SlideShare a Scribd company logo

How to implement data encryption at rest in compliance with enterprise requirements

Steffen Mazanek, profile picture
Steffen Mazanek

The document discusses implementing data encryption at rest to comply with enterprise requirements and ensure security on AWS, presented by Steffen Mazanek and Louay Mresheh. It covers various aspects of AWS security, including key management, encryption methods, compliance needs for data protection classes, and best practices for securing sensitive information. The agenda includes a hands-on demonstration of KMS (Key Management Service) functionalities and emphasizes the importance of a structured security framework in cloud environments.

Technology
Related topics:
Data Protection Practices
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Community Day 2019 Sponsors How to implement data encryption at rest in compliance with enterprise requirements Steffen Mazanek, Louay Mresheh | 09/09/2019
About the speakers Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh • AWS architecture and security • T-Systems International GmbH / Public Cloud unit 2 Connect on LinkedIn
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 3
4 Security “in” the cloud is not easy Lax or misconfiguration as #1 threat https://aws.amazon.com/compliance/shared-responsibility-model/
. SecuritySecurity Security as a central pillar for good architecture in the “AWS Well-Architected Framework” Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html Operational Excellence Reliability Performance Efficiency Cost Optimization 5 ✓ Implement a strong identity foundation ✓ Enable traceability ✓ Apply security at all layers ✓ Automate security best practices ✓ Protect data in transit and at rest ✓ Keep people away from data ✓ Prepare for security events
. Security: relevant AWS services (extract) 6 Identity and Access Management Detective Controls Config Infrastructure Protection Data Protection Incident Response IAM Organizations MFA tokenTemporary security credential CloudWatch CloudTrail VPC WAFShield Inspector Macie KMS IAM GuardDuty Lambda Security Hub Secrets Manager Config CloudWatch Trusted Advisor Cognito CloudHSM Certificate Manager
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 7
Don‘t be the company from the news 8 • Check your snapshots: • filter for public in console • Better: activate a control, AWS managed config rule is available (https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html) • Use encryption, only unencrypted snapshots can be made publicly available (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
Why data encryption? • Compliance, enterprise regulation / policies • Security best practice • Protection from hypervisor mistakes, e.g. • your disk is accidentally shared with another client • mistake in disk decommissioning process • Data confidentiality and integrity • Control/minimize access to data (keep people away from data) • Destroy large amounts of data by deleting the key 9
Concepts/terminology • Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager) • Data encryption at rest → focus of this presentation • Client-side → encrypt before submitting data to AWS, AWS encryption SDK in different programming languages, service clients etc. • Server-side → AWS encrypts the data after it is received by the service 10
Enterprise data encryption requirements example • For the data protection class PUBLIC encryption is not required. • For the data protection class INTERNAL encryption with AWS-managed key must be used. • For the data protection class CONFIDENTIAL encryption with customer-managed key must be used. • Keys need to be rotated on regular basis. • Management and use of keys according to least privileges principal. • A dedicated role group for key admins must be used. • Multi-factor authentication must be implemented for critical KMS API calls. • KMS key activities must be logged. • The deletion of keys must be alarmed. • If encryption context is used, no sensitive data must be used for encryption context. → Example implementation/architecture in demo part 11
CIS recommendations regarding data protection https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three- tier_Web_Architecture_Benchmark.pdf Work with multiple CMKs → More fine-grained control 12…
KMS overview and concepts • securely store the keys you use to encrypt your data in the cloud and centrally manage these keys • Envelope encryption / two-tiered key hierarchy • 4KB limit, better performance • Unique data key encrypts customer data • Customer master keys encrypt data keys • Centralized access and better auditability • Limits blast radius (compromised data key) 13
KMS CLI session aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k $envelopeKey Keep your encrypted data key at a safe place!! Later: envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k $envelopeKey https://docs.aws.amazon.com/cli/latest/reference/kms/
KMS overview and concepts • Regional service • Integrated with most AWS services, but in different ways • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until disk gets detached • S3 -> encrypted data key stored with every object • AWS managed CMK, one per service called aws/ebs, aws/rds etc. • Customer-managed CMK for more granularity and control • Cause costs (per month, per key, per version) • you can bring your own crypto material in order to keep your own copy of the key • Key aliases, key rotation 15
KMS overview and concepts • Keys can be shared across accounts • Critical KMS events can be monitered and automatically remediated in case of any violation detected, automation is key! • AWS-managed config rules can be used to check encryption settings for DBs, disks and buckets • KMS comes with a waiting period on key deletion (if you did not bring your own key) • KMS is relying on shared HSMs (FIPS 140-2 Level 2) • https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf 16
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/ • Dedicated HSM in VPC → CloudHSM service (FIPS 140-2 L 3) • Custom key store provides more flexibility with CloudHSM but is more complex to manage
Managing access to keys from two sides • Key policy • Define who can manage the key (you can even lock out root) • Define who can use the key • You can lock yourself out → AWS support case • You can delegate to IAM • Service roles might need access (e.g. Cloud9 needs access to EBS key) • IAM 18
{ "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin“ → give access to key admin role OR "AWS": "arn:aws:iam::<accounted>:root“ → access is controlled via IAM }, "Action": [ "kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, https://docs.aws.amazon.com/de_de/kms/latest/developer guide/key-policies.html
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 20
Demo 1 Creation of a new S3 bucket → auto-tag with internal, disclose and encrypt 21 DPC (Data Protection Class) Encryption confidential KMS key internal S3-SSE public None
Demo 2 Disabling EBS encryption by default triggers a notification and automation to enable it again 22
Demo 3 23 Key creation triggers an automated check, right policies need to be attached and key rotation being enabled
Demo 4 24 Critical KMS events such as key deletion trigger an alarm
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 25
. Building blocks for security and compliance management
. Managed security and compliance by T-Systems Use of many relevant data sources Cloud Security and Compliance as a building block for your cloud applications Ready to use / minimal on-boarding phase Anomaly detection Security and compliance automation Customer-specific compliance rules Continuous monitoring & near-realtime alerts Security and compliance assessment 24/7 operations and incident management
. • 200+ AWS certifications • 50+ Prof./Specialty Level • Actively contributing to the AWS community • Donating to Open Source, e.g. PacBot or VM hardening scripts • Permanent training program T-Systems as AWS partner Well-architected Partner Program Direct Connect Partner Program We are hiring!
Thank you! Questions? More Information about our AWS services you find here

