Encryption and Key Management in AWS (SEC304) | AWS re:Invent 2013
DESCRIPTION
This session will discuss the options available for encrypting data at rest and key management in AWS. It will focus on two primary scenarios: (1) AWS manages encryption keys on behalf of the customer to provide automated server-side encryption; (2) the customer manages their own encryption keys using partner solutions and/or AWS CloudHSM. Real-world customer examples will be presented to demonstrate the adoption drivers of specific encryption technologies in AWS. Netflix's Jason Chan will provide an overview of how Netflix uses CloudHSM for secure key storage.
TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
SEC 304: Encryption and Key Management in AWS
Ken Beer, Identity and Access Management
Todd Cignetti, AWS Security
Jason Chan, Netflix
November 15, 2013
“Key” Questions to Consider
• Where are the keys stored?
• Where are the keys used?
• Who has access to the keys?
Agenda
• AWS encrypts data and manages the keys for you
• You encrypt your data and manage your own keys
  – On your own
  – With AWS partner solutions
  – Using AWS CloudHSM
• Netflix case study using AWS CloudHSM
  – Key management based on data classification
Envelope Encryption Primer
[Diagram: plaintext data is encrypted (in hardware or software) under a symmetric data key and the encrypted data is written to storage; the symmetric data key is itself encrypted under a key-encrypting key, and the encrypted data key is stored alongside the encrypted data. The key-encrypting key sits above the data keys in the key hierarchy; where it lives and who can use it are the open questions marked "?" on the slide.]
Server-Side Encryption
[Diagram: AWS storage services offering server-side encryption: S3, Glacier, Redshift, RDS for Oracle, RDS for MS-SQL. Your applications, whether in your data center or in Amazon EC2, reach them over HTTPS.]
How AWS Protects Encryption Keys
• AWS service generates a unique 256-bit AES data key per object, archive, cluster or database
• Service uses regularly rotated, regional 256-bit AES master keys to encrypt data keys
• Your encrypted data key is stored with your encrypted data
• Strict access controls on AWS employees who can access/manage regional master keys
[Diagram: service hosts with regional master keys; a service host holding your plaintext data during the operation; a service host with your stored data, where the encrypted data key sits next to the encrypted data.]
Client-Side Encryption Overview
[Diagram: your encryption client application, running either in your data center or in Amazon EC2, uses your key management infrastructure (on premises or in EC2) and writes your encrypted data to AWS services.]
Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs
[Diagram: the same layout, with the AWS SDK's S3 Encryption Client inside your application (in your data center or in Amazon EC2), your key management infrastructure (on premises or in EC2), and your encrypted data in Amazon S3.]
Client-Side Encryption: Amazon S3 Encryption Client with AWS SDKs
• Client creates a dynamic 256-bit data key
• You supply the key-encrypting key
  – Symmetric or asymmetric (public portion)
• Uses JCE (can optionally configure crypto provider)
• Encrypted data key stored with encrypted data in S3 as object metadata or instruction file
• Available in the Java, Ruby and .NET AWS SDKs
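The envelope-encryption flow from the primer and the S3 Encryption Client bullets above, as an added Go example; this is not code from the talk or from the AWS SDKs. It generates a unique 256-bit data key per object, encrypts the object under it, wraps the data key under a symmetric key-encrypting key (KEK) and stores the wrapped key beside the ciphertext, then shows master-key rotation by re-wrapping only the data key. The EncryptedObject field names, the KEK identifiers and the sample record are assumptions; AES-GCM is used here for both the data and the key wrap, whereas the SDK's actual wrapping modes, its asymmetric-KEK option and its metadata names differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedObject is what reaches storage. WrappedDataKey and KEKID travel
// with the ciphertext (the S3 client puts them in object metadata or an
// instruction file; the field names here are illustrative).
type EncryptedObject struct {
	Ciphertext     []byte
	WrappedDataKey []byte
	KEKID          string
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a wrong aad or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// wrapDataKey encrypts dataKey under the key-encrypting key (KEK). kekID is
// bound in as AAD so a wrapped key cannot be re-labelled as another KEK's.
func wrapDataKey(obj *EncryptedObject, kek []byte, kekID string, dataKey []byte) error {
	wrapped, err := seal(kek, dataKey, []byte(kekID))
	if err != nil {
		return err
	}
	obj.WrappedDataKey, obj.KEKID = wrapped, kekID
	return nil
}

// EnvelopeEncrypt: unique 256-bit data key per object, data encrypted under
// it, data key wrapped under the KEK and stored beside the ciphertext. The
// plaintext data key never leaves this function.
func EnvelopeEncrypt(kek []byte, kekID string, plaintext []byte) (*EncryptedObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	obj := &EncryptedObject{Ciphertext: ct}
	if err := wrapDataKey(obj, kek, kekID, dataKey); err != nil {
		return nil, err
	}
	return obj, nil
}

// EnvelopeDecrypt unwraps the data key with the KEK, then opens the data.
// Without the KEK the stored object and its wrapped key are useless.
func EnvelopeDecrypt(kek []byte, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := open(kek, obj.WrappedDataKey, []byte(obj.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dataKey, obj.Ciphertext, nil)
}

// RewrapDataKey is master-key rotation in a key hierarchy: only the wrapped
// data key changes; the bulk ciphertext is neither touched nor re-uploaded.
func RewrapDataKey(oldKEK, newKEK []byte, newKEKID string, obj *EncryptedObject) error {
	dataKey, err := open(oldKEK, obj.WrappedDataKey, []byte(obj.KEKID))
	if err != nil {
		return err
	}
	return wrapDataKey(obj, newKEK, newKEKID, dataKey)
}
```

A caller generates a KEK with crypto/rand (in production it would live in an HSM or be the service's regional master key, never in application memory), calls EnvelopeEncrypt once per object, and stores the three fields together. Rotating the master key, as the server-side slide describes, then becomes a pass over the small wrapped keys with RewrapDataKey rather than a re-encryption of the stored data, and an object's ciphertext can stay immutable in storage across rotations.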
What About Key Management Infrastructure?
[Diagram: your encryption client application in your data center or in Amazon EC2, writing your encrypted data to AWS services; the key management infrastructure it depends on is shown either on premises or in EC2, and the slide asks which you should use.]
HSM – Hardware Security Module
• Hardware device for crypto operations and key storage
• Provides strong protection of private keys
  – Physical device control does not grant access to the keys
  – Security officer controls access to the keys
  – Appliance administrator has no access to the keys
• Certified by third parties to comply with security standards
AWS CloudHSM
• You receive dedicated access to HSM appliances
• HSMs are located in AWS data centers
• Managed & monitored by AWS
• You control the keys
• HSMs are inside your VPC – isolated from the rest of the network
• Uses SafeNet Luna SA HSM appliances
[Diagram: CloudHSM inside your Virtual Private Cloud. The AWS administrator manages the appliance; you control the keys and the crypto operations.]
AWS CloudHSM: What's New
• Available in four regions worldwide
  – US East (N. Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney)
• Easy to get started
  – AWS CloudFormation template
  – Application notes to help integrate with third-party software
• PCI DSS compliance
  – CloudHSM added to the AWS 2013 PCI DSS compliance package
Database Encryption
• Customer-managed databases in EC2
  – Oracle Database 11g TDE (Transparent Data Encryption)
  – Microsoft SQL Server 2008 and 2012 TDE
  – Master key in CloudHSM
[Diagram: your database with TDE in EC2, used by your applications in EC2; the TDE master key is created in the CloudHSM appliance and never leaves it.]
EBS Volume Encryption
• SafeNet ProtectV with Virtual KeySecure
• CloudHSM stores the master key
• ProtectV Client
  – Encrypts I/O from EC2 instances to EBS volumes
  – Includes pre-boot authentication
[Diagram: the SafeNet ProtectV Client on your application instances in EC2, SafeNet ProtectV Manager and Virtual KeySecure in EC2, CloudHSM holding the master key, and your encrypted data in Amazon EBS.]
S3 Encryption
• Encryption of S3 objects using master keys in CloudHSM
[Diagram: SafeNet ProtectApp with the AWS S3 Encryption Client in your applications in EC2, SafeNet Virtual KeySecure in EC2, CloudHSM, and your encrypted data in an S3 bucket.]
Amazon Redshift Encryption
• Cluster master key in an on-premises SafeNet HSM or in CloudHSM
• No special client software required
[Diagram: your applications in EC2 talk to the Redshift cluster; your encrypted data in Redshift; the cluster master key in CloudHSM.]
CloudHSM: Custom Software Applications
An architectural building block to help you secure your own applications
• Use standard libraries, with a back-end HSM rather than software-based crypto
  – PKCS#11, JCA/JCE, Microsoft CAPI/CNG
• Code examples and details in the CloudHSM Getting Started Guide make it easier to get started (aws.amazon.com/cloudhsm)
Entersekt: Securing Financial Transactions
• Custom application using CloudHSM
  – Authenticate financial transactions using a mobile device
  – Based on digital certificates (PKI)
  – Stores private signing keys in CloudHSM appliances
  – Private keys used for cert-based auth. (vs. SMS or passwords)
  – CloudHSM generates random numbers (instead of the mobile device RNG)
• Migrated application infrastructure to AWS while enhancing security
Paintballs vs. Pipe Bombs
• No injuries playing paintball
  – But, you'll lose
• Bomb technicians don't wear paintball suits
  – Even if they are easier to work in
Netflix Key Management
Lots of use cases for keying material
• Password reset tokens
• Data encryption
• DRM
• Hash/verify
How do we handle key management?
• It depends – Paintballs or pipe bombs?
• What are the throughput requirements?
• What happens if we lose a key? – Inconvenient or catastrophic
Key Management: Sensitivity Levels
• Low: Key is provided to the end instance
  – High throughput, resistant to backend outages
• Medium: Key lives on the crypto proxy/scale-out layer
  – Each crypto operation is a REST call
• High: Key lives in AWS CloudHSM
  – Crypto proxy layer implements the call on behalf of the originating client
Why Netflix needs strong security: CloudHSM Use Cases
• Proxy layer key database encryption/decryption
  – HSM-based key to handle the database of low and medium sensitivity keys
• Hardware root of trust for internal CA
• Device activation
  – The process of binding devices (NRDs) to accounts
• Currently analyzing use cases for PCI in the cloud
Goals
• Remove data center dependencies and complexity
• Increase reliability
• Increase performance
Approach
• HSMs per region/environment
• Updated our crypto client and proxy (migrated from SafeNet DataSecure in the data center to Luna in the cloud)
• Migrated keys
• Decommissioned data center configuration
Results
• Using AWS CloudHSM with HSM appliances in US-East, US-West, and EU-West
• Lower latency and high security
• Eliminate on-premises data center-based HSM/KM
• Saves money – 33% savings over original projections
[Diagram: inside an AWS Virtual Private Cloud, an application instance running the HSM client talks to the CloudHSM appliance over SSL.]
Resources
• Whitepaper on data-at-rest encryption and key management in AWS – https://aws.amazon.com/whitepapers/
• S3 Encryption Client – http://aws.amazon.com/articles/2850096021478074
• AWS CloudHSM – https://aws.amazon.com/cloudhsm/
• AWS Partner Network – http://www.aws-partner-directory.com/
• AWS Security Blog – http://blogs.aws.amazon.com/security