Community Day 2019 Sponsors
How to implement data encryption at rest in compliance with enterprise requirements
Steffen Mazanek, Louay Mresheh | 09/09/2019
About the speakers
Steffen Mazanek (AWS usergroup Dresden)
Louay Mresheh
• AWS architecture and security
• T-Systems International GmbH / Public Cloud unit
Agenda
• AWS security in general
• Motivation for data protection, encryption requirements and KMS overview
• KMS hands-on / demos
• Managed security and compliance
Security “in” the cloud is not easy
Lax configuration or misconfiguration is the #1 threat
https://aws.amazon.com/compliance/shared-responsibility-model/
Security as a central pillar for good architecture in the “AWS Well-Architected Framework”
Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html
Pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization
Security design principles:
✓ Implement a strong identity foundation
✓ Enable traceability
✓ Apply security at all layers
✓ Automate security best practices
✓ Protect data in transit and at rest
✓ Keep people away from data
✓ Prepare for security events
Security: relevant AWS services (extract)
• Identity and Access Management: IAM, Organizations, MFA token, temporary security credentials, Cognito
• Detective Controls: CloudTrail, Config, CloudWatch, GuardDuty, Security Hub, Trusted Advisor
• Infrastructure Protection: VPC, WAF, Shield, Inspector
• Data Protection: Macie, KMS, Secrets Manager, CloudHSM, Certificate Manager
• Incident Response: IAM, Lambda, Config, CloudWatch
Don't be the company from the news
• Check your snapshots:
  • filter for "public" in the console
  • Better: activate a control; an AWS managed Config rule is available (https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html)
• Use encryption: only unencrypted snapshots can be made publicly available (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html)
https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
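The two snapshot checks from this slide, written out as an offline audit. This is an added example, not code from the deck: it runs over a constructed list of snapshots shaped like the output of the AWS CLI calls named in the docstring, and the snapshot ids and account number are made up.

```python
"""Audit EBS snapshots for the two conditions on the slide: publicly restorable
and unencrypted. Added example, not from the original deck. It runs offline on a
constructed list whose entries combine the fields of `aws ec2 describe-snapshots`
(SnapshotId, Encrypted) with the CreateVolumePermissions list returned by
`aws ec2 describe-snapshot-attribute --attribute createVolumePermission`."""
from typing import Iterable

# Constructed sample data; the ids and the account number are made up.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa0000000000001", "Encrypted": False,
     "CreateVolumePermissions": [{"Group": "all"}]},             # public and unencrypted
    {"SnapshotId": "snap-0aaa0000000000002", "Encrypted": True,
     "CreateVolumePermissions": []},                             # private, encrypted
    {"SnapshotId": "snap-0aaa0000000000003", "Encrypted": False,
     "CreateVolumePermissions": [{"UserId": "111122223333"}]},   # shared with one account
]


def is_public(snapshot: dict) -> bool:
    """Public means the createVolumePermission attribute grants the group 'all'."""
    return any(p.get("Group") == "all"
               for p in snapshot.get("CreateVolumePermissions", []))


def audit_snapshots(snapshots: Iterable[dict]) -> dict:
    """Return snapshot ids per finding.

    'public'      what the managed rule ebs-snapshot-public-restorable-check flags
    'unencrypted' snapshots that could be exposed at all, since only unencrypted
                  snapshots can be made public; encrypting removes the option
    'shared'      cross-account shares, worth a review even when not public
    """
    findings = {"public": [], "unencrypted": [], "shared": []}
    for snap in snapshots:
        perms = snap.get("CreateVolumePermissions", [])
        if is_public(snap):
            findings["public"].append(snap["SnapshotId"])
        if not snap.get("Encrypted", False):
            findings["unencrypted"].append(snap["SnapshotId"])
        if any("UserId" in p for p in perms):
            findings["shared"].append(snap["SnapshotId"])
    return findings


if __name__ == "__main__":
    for finding, ids in audit_snapshots(SAMPLE_SNAPSHOTS).items():
        print(f"{finding:12s}{ids}")
```

Against a live account, `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all` already returns only the public snapshots; the per-snapshot `describe-snapshot-attribute` call is what supplies the permission list the function above reads.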
Why data encryption?
• Compliance, enterprise regulation / policies
• Security best practice
• Protection from hypervisor mistakes, e.g.
  • your disk is accidentally shared with another client
  • a mistake in the disk decommissioning process
• Data confidentiality and integrity
• Control/minimize access to data (keep people away from data)
• Destroy large amounts of data by deleting the key
Concepts/terminology
• Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager)
• Data encryption at rest → focus of this presentation
• Client-side → encrypt before submitting data to AWS, AWS encryption SDK in different programming languages, service clients etc.
• Server-side → AWS encrypts the data after it is received by the service
Enterprise data encryption requirements example
• For the data protection class PUBLIC encryption is not required.
• For the data protection class INTERNAL encryption with an AWS-managed key must be used.
• For the data protection class CONFIDENTIAL encryption with a customer-managed key must be used.
• Keys need to be rotated on a regular basis.
• Management and use of keys according to the least privilege principle.
• A dedicated role group for key admins must be used.
• Multi-factor authentication must be implemented for critical KMS API calls.
• KMS key activities must be logged.
• The deletion of keys must trigger an alarm.
• If an encryption context is used, it must not contain sensitive data.
→ Example implementation/architecture in demo part
CIS recommendations regarding data protection
https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three-tier_Web_Architecture_Benchmark.pdf
Work with multiple CMKs → More fine-grained control
KMS overview and concepts
• Securely store the keys you use to encrypt your data in the cloud and centrally manage these keys
• Envelope encryption / two-tiered key hierarchy
  • KMS encrypts at most 4 KB per call; encrypting bulk data locally with a data key gives better performance
  • A unique data key encrypts the customer data
  • Customer master keys encrypt the data keys
  • Centralized access and better auditability
  • Limits the blast radius of a compromised data key
KMS CLI session
# Ask KMS for a fresh 256-bit data key and keep only the encrypted copy on disk
aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey

# Unwrap the data key (KMS returns the plaintext base64-encoded) and encrypt the file with it.
# openssl -k treats the value as a passphrase and derives the actual AES key from it.
envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext)
openssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k "$envelopeKey"

Keep your encrypted data key in a safe place!

Later (decrypt): unwrap the same data key again and decrypt the file
envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext)
openssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k "$envelopeKey"
https://docs.aws.amazon.com/cli/latest/reference/kms/
KMS overview and concepts
• Regional service
• Integrated with most AWS services, but in different ways
  • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until the disk gets detached
  • S3 -> encrypted data key stored with every object
• AWS managed CMK, one per service, called aws/ebs, aws/rds etc.
• Customer-managed CMK for more granularity and control
  • Incurs costs (per month, per key, per key version)
  • You can bring your own key material in order to keep your own copy of the key
  • Key aliases, key rotation
KMS overview and concepts
• Keys can be shared across accounts
• Critical KMS events can be monitored and automatically remediated when a violation is detected; automation is key!
• AWS-managed Config rules can be used to check encryption settings for DBs, disks and buckets
• KMS comes with a waiting period on key deletion (if you did not bring your own key)
• KMS is relying on shared HSMs (FIPS 140-2 Level 2)
• https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
• Dedicated HSM in your VPC → CloudHSM service (FIPS 140-2 Level 3)
• A custom key store provides more flexibility with CloudHSM but is more complex to manage
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/
Managing access to keys from two sides
• Key policy
  • Define who can manage the key (you can even lock out root)
  • Define who can use the key
  • You can lock yourself out → AWS support case
• IAM
  • You can delegate to IAM
  • Service roles might need access (e.g. Cloud9 needs access to the EBS key)
Key policy statement for key administrators (one element of the key policy's Statement array). The principal is either the dedicated key admin role, as shown, which gives access to that role only, or the account root ("arn:aws:iam::<accountid>:root"), in which case access is controlled via IAM:

{
  "Sid": "Allow access for Key Administrators",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin"
  },
  "Action": [
    "kms:Create*",
    "kms:Describe*",
    "kms:List*",
    "kms:Enable*",
    "kms:Disable*",
    "kms:Get*",
    "kms:Put*",
    "kms:Update*",
    "kms:Revoke*",
    "kms:Delete*",
    "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion"
  ],
  "Resource": "*"
}

https://docs.aws.amazon.com/de_de/kms/latest/developerguide/key-policies.html
Demo 1
Creation of a new S3 bucket → auto-tag with "internal", disclose and encrypt
DPC (Data Protection Class) → Encryption
• confidential → KMS key
• internal → S3-SSE
• public → None
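The rule behind Demo 1 and the requirements slide, as an added example rather than the demo's own code: derive the required S3 default encryption from the bucket's data protection class tag and compare it with what the bucket actually has. The tag key "DPC", the customer-managed key ARN and the account id are assumptions; the input shapes follow what the S3 API returns for bucket tagging and bucket encryption.

```python
"""Demo 1's control as a rule: derive the required S3 encryption from the
bucket's data protection class (DPC) tag and compare it with the bucket's
default encryption. Added example, not the demo's code. Assumed: the tag key
is "DPC", the customer-managed key ARN, and the account id. Input shapes follow
`aws s3api get-bucket-tagging` (TagSet) and the ServerSideEncryptionConfiguration
returned by `aws s3api get-bucket-encryption`."""

# Constructed: the customer-managed CMKs this project may use for CONFIDENTIAL data.
CUSTOMER_MANAGED_KEYS = {
    "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555",
}

# The requirement table from the deck: class -> minimum acceptable SSE algorithm.
REQUIRED = {"public": None, "internal": "AES256", "confidential": "aws:kms"}


def dpc_of(tag_set: list) -> str:
    """Read the DPC tag. An untagged bucket is treated as confidential so that a
    forgotten tag fails closed (strictest class) instead of open."""
    for tag in tag_set:
        if tag.get("Key", "").lower() == "dpc":
            return tag.get("Value", "").lower()
    return "confidential"


def default_sse(sse_config) -> tuple:
    """Return (SSEAlgorithm, KMSMasterKeyID) from a ServerSideEncryptionConfiguration,
    or (None, None) when the bucket has no default encryption rule."""
    for rule in (sse_config or {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if "SSEAlgorithm" in default:
            return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
    return None, None


def evaluate_bucket(tag_set: list, sse_config) -> dict:
    """Return the DPC, whether the bucket complies, and a short reason."""
    dpc = dpc_of(tag_set)
    if dpc not in REQUIRED:
        return {"dpc": dpc, "compliant": False, "reason": "unknown DPC value"}
    algorithm, key_id = default_sse(sse_config)
    if dpc == "public":
        return {"dpc": dpc, "compliant": True, "reason": "no encryption required"}
    if dpc == "internal":
        # SSE-S3 is required; SSE-KMS is stronger and therefore also accepted.
        ok = algorithm in ("AES256", "aws:kms")
        return {"dpc": dpc, "compliant": ok, "reason": f"default SSE is {algorithm}"}
    # confidential: SSE-KMS, and the key must be one of ours, not the AWS-managed aws/s3 key
    ok = algorithm == "aws:kms" and key_id in CUSTOMER_MANAGED_KEYS
    return {"dpc": dpc, "compliant": ok,
            "reason": f"default SSE is {algorithm} with key {key_id}"}


# Constructed inputs for a quick run.
CONFIDENTIAL_TAGS = [{"Key": "DPC", "Value": "confidential"}]
OWN_KMS_KEY = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555"}}]}
SSE_S3_ONLY = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    print(evaluate_bucket(CONFIDENTIAL_TAGS, OWN_KMS_KEY))   # compliant
    print(evaluate_bucket(CONFIDENTIAL_TAGS, SSE_S3_ONLY))   # not compliant: needs a customer-managed key
```

The fail-closed default for untagged buckets is the design choice worth copying: a bucket that escaped the auto-tagging step is reported against the strictest class until someone classifies it.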
Demo 2
Disabling EBS encryption by default triggers a notification and automation to enable it again
Demo 3
Key creation triggers an automated check: the right policies need to be attached and key rotation must be enabled
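What the automated check after key creation can verify, as an added example that is not the demo's own automation: rotation is enabled, administrative actions in the key policy go only to the dedicated key admin role, and critical calls carry an MFA condition. The account id and role names are assumptions; the input shapes follow the KMS rotation-status and key-policy API responses.

```python
"""Demo 3's check as code: after a CMK is created, verify key rotation is on and
that the key policy gives administrative actions only to the dedicated key-admin
role, with MFA required for critical calls. Added example, not the demo's own
automation. The account id and role names are assumptions; the inputs follow
`aws kms get-key-rotation-status` (KeyRotationEnabled) and `aws kms get-key-policy`
(a JSON policy document)."""
import json

ACCOUNT_ID = "123456789012"                                            # assumed
KEY_ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/Project_Key_Admin"   # the dedicated admin role

# Mutating actions from the deck's key-admin statement; a statement granting any
# of them is an administrative statement for this check. The deck also shows the
# account root as an alternative principal (delegating to IAM); if you use that
# variant, move the role check to the IAM side instead of allowing root here.
ADMIN_ACTIONS = {
    "kms:Create*", "kms:Enable*", "kms:Disable*", "kms:Put*", "kms:Update*",
    "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
}
# Critical calls the requirements slide wants behind MFA.
CRITICAL_ACTIONS = {"kms:ScheduleKeyDeletion", "kms:Disable*", "kms:Put*", "kms:Delete*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt: dict) -> list:
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))


def check_key(rotation_enabled: bool, key_policy_json: str) -> list:
    """Return the list of violations for one CMK; an empty list means compliant."""
    violations = []
    if not rotation_enabled:
        violations.append("key rotation is not enabled")

    admin_statements = 0
    for stmt in json.loads(key_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        if not (actions & ADMIN_ACTIONS or "kms:*" in actions):
            continue                        # key-user statements (Encrypt/Decrypt) are out of scope
        admin_statements += 1

        # Requirement: a dedicated role group for key admins.
        for principal in _aws_principals(stmt):
            if principal != KEY_ADMIN_ROLE:
                violations.append(f"{sid}: administrative access granted to {principal}")

        # Requirement: MFA for critical KMS API calls.
        if actions & CRITICAL_ACTIONS or "kms:*" in actions:
            mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                violations.append(f"{sid}: critical actions allowed without an MFA condition")

    if admin_statements == 0:
        violations.append("no statement grants key administration; the key cannot be managed")
    return violations


# Constructed policies for a quick run.
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": KEY_ADMIN_ROLE},
     "Action": ["kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*",
                "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
     "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/Project_App"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
]})
ROOT_ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(check_key(True, COMPLIANT_POLICY))       # []
    print(check_key(False, ROOT_ADMIN_POLICY))     # three violations
```

The condition key aws:MultiFactorAuthPresent is only present for credentials obtained with MFA, so it belongs on the human key-admin statement and not on the key-user statement for application roles, which is why the two are kept apart above.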
Demo 4
Critical KMS events such as key deletion trigger an alarm
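Detection logic for Demo 2 (EBS encryption by default disabled) and Demo 4 (critical KMS events) as one added example, not the demos' own automation. It classifies constructed CloudTrail records, names the API call that would revert each change, and builds the EventBridge pattern that would route such events to an alarm. The account id, key id and role names are made up; remediation is returned as text, not executed.

```python
"""Detection for Demo 2 and Demo 4: find the critical events in CloudTrail
records (EBS encryption-by-default disabled; KMS key scheduled for deletion,
disabled, rotation disabled, policy changed) and name the remediating API call.
Added example, not the demo's automation. The records are constructed in the
shape of CloudTrail `Records` entries; the account id, key id and role names are
made up. Remediation is returned, not executed."""

# (eventSource, eventName) -> (severity, AWS CLI remediation or None for manual review)
CRITICAL_EVENTS = {
    ("ec2.amazonaws.com", "DisableEbsEncryptionByDefault"): ("high", "aws ec2 enable-ebs-encryption-by-default"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"):          ("critical", "aws kms cancel-key-deletion --key-id {keyId}"),
    ("kms.amazonaws.com", "DisableKey"):                   ("high", "aws kms enable-key --key-id {keyId}"),
    ("kms.amazonaws.com", "DisableKeyRotation"):           ("medium", "aws kms enable-key-rotation --key-id {keyId}"),
    ("kms.amazonaws.com", "PutKeyPolicy"):                 ("high", None),   # review the diff, do not blindly revert
}

EVENT_SOURCE_TO_EVENTBRIDGE = {"kms.amazonaws.com": "aws.kms", "ec2.amazonaws.com": "aws.ec2"}


def eventbridge_pattern(event_source: str) -> dict:
    """EventBridge event pattern that matches the critical calls of one service
    as delivered by CloudTrail ("AWS API Call via CloudTrail" detail-type)."""
    names = sorted(name for (src, name) in CRITICAL_EVENTS if src == event_source)
    return {
        "source": [EVENT_SOURCE_TO_EVENTBRIDGE[event_source]],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": [event_source], "eventName": names},
    }


def detect(records: list) -> list:
    """Turn CloudTrail records into alerts; benign calls are skipped, denied
    attempts are kept (succeeded=False) because they still indicate intent."""
    alerts = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in CRITICAL_EVENTS:
            continue
        severity, remediation = CRITICAL_EVENTS[key]
        key_id = (rec.get("requestParameters") or {}).get("keyId")
        alerts.append({
            "eventName": rec["eventName"],
            "severity": severity,
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "keyId": key_id,
            "succeeded": "errorCode" not in rec,
            "remediation": remediation.format(keyId=key_id) if remediation else "manual review",
        })
    return alerts


# Constructed records: one Demo 2 event, one Demo 4 event, one benign call, one denied attempt.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DisableEbsEncryptionByDefault",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Project_Admin/alice"},
     "requestParameters": {}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Project_Key_Admin/bob"},
     "requestParameters": {"keyId": "11111111-2222-3333-4444-555555555555", "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Project_App/i-0abc"},
     "requestParameters": {"keyId": "11111111-2222-3333-4444-555555555555", "keySpec": "AES_256"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"keyId": "11111111-2222-3333-4444-555555555555"},
     "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

PutKeyPolicy is deliberately left at manual review: automatically restoring a previous policy can re-open access that was just revoked on purpose, so the alert should carry the before/after policy for a human to look at rather than a revert.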
Building blocks for security and compliance management
Managed security and compliance by T-Systems
Use of many relevant data sources
Cloud Security and Compliance as a building block for your cloud applications
Ready to use / minimal on-boarding phase
Anomaly detection
Security and compliance automation
Customer-specific compliance rules
Continuous monitoring & near-realtime alerts
Security and compliance assessment
24/7 operations and incident management
T-Systems as AWS partner
• 200+ AWS certifications
• 50+ Professional/Specialty level
• Actively contributing to the AWS community
• Donating to Open Source, e.g. PacBot or VM hardening scripts
• Permanent training program
Well-Architected Partner Program, Direct Connect Partner Program
We are hiring!
Thank you! Questions? More information about our AWS services can be found here.