More Related Content

PPTX
Aws(in)security - the devil is in the detail
Pawel Rzepa
 
PDF
AWS Security Best Practices (March 2017)
Julien SIMON
 
PDF
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
Mitchell Pronschinske
 
PDF
Aws container webinar day 2
HoseokSeo7
 
PDF
An Overview of AWS IoT (November 2016)
Julien SIMON
 
PDF
Using Sass in Your WordPress Projects
Jeremy Green
 
PDF
Protecting your data in AWS
Dinah Barrett
 
PDF
Using encryption with_aws
saifam
 
Aws(in)security - the devil is in the detail
Pawel Rzepa
 
AWS Security Best Practices (March 2017)
Julien SIMON
 
Consul 1.6: Layer 7 Traffic Management and Mesh Gateways
Mitchell Pronschinske
 
Aws container webinar day 2
HoseokSeo7
 
An Overview of AWS IoT (November 2016)
Julien SIMON
 
Using Sass in Your WordPress Projects
Jeremy Green
 
Protecting your data in AWS
Dinah Barrett
 
Using encryption with_aws
saifam
 

Similar to How to implement data encryption at rest in compliance with enterprise requirements (10)

PDF
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
VijayaNirmalaGopal
 
PDF
AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
Amazon Web Services Korea
 
PPTX
Application security meetup - cloud security best practices 24062021
lior mazor
 
PDF
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
PPTX
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
PPTX
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
 
PDF
Protect your Data on AWS using the Encryption method.pdf
Zen Bit Tech
 
PPTX
Introduction to AWS KMS
Akesh Patil
 
PDF
Hands-On AWS: Java SDK + CLI for Cloud Developers
Meetu Maltiar
 
PPTX
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Vijayanirmala a_community_builders_guidebook_for_securing_your_secrets
VijayaNirmalaGopal
 
AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
Amazon Web Services Korea
 
Application security meetup - cloud security best practices 24062021
lior mazor
 
Overview of secret management solutions and architecture
Yuechuan (Mike) Chen
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
 
Protect your Data on AWS using the Encryption method.pdf
Zen Bit Tech
 
Introduction to AWS KMS
Akesh Patil
 
Hands-On AWS: Java SDK + CLI for Cloud Developers
Meetu Maltiar
 
Automate or die! Rootedcon 2017
Toni de la Fuente
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Ad

How to implement data encryption at rest in compliance with enterprise requirements

