SlideShare a Scribd company logo

How to implement data encryption at rest in compliance with enterprise requirements

Steffen Mazanek
Steffen Mazanek

The document discusses implementing data encryption at rest to comply with enterprise requirements and ensure security on AWS, presented by Steffen Mazanek and Louay Mresheh. It covers various aspects of AWS security, including key management, encryption methods, compliance needs for data protection classes, and best practices for securing sensitive information. The agenda includes a hands-on demonstration of KMS (Key Management Service) functionalities and emphasizes the importance of a structured security framework in cloud environments.

Technology
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Community Day 2019 Sponsors How to implement data encryption at rest in compliance with enterprise requirements Steffen Mazanek, Louay Mresheh | 09/09/2019
About the speakers Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh • AWS architecture and security • T-Systems International GmbH / Public Cloud unit 2 Connect on LinkedIn
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 3
4 Security “in” the cloud is not easy Lax or misconfiguration as #1 threat https://aws.amazon.com/compliance/shared-responsibility-model/
. SecuritySecurity Security as a central pillar for good architecture in the “AWS Well-Architected Framework” Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html Operational Excellence Reliability Performance Efficiency Cost Optimization 5 ✓ Implement a strong identity foundation ✓ Enable traceability ✓ Apply security at all layers ✓ Automate security best practices ✓ Protect data in transit and at rest ✓ Keep people away from data ✓ Prepare for security events
. Security: relevant AWS services (extract) 6 Identity and Access Management Detective Controls Config Infrastructure Protection Data Protection Incident Response IAM Organizations MFA tokenTemporary security credential CloudWatch CloudTrail VPC WAFShield Inspector Macie KMS IAM GuardDuty Lambda Security Hub Secrets Manager Config CloudWatch Trusted Advisor Cognito CloudHSM Certificate Manager
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 7
Don‘t be the company from the news 8 • Check your snapshots: • filter for public in console • Better: activate a control, AWS managed config rule is available (https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html) • Use encryption, only unencrypted snapshots can be made publicly available (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
Why data encryption? • Compliance, enterprise regulation / policies • Security best practice • Protection from hypervisor mistakes, e.g. • your disk is accidentally shared with another client • mistake in disk decommissioning process • Data confidentiality and integrity • Control/minimize access to data (keep people away from data) • Destroy large amounts of data by deleting the key 9
Concepts/terminology • Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager) • Data encryption at rest → focus of this presentation • Client-side → encrypt before submitting data to AWS, AWS encryption SDK in different programming languages, service clients etc. • Server-side → AWS encrypts the data after it is received by the service 10
Enterprise data encryption requirements example • For the data protection class PUBLIC encryption is not required. • For the data protection class INTERNAL encryption with AWS-managed key must be used. • For the data protection class CONFIDENTIAL encryption with customer-managed key must be used. • Keys need to be rotated on regular basis. • Management and use of keys according to least privileges principal. • A dedicated role group for key admins must be used. • Multi-factor authentication must be implemented for critical KMS API calls. • KMS key activities must be logged. • The deletion of keys must be alarmed. • If encryption context is used, no sensitive data must be used for encryption context. → Example implementation/architecture in demo part 11
CIS recommendations regarding data protection https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three- tier_Web_Architecture_Benchmark.pdf Work with multiple CMKs → More fine-grained control 12…
KMS overview and concepts • securely store the keys you use to encrypt your data in the cloud and centrally manage these keys • Envelope encryption / two-tiered key hierarchy • 4KB limit, better performance • Unique data key encrypts customer data • Customer master keys encrypt data keys • Centralized access and better auditability • Limits blast radius (compromised data key) 13
KMS CLI session aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k $envelopeKey Keep your encrypted data key at a safe place!! Later: envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k $envelopeKey https://docs.aws.amazon.com/cli/latest/reference/kms/
KMS overview and concepts • Regional service • Integrated with most AWS services, but in different ways • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until disk gets detached • S3 -> encrypted data key stored with every object • AWS managed CMK, one per service called aws/ebs, aws/rds etc. • Customer-managed CMK for more granularity and control • Cause costs (per month, per key, per version) • you can bring your own crypto material in order to keep your own copy of the key • Key aliases, key rotation 15
KMS overview and concepts • Keys can be shared across accounts • Critical KMS events can be monitered and automatically remediated in case of any violation detected, automation is key! • AWS-managed config rules can be used to check encryption settings for DBs, disks and buckets • KMS comes with a waiting period on key deletion (if you did not bring your own key) • KMS is relying on shared HSMs (FIPS 140-2 Level 2) • https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf 16
https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/ • Dedicated HSM in VPC → CloudHSM service (FIPS 140-2 L 3) • Custom key store provides more flexibility with CloudHSM but is more complex to manage
Managing access to keys from two sides • Key policy • Define who can manage the key (you can even lock out root) • Define who can use the key • You can lock yourself out → AWS support case • You can delegate to IAM • Service roles might need access (e.g. Cloud9 needs access to EBS key) • IAM 18
{ "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin“ → give access to key admin role OR "AWS": "arn:aws:iam::<accounted>:root“ → access is controlled via IAM }, "Action": [ "kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, https://docs.aws.amazon.com/de_de/kms/latest/developer guide/key-policies.html
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 20
Demo 1 Creation of a new S3 bucket → auto-tag with internal, disclose and encrypt 21 DPC (Data Protection Class) Encryption confidential KMS key internal S3-SSE public None
Demo 2 Disabling EBS encryption by default triggers a notification and automation to enable it again 22
Demo 3 23 Key creation triggers an automated check, right policies need to be attached and key rotation being enabled
Demo 4 24 Critical KMS events such as key deletion trigger an alarm
Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 25
. Building blocks for security and compliance management
. Managed security and compliance by T-Systems Use of many relevant data sources Cloud Security and Compliance as a building block for your cloud applications Ready to use / minimal on-boarding phase Anomaly detection Security and compliance automation Customer-specific compliance rules Continuous monitoring & near-realtime alerts Security and compliance assessment 24/7 operations and incident management
. • 200+ AWS certifications • 50+ Prof./Specialty Level • Actively contributing to the AWS community • Donating to Open Source, e.g. PacBot or VM hardening scripts • Permanent training program T-Systems as AWS partner Well-architected Partner Program Direct Connect Partner Program We are hiring!
Thank you! Questions? More Information about our AWS services you find here

