O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

(SEC301) Strategies for Protecting Data Using Encryption in AWS

8.104 visualizações

Publicada em

Protecting sensitive data in the cloud typically requires encryption. Managing the keys used for encryption can be challenging as your sensitive data passes between services and applications. AWS offers several options for using encryption and managing keys to help simplify the protection of your data at rest. This session will help you understand which features are available and how to use them, with emphasis on AWS Key Management Service and AWS CloudHSM. Adobe Systems Incorporated will present their experience using AWS encryption services to solve data security needs.

Publicada em: Tecnologia

(SEC301) Strategies for Protecting Data Using Encryption in AWS

  1. 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ken Beer Principal Product Manager, AWS Cryptography Services October 2015 SEC301 Strategies for Protecting Data Using Encryption in AWS
  2. 2. What to expect from this session • Understand your options for protecting your data with encryption in AWS • Understand how AWS Key Management Service (KMS) can simplify encryption • Understand alternatives such as AWS CloudHSM and partner solutions • Hear from Adobe Systems about their use of KMS
  3. 3. Plaintext data Hardware/ software Encrypted data Encrypted data in storage Encrypted data key Symmetric data key Master keySymmetric data key ? Key hierarchy ? Encryption primer
  4. 4. Where are keys stored? • Hardware you own? • Hardware the cloud provider owns? Where are keys used? • Client software you control? • Server software the cloud provider controls? Who can use the keys? • Users and applications that have permissions? • Cloud provider applications you give permissions? What assurances are there for proper security around keys? “Key” questions to consider with any solution
  5. 5. Client-side encryption • You encrypt your data before data submitted to service • You supply encryption keys OR use keys in your AWS account • Available clients: • Amazon S3, Amazon EMR File System (EMRFS), Amazon DynamoDB Server-side encryption • AWS encrypts data on your behalf after data is received by service • Integrated services: • S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon WorkMail/WorkSpaces, AWS CloudTrail, Amazon Simple Email Service, Amazon Elastic Transcoder, AWS Import/Export Snowball, Amazon Kinesis Firehose Options for using encryption in AWS
  6. 6. Your applications in your data center Your key management infrastructure in EC2 Your encryption client application Your key management infrastructure Your application in EC2 Your encrypted data in select AWS services Client-side encryption in AWS S3/EMRFS and DynamoDB encryption clients in AWS SDKs
  7. 7. Amazon S3 Web Server HTTPS Customer Data Amazon S3 Storage Fleet Key is used at S3 web server, and then deleted. Customer must provide same key when downloading to allow S3 to decrypt data. Customer- provided key Server-side encryption in AWS S3 server-side encryption with customer-provided encryption keys (SSE-C) Plaintext Data Encrypted Data Customer- provided key
  8. 8. Server-side encryption in AWS S3 (SSE-KMS)
  9. 9. AWS Key Management Service (KMS) • Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications • Integrated with AWS server-side encryption • S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, and Amazon Elastic Transcoder • Integrated with AWS client-side encryption • AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client • Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities • Available in all commercial regions except China
  10. 10. AWS KMS Integrated with AWS Identity and Access Management (IAM) console
  11. 11. How clients and AWS services typically integrate with KMS Two-tiered key hierarchy using envelope encryption • Unique data key encrypts customer data • KMS master keys encrypt data keys Benefits • Limits risk of compromised data key • Better performance for encrypting large data • Easier to manage small number of master keys than millions of data keys • Centralized access and audit of key activity Customer master keys Data key 1 S3 object EBS volume Amazon Redshift cluster Data key 2 Data key 3 Data key 4 Custom application KMS
  12. 12. Your application or AWS service + Data key Encrypted data key Encrypted data Master keys in customer’s account KMS How AWS services use your KMS keys 1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your account. 2. Client request is authenticated based on permissions set on both the user and the key. 3. A unique data encryption key is created and encrypted under the KMS master key. 4. The plaintext and encrypted data key is returned to the client. 5. The plaintext data key is used to encrypt data and is then deleted when practical. 6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.
  13. 13. create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id <value>] --availability-zone <value> [--volume-type <value>] [--iops <value>] [--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>] [--generate-cli-skeleton] Console AWS CLI/SDK Interfaces to select KMS keys in AWS services
