-and-shift Thinking needed to change on: Data Security Architecture Procurement Contracts etc etc
  42. 42. 42MOJ Digital / @justice_digital 42Al Davidson / @drsnooks Main barriers are not technical Procedural Contractual Educational Organisational / Cultural Made great progress, but still hear FUD about security
  43. 43. 43MOJ Digital / @justice_digital 43Al Davidson / @drsnooks People Problems ...are nearly always incentive problems Incentives are skewed towards old behaviours You say “savings” they hear “budget cuts” Vendor lock-in becomes self-reinforcing Heavyweight procurement leads to longer contracts Digital expertise centralised => outsourcing is easier option
  44. 44. 44MOJ Digital / @justice_digital 44Al Davidson / @drsnooks Mythbusting “you can't put Gov. data in the cloud AT ALL” “you can't store Gov. data offshore”
  45. 45. 45MOJ Digital / @justice_digital 45Al Davidson / @drsnooks WRONG on both counts This is hosted in AWS EU-WEST-1 So are 30+ more just within MoJ
  46. 46. 46MOJ Digital / @justice_digital 46Al Davidson / @drsnooks There is NO BLANKET REASON why Government data should not be on the public cloud (Chief SIRO “broad approval” for OFFICIAL)
  47. 47. 47MOJ Digital / @justice_digital 47Al Davidson / @drsnooks What does “Government data” mean? Traditional Impact Levels - IL0 - IL6 • no longer applied to technology Classifications simplified to 3 • OFFICIAL, SECRET, TOP SECRET Most info involved in public-facing services is OFFICIAL • SECRET is a BIG step up from OFFICIAL AWS considered acceptable for OFFICIAL
  48. 48. 48MOJ Digital / @justice_digital 48Al Davidson / @drsnooks Traditional security approach If ANY part is sensitive, the whole thing must be locked- down “What’s the highest level of security we need?” Over-emphasis on strong perimeter
  49. 49. 49MOJ Digital / @justice_digital 49Al Davidson / @drsnooks Modern security thinking What’s the minimum we need to ask the user for? What’s the smallest part we absolutely need to lock- down? What’s the lowest level of procedure we absolutely can’t do without?
  50. 50. 50MOJ Digital / @justice_digital 50Al Davidson / @drsnooks It's not about how much you can lock-down but how much you can OPEN
  51. 51. 51MOJ Digital / @justice_digital 51Al Davidson / @drsnooks “Security must be proportionate and justified” GDS Service Design Manual - https://www.gov.uk/service-manual/technology/security-as-enabler.html “User experience should be fantastic - security should be good enough” CESG Principles of effective cyber securityrisk management https://www.cesg.gov.uk/guidance/principles-effective-cyber-security-risk-management#user-experience
  52. 52. 52MOJ Digital / @justice_digital 52Al Davidson / @drsnooks Software that can’t be changed is not an asset It’s a liability ...and the same is true for infrastructure
  53. 53. 53MOJ Digital / @justice_digital 53Al Davidson / @drsnooks AWS Philosophy: Everything Fails, All Of The Time Applied to security: Everything Is (or Could Be) Vulnerable, All Of The Time
  54. 54. 54MOJ Digital / @justice_digital 54Al Davidson / @drsnooks A new 0-day vulnerability Is discovered every week (source: Symantec)
  55. 55. 55MOJ Digital / @justice_digital 55Al Davidson / @drsnooks “Secure” does not mean “unchangeable” it means the exact opposite - changeable rapidly in response to threats
  56. 56. 56MOJ Digital / @justice_digital 56Al Davidson / @drsnooks How not to do it One particular legacy system: ●Change-controlled - multiple sign-offs required ●Locked-down private network ●Physical hardware designed for predicted future peak capacity ●Testing is fully-manual ○ ‘5 or 6 people, 3 or 4 weeks’ ○ Significant costs just to run tests => Hasn’t been released since Feb 2015 CVE lists 78 vulnerabilities JUST IN JAVA since then
  57. 57. 57MOJ Digital / @justice_digital 57Al Davidson / @drsnooks How we do it now “Cloud Platform” Rapid deployment & stack creation Templated best- practice Continuous delivery Legacy migration next...
  58. 58. 58MOJ Digital / @justice_digital 58Al Davidson / @drsnooks Traditional Pen. Testing Once before go-live • maybe once every 6 months after that • system locked-down after testing c. 8-10k per test Always external • “because they’re the experts”
  59. 59. 59MOJ Digital / @justice_digital 59Al Davidson / @drsnooks Big bang pen tests are not enough in an environment of constant change They’re often templatized & one-size-fits-all Can only find vulnerabilities known at time of test
  60. 60. 60MOJ Digital / @justice_digital 60Al Davidson / @drsnooks Agile Security In-house ethical hacker, risk assessment & IA team Continuous engagement & dialogue with dev teams On-going consultation for risk-impacting changes On-going health checks
  61. 61. 61MOJ Digital / @justice_digital 61Al Davidson / @drsnooks Public cloud is easier to secure A public cloud solution can be more secure than physical hardware if done right Disposable, automatable, rapidly-changeable infrastructure Out-of-the-box tooling for every app to have it’s own - Sub-account & VPC - Users, roles & permissions - Rapidly-revokable secrets, keys, certificates - Firewall rules - Audit trail of API calls
  62. 62. 62MOJ Digital / @justice_digital 62Al Davidson / @drsnooks We Not Only Can Use The Cloud, We Should Cabinet Office (GDS) Tech Code of Practice (2013) says: “...evaluate potential public cloud solutions first – before you consider any other option” CESG Cloud Security Principles (2014) available at https://www.cesg.gov.uk/cloud-security-collection
  63. 63. 63MOJ Digital / @justice_digital 63Al Davidson / @drsnooks We’re Hiring! Developers, back-end & front-end Technical Architects Security Engineers Web operations User Researchers Designers Content Specialists Head of Development Come and help us Make Stuff That Matters recruitment@digital.justice.gov.uk / mojdigital.blog.gov.uk/working-at-moj-ds
  64. 64. 64MOJ Digital / @justice_digital 64Al Davidson / @drsnooks Contacts MoJ Digital @Justice_Digital mojdigital.blog.gov.uk Our code github.com/ministryofjustice Me @drsnooks apdavidson@gmail.com At work alistair.davidson@digital.justice.gov.uk
  65. 65. Please remember to rate this session under My Agenda on awssummit.london