More Related Content

Similar to How to implement data encryption at rest in compliance with enterprise requirements (20)

PDF
Protect your Data on AWS using the Encryption method.pdf
Zen Bit Tech
 
PPSX
AWS Key Management
Nantha Kumar Rajasekaren
 
PDF
Kms cryptographic-details
saifam
 
PDF
Kms cryptographic-details (1)
saifam
 
PDF
Using encryption with_aws
saifam
 
PDF
Aws kms in 10 minutes
Rajendran Senapathi
 
PPTX
Introduction to AWS KMS
Akesh Patil
 
PPTX
Introduction of AWS KMS
Ricardo Schmidt
 
PDF
Aws securing data_at_rest_with_encryption (1)
CMR WORLD TECH
 
PPTX
UNEC__1732702810.pptxddgdfvcfgg hxh f f g h s s. Rcyctcecec
lefty8778
 
PDF
Austin CSS Slalom Presentation
Alert Logic
 
PPTX
Presentation by R Behera on KMS aws
Rasananda BEHERA
 
PPTX
Databricks Training | Databricks Course
Accentfuture
 
PDF
AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
Amazon Web Services Korea
 
PPTX
Big data security in AWS.pptx
Ashish210583
 
PDF
MySQL Security on AWS Rds
Mydbops
 
PPTX
The fundamentals of AWS Cloud Security 🛠⛅️🚀
Thanh Nguyen
 
PDF
Building a GDPR-compliant architecture on AWS.pdf
Zen Bit Tech
 
PDF
Aws key kms dg
RENEE63398
 
PDF
Taking Security Responsibility in the AWS Cloud
Franklin Mosley
 
Protect your Data on AWS using the Encryption method.pdf
Zen Bit Tech
 
AWS Key Management
Nantha Kumar Rajasekaren
 
Kms cryptographic-details
saifam
 
Kms cryptographic-details (1)
saifam
 
Using encryption with_aws
saifam
 
Aws kms in 10 minutes
Rajendran Senapathi
 
Introduction to AWS KMS
Akesh Patil
 
Introduction of AWS KMS
Ricardo Schmidt
 
Aws securing data_at_rest_with_encryption (1)
CMR WORLD TECH
 
UNEC__1732702810.pptxddgdfvcfgg hxh f f g h s s. Rcyctcecec
lefty8778
 
Austin CSS Slalom Presentation
Alert Logic
 
Presentation by R Behera on KMS aws
Rasananda BEHERA
 
Databricks Training | Databricks Course
Accentfuture
 
AWS re:Invent re:Cap - 종단간 보안을 위한 클라우드 아키텍처 구축 - 양승도
Amazon Web Services Korea
 
Big data security in AWS.pptx
Ashish210583
 
MySQL Security on AWS Rds
Mydbops
 
The fundamentals of AWS Cloud Security 🛠⛅️🚀
Thanh Nguyen
 
Building a GDPR-compliant architecture on AWS.pdf
Zen Bit Tech
 
Aws key kms dg
RENEE63398
 
Taking Security Responsibility in the AWS Cloud
Franklin Mosley
 

Recently uploaded (20)

PDF
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
PPTX
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
PPTX
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
PDF
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PDF
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
Pavel Shukhman
 
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
MSP360 Backup Scheduling and Retention Best Practices.pptx
MSP360
 
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
Windsurf Meetup Ottawa 2025-07-12 - Planning Mode at Reliza.pdf
Pavel Shukhman
 
Ad

How to implement data encryption at rest in compliance with enterprise requirements

