Keys and Certificates on AWS Cloud Security for Enterprises

Seattle AWS Architects & Engineers Meetup, August 22, 2016

PROPRIETARY & CONFIDENTIAL

About Me

Ryan Treat, Senior Product [email protected]

Resided in the Seattle area for the past 20 years

10 years of experience with Venafi products

3 years in Product Management

‐ Responsible for Venafi Trust Protection Platform™ features involved with server certificates, certificate authority and hosting platform integrations, and the product's API


Agenda

Keys and Certificates

DevOps and AWS

Venafi Solutions for AWS

Q&A

Fundamentals

Keys and Certificates


Encryption Keys

Enable secure communication between two independent entities, e.g. a server and a client

Asymmetric Keys (key pairs)

‐ One key encrypts data that only the other key can decrypt and vice versa

‐ The private key is not exposed

‐ The public key must be shared


Establishing Trust

How do you know that the public key shared with you belongs to the entity you think it does?

That requires…

‐ You to have control over the other entity; or

‐ You to involve a third party that you already trust to attest to the identity of the other entity

Certificate Authorities (CAs) are the third parties


Certificate Authorities

Differing levels of trust assurance through rigor of validation – domain, organization, and extended (EV)

CAs cannot assure security… that depends upon how well private keys are protected

The public-trust CA business has become marginalized

Certificates are now a commodity thanks to free and subscription options


Digital Certificates

Certificate Signing Requests (CSRs) are the public key signed by the private key plus identifying information

Certificates are the public key signed by the CA’s private key plus identifying information (CN, SANs)

‐ Certificates expire to limit risk; shorter validity periods are less risky because compromised keys are useful for a shorter period of time


Self-Signed Certificates

Obtaining a certificate signed by a CA can take an average of 4.5 hours due to the vetting/approval processes

Self-signed certificates can be obtained in seconds because they are minted without the involvement of a CA, but that also means they won’t be trusted

Untrusted certificates are never accepted by default but clients may make a judgment call and still establish a connection with the entity… blind trust!

There is no external record of issuance… no visibility!


Man-in-the-Middle

When you choose to connect despite not trusting the certificate provided by the remote entity, you don’t know who you are connecting to…

[Diagram: a client that intends to reach www.example.com connects instead to an unverified party (“?”) presenting a certificate for www.example.com, and sends it username/password, credit card number, social security number]


Wildcard Certificates

A certificate that is valid for use with all entities from the same domain (*.example.com)

High flexibility since you don’t need to get a new certificate when you have a new application

High risk since one private key is shared by all entities using the wildcard certificate

Private key compromise puts all applications using the wildcard certificate at risk of data theft and provides opportunity for impersonation


Key Compromise

Someone with a stolen private key and access to network traffic encrypted using that key has access to private data

[Diagram: traffic to www.example.com carrying username/password, credit card number, social security number is read by a party (“?”) holding the stolen private key]

Speed of Business

DevOps and AWS


DevOps

Five Principles of DevOps

1. Iterative

2. Continuous

3. Collaborative

4. Systemic

5. Automated

“a change in IT culture, focusing on rapid IT service delivery”


DevOps Lifecycle

Configuration Management

Infrastructure Automation

Continuous Deployment

Develop → Build → Test → Package → Deploy


Microservices

Complex application architectures

Tasks are broken down into smaller components that are more easily tested with higher confidence

Many inter-service connections to secure


DevOpsSec

“a security-infused practice addressing security concerns across the entire application life cycle”

Develop → Build → Test → Package → Deploy

Keys and certificates are needed before applications can be completely deployed


Conclusions

Organizations need a lot more certificates

Certificates are needed fast, within seconds

Enterprise PKI needs to provide this service to its DevOps customers


Problems Solved, Right?

Frequent application redeployment allows for

‐ Shorter certificate validity → reduced risk from compromised keys

‐ No worries about certificate expiration → reduced risk of service interruption

Unaddressed Challenges

‐ Security policy compliance violations – key size, signature algorithm, self-signing, wildcards, unauthorized CA, etc.

‐ Lack of enterprise visibility – essential if Enterprise PKI is going to allow certificates to be issued without review


Amazon Web Services

AWS Certificate Manager (“ACM”)

Elastic Load Balancing

CloudFront (content delivery)

Elastic Compute Cloud (EC2) Instances (virtual machines)

• Amazon Linux
• Debian
• SUSE
• FreeBSD
• CentOS
• Red Hat Enterprise Linux
• SUSE Linux Enterprise Server
• Ubuntu

• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2


AWS Certificate Store

Identity and Access Management (IAM)

Server certificate repository with CLI-based management

Used by AWS applications including:

‐ Elastic Load Balancing

‐ CloudFront

‐ API Gateway

‐ Elastic Beanstalk

‐ OpsWorks

aws iam list-server-certificates
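As an added example (not from the deck or from Venafi's tooling), the Python below audits a constructed `aws iam list-server-certificates` listing against the policy items named on the “Problems Solved, Right?” slide (key size, signature algorithm, self-signing, wildcards, unauthorized CA) and flags certificates close to expiry, giving the enterprise visibility the slide asks for. The account id, certificate names, parsed certificate attributes and policy thresholds are all assumed sample values.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample in the shape of `aws iam list-server-certificates` output;
# the account id, names, ARNs and dates are made up for this example.
IAM_LISTING = json.dumps({"ServerCertificateMetadataList": [
    {"ServerCertificateName": "shop-wildcard", "Expiration": "2016-09-05T00:00:00Z",
     "Arn": "arn:aws:iam::123456789012:server-certificate/shop-wildcard"},
    {"ServerCertificateName": "api-prod", "Expiration": "2017-08-01T00:00:00Z",
     "Arn": "arn:aws:iam::123456789012:server-certificate/api-prod"},
    {"ServerCertificateName": "legacy-intranet", "Expiration": "2017-02-01T00:00:00Z",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-intranet"},
]})
# Attributes a scanner would parse out of each certificate body (constructed values).
CERT_ATTRS = {
    "shop-wildcard": {"subject": "*.example.com", "sans": ["*.example.com"], "issuer": "*.example.com",
                      "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption"},
    "api-prod": {"subject": "api.example.com", "sans": ["api.example.com"], "issuer": "Corp Issuing CA",
                 "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
    "legacy-intranet": {"subject": "wiki.example.com", "sans": [], "issuer": "Some Public CA",
                        "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption"},
}
# Enterprise policy for the slide's items (key size, signature algorithm, self-signing,
# wildcards, unauthorized CA) plus an expiry warning window; values are assumed.
POLICY = {"min_key_bits": 2048, "allowed_sig_algs": {"sha256WithRSAEncryption", "ecdsa-with-SHA256"},
          "approved_cas": {"Corp Issuing CA", "Amazon"}, "allow_wildcards": False, "expiry_warn_days": 30}
TALK_DATE = datetime(2016, 8, 22, tzinfo=timezone.utc)  # "now" for the scan

def check_certificate(meta, attrs, policy, now):
    """Return the policy violation codes for one IAM server certificate."""
    v = []
    names = [attrs["subject"]] + attrs["sans"]
    if not policy["allow_wildcards"] and any(n.startswith("*.") for n in names):
        v.append("wildcard")
    if attrs["key_bits"] < policy["min_key_bits"]:
        v.append("weak-key")
    if attrs["sig_alg"] not in policy["allowed_sig_algs"]:
        v.append("weak-signature")
    if attrs["issuer"] == attrs["subject"]:  # a certificate that vouches for itself
        v.append("self-signed")
    elif attrs["issuer"] not in policy["approved_cas"]:
        v.append("unapproved-ca")
    expires = datetime.strptime(meta["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires - now <= timedelta(days=policy["expiry_warn_days"]):
        v.append("expiring-soon")
    return v

def audit(listing_json, cert_attrs, policy, now):
    # Map each certificate name in the IAM listing to its violation codes.
    return {m["ServerCertificateName"]: check_certificate(m, cert_attrs[m["ServerCertificateName"]], policy, now)
            for m in json.loads(listing_json)["ServerCertificateMetadataList"]}
```

In practice the certificate attributes would be parsed from the body returned by `aws iam get-server-certificate` for each name; here they are embedded so the audit runs offline.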


Trust Protection Platform

Venafi Solutions for AWS


AWS ELB/CloudFront with ACM

[Diagram: numbered flow 1–5 between the Venafi user, the customer and AWS Certificate Manager; the request carries the Common Name and DNS SANs, and step 3 is DCV (domain control validation)]


AWS ELB/CloudFront with other CA

[Diagram: numbered flow 1–5 between the Venafi user, the customer, the Certificate Authority and IAM]


AWS Elastic Instances

[Diagram components: Elastic Compute Cloud (EC2) Instances, Elastic Load Balancer, Trust Protection Platform, Certificate Authorities, REST API, DevOps Configuration Management, vCert]

Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

© 2016 Venafi Proprietary and Confidential