  • 1. Community Day 2019 Sponsors How to implement data encryption at rest in compliance with enterprise requirements Steffen Mazanek, Louay Mresheh | 09/09/2019
  • 2. About the speakers Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh • AWS architecture and security • T-Systems International GmbH / Public Cloud unit 2 Connect on LinkedIn
  • 3. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 3
  • 4. 4 Security “in” the cloud is not easy Lax or misconfiguration as #1 threat https://aws.amazon.com/compliance/shared-responsibility-model/
  • 5. . SecuritySecurity Security as a central pillar for good architecture in the “AWS Well-Architected Framework” Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html Operational Excellence Reliability Performance Efficiency Cost Optimization 5 ✓ Implement a strong identity foundation ✓ Enable traceability ✓ Apply security at all layers ✓ Automate security best practices ✓ Protect data in transit and at rest ✓ Keep people away from data ✓ Prepare for security events
  • 6. . Security: relevant AWS services (extract) 6 Identity and Access Management Detective Controls Config Infrastructure Protection Data Protection Incident Response IAM Organizations MFA tokenTemporary security credential CloudWatch CloudTrail VPC WAFShield Inspector Macie KMS IAM GuardDuty Lambda Security Hub Secrets Manager Config CloudWatch Trusted Advisor Cognito CloudHSM Certificate Manager
  • 7. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 7
  • 8. Don‘t be the company from the news 8 • Check your snapshots: • filter for public in console • Better: activate a control, AWS managed config rule is available (https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html) • Use encryption, only unencrypted snapshots can be made publicly available (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
  • 9. Why data encryption? • Compliance, enterprise regulation / policies • Security best practice • Protection from hypervisor mistakes, e.g. • your disk is accidentally shared with another client • mistake in disk decommissioning process • Data confidentiality and integrity • Control/minimize access to data (keep people away from data) • Destroy large amounts of data by deleting the key 9
  • 10. Concepts/terminology • Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager) • Data encryption at rest → focus of this presentation • Client-side → encrypt before submitting data to AWS, AWS encryption SDK in different programming languages, service clients etc. • Server-side → AWS encrypts the data after it is received by the service 10
  • 11. Enterprise data encryption requirements example • For the data protection class PUBLIC encryption is not required. • For the data protection class INTERNAL encryption with AWS-managed key must be used. • For the data protection class CONFIDENTIAL encryption with customer-managed key must be used. • Keys need to be rotated on regular basis. • Management and use of keys according to least privileges principal. • A dedicated role group for key admins must be used. • Multi-factor authentication must be implemented for critical KMS API calls. • KMS key activities must be logged. • The deletion of keys must be alarmed. • If encryption context is used, no sensitive data must be used for encryption context. → Example implementation/architecture in demo part 11
  • 12. CIS recommendations regarding data protection https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three- tier_Web_Architecture_Benchmark.pdf Work with multiple CMKs → More fine-grained control 12…
  • 13. KMS overview and concepts • securely store the keys you use to encrypt your data in the cloud and centrally manage these keys • Envelope encryption / two-tiered key hierarchy • 4KB limit, better performance • Unique data key encrypts customer data • Customer master keys encrypt data keys • Centralized access and better auditability • Limits blast radius (compromised data key) 13
  • 14. KMS CLI session aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k $envelopeKey Keep your encrypted data key at a safe place!! Later: envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k $envelopeKey https://docs.aws.amazon.com/cli/latest/reference/kms/
  • 15. KMS overview and concepts • Regional service • Integrated with most AWS services, but in different ways • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until disk gets detached • S3 -> encrypted data key stored with every object • AWS managed CMK, one per service called aws/ebs, aws/rds etc. • Customer-managed CMK for more granularity and control • Cause costs (per month, per key, per version) • you can bring your own crypto material in order to keep your own copy of the key • Key aliases, key rotation 15
  • 16. KMS overview and concepts • Keys can be shared across accounts • Critical KMS events can be monitered and automatically remediated in case of any violation detected, automation is key! • AWS-managed config rules can be used to check encryption settings for DBs, disks and buckets • KMS comes with a waiting period on key deletion (if you did not bring your own key) • KMS is relying on shared HSMs (FIPS 140-2 Level 2) • https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf 16
  • 17. https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/ • Dedicated HSM in VPC → CloudHSM service (FIPS 140-2 L 3) • Custom key store provides more flexibility with CloudHSM but is more complex to manage
  • 18. Managing access to keys from two sides • Key policy • Define who can manage the key (you can even lock out root) • Define who can use the key • You can lock yourself out → AWS support case • You can delegate to IAM • Service roles might need access (e.g. Cloud9 needs access to EBS key) • IAM 18
  • 19. { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin“ → give access to key admin role OR "AWS": "arn:aws:iam::<accounted>:root“ → access is controlled via IAM }, "Action": [ "kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, https://docs.aws.amazon.com/de_de/kms/latest/developer guide/key-policies.html
  • 20. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 20
  • 21. Demo 1 Creation of a new S3 bucket → auto-tag with internal, disclose and encrypt 21 DPC (Data Protection Class) Encryption confidential KMS key internal S3-SSE public None
  • 22. Demo 2 Disabling EBS encryption by default triggers a notification and automation to enable it again 22
  • 23. Demo 3 23 Key creation triggers an automated check, right policies need to be attached and key rotation being enabled
  • 24. Demo 4 24 Critical KMS events such as key deletion trigger an alarm
  • 25. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 25
  • 26. . Building blocks for security and compliance management
  • 27. . Managed security and compliance by T-Systems Use of many relevant data sources Cloud Security and Compliance as a building block for your cloud applications Ready to use / minimal on-boarding phase Anomaly detection Security and compliance automation Customer-specific compliance rules Continuous monitoring & near-realtime alerts Security and compliance assessment 24/7 operations and incident management
  • 28. . • 200+ AWS certifications • 50+ Prof./Specialty Level • Actively contributing to the AWS community • Donating to Open Source, e.g. PacBot or VM hardening scripts • Permanent training program T-Systems as AWS partner Well-architected Partner Program Direct Connect Partner Program We are hiring!
  • 29. Thank you! Questions? More Information about our AWS services you find here