  • 1. Community Day 2019 Sponsors How to implement data encryption at rest in compliance with enterprise requirements Steffen Mazanek, Louay Mresheh | 09/09/2019
  • 2. About the speakers Steffen Mazanek (AWS usergroup Dresden) Louay Mresheh • AWS architecture and security • T-Systems International GmbH / Public Cloud unit 2 Connect on LinkedIn
  • 3. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 3
  • 4. 4 Security “in” the cloud is not easy Lax or misconfiguration as #1 threat https://aws.amazon.com/compliance/shared-responsibility-model/
  • 5. . SecuritySecurity Security as a central pillar for good architecture in the “AWS Well-Architected Framework” Source: https://wa.aws.amazon.com/wat.design_principles.wa-dp.en.html Operational Excellence Reliability Performance Efficiency Cost Optimization 5 ✓ Implement a strong identity foundation ✓ Enable traceability ✓ Apply security at all layers ✓ Automate security best practices ✓ Protect data in transit and at rest ✓ Keep people away from data ✓ Prepare for security events
  • 6. . Security: relevant AWS services (extract) 6 Identity and Access Management Detective Controls Config Infrastructure Protection Data Protection Incident Response IAM Organizations MFA tokenTemporary security credential CloudWatch CloudTrail VPC WAFShield Inspector Macie KMS IAM GuardDuty Lambda Security Hub Secrets Manager Config CloudWatch Trusted Advisor Cognito CloudHSM Certificate Manager
  • 7. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 7
  • 8. Don‘t be the company from the news 8 • Check your snapshots: • filter for public in console • Better: activate a control, AWS managed config rule is available (https://docs.aws.amazon.com/config/latest/developerguide/ebs-snapshot-public-restorable-check.html) • Use encryption, only unencrypted snapshots can be made publicly available (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
  • 9. Why data encryption? • Compliance, enterprise regulation / policies • Security best practice • Protection from hypervisor mistakes, e.g. • your disk is accidentally shared with another client • mistake in disk decommissioning process • Data confidentiality and integrity • Control/minimize access to data (keep people away from data) • Destroy large amounts of data by deleting the key 9
  • 10. Concepts/terminology • Data encryption in transit → IPSec/VPN, TLS (AWS Certificate Manager) • Data encryption at rest → focus of this presentation • Client-side → encrypt before submitting data to AWS, AWS encryption SDK in different programming languages, service clients etc. • Server-side → AWS encrypts the data after it is received by the service 10
  • 11. Enterprise data encryption requirements example • For the data protection class PUBLIC encryption is not required. • For the data protection class INTERNAL encryption with AWS-managed key must be used. • For the data protection class CONFIDENTIAL encryption with customer-managed key must be used. • Keys need to be rotated on regular basis. • Management and use of keys according to least privileges principal. • A dedicated role group for key admins must be used. • Multi-factor authentication must be implemented for critical KMS API calls. • KMS key activities must be logged. • The deletion of keys must be alarmed. • If encryption context is used, no sensitive data must be used for encryption context. → Example implementation/architecture in demo part 11
  • 12. CIS recommendations regarding data protection https://d1.awsstatic.com/whitepapers/compliance/CIS_Amazon_Web_Services_Three- tier_Web_Architecture_Benchmark.pdf Work with multiple CMKs → More fine-grained control 12…
  • 13. KMS overview and concepts • securely store the keys you use to encrypt your data in the cloud and centrally manage these keys • Envelope encryption / two-tiered key hierarchy • 4KB limit, better performance • Unique data key encrypts customer data • Customer master keys encrypt data keys • Centralized access and better auditability • Limits blast radius (compromised data key) 13
