Encryption and Key Management in AWS (SEC304) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

SEC 304: Encryption and Key Management in AWS

Ken Beer, Identity and Access Management
Todd Cignetti, AWS Security
Jason Chan, Netflix

November 15, 2013

Upload: amazon-web-services

Post on 12-Jan-2015


DESCRIPTION

This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate adoption drivers of specific encryption technologies in AWS. Netflix's Jason Chan will provide an overview of how Netflix uses CloudHSM for secure key storage.

TRANSCRIPT


“Key” Questions to Consider

• Where are the keys stored?

• Where are the keys used?

• Who has access to the keys?

Agenda

• AWS encrypts data and manages the keys for you

• You encrypt your data and manage your own keys
– On your own
– With AWS partner solutions
– Using AWS CloudHSM

• Netflix case study using AWS CloudHSM
– Key management based on data classification

Envelope Encryption Primer

[Diagram: plaintext data is encrypted by hardware or software under a symmetric data key, producing encrypted data that goes to storage. The symmetric data key is in turn encrypted under a key-encrypting key, and the encrypted data key is stored with the encrypted data. The key-encrypting key is marked with question marks at the top of the key hierarchy.]

Server-Side Encryption: AWS encrypts data and manages keys for you

Server-Side Encryption

[Diagram: your applications in your data center and your applications in Amazon EC2 send data over HTTPS to AWS storage services with server-side encryption: S3, Glacier, Redshift, RDS for Oracle, and RDS for MS-SQL.]

S3 Server Side Encryption: How AWS Protects Encryption Keys

[Diagram: service hosts with regional master keys; a service host with your plaintext data; a service host with your stored data, holding the encrypted data key next to the encrypted data.]

• AWS service generates unique 256-bit AES data key per object, archive, cluster or database

• Service uses regularly rotated, regional 256-bit AES master keys to encrypt data keys

• Your encrypted data key is stored with your encrypted data

• Strict access controls on AWS employees who can access/manage regional master keys
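The key hierarchy from the envelope primer and from this slide, worked through in Go as an added example (not code from the deck or from AWS): a unique 256-bit data key per object, the data encrypted under it with AES-256-GCM, the data key wrapped under a key-encrypting key (KEK) and stored beside the ciphertext, and master-key rotation done by re-wrapping only the small encrypted data key. Using AES-GCM for the wrap step, the Envelope layout and all function names are this example's own assumptions; the slide does not say which wrap algorithm AWS uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: the encrypted data key sits next to the data
// it protects; only the key-encrypting key (KEK) lives elsewhere.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted under the KEK
	Ciphertext     []byte // nonce || AES-256-GCM ciphertext+tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesSeal encrypts msg under a 256-bit key with a fresh random nonce.
func aesSeal(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// aesOpen reverses aesSeal; the GCM tag check rejects a wrong key or edited bytes.
func aesOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// NewKey returns 32 random bytes, usable as a data key or as a KEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Encrypt: unique data key per object, data encrypted under it, data key
// wrapped under the KEK; the plaintext data key is not kept anywhere.
func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dk, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aesSeal(dk, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := aesSeal(kek, dk)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then decrypts the data with it.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dk, err := aesOpen(kek, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aesOpen(dk, env.Ciphertext)
}

// Rewrap rotates the KEK: only the wrapped data key is re-encrypted and the
// bulk ciphertext is untouched, which is what makes regular rotation cheap.
func Rewrap(oldKEK, newKEK []byte, env Envelope) (Envelope, error) {
	dk, err := aesOpen(oldKEK, env.WrappedDataKey)
	if err != nil {
		return Envelope{}, err
	}
	w, err := aesSeal(newKEK, dk)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: w, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek, _ := NewKey()
	env, _ := Encrypt(kek, []byte("constructed sample object"))
	fmt.Println(Decrypt(kek, env))
}
```

The three "key questions" from the opening slide map directly onto this code: the KEK is the only secret that must be stored and access-controlled, it is only ever used to wrap or unwrap 32-byte data keys, and whoever can call Decrypt with it can read every object it protects.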

Client-Side Encryption: You encrypt your data and manage your own keys

Client-Side Encryption Overview

[Diagram: your encryption client application runs inside your applications in your data center and inside your application in Amazon EC2; your key management infrastructure sits in your data center or in EC2; the output is your encrypted data in AWS services.]

Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs

[Diagram: the same layout as the overview, with the AWS SDK's S3 Encryption Client as the encryption client application in your data center and in Amazon EC2, your key management infrastructure in your data center or in EC2, and your encrypted data in Amazon S3.]

Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs

• Client creates dynamic 256-bit data key

• You supply the key-encrypting key
– Symmetric or asymmetric (public portion)

• Uses JCE (can optionally configure crypto provider)

• Encrypted data key stored with encrypted data in S3 as object metadata or instruction file

• Available in Java, Ruby and .NET AWS SDKs
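The "asymmetric (public portion)" option and the instruction-file way of storing the encrypted data key, as an added Go example that is not the SDK's code: an upload-side client holding only the RSA public key wraps each object's data key with RSA-OAEP and emits a JSON sidecar record, and only a client holding the private key can recover the data key. The record's field names, the kek_id materials description and the two client types are assumptions made for this example, not the S3 Encryption Client's own metadata format. Bulk encryption of the object under the data key is the same symmetric step as in the envelope primer and is left out here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Instruction is a constructed sidecar record in the spirit of an instruction
// file: everything a decrypting client needs except the key-encrypting key.
// Field names are illustrative, not the SDK's own.
type Instruction struct {
	WrappedDataKey string            `json:"wrapped_data_key"` // base64 RSA-OAEP(data key)
	WrapAlgorithm  string            `json:"wrap_algorithm"`
	MaterialsDesc  map[string]string `json:"materials_description"`
}

// EncryptOnlyClient holds only the public portion of the KEK, so the upload
// path never has anything that could recover a data key.
type EncryptOnlyClient struct{ Pub *rsa.PublicKey }

// DecryptingClient holds the private portion and belongs in the key
// management infrastructure, not on every uploading host.
type DecryptingClient struct{ Priv *rsa.PrivateKey }

// NewDataKey returns a fresh 256-bit AES data key for one object.
func NewDataKey() ([]byte, error) {
	dk := make([]byte, 32)
	_, err := rand.Read(dk)
	return dk, err
}

// WrapKey produces the instruction record for one object's data key.
func (c EncryptOnlyClient) WrapKey(dataKey []byte, keyID string) ([]byte, error) {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Instruction{
		WrappedDataKey: base64.StdEncoding.EncodeToString(w),
		WrapAlgorithm:  "RSA-OAEP-SHA256",
		MaterialsDesc:  map[string]string{"kek_id": keyID},
	})
}

// UnwrapKey checks that the record names a KEK and algorithm this client
// expects, then recovers the data key with the private key.
func (c DecryptingClient) UnwrapKey(record []byte, keyID string) ([]byte, error) {
	var ins Instruction
	if err := json.Unmarshal(record, &ins); err != nil {
		return nil, err
	}
	if ins.MaterialsDesc["kek_id"] != keyID || ins.WrapAlgorithm != "RSA-OAEP-SHA256" {
		return nil, errors.New("instruction record does not match this KEK")
	}
	w, err := base64.StdEncoding.DecodeString(ins.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Priv, w, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo KEK pair
	dk, _ := NewDataKey()
	rec, _ := EncryptOnlyClient{Pub: &priv.PublicKey}.WrapKey(dk, "kek-2013-11")
	fmt.Println(string(rec))
}
```

The materials description is what lets a decrypting client pick the right private key when the KEK has been rotated: old records still name the old kek_id, so both generations can coexist during a migration.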

What About Key Management Infrastructure?

[Diagram: the client-side layout again, with your encryption client application in your data center and in Amazon EC2 and your encrypted data in AWS services; the element singled out is your key management infrastructure, in your data center or in EC2.]

Key Management Infrastructure

• Secure the usage of keys

• Secure the storage of keys

Client-Side Encryption: Using an AWS partner solution

Solutions for EC2, EBS, S3, RDS, and EMR

Client-Side Encryption: You encrypt your data and manage your own keys in AWS CloudHSM

HSM – Hardware Security Module

• Hardware device for crypto operations and key storage

• Provides strong protection of private keys
– Physical device control does not grant access to the keys
– Security officer controls access to the keys
– Appliance administrator has no access to the keys

• Certified by third parties to comply with security standards

AWS CloudHSM

• You receive dedicated access to HSM appliances

• HSMs are located in AWS data centers

• Managed & monitored by AWS

• You control the keys

• HSMs are inside your VPC – isolated from the rest of the network

• Uses SafeNet Luna SA HSM appliances

[Diagram: the CloudHSM appliance sits inside your Virtual Private Cloud; the AWS administrator manages the appliance, you control the keys and crypto operations.]

AWS CloudHSM: What’s New

• Available in four regions worldwide
– US East (N. Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney)

• Easy to get started
– AWS CloudFormation template
– Application notes to help integrate with third-party software

• PCI DSS compliance
– CloudHSM added to AWS 2013 PCI DSS compliance package

Database Encryption

• Customer-managed databases in EC2
– Oracle Database 11g TDE (Transparent Data Encryption)
– Microsoft SQL Server 2008 and 2012 TDE
– Master key in CloudHSM

[Diagram: your applications in EC2 use your database with TDE in EC2; the master key is created in the CloudHSM and never leaves it.]

EBS Volume Encryption

• SafeNet ProtectV with Virtual KeySecure

• CloudHSM stores the master key

[Diagram: SafeNet ProtectV Manager and Virtual KeySecure in EC2; the SafeNet ProtectV Client on your applications in EC2 writes your encrypted data to Amazon EBS; CloudHSM holds the master key.]

ProtectV Client

• Encrypts I/O from EC2 instances to EBS volumes

• Includes pre-boot authentication

S3 Encryption

Encryption of S3 objects using master keys in CloudHSM

[Diagram: SafeNet ProtectApp with the AWS S3 Encryption Client on your applications in EC2; SafeNet Virtual KeySecure in EC2; CloudHSM holds the master keys; your encrypted data is stored in an S3 bucket.]

Amazon Redshift Encryption

• Cluster master key in on-premises SafeNet HSM or CloudHSM

• No special client software required

[Diagram: your applications in EC2 use a Redshift cluster; your encrypted data lives in Redshift; CloudHSM holds the cluster master key.]

CloudHSM: Custom Software Applications

An architectural building block to help you secure your own applications

• Use standard libraries, with back-end HSM rather than software-based crypto
– PKCS#11, JCA/JCE, Microsoft CAPI/CNG

• Code examples and details in the CloudHSM Getting Started Guide make it easier to get started (aws.amazon.com/cloudhsm)

Customer Stories

Entersekt: Securing Financial Transactions

• Custom application using CloudHSM
– Authenticate financial transactions using a mobile device
– Based on digital certificates (PKI)
– Stores private signing keys in CloudHSM appliances
– Private keys used for cert-based auth. (vs. SMS or passwords)
– CloudHSM generates random numbers (instead of mobile device RNG)

• Migrated application infrastructure to AWS while enhancing security

Netflix Key Management with CloudHSM

Jason Chan, Engineering Director, Cloud Security

[Image slide: two pictures, captioned only "vs."]

• No injuries playing paintball
– But, you’ll lose

• Bomb technicians don’t wear paintball suits
– Even if they are easier to work in

Netflix Key Management

Lots of use cases for keying material

• Password reset tokens

• Data encryption

• DRM

• Hash/verify

How do we handle key management?

• It depends – Paintballs or pipe bombs?

• What are the throughput requirements?

• What happens if we lose a key?
– Inconvenient or catastrophic

Key Management: Sensitivity Levels

• Low: Key is provided to end instance
– High throughput, resistant to backend outages

• Medium: Key lives on crypto proxy/scale-out layer
– Each crypto operation is a REST call

• High: Key lives in AWS CloudHSM
– Crypto proxy layer implements call on behalf of originating client
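The medium tier, where the key lives on a crypto proxy and every operation is a REST call, as an added Go example (not Netflix's proxy or its protocol): a small HTTP proxy holds HMAC keys by ID and exposes sign and verify endpoints, and a client gets a tag or a verdict back but never the key bytes. The request and response shapes, the key IDs and the choice of HMAC-SHA256 (one of the "hash/verify" uses listed above) are this example's assumptions; the proxy runs on a local test listener so the whole exchange works offline.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cryptoRequest is the constructed wire format between client and proxy.
type cryptoRequest struct {
	KeyID   string `json:"key_id"`
	Message []byte `json:"message"` // encoding/json base64-encodes []byte
	Tag     []byte `json:"tag,omitempty"`
}

type cryptoResponse struct {
	Tag   []byte `json:"tag,omitempty"`
	Valid bool   `json:"valid"`
}

// Proxy holds the medium-sensitivity keys; callers only ever see key IDs.
type Proxy struct{ keys map[string][]byte }

func (p *Proxy) handle(w http.ResponseWriter, r *http.Request) {
	var req cryptoRequest
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	key, ok := p.keys[req.KeyID]
	if !ok {
		http.Error(w, "unknown key", http.StatusNotFound)
		return
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(req.Message)
	tag := mac.Sum(nil)
	var resp cryptoResponse
	switch r.URL.Path {
	case "/sign":
		resp.Tag = tag
	case "/verify":
		resp.Valid = hmac.Equal(tag, req.Tag) // constant-time compare, done proxy-side
	default:
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(resp)
}

// StartProxy serves both operations on a local test listener.
func StartProxy(keys map[string][]byte) *httptest.Server {
	p := &Proxy{keys: keys}
	mux := http.NewServeMux()
	mux.HandleFunc("/sign", p.handle)
	mux.HandleFunc("/verify", p.handle)
	return httptest.NewServer(mux)
}

// call is the client side: one REST round trip per crypto operation.
func call(baseURL, op string, req cryptoRequest) (cryptoResponse, error) {
	body, _ := json.Marshal(req)
	resp, err := http.Post(baseURL+"/"+op, "application/json", bytes.NewReader(body))
	if err != nil {
		return cryptoResponse{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return cryptoResponse{}, fmt.Errorf("proxy returned %s", resp.Status)
	}
	var out cryptoResponse
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// RemoteSign asks the proxy for an HMAC tag; the key never leaves the proxy.
func RemoteSign(baseURL, keyID string, msg []byte) ([]byte, error) {
	out, err := call(baseURL, "sign", cryptoRequest{KeyID: keyID, Message: msg})
	return out.Tag, err
}

// RemoteVerify asks the proxy to check a tag against a message.
func RemoteVerify(baseURL, keyID string, msg, tag []byte) (bool, error) {
	out, err := call(baseURL, "verify", cryptoRequest{KeyID: keyID, Message: msg, Tag: tag})
	return out.Valid, err
}

func main() {
	srv := StartProxy(map[string][]byte{"reset-token": []byte("constructed-demo-key")})
	defer srv.Close()
	tag, err := RemoteSign(srv.URL, "reset-token", []byte("user=42"))
	ok, _ := RemoteVerify(srv.URL, "reset-token", []byte("user=42"), tag)
	fmt.Println(len(tag), ok, err)
}
```

Both tradeoffs the slide names are visible here: a compromised caller can ask for tags but cannot walk away with the key, and every operation costs a network round trip and fails when the proxy is unreachable, which is why the low tier hands the key to the instance instead. The high tier keeps the same client interface and has the proxy forward the operation to the HSM.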

Why Netflix needs strong security: CloudHSM Use Cases

• Proxy layer key database encryption/decryption
– HSM-based key to handle database of low and medium sensitivity keys

• Hardware root of trust for internal CA

• Device activation
– The process of binding devices (NRDs) to accounts

• Currently analyzing use cases for PCI in the cloud

Goals

• Remove data center dependencies and complexity

• Increase reliability

• Increase performance

Approach

• HSMs per region/environment

• Updated our crypto client and proxy (migrated from SafeNet DataSecure in the data center to Luna in the cloud)

• Migrated keys

• Decommissioned data center configuration

Results

• Using AWS CloudHSM with HSM appliances in US-East, US-West, and EU-West

• Lower latency and high security

• Eliminate on-premises data center-based HSM/KM

• Saves money – 33% savings over original projections

[Diagram: inside an AWS Virtual Private Cloud, an application with the HSM client on a VPC instance talks to CloudHSM over SSL.]

Resources

• Whitepaper on data-at-rest encryption and key management in AWS – https://aws.amazon.com/whitepapers/

• S3 Encryption Client – http://aws.amazon.com/articles/2850096021478074

• AWS CloudHSM – https://aws.amazon.com/cloudhsm/

• AWS Partner Network – http://www.aws-partner-directory.com/

• AWS Security Blog – http://blogs.aws.amazon.com/security

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

SEC304