How to implement data encryption at rest in compliance with - - PowerPoint PPT Presentation

how to implement data encryption at rest in compliance
SMART_READER_LITE
LIVE PREVIEW

How to implement data encryption at rest in compliance with - - PowerPoint PPT Presentation

Oct 28, 2023 645 likes •953 views

How to implement data encryption at rest in compliance with enterprise requirements Steffen Mazanek, Louay Mresheh | 09/09/2019 Community Day 2019 Sponsors About the speakers Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh AWS

slide-1
SLIDE 1

Community Day 2019 Sponsors

How to implement data encryption at rest in compliance with enterprise requirements

Steffen Mazanek, Louay Mresheh | 09/09/2019

slide-2
SLIDE 2

About the speakers

Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh

  • AWS architecture and security
  • T-Systems International GmbH / Public Cloud unit

2

Connect on LinkedIn

slide-3
SLIDE 3

Agenda

  • AWS security in general
  • Motivation for data protection, encryption requirements and KMS overview
  • KMS hands-on / demos
  • Managed security and compliance

3

slide-4
SLIDE 4

4

Security “in” the cloud is not easy Lax or misconfiguration as #1 threat

https://aws.amazon.com/compliance/shared-responsibility-model/

slide-5
SLIDE 5 .

Security Security

Security as a central pillar for good architecture in the “AWS Well-Architected Framework”

Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html

Operational Excellence Reliability Performance Efficiency Cost Optimization

5

✓ Implement a strong identity foundation ✓ Enable traceability ✓ Apply security at all layers ✓ Automate security best practices ✓ Protect data in transit and at rest ✓ Keep people away from data ✓ Prepare for security events

slide-6
SLIDE 6 .

Security: relevant AWS services (extract)

6

Identity and Access Management Detective Controls

Config

Infrastructure Protection Data Protection Incident Response

IAM Organizations MFA token Temporary security credential CloudWatch CloudTrail VPC WAF Shield Inspector Macie KMS IAM GuardDuty Lambda Security Hub Secrets Manager Config CloudWatch Trusted Advisor Cognito CloudHSM Certificate Manager

slide-7
SLIDE 7

Agenda

  • AWS security in general
  • Motivation for data protection, encryption requirements and KMS overview
  • KMS hands-on / demos
  • Managed security and compliance

7

slide-8
SLIDE 8

Don‘t be the company from the news

8

  • Check your snapshots:
  • filter for public in console
  • Better: activate a control, AWS managed config rule is available

(https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html)

  • Use encryption, only unencrypted snapshots can be made publicly available

(https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html)

https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/

slide-9
SLIDE 9

Why data encryption?

  • Compliance, enterprise regulation / policies
  • Security best practice
  • Protection from hypervisor mistakes, e.g.
  • your disk is accidentally shared with another client
  • mistake in disk decommissioning process
  • Data confidentiality and integrity
  • Control/minimize access to data (keep people away from data)
  • Destroy large amounts of data by deleting the key

9

slide-10
SLIDE 10

Concepts/terminology

  • Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager)
  • Data encryption at rest → focus of this presentation
  • Client-side → encrypt before submitting data to AWS, AWS encryption SDK in

different programming languages, service clients etc.

  • Server-side → AWS encrypts the data after it is received by the service

10

slide-11
SLIDE 11

Enterprise data encryption requirements example

  • For the data protection class PUBLIC encryption is not required.
  • For the data protection class INTERNAL encryption with AWS-managed key must be used.
  • For the data protection class CONFIDENTIAL encryption with customer-managed key must be used.
  • Keys need to be rotated on regular basis.
  • Management and use of keys according to least privileges principal.
  • A dedicated role group for key admins must be used.
  • Multi-factor authentication must be implemented for critical KMS API calls.
  • KMS key activities must be logged.
  • The deletion of keys must be alarmed.
  • If encryption context is used, no sensitive data must be used for encryption context.

