AWS customers gained new control over cloud security in the Simple Storage Service this week, while Amazon fended off critiques about its ongoing use of a now-defunct Linux encryption utility.
Customers of the Simple Storage Service (S3) now have the option to store data in S3 using Amazon Web Services' (AWS) server-side encryption while still maintaining control over the encryption keys. This is the kind of feature security-conscious IT pros requested with the newly released Elastic Block Store encryption last week.
The S3 key management option comes on the heels of published reports this week that Amazon still uses the Linux encryption utility TrueCrypt as the only option for securely importing and exporting data to and from S3.
The developers of the open-source encryption utility publicly renounced the project on May 28, saying it was not secure and that IT pros shouldn't use it anymore.
Amazon faced some criticism for its continued use of TrueCrypt, but audits have revealed no vulnerabilities in TrueCrypt so far.
"AWS Import/Export is the only AWS service that uses TrueCrypt, but AWS is aware of the statement on the TrueCrypt website and continues to monitor closely," the company said through a spokesperson Friday.
AWS does not use TrueCrypt in the encryption performed on objects stored in S3, which includes the new S3 key management option.
S3 encryption key management now hinges on SSL trust
Customers have several key management options for S3. One option is to let Amazon manage the keys, which some security-sensitive shops may not be comfortable with.
"For some companies [not being able to manage encryption keys] was a non-starter to using S3 as it ran afoul of basic security management best practices," said Mark Szynaka, cloud architect for New York-based cloud consulting firm Cloud eBroker. "For some of my clients this was the most difficult security exception to get past."
Users can maintain control over keys with client-side encryption, but this can create high-bandwidth requirements as encrypted data is sent over the wire to S3, according to Edward Haletky, CEO of The Virtualization Practice LLC in Austin, Texas.
This new approach gets closer to the best of both worlds, Haletky said.
"This allows companies to offload encryption to AWS while giving security practitioners more control," Haletky said.
To encrypt and decrypt objects, however, customers must supply the key, which is then retained in memory for a short amount of time. Amazon’s blog doesn't specify for how long it's held, except to say that it's "expeditiously" removed from memory.
To protect this transaction from the outside world, the transfer of the key occurs over a connection between the originating and destination server using the Secure Sockets Layer (SSL) tunneling protocol.
This, in turn, has its own vulnerabilities, Haletky said.
Adoption of this key management model "depends on the users and the acceptability of SSL in their environment," he added. "For those people that know how to do good SSL hygiene, it won't be a problem; for those that do not, it could be a weakness."
Good SSL "hygiene" involves pre-sharing certificates, and doing mutual authentication between a server and client connected by SSL. Keeping SSL keys well-protected is also critical, according to Haletky.
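The key handoff described above, as an added example that is not code from Amazon or from this article: a client builds the per-request headers that carry the customer key and refuses to attach them to anything but an HTTPS URL. The header names are the ones S3 documents for customer-provided keys and do not appear in the article; the bucket URL is a constructed placeholder.

```python
import base64
import hashlib
import os
from urllib.parse import urlsplit

# Header names S3 documents for server-side encryption with
# customer-provided keys (not taken from the article).
H_ALGO = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def new_customer_key() -> bytes:
    """Generate a 256-bit key; the customer keeps it, the service does not."""
    return os.urandom(32)


def sse_c_headers(url: str, key: bytes) -> dict:
    """Return the headers that hand the key to the service for one request.

    The raw key travels in a header, so the only protection in transit is
    the SSL/TLS connection: reject any URL that is not https://.
    """
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("customer key must only be sent over HTTPS")
    if len(key) != 32:
        raise ValueError("AES256 requires a 32-byte key")
    return {
        H_ALGO: "AES256",
        H_KEY: base64.b64encode(key).decode("ascii"),
        # Digest of the key lets the service detect corruption in transit.
        H_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def redact(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the key value is masked."""
    return {k: ("<redacted>" if k == H_KEY else v) for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed sample URL; bucket and object names are placeholders.
    url = "https://example-bucket.s3.amazonaws.com/report.csv"
    print(redact(sse_c_headers(url, new_customer_key())))
```

The same headers, with the same key, have to accompany the later read of the object, so losing the key means losing the data.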