In AWS encryption, a little paranoia goes a long way

IT teams must take a layered approach to AWS security, and encryption is no different. Each Amazon service has different security characteristics, requiring the right security tool.

AWS infrastructure operates outside of the physical control of the enterprise. Securing this infrastructure requires comprehensive thought into how the data moves to and from the public cloud. But data encryption is also imperative, and a number of native AWS and third-party tools exist to encrypt AWS data services -- when used properly.

Different security architectures have a chain of trust involved in AWS encryption key management, and this has ramifications on the security, complexity and performance of applications that access secured data. Most modern cloud applications take advantage of public key cryptography in which master keys are never shared directly. Instead, clients and servers use each other's public keys to generate hash values that are sent over the Internet to authorize access to particular stores.

But modern AWS applications don't typically involve one client and one server. They span multiple servers used for different functions: storing data, analyzing data and powering various applications such as CRM, ERP and business intelligence. Key management infrastructure sits at the middle of all of this, allowing users and applications to access just the right subset of data required to get the job done.

The fundamental problem in all of this is that each application -- and the servers used to store keys -- opens up the possibility of attack. Hackers just need to find one weak link to gain access to enterprise data. A good key management infrastructure helps limit the effect when an application or credential is compromised.

In addition to concerns about hackers, enterprises need to consider the possibility that governments could compromise cloud key management infrastructure. Legal precedents worldwide are unfolding that could affect the integrity of this chain of trust. An American company might be less concerned than a company based in Europe if Amazon were compelled to hand over its master keys. Recognizing these concerns, leading companies such as Amazon are setting up appropriate safeguards to protect enterprise data so that it can only be decrypted using enterprise-managed keys.

Key management models

There are three main architectures that companies use to secure a key management infrastructure (KMI) on top of AWS applications.

  1. The enterprise controls the encryption method and the entire KMI. The keys can be stored outside of the cloud or in an Elastic Compute Cloud instance.
  2. The enterprise controls the encryption method and management layer, while AWS provides the storage component of the KMI.
  3. Amazon controls the encryption method and the entire KMI.

Each AWS encryption approach can protect all major data services. The first approach appeals to enterprises concerned about security risks with the AWS chain of trust. But this comes at a cost; applications become increasingly complex as they save, process and retrieve data from the cloud. The third approach reduces the complexity of managing the KMI, but requires a higher level of trust in the integrity of the AWS infrastructure.

An enterprise that chooses to manage the encryption technique and KMI can choose from a wide variety of open source and commercial tools. The enterprise maintains full control over the encryption keys and the apps that use those keys.

Match security tools to AWS storage services

There are different tools suited for different storage services, and a few products are designed to work across multiple storage services. But different storage services have different operating processes and security requirements, providing an additional challenge. OpenSSL and Bouncy Castle are open source tools that can encrypt data at rest, making them suitable for Amazon Simple Storage Service (S3).

The Amazon S3 encryption client is another alternative baked into the AWS SDKs. IT teams can pass keys to the client using SSL or SSH from the enterprise KMI. Information for implementing this is available in the AWS SDK for Java documentation. CloudBerry Explorer PRO for Amazon S3 is one of several third-party tools available to simplify key management.

Developers can secure Amazon Elastic Block Store volumes using a wide variety of file system and block-level encryption tools, including loop-AES and dm-crypt. Other tools, such as LUKS, eCryptfs and EncFs, can encrypt a single directory. But these tools don't work well for encrypting boot volumes. IT teams need a commercial tool, like Trend Micro SecureCloud, to encrypt boot volumes in addition to data volumes.

Amazon Relational Database Service (RDS) doesn't expose the attached disk, so other approaches are required. Selective AWS encryption can be done on data in transit using OpenSSL. Other database-specific tools, like CipherCloud and HPE SecureData, are better suited for securing RDS.

The security infrastructure becomes considerably more complex if the enterprise needs to implement Amazon Elastic MapReduce. This service has different security properties required for the source data, Hadoop Distributed File System, shuffle phase and output.

If the enterprise chooses to manage the keys off the cloud, it can deploy an on-premises AWS CloudHSM appliance. Multiple appliances are recommended for deploying apps across AWS availability zones.

The AWS Key Management Service (KMS) includes integration into all Amazon data storage services. One previous exception was Amazon Aurora, which was released without KMS integration. But this has been rectified in more recent versions of Aurora that include support for KMS. In this scenario, the enterprise uses KMS to provide and use keys to encrypt data in various AWS applications. The service provides tight integration, which can improve the application development and deployment lifecycle. Amazon does give enterprises the ability to audit access of its keys across all services, but the enterprise needs to trust the integrity of the AWS managed chain of trust for this to be a viable option. The KMS Cryptographic Details White Paper dives into the underlying safeguards of this approach.
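The audit capability described above is only useful if someone reviews the records. The following is an added example, not code from the article or from AWS: it assumes KMS API calls are available as CloudTrail-style JSON records, and the account ID, key ARN, role and user names, and the allow-list are all constructed placeholders.

```python
import json
from collections import defaultdict

ACCT = "111122223333"  # placeholder account id
KEY = f"arn:aws:kms:us-east-1:{ACCT}:key/EXAMPLE-KEY-ID"  # placeholder key ARN
CRM_ROLE = f"arn:aws:iam::{ACCT}:role/crm-app"  # hypothetical application role

def _event(name, arn, issuer=None, error=None, source="kms.amazonaws.com"):
    """Build one constructed record using CloudTrail's field names."""
    ev = {"eventSource": source, "eventName": name,
          "userIdentity": {"arn": arn},
          "resources": [{"ARN": KEY, "type": "AWS::KMS::Key"}]}
    if issuer:  # assumed-role sessions carry the underlying role ARN here
        ev["userIdentity"]["sessionContext"] = {"sessionIssuer": {"arn": issuer}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_LOG = json.dumps({"Records": [  # constructed sample, not real log data
    _event("Decrypt", f"arn:aws:sts::{ACCT}:assumed-role/crm-app/i-01", CRM_ROLE),
    _event("GenerateDataKey", f"arn:aws:sts::{ACCT}:assumed-role/crm-app/i-02", CRM_ROLE),
    _event("Decrypt", f"arn:aws:iam::{ACCT}:user/analyst"),
    _event("Decrypt", f"arn:aws:iam::{ACCT}:user/contractor", error="AccessDenied"),
    _event("PutKeyPolicy", f"arn:aws:iam::{ACCT}:user/ops-admin"),
    _event("GetObject", f"arn:aws:iam::{ACCT}:user/analyst", source="s3.amazonaws.com"),
]})

EXPECTED = {KEY: {CRM_ROLE}}  # assumed allow-list: who should use each key
DATA_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey"}
ADMIN_EVENTS = {"PutKeyPolicy", "CreateGrant", "DisableKey", "ScheduleKeyDeletion"}

def audit_key_usage(log_text, expected):
    """Return (usage counts per key and principal, ordered list of findings)."""
    usage, findings = defaultdict(lambda: defaultdict(int)), []
    for ev in json.loads(log_text).get("Records", []):
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS API calls matter here
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        who = issuer.get("arn") or ident.get("arn", "unknown")
        name = ev.get("eventName")
        for res in ev.get("resources", []):
            key = res.get("ARN")
            if name in ADMIN_EVENTS:
                findings.append(("key-admin-change", who, key, name))
            elif name in DATA_EVENTS and ev.get("errorCode"):
                findings.append(("denied", who, key, name))
            elif name in DATA_EVENTS:
                usage[key][who] += 1
                if who not in expected.get(key, set()):
                    findings.append(("unexpected-principal", who, key, name))
    return usage, findings
```

Assumed-role sessions are collapsed to the underlying role ARN so that each instance of the same application counts as one principal against the allow-list.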

An enterprise might want to manage its own AWS encryption architecture for simple applications. However, this can be burdensome, particularly if it needs to move data across relational data stores, EMR applications and long-term archives. At the end of the day, security requires a healthy degree of paranoia to prevent compromised infrastructure.