  14. 14. You control how and when your KMS keys can be used and by whom Sample permissions on a key: • Can only be used for encryption and decryption by <these users and roles> in <this account> • Can only be used by application A to encrypt data, but only used by application B to decrypt data • Can only be used to decrypt data if the service resource is active and additional parameters about the resource are passed in the call • Can be managed only by this set of administrator users or roles Fully integrated with AWS Identity and Access Management
  15. 15. Rotating keys in KMS What key rotation means: • A new version of a master key is created, but mapped to the same key ID or alias • All new encryption requests use the new version • All previous versions of keys are kept to perform decryption on older ciphertexts There is nothing users/applications need to do after a rotation – the same keyID or alias just works AWS CLI enable-key-rotation --key-id <value> Console (Key Summary Page)
  16. 16. Auditability of KMS key usage through AWS CloudTrail "EventName":"DecryptResult", This KMS API was called… "EventTiime":"2014-08-18T18:13:07Z", ….at this time "RequestParameters": "{"keyId":"2b42x363-1911-4e3a-8321-6b67329025ex”}”, …in reference to this key “EncryptionContext":"volumeid-12345", …to protect this AWS resource "SourceIPAddress":"42.23.141.114 ", …from this IP address "UserIdentity": “{"arn":"arn:aws:iam::957737256530:user/User123“} …by this AWS user in this account
  17. 17. KMS APIs to build your own applications Example management APIs • CreateKey, CreateAlias • DisableKey • EnableKeyRotation • PutKeyPolicy • ListKeys, DescribeKey Example data APIs • Encrypt • Decrypt • ReEncrypt • GenerateDataKey 26 APIs and growing http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
  18. 18. KMS assurances Why should you trust AWS with your keys? • There are no tools in place to access your physical key material. • Your plaintext keys are never stored in nonvolatile memory. • You control who has permissions to use your keys. • Separation of duties between systems that use master keys and ones that use data keys. • Multiparty controls for all maintenance of KMS systems that use your master keys. • Third-party evidence of these controls: • Service Organization Control (SOC 1) • PCI-DSS • See AWS Compliance packages for details
  19. 19. Pricing for KMS $1/key version/month $0.03 per 10,000 API requests • 20,000 free requests per month
  20. 20. Alternatives to KMS In order to have different controls over the security of your keys 1. AWS CloudHSM 2. AWS Partner Solutions 3. Do it yourself
  21. 21. AWS CloudHSM • You receive dedicated access to HSM appliances • HSMs located in AWS data centers • Managed and monitored by AWS • Only you have access to your keys and operations on the keys • HSMs are inside your Amazon VPC – isolated from the rest of the network • Uses SafeNet Luna SA HSM appliances CloudHSM AWS administrator – Manages the appliance You – Control keys and crypto operations Amazon Virtual Private Cloud
  22. 22. AWS CloudHSM Available in seven regions worldwide • US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt) and Asia Pacific (Sydney, Tokyo, Singapore) Compliance • Included in AWS PCI DSS and SOC-1 compliance packages • FIPS 140-2 level 2 (maintained by Gemalto/SafeNet) Typical use cases • Use with Redshift, RDS for Oracle • Integrate with third-party software (Oracle, SQL Server, Apache, SafeNet) • Build your own custom applications
  23. 23. SafeNet ProtectV manager and Virtual KeySecure in EC2 EBS volume encryption with CloudHSM and SafeNet Software SafeNet ProtectV with Virtual KeySecure CloudHSM stores the master key SafeNet ProtectV client CloudHSM Your encrypted data in EBS Your applications in EC2 ProtectV client • Encrypts I/O from EC2 instances to EBS volumes • Includes preboot authentication
  24. 24. Pricing for CloudHSM HSM provisioned in any region has a $5,000 one-time charge Starting at $1.88/hour metered charge after setup • Hourly rate varies by region As low as $21,500 in year one; $16,500 in subsequent years Requests not billed; limited only by the device capacity • Varies depending on algorithm and key size
  25. 25. Comparing CloudHSM with KMS CloudHSM • Dedicated access to one or more HSM devices that complies with government standards (e.g., FIPS 140-2, Common Criteria) • You control all access to your keys and the application software that uses them • Supported applications: • Your custom software • Third-party software • AWS services: Redshift, RDS for Oracle KMS • Highly available and durable key storage, management, and auditable service • Easily encrypt your data across AWS services and within your own applications based on policies you define • Supported applications: • Your custom software built with AWS SDKs/CLI • AWS services (S3, EBS, RDS, Aurora, Redshift, WorkMail, WorkSpaces, CloudTrail, Elastic Transcoder)
  26. 26. Partner solutions in AWS Marketplace • Browse, test, and buy encryption and key management solutions • Pay-by-the-hour, monthly, or annual • Software fees added to AWS bill • Bring Your Own License