→ Example implementation/architecture in demo part

11

slide-12
SLIDE 12

CIS recommendations regarding data protection

https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three- tier_Web_Architecture_Benchmark.pdf Work with multiple CMKs → More fine-grained control

12

slide-13
SLIDE 13

KMS overview and concepts

  • securely store the keys you use to encrypt your data in

the cloud and centrally manage these keys

  • Envelope encryption / two-tiered key hierarchy
  • 4KB limit, better performance
  • Unique data key encrypts customer data
  • Customer master keys encrypt data keys
  • Centralized access and better auditability
  • Limits blast radius (compromised data key)

13

slide-14
SLIDE 14

KMS CLI session

aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext)

  • penssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k $envelopeKey

Keep your encrypted data key at a safe place!! Later:

envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext)

  • penssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k $envelopeKey

https://docs.aws.amazon.com/cli/latest/reference/kms/

slide-15
SLIDE 15

KMS overview and concepts

  • Regional service
  • Integrated with most AWS services, but in different ways
  • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until disk gets

detached

  • S3 -> encrypted data key stored with every object
  • AWS managed CMK, one per service called aws/ebs, aws/rds etc.
  • Customer-managed CMK for more granularity and control
  • Cause costs (per month, per key, per version)
  • you can bring your own crypto material in order to keep your own copy of the key
  • Key aliases, key rotation

15

slide-16
SLIDE 16

KMS overview and concepts

  • Keys can be shared across accounts
  • Critical KMS events can be monitered and automatically remediated in case of any

violation detected, automation is key!

  • AWS-managed config rules can be used to check encryption settings for DBs, disks

and buckets

  • KMS comes with a waiting period on key deletion (if you did not bring your own key)
  • KMS is relying on shared HSMs (FIPS 140-2 Level 2)
  • https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

16

slide-17
SLIDE 17

https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/

  • Dedicated HSM in VPC →

CloudHSM service (FIPS 140-2 L 3)

  • Custom key store provides more

flexibility with CloudHSM but is more complex to manage

slide-18
SLIDE 18

Managing access to keys from two sides

  • Key policy
  • Define who can manage the key (you can even lock out root)
  • Define who can use the key
  • You can lock yourself out → AWS support case
  • You can delegate to IAM
  • Service roles might need access (e.g. Cloud9 needs access to EBS key)
  • IAM

18

slide-19
SLIDE 19

{ "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin“ → give give access ss to to key key admin admin role role OR OR "AWS": "arn:aws:iam::<accounted>:root“ → access ss is control trolled led via IAM }, "Action": [ "kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" },

https://docs.aws.amazon.com/de_de/kms/latest/developer guide/key-policies.html

slide-20
SLIDE 20

Agenda

  • AWS security in general
  • Motivation for data protection, encryption requirements and KMS overview
  • KMS hands-on / demos
  • Managed security and compliance

20

slide-21
SLIDE 21

Demo 1

Creation of a new S3 bucket → auto-tag with internal, disclose and encrypt

21

DPC (Data Protection Class) Encryption confidential KMS key internal S3-SSE public None

slide-22
SLIDE 22

Demo 2

Disabling EBS encryption by default triggers a notification and automation to enable it again

22

slide-23
SLIDE 23

Demo 3

23

Key creation triggers an automated check, right policies need to be attached and key rotation being enabled

slide-24
SLIDE 24

Demo 4

24

Critical KMS events such as key deletion trigger an alarm

slide-25
SLIDE 25

Agenda

  • AWS security in general
  • Motivation for data protection, encryption requirements and KMS overview
  • KMS hands-on / demos
  • Managed security and compliance

25

slide-26
SLIDE 26 .

Building blocks for security and compliance management

slide-27
SLIDE 27 .

Managed security and compliance by T-Systems

Use of many relevant data sources

Cloud Security and Compliance as a building block for your cloud applications

Ready to use / minimal on-boarding phase Anomaly detection Security and compliance automation Customer-specific compliance rules Continuous monitoring & near-realtime alerts Security and compliance assessment 24/7 operations and incident management

slide-28
SLIDE 28 .
  • 200+ AWS certifications
  • 50+ Prof./Specialty Level
  • Actively contributing to the

AWS community

  • Donating to Open Source, e.g.

PacBot or VM hardening scripts

  • Permanent training program

T-Systems as AWS partner

Well-architected Partner Program Direct Connect Partner Program

We are hiring!

slide-29
SLIDE 29

Thank you! Questions?

More Information about our AWS services you find here