  • 14. KMS CLI session aws kms generate-data-key --key-id <keyarn> --key-spec AES_256 --output text --query CiphertextBlob | base64 --decode > encrEnvelopeKey envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in confidential-data.txt -out encrypted-data.txt -e -aes256 -k $envelopeKey Keep your encrypted data key at a safe place!! Later: envelopeKey=$(aws kms decrypt --ciphertext-blob fileb://encrEnvelopeKey --output text --query Plaintext) openssl enc -in encrypted-data.txt -out confidential-data.txt -d -aes256 -k $envelopeKey https://docs.aws.amazon.com/cli/latest/reference/kms/
  • 15. KMS overview and concepts • Regional service • Integrated with most AWS services, but in different ways • EBS -> encrypted data key stored with every volume, plaintext key in hypervisor memory until disk gets detached • S3 -> encrypted data key stored with every object • AWS managed CMK, one per service called aws/ebs, aws/rds etc. • Customer-managed CMK for more granularity and control • Cause costs (per month, per key, per version) • you can bring your own crypto material in order to keep your own copy of the key • Key aliases, key rotation 15
  • 16. KMS overview and concepts • Keys can be shared across accounts • Critical KMS events can be monitered and automatically remediated in case of any violation detected, automation is key! • AWS-managed config rules can be used to check encryption settings for DBs, disks and buckets • KMS comes with a waiting period on key deletion (if you did not bring your own key) • KMS is relying on shared HSMs (FIPS 140-2 Level 2) • https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf 16
  • 17. https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/ • Dedicated HSM in VPC → CloudHSM service (FIPS 140-2 L 3) • Custom key store provides more flexibility with CloudHSM but is more complex to manage
  • 18. Managing access to keys from two sides • Key policy • Define who can manage the key (you can even lock out root) • Define who can use the key • You can lock yourself out → AWS support case • You can delegate to IAM • Service roles might need access (e.g. Cloud9 needs access to EBS key) • IAM 18
  • 19. { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountid>:role/Project_Key_Admin“ → give access to key admin role OR "AWS": "arn:aws:iam::<accounted>:root“ → access is controlled via IAM }, "Action": [ "kms:Create*", "kms:Describe*", "kms:List*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" }, https://docs.aws.amazon.com/de_de/kms/latest/developer guide/key-policies.html
  • 20. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 20
  • 21. Demo 1 Creation of a new S3 bucket → auto-tag with internal, disclose and encrypt 21 DPC (Data Protection Class) Encryption confidential KMS key internal S3-SSE public None
  • 22. Demo 2 Disabling EBS encryption by default triggers a notification and automation to enable it again 22
  • 23. Demo 3 23 Key creation triggers an automated check, right policies need to be attached and key rotation being enabled
  • 24. Demo 4 24 Critical KMS events such as key deletion trigger an alarm
  • 25. Agenda • AWS security in general • Motivation for data protection, encryption requirements and KMS overview • KMS hands-on / demos • Managed security and compliance 25
  • 26. . Building blocks for security and compliance management
  • 27. . Managed security and compliance by T-Systems Use of many relevant data sources Cloud Security and Compliance as a building block for your cloud applications Ready to use / minimal on-boarding phase Anomaly detection Security and compliance automation Customer-specific compliance rules Continuous monitoring & near-realtime alerts Security and compliance assessment 24/7 operations and incident management
  • 28. . • 200+ AWS certifications • 50+ Prof./Specialty Level • Actively contributing to the AWS community • Donating to Open Source, e.g. PacBot or VM hardening scripts • Permanent training program T-Systems as AWS partner Well-architected Partner Program Direct Connect Partner Program We are hiring!
  • 29. Thank you! Questions? More Information about our AWS services you find here