AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption

Page 1: AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ken Beer

Principal Product Manager, AWS Cryptography Services

June 16, 2015

Protecting Your Data with AWS Encryption

Page 2: Agenda

Review the fundamentals of encryption and key management

Overview of how AWS protects your data with encryption

Learn how AWS Key Management Service simplifies encryption at a low price

Understand alternatives like AWS CloudHSM and partner solutions

Page 3: Encryption Primer

[Diagram] Plaintext data and a symmetric data key go into encryption hardware or software, which produces encrypted data; the encrypted data is written to storage. The symmetric data key is in turn encrypted under a master key, and the resulting encrypted data key is stored alongside the data. This is the key hierarchy; the slide marks with "?" the open question of where the master key itself is kept and who can use it.

Page 4: "Key" Questions to Consider With Any Solution

Where are keys stored?

• Hardware you own?

• Hardware the cloud provider owns?

Where are keys used?

• Client software you control?

• Server software the cloud provider controls?

Who can use the keys?

• Users and applications that have permissions?

• Cloud provider applications you give permissions to?

What assurances are there of proper key usage?

Page 5: AWS Encryption Models

Server-side encryption

• Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift, Amazon WorkMail, Amazon Elastic Transcoder

• The service encrypts data on your behalf after it receives the API call

• Uses keys in your AWS account

Client-side encryption

• S3, Amazon EMR, Amazon DynamoDB

• Encryption happens in your application before the data is submitted to the service

• You supply the keys, OR use keys in your AWS account

Page 6: Server-side encryption in AWS: Amazon S3

Page 7: Server-side encryption in AWS: S3 Server-Side Encryption with Customer-Provided Keys (SSE-C)

[Diagram] The customer sends plaintext data together with a customer-provided key to the Amazon S3 web server over HTTPS. The web server encrypts the data, hands the encrypted data to the Amazon S3 storage fleet, and discards the key.

Key is used at the S3 web server, then deleted

Customer must provide the same key when downloading to allow S3 to decrypt the data
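The SSE-C exchange on this slide is driven entirely by request headers. The following is an added example, not code from the webinar or from AWS: it builds the three SSE-C headers from a customer key and refuses to attach them to anything but an HTTPS request, because the raw key travels in those headers. The bucket name, object key and demo key are made up for the illustration.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// SSECHeaders builds the three headers S3 requires on any PUT, GET or HEAD of an
// SSE-C object. S3 keeps the key only long enough to encrypt or decrypt, so the
// caller must hold the key and present it again on every read.
func SSECHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("SSE-C key must be 32 bytes (AES-256), got %d", len(key))
	}
	sum := md5.Sum(key) // S3 uses the MD5 only to detect a key corrupted in transit
	return map[string]string{
		"x-amz-server-side-encryption-customer-algorithm": "AES256",
		"x-amz-server-side-encryption-customer-key":       base64.StdEncoding.EncodeToString(key),
		"x-amz-server-side-encryption-customer-key-MD5":   base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// ApplySSEC attaches the headers to a request. Because the raw key is carried in
// the headers, it refuses anything but an https:// endpoint.
func ApplySSEC(req *http.Request, key []byte) error {
	if req.URL.Scheme != "https" {
		return errors.New("SSE-C sends the key in request headers; refusing non-TLS request")
	}
	h, err := SSECHeaders(key)
	if err != nil {
		return err
	}
	for name, value := range h {
		req.Header.Set(name, value)
	}
	return nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; never reuse it
	req, _ := http.NewRequest("PUT", "https://example-bucket.s3.amazonaws.com/report.csv", nil)
	if err := ApplySSEC(req, key); err != nil {
		panic(err)
	}
	for name := range req.Header {
		fmt.Printf("%s: %s\n", name, req.Header.Get(name))
	}
}
```

A GET or HEAD of an SSE-C object that omits these headers, or supplies a different key, fails; S3 never retains the key, so whoever later reads the object must be able to obtain the same 32 bytes. That storage-and-distribution problem is the key management question the rest of the deck addresses.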

Page 8: Server-side encryption in AWS: Amazon EBS

Page 9: Server-side encryption in AWS: Amazon Redshift

Page 10: Client-side encryption in AWS: Amazon S3/EMRFS and DynamoDB Encryption Clients in AWS SDKs

[Diagram] Your encryption client application, running either with your applications in your data center or with your application in EC2, obtains keys from your key management infrastructure (on premises or in EC2), encrypts locally, and sends only encrypted data to select AWS services.

Page 11: AWS Key Management Service

Managed service simplifies creation, control, rotation, and use of encryption keys in your applications

Integrated with AWS server-side encryption
• Amazon S3, EBS, RDS, Redshift, WorkMail, and Elastic Transcoder

Integrated with client-side encryption
• AWS SDKs, S3 Encryption Client, DynamoDB Encryption Client

Integrated with AWS CloudTrail to provide auditable logs for regulatory and compliance activities

Available in all commercial regions except China

Page 12: AWS Key Management Service: Integrated with the AWS IAM Console

Page 13: How AWS Services Integrate with AWS Key Management Service

Two-tiered key hierarchy using envelope encryption

• A unique data key encrypts customer data

• AWS KMS master keys encrypt the data keys

Benefits:

• Limits the risk from a compromised data key

• Better performance for encrypting large data

• Easier to manage a small number of master keys than millions of data keys

• Centralized access control and audit of key activity

[Diagram] Customer master key(s) held in AWS KMS protect Data Key 1 (S3 object), Data Key 2 (EBS volume), Data Key 3 (Amazon Redshift cluster) and Data Key 4 (custom application).

Page 14: AWS Key Management Service: How Keys are Used to Protect Your Data

[Diagram] Your application or an AWS service on one side, AWS Key Management Service holding the master key(s) in the customer's account on the other; the exchange yields a data key, an encrypted data key, and encrypted data.

1. The application requests an encryption key to use to encrypt data, passing a reference to a master key in the account.

2. The client request is authenticated and authorized based on the master key's permissions.

3. A new data encryption key is created, and a copy of it is encrypted under the master key.

4. The plaintext and the encrypted data key are returned to the client.

5. The plaintext data key is used to encrypt the data and then deleted.

6. The encrypted data key is stored alongside the encrypted data and sent back to AWS KMS when decryption is needed.

Page 15: AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption

create-volume [--dry-run | --no-dry-run] [--size <value>] [--snapshot-id

<value>] --availability-zone <value> [--volume-type <value>] [--iops <value>]

[--encrypted | --no-encrypted] [--kms-key-id <value>] [--cli-input-json <value>]

[--generate-cli-skeleton]

Console

CLI/SDK

AWS Key Management ServiceInterfaces to Select Keys in AWS Services

Page 16: AWS Key Management Service: You control how and when your keys can be used and by whom

Sample permissions on a key:

• Managed only by this group of users

• Used for encryption and decryption by this group of users and applications

• Used by application A to encrypt data, but by application B to decrypt data

• Used to decrypt data only if the application also supplies additional parameters unique to the data (an encryption context)

Fully integrated with AWS Identity and Access Management
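Steps 1 to 6 on page 14 and the sample permissions on this page, worked through as an added example in Go. This is not code from the webinar or from the AWS SDK: ToyKMS is a stand-in for KMS written for this illustration, the key id, principal names and policy map are assumptions, and the encryption context is modelled as a single string in the shape the CloudTrail sample on page 17 shows. Application A may only generate data keys, application B may only decrypt, and a decrypt that presents a different context fails authentication even for a permitted caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Policy maps a principal to the KMS operations it may perform on the key.
type Policy map[string]map[string]bool

// WrappedKey is the encrypted data key the client stores (step 6); KeyID names the master key.
type WrappedKey struct {
	KeyID string
	Blob  []byte // nonce || AES-GCM ciphertext of the data key
}

// ToyKMS stands in for AWS KMS with one master key (illustrative, not the real service).
type ToyKMS struct {
	keyID     string
	masterKey []byte // never leaves ToyKMS
	policy    Policy // checked on every call (step 2)
}

// NewToyKMS creates a master key under a hypothetical id with the given policy.
func NewToyKMS(keyID string, p Policy) *ToyKMS { return &ToyKMS{keyID, randBytes(32), p} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD { // keys are always 32 bytes here
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal/open are AES-256-GCM with the context as additional authenticated data.
func seal(key, plaintext []byte, context string) []byte {
	g := gcmFor(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(context))
}

func open(key, blob []byte, context string) ([]byte, error) {
	g := gcmFor(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], []byte(context))
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// GenerateDataKey (steps 1-4): policy check, then a fresh data key in plaintext and wrapped.
func (k *ToyKMS) GenerateDataKey(principal, keyID, context string) ([]byte, WrappedKey, error) {
	if keyID != k.keyID || !k.policy[principal]["GenerateDataKey"] {
		return nil, WrappedKey{}, fmt.Errorf("%s may not call GenerateDataKey on %q", principal, keyID)
	}
	dk := randBytes(32)
	return dk, WrappedKey{keyID, seal(k.masterKey, dk, context)}, nil
}

// Decrypt unwraps a data key; it fails on a policy miss or a context mismatch.
func (k *ToyKMS) Decrypt(principal string, w WrappedKey, context string) ([]byte, error) {
	if w.KeyID != k.keyID || !k.policy[principal]["Decrypt"] {
		return nil, fmt.Errorf("%s may not call Decrypt on %q", principal, w.KeyID)
	}
	return open(k.masterKey, w.Blob, context)
}

// Seal is the client side: get a data key, encrypt locally, wipe the plaintext key (step 5).
func Seal(kms *ToyKMS, principal, keyID, context string, plaintext []byte) (WrappedKey, []byte, error) {
	dk, wrapped, err := kms.GenerateDataKey(principal, keyID, context)
	if err != nil {
		return WrappedKey{}, nil, err
	}
	defer zero(dk)
	return wrapped, seal(dk, plaintext, context), nil
}

// Open sends only the wrapped key to KMS, then decrypts the data locally.
func Open(kms *ToyKMS, principal, context string, w WrappedKey, blob []byte) ([]byte, error) {
	dk, err := kms.Decrypt(principal, w, context)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return open(dk, blob, context)
}

func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	// Application A may only generate data keys (encrypt); application B may only decrypt.
	kms := NewToyKMS("key-1", Policy{"app-a": {"GenerateDataKey": true}, "app-b": {"Decrypt": true}})
	w, ct, _ := Seal(kms, "app-a", "key-1", "volumeid-23657", []byte("secret payload"))
	pt, err := Open(kms, "app-b", "volumeid-23657", w, ct)
	fmt.Printf("app-b reads %q (err=%v)\n", pt, err)
}
```

The real service takes the encryption context as a map of string pairs and canonicalises it itself; what carries over is that the context is authenticated rather than secret, and that a caller holding Decrypt permission who presents the wrong context still gets nothing. The master key is only ever used inside ToyKMS, so a compromise of the client exposes at most the data keys it held, which is the "limits the risk from a compromised data key" benefit of page 13.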

Page 17: AWS Key Management Service: Auditability of key usage through AWS CloudTrail

Sample CloudTrail record, annotated:

    "EventName":"DecryptResult",                                     This KMS API was called...
    "EventTime":"2014-08-18T18:13:07Z",                              ...at this time
    "RequestParameters":
      "{\"keyId\":\"2b42x313-1911-4e2a-8321-6b67324025eb\"}",        ...in reference to this key
      "EncryptionContext":"volumeid-23657",                          ...to protect this AWS resource
    "SourceIPAddress":"46.23.143.114",                               ...from this IP address
    "UserIdentity":
      "{\"arn\":\"arn:aws:iam::957787256530:user/User123\"}"         ...by this AWS user in this account
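The annotated record above suggests a straightforward audit: for every data-plane call, compare the caller, the source address and the encryption context against what the key's owner expects. The following is an added example, not code from the webinar. It parses a constructed CloudTrail log file and reports each deviation; the JSON field names are CloudTrail's own, but the records, account id, key id, role names, network ranges and expectations are placeholders chosen for the demonstration. In an actual trail the event name is the API name (Decrypt, GenerateDataKey, ...) and the field names are lower camel case.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Record holds the CloudTrail fields the slide annotates; real records carry many more.
// The JSON names (eventName, sourceIPAddress, userIdentity.arn, requestParameters.keyId,
// requestParameters.encryptionContext) are CloudTrail's own.
type Record struct {
	EventName         string `json:"eventName"`
	EventTime         string `json:"eventTime"`
	SourceIPAddress   string `json:"sourceIPAddress"`
	UserIdentity      struct{ ARN string `json:"arn"` } `json:"userIdentity"`
	RequestParameters struct {
		KeyID             string            `json:"keyId"`
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

// KeyExpectation is what a key's owner expects legitimate use to look like.
type KeyExpectation struct {
	Principals map[string]bool // IAM ARNs allowed to use the key
	SourceNets []string        // CIDRs legitimate callers come from
	ContextKey string          // encryption-context name every data-plane call must carry
}

var dataPlane = map[string]bool{"Encrypt": true, "Decrypt": true, "ReEncrypt": true, "GenerateDataKey": true}

func ParseRecords(body string) ([]Record, error) { // body is a CloudTrail log file: {"Records": [...]}
	var file struct{ Records []Record }
	if err := json.Unmarshal([]byte(body), &file); err != nil {
		return nil, err
	}
	return file.Records, nil
}

func inNets(ip string, cidrs []string) bool {
	addr := net.ParseIP(ip)
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

// Audit returns one finding per data-plane call that deviates from its key's expectations;
// management calls (CreateKey, PutKeyPolicy, DescribeKey, ...) are left to a separate review.
func Audit(records []Record, expect map[string]KeyExpectation) []string {
	var findings []string
	for _, r := range records {
		if !dataPlane[r.EventName] {
			continue
		}
		p := r.RequestParameters
		exp := expect[p.KeyID] // an unregistered key has empty expectations and fails every check
		call := fmt.Sprintf("%s %s on %s", r.EventTime, r.EventName, p.KeyID)
		if !exp.Principals[r.UserIdentity.ARN] {
			findings = append(findings, call+" by unexpected principal "+r.UserIdentity.ARN)
		}
		if !inNets(r.SourceIPAddress, exp.SourceNets) {
			findings = append(findings, call+" from unexpected address "+r.SourceIPAddress)
		}
		if _, ok := p.EncryptionContext[exp.ContextKey]; !ok {
			findings = append(findings, call+" without "+exp.ContextKey+" in its encryption context")
		}
	}
	return findings
}

// SampleTrail is a constructed log file; account id and key id are AWS documentation placeholders.
const SampleTrail = `{"Records": [
 {"eventName":"Decrypt","eventTime":"2015-06-16T18:13:07Z","sourceIPAddress":"10.0.1.25",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/ebs-app"},
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-23657"}}},
 {"eventName":"Decrypt","eventTime":"2015-06-16T18:14:02Z","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab","encryptionContext":{"volumeid":"vol-23657"}}},
 {"eventName":"GenerateDataKey","eventTime":"2015-06-16T18:15:40Z","sourceIPAddress":"10.0.1.26",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:role/ebs-app"},
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}},
 {"eventName":"DescribeKey","eventTime":"2015-06-16T18:16:00Z","sourceIPAddress":"203.0.113.9",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/User123"},
  "requestParameters":{"keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}}
]}`

var Expectations = map[string]KeyExpectation{"1234abcd-12ab-34cd-56ef-1234567890ab": { // assumed values
	Principals: map[string]bool{"arn:aws:iam::111122223333:role/ebs-app": true},
	SourceNets: []string{"10.0.0.0/16"},
	ContextKey: "volumeid",
}}

func main() {
	recs, _ := ParseRecords(SampleTrail)
	for _, f := range Audit(recs, Expectations) {
		fmt.Println(f)
	}
}
```

On the sample, the first Decrypt is clean, the second is flagged twice (an interactive user instead of the application role, from an address outside the expected range) and the GenerateDataKey call is flagged for carrying no encryption context, which means whatever it protects can later be decrypted without the per-resource binding the key's policy was meant to enforce. DescribeKey is a management call and is skipped.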

Page 18: AWS Key Management Service: APIs to build your own applications

Example management APIs

• CreateKey, CreateAlias

• DisableKey

• EnableKeyRotation

• PutKeyPolicy

• ListKeys, DescribeKey

Example data APIs

• Encrypt

• Decrypt

• ReEncrypt

• GenerateDataKey

26 APIs and growing

http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html

Page 19: AWS Key Management Service Assurance: Why should you trust AWS with your keys?

• Plaintext keys are never stored in persistent memory on runtime systems

• Separation of duties between systems that use master keys and ones that use data keys

• Multiparty controls for all maintenance of KMS systems that use your master keys

• See the public white papers and the Service Organization Control (SOC 1) compliance package for details

Page 20: Pricing for KMS

$1/key version/month

$0.03 per 10,000 API requests

• 20,000 free requests per month

Page 21: Alternatives to KMS: In order to have more control over the physical security of your keys

AWS CloudHSM

AWS Partner Solutions

Do it yourself

Page 22: AWS CloudHSM

• You receive dedicated access to HSM appliances

• HSMs located in AWS datacenters

• Managed and monitored by AWS

• Only you have access to your keys and operations on the keys

• HSMs are inside your Amazon VPC, isolated from the rest of the network

• Uses SafeNet Luna SA HSM appliances

[Diagram] CloudHSM appliance inside an Amazon Virtual Private Cloud: the AWS administrator manages the appliance; you control the keys and crypto operations.

Page 23: AWS CloudHSM

Available in seven regions worldwide

• US East (N. Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt), and Asia Pacific (Sydney, Tokyo, Singapore)

Compliance

• Included in the AWS PCI DSS and Service Organization Control (SOC) compliance packages

Typical use cases

• Use with Amazon Redshift, RDS for Oracle

• Integrate with third-party software (Oracle, SQL Server, Apache, SafeNet)

• Build your own custom applications

Page 24: Amazon EBS Volume Encryption with CloudHSM and SafeNet Software

SafeNet ProtectV with Virtual KeySecure

[Diagram] SafeNet ProtectV Manager and Virtual KeySecure run in EC2; AWS CloudHSM stores the master key; the SafeNet ProtectV client on your EC2 application instances writes encrypted data to EBS.

ProtectV Client

• Encrypts I/O from EC2 instances to EBS volumes

• Includes preboot authentication

Page 25: Pricing for CloudHSM

An HSM provisioned in any region has a $5,000 one-time charge

Starting at $1.88/hour metered charge after setup
• Hourly rate varies by region

As low as $21,500 in year one; $16,500 in subsequent years

Requests are not billed; throughput is limited only by the device capacity
• Varies depending on algorithm and key size

Page 26: Comparing CloudHSM with AWS KMS

AWS CloudHSM

• Dedicated access to an HSM that complies with government standards (e.g. FIPS 140-2, Common Criteria)

• You control your keys and the application software that uses them

• Supported applications:
  • Your custom software
  • Third-party software
  • Amazon Redshift, RDS for Oracle

• Symmetric or asymmetric encryption

AWS KMS

• Highly available and durable key storage, management, and auditable solution

• Easily encrypt your data across AWS services and within your own applications based on policies you define

• Supported applications:
  • Your custom software (AWS SDK)
  • AWS services (S3, EBS, RDS, Amazon Redshift, WorkMail, Elastic Transcoder)

• Symmetric encryption

Page 27: Partner Solutions in AWS Marketplace

Browse, test, and buy security software

Pay-by-the-hour, monthly, or annual

Software fees added to AWS bill

Bring Your Own License

Page 28: DIY Key Management in AWS: Encrypt data client-side and send ciphertext to AWS storage services

[Diagram] Your encryption client application and your key management infrastructure run either alongside your applications in your data center or with your application in EC2; only encrypted data is sent to AWS services.

Page 29: Comparison of Key Management Options

Criterion                            | AWS Key Management Service         | AWS CloudHSM                        | AWS Marketplace Partner Solutions | DIY
Where keys are generated and stored  | AWS                                | In AWS, on an HSM that you control  | Your network or in AWS            | Your network or in AWS
Where keys are used                  | AWS services or your applications  | AWS or your applications            | Your network or your EC2 instance | Your network or your EC2 instance
How to control key use               | Policy you define; enforced in AWS | Customer code + SafeNet APIs        | Vendor-specific management        | Config files, vendor-specific management
Responsibility for performance/scale | AWS                                | You                                 | You                               | You
Integration with AWS services?       | Yes                                | Limited                             | Limited                           | Limited
Pricing model                        | Per key/usage                      | Per hour                            | Per hour/per year                 | Variable


Page 33: Resources

AWS Key Management Service

• https://aws.amazon.com/kms

Whitepaper on AWS Key Management Service Cryptographic Details

• https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

AWS CloudHSM

• https://aws.amazon.com/cloudhsm/

Whitepaper on data-at-rest encryption and key management in AWS

• https://aws.amazon.com/whitepapers/

Amazon S3 Encryption Client

• http://aws.amazon.com/articles/2850096021478074

AWS Partner Network

• http://www.aws-partner-directory.com/

AWS Security Blog

• http://blogs.aws.amazon.com/security

Page 34: Thank You!

Page 35: AWS Summit – Chicago

An exciting, free cloud conference designed to educate and inform new customers about the AWS platform, best practices and new cloud services.

Details
• July 1, 2015
• Chicago, Illinois
• @ McCormick Place

Featuring
• New product launches
• 36+ sessions, labs, and bootcamps
• Executive and partner networking

Registration is now open
• Come and see what AWS and the cloud can do for you.
• Click here to register: http://amzn.to/1RooPPL