  27. 27. Your encryption client application Your key management infrastructure Your applications in your data center Your application in EC2 Your key management infrastructure in EC2 Your encrypted data in AWS services … DIY key management in AWS Encrypt data client-side and send ciphertext to AWS storage services
  28. 28. KMS AWS CloudHSM AWS Marketplace Partner Solutions DIY Where keys are generated and stored AWS In AWS, on an HSM that you control Your network or in AWS Your network or in AWS Where keys are used AWS services or your applications AWS or your applications Your network or your EC2 instance Your network or your EC2 instance How to control key use Policy you define; enforced by AWS Customer code + SafeNet APIs Vendor-specific management Config files, vendor- specific management Responsibility for performance/scale AWS You You You Integration with AWS services? Yes Limited Limited Limited Pricing model Per key/usage Per hour Per hour/per year Variable Comparison of key management options
  29. 29. KMS CloudHSM AWS Marketplace Partner Solutions DIY Where keys are generated and stored AWS In AWS, on an HSM that you control Your network or in AWS Your network or in AWS Where keys are used AWS services or your applications AWS or your applications Your network or your EC2 instance Your network or your EC2 instance How to control key use Policy you define; enforced by AWS Customer code + SafeNet APIs Vendor-specific management Config files, vendor- specific management Responsibility for performance/scale AWS You You You Integration with AWS services? Yes Limited Limited Limited Pricing model Per key/usage Per hour Per hour/per year Variable Comparison of key management options
  30. 30. KMS CloudHSM AWS Marketplace Partner Solutions DIY Where keys are generated and stored AWS In AWS, on an HSM that you control Your network or in AWS Your network or in AWS Where keys are used AWS services or your applications AWS or your applications Your network or your EC2 instance Your network or your EC2 instance How to control key use Policy you define; enforced by AWS Customer code + SafeNet APIs Vendor-specific management Config files, vendor- specific management Responsibility for performance/scale AWS You You You Integration with AWS services? Yes Limited Limited Limited Pricing model Per key/usage Per hour Per hour/per year Variable Comparison of key management options
  31. 31. Comparison of key management options KMS CloudHSM AWS Marketplace Partner Solutions DIY Where keys are generated and stored AWS In AWS, on an HSM that you control Your network or in AWS Your network or in AWS Where keys are used AWS services or your applications AWS or your applications Your network or your EC2 instance Your network or your EC2 instance How to control key use Policy you define; enforced by AWS Customer code + SafeNet APIs Vendor-specific management Config files, vendor- specific management Responsibility for performance/scale AWS You You You Integration with AWS services? Yes Limited Limited Limited Pricing model Per key/usage Per hour Per hour/per year Variable
  32. 32. Customer success story Frank Wiebe – Principal Scientist, Adobe Systems
  33. 33. Adobe use case • Mobile app built using the CreativeSDK makes API requests to purchase billable content • Mobile application generates an HMAC signature using a secret associated with app’s API key • The HMAC signature is used to validate the identity of the mobile app that will be connecting • This approach is used to securely identify the mobile app to avoid fraudulent charges against a customer’s account Adobe KMS AWS KMS
  34. 34. Adobe use case (cont’d) • API Gateway needed the capability to retrieve and securely store the secret associated with the API key in a cache. • We wanted to minimize the time plaintext sensitive data remained in cache and avoid storing the sensitive data on disk. • Using the combination of AWS KMS and Amazon ElastiCache for Redis met our requirements. • This approach was used to securely store the API key’s secret used to validate the digital signature of an API request processed by the adobe.io API Gateway.
  35. 35. Adobe requirements • Symmetric encryption • We needed a secure method for sharing a secret that could be used by both the mobile app and the API Gateway to validate an HMAC signature. • High availability and durability with low management overhead and cost • As a DevOps focused on API management, we did not have the time or the staff to build and deploy our own key management solution that would meet with the approval of Adobe Security. • Audit trail of and strong controls to manage use of encryption keys • We needed to control which EC2 instances could access keys. • Log the storage and retrieval of keys. • Fast deployment • Following the acquisition of Aviary by Adobe, we had less than 2 months to design, build, and deploy an approved solution to support the integration of the Aviary APIs within the CreativeSDK.
