Against a backdrop of constant concern about cloud security among enterprise customers, AWS has added an encryption...
layer to its services.
The automated Elastic Block Store (EBS) encryption is a welcome addition to Amazon Web Services (AWS), but its key management leaves something to be desired, customers and industry security experts say.
AWS already offered encryption on its Simple Storage Service (S3), its Redshift data warehouse and Oracle and SQL Server databases with its Relational Database Service (RDS). AWS also supports Secure Socket Layer / Transport Layer Security in CloudFront, RDS and Elastic Load Balancing.
Edward HaletkyCEO of the Virtualization Practice
"Data encryption at rest is always a good thing, and it's great to see that EBS is now on par with S3 in terms of server-side encryption," said Brian Schott, CTO for Nimbis Services Inc., a systems integrator in McLean, Virginia that serves Department of Defense component suppliers. "Many cloud deployers manage their own encrypted EBS data volumes using [the] Linux [utility] dm-crypt, but it is particularly difficult to encrypt the root volume and still be able to boot the system securely."
While EBS encryption is another step forward, key management is the main issue for AWS customers going forward, security experts said.
EBS encryption uses AWS managed keys but other services allow customers to retain control, such as CloudHSM, which can be used with applications on EC2 or with Amazon Redshift.
Though perhaps convenient for some, security-conscious customers will want to manage their own keys, according to Edward Haletky, CEO of the Virtualization Practice LLC based in Austin, Texas.
Customers still have the option to apply their own encrypted file system to AWS storage for control over encryption keys, but it's not ideal, according to Schott.
"This involves a high degree of system orchestration," he said. "Furthermore, relying on key storage in the [file system] metadata service is like leaving your front door key under the mat."
More on the cloud security to-do list
While it's a good move for Amazon to bring EBS up to speed with the rest of its storage offerings through encryption at rest, security experts would like to see a bigger shift in how AWS does security that would give tenants more control.
Tenants must be able to encrypt at the virtual machine (VM) level, and have more comprehensive audit capabilities within AWS, according to Haletky.
"When [Amazon] decrypts data, they read the key out of the [Hardware Security Module]… that readout means the key is somewhere in memory, but not on the virtual machine, it's in the host,” Haletky said.
Since Amazon owns the host, that makes it harder to crack the encryption key, "but it would be nice if they did it higher in the stack," Haletky said. "It's not just the disks you need to encrypt, it's the memory you need to encrypt to go even further. … If you break into the VM, that data is still unencrypted."
AWS also offers auditing capabilities for compliance-conscious customers with its CloudTrail service, which tracks application performance interface calls made by a given AWS account, but that could go further, Haletky said.
Automated logging of activity on the host would go a long way toward settling cloud security and compliance concerns in the AWS cloud, Haletky said. AWS customers would know whether the server or an AWS admin had accessed encryption keys and what was decrypted, for example.
"The problem with Amazon is that while I know for a fact that they have really great security … there's no way, as a tenant, for me to prove that," he said.