  36. 36. How AWS KMS meets Adobe requirements • Symmetric encryption • 256-bit AES-GCM for KMS master key • High availability and durability • Consistent with our experience of AWS as a whole • Audit trail of and strong controls to manage use of encryption keys • Integration with IAM policies • Ability to separate permission to encrypt from permission to decrypt using IAM roles for EC2 to acquire temporary security credentials to access KMS for 24 hours • CloudTrail shows us all use of KMS master keys • Fast deployment • Solution was designed, built, tested, and approved by Adobe Security within 4 weeks
  37. 37. 1. Client makes an API request to Adobe.io with API key and an object signed using the API key secret (“digital signature”). 2. API Gateway validates digital signature. How this works: • If the secret for validation is not in the NGINX shared cache, retrieve the secret (in plaintext) from the Adobe key management API and encrypt by sending to AWS KMS. • API Gateway calls AWS KMS to generate a data encryption key (DEK) for the secret using the GenerateDataKey API. • Encrypt the secret with the DEK using an AES-256 CBC SHA512 algorithm, and store the ciphertext blob versions of the DEK and secret in the shared cache with a TTL. • If secret for validation is in the NGINX shared cache, API Gateway makes a request to AWS KMS using the Decrypt API to retrieve the DEK (in plaintext form), which is then used to decrypt the ciphertext blob containing the secret. Adobe KMS AWS KMS API request flow
  38. 38. NGINX – AWS SDK – Setup function _M:new(o) local o = o or {} setmetatable(o, self) self.__index = self if not o.___super then printInitObject(o) self:throwIfInitParamsInvalid(o) self.kmsService = KmsService:new({ aws_region = o.aws_region, aws_secret_key = o.aws_secret_key, – Optional. The code will automatically look for an IAM user. aws_access_key = o.aws_access_key, – Optional. The code will automatically look for an IAM user. aws_iam_user = o.aws_iam_user, – Optional. But it's more performant to provide it. security_credentials_host = o.security_credentials_host, security_credentials_port = o.security_credentials_port, aws_debug = o.aws_debug, – Print warn level messages on the nginx logs. aws_conn_keepalive = o.aws_conn_keepalive, – How long to keep the sockets used for AWS alive. aws_conn_pool = o.aws_conn_pool, – The connection pool size for sockets used to connect to AWS. shared_cache_dict = o.shared_cache_dict – Shared dict to keep IAM credentials cached for performance improvements. }) end return o end Adobe has implemented an AWS SDK for NGINX that has been open sourced. This is the configuration of AWS KMS within the SDK. This SDK is available at https://github.com/adobe- apiplatform/api-gateway-aws
  39. 39. NGINX – Secret Reader integrated with AWS KMS -- Encrypts the plain_text returning a pair of ( cipher_text, seed_cipher ). Use this pair to call the decrypt method. -- @param plain_text The Text to encode -- function _M:encrypt(plain_text) local DEK_plain_text – the DEK plain text local seed_cipher – in the DEK cipher text blob local cipher, status, body = self.kmsService:generateDataKey(self.aws_key_id, "AES_256") if (cipher == nil) then ngx.log(ngx.WARN, "Could not GenerateDataKey. AWS Status:", tostring(status), ", Body:", tostring(body)) return nil, nil end seed_cipher = cipher.CiphertextBlob DEK_plain_text = cipher.Plaintext -- this is the plaintext of the DEK local cipher_text = self:encryptText(plain_text, DEK_plain_text) -- encrypt API Key secret return cipher_text, seed_cipher -- return the encrypt API Key secret & ciphertext blob End + function _M:encryptText(plain_text, seed_text) local aes_256_cbc_sha512x5 = aes:new(seed_text, ”—insert—your—salt—here--", aes.cipher(256, "cbc"), aes.hash.sha512, 5) local encrypted = aes_256_cbc_sha512x5:encrypt(plain_text) return encrypted end The SDK generates a data encryption key (DEK), and then uses the DEK to encrypt/decrypt data locally using the encryptText function (at right).
  40. 40. Operational experience post-deployment • No operational or performance-related issues since it was launched • 100% availability over the past 10 months • After initial design discussion with AWS Solutions Architect and KMS Product Manager, we haven’t opened an AWS Support case for this application
  41. 41. Wish list for KMS Cross-region replication of encrypted AWS resources • Can’t move KMS master keys between regions, but the process of re-encrypting data between regions could be easier
  42. 42. Resources KMS • https://aws.amazon.com/kms Whitepaper on KMS cryptographic details • https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf CloudHSM • https://aws.amazon.com/cloudhsm/ Whitepaper on data-at-rest encryption and key management in AWS • https://aws.amazon.com/whitepapers/ S3 encryption client • http://aws.amazon.com/articles/2850096021478074 AWS Partner Network • http://www.aws-partner-directory.com/ AWS Security Blog • http://blogs.aws.amazon.com/security
  43. 43. Related Sessions • SEC401: Encryption Key Storage at Okta • Pallazzo K at 4:15 P.M. today • STG402: Amazon EBS Deep Dive • BDT314: Running a Big Data and Analytics Application on Amazon EMR and Amazon Redshift with a Focus on Security
  44. 44. Remember to complete your evaluations!
  45. 45. Thank you!

×