Townsend Security Data Privacy Blog

Microsoft SQL Server Encryption in AWS - Without Cloud Lock-In

Posted by Patrick Townsend on Feb 28, 2020 10:00:14 AM

Interest in Microsoft SQL Server database encryption is booming! What is driving the sudden rush to encrypt sensitive data? Certainly the new California Consumer Privacy Act (CCPA) is a part of this. Just a few days after the CCPA became law the first class action lawsuit was filed. No business wants to deal with a class action lawsuit, and encryption is the only safe harbor from class action lawsuits.

Encryption & Key Management for SQL Server - Definitive Guide We have to give some credit to Microsoft, too. In the past, database encryption was only available in the Enterprise editions of SQL Server. Upgrading from SQL Server Standard, Express and Web editions was an expensive proposition. Then (... SURPRISE! ...) in November 2019 Microsoft announced that SQL Server Standard Edition 2019 would also support encryption in the same way that the Enterprise edition does. It was a great Holiday gift to the many thousands of SQL Server users and ISVs who need to meet compliance regulations.

And the continued publicity about data breaches, ransomware, state actors, and new zero-day exploits continued to elevate everyone’s awareness of the threats to their sensitive data. So encryption is suddenly hot.

Let’s take a look at using SQL Server encryption in Amazon Web Services (AWS). 

Encryption Key Management

If you’ve been following this blog series you know how important key management is to an encryption strategy. That is even more true in the AWS environment. While Amazon makes available a proprietary key service, it can’t be used with databases like SQL Server that implement vendor or open standards. And AWS KMS is a shared encryption key service - both you and Amazon have access to your keys. So, before you start your SQL Server encryption project, be sure to get your key management strategy right.

Local Master Key Storage

When you implement encryption with SQL Server you have a choice about where you store the master keys. You can store them next to the SQL Server database (bad), or you can store the keys in an external key management system using the SQL Server Extensible Key Management (EKM) interface (better). Using an external key management system through the EKM interface is the only way to protect your data under CCPA, and it’s a best security practice. That is what we will focus on for the rest of this blog. 

SQL Server and Extensible Key Management (EKM) Provider

Starting in SQL Server 2008 Enterprise, Microsoft implemented database encryption and added the EKM Provider interface for encryption key management. This interface pre-dated the modern KMIP interface, but provides a similar architecture for integrating encryption key management for SQL Server. The EKM Provider architecture has been a part of SQL Server Enterprise since that release more than a decade ago. Our customers have performed many upgrades to SQL Server and the EKM interface has been stable and reliable. 

The EKM Provider architecture is essentially a set of rules for implementing a plug-in module for SQL Server to integrate with a key manager such as our Alliance Key Manager for SQL Server. You code a Windows DLL to the specification, register it to SQL Server, run an activation command in the SQL Server console, and you have encrypted your SQL Server database! It is fast, easy and straightforward.

Key Management in the Cloud

Now you need a key manager that implements the EKM Provider interface, and you need a place to deploy that key manager. Our customers usually deploy Alliance Key Manager directly from the EC2 console and the AWS Marketplace when they want a dedicated key manager that runs within AWS. Alliance Key Manager runs in an EC2 instance, is dedicated to you (not shared with Amazon or us), and provides the EKM Provider software at no additional charge. You just: 

  • Launch Alliance Key Manager
  • Answer a few configuration questions
  • Download the certificates that SQL Server needs
  • Configure the EKM Provider
  • And activate it

In a short period of time you can fully protect SQL Server with strong encryption and proper key management.

Key Management Outside of the Cloud

Some Microsoft SQL Server users want full control of their encryption keys outside of the AWS cloud. This is incredibly easy! You can deploy Alliance Key Manager as a VMware instance in your on-premise data center, then configure the SQL Server EKM Provider to connect to the on-premise key server. The EKM Provider interface is exactly the same in all Alliance Key Manager platforms. You will need to set network permissions in AWS, and allow a connection to the on-premise key server, but that’s it. You can get key management outside the AWS cloud very easily. Additionally, if you initially deploy in the cloud and want to migrate to your own data center, that is also fast and easy.

Key Management Across AWS Regions

Many AWS customers deploy their applications in different AWS regions in order to achieve a higher level of resilience and reliability for failover. Alliance Key Manager can fully support this approach. You can deploy the production key manager in the same region as your AWS application, and deploy the failover key manager in the remote AWS region where your failover runs. Once configured, they will automatically synchronize the keys and access policy, and will give you an optimal, real time failover across the AWS region boundary. 

Business Continuity and High Availability

The key manager you deploy with SQL Server has to match the high availability strategy you use with SQL Server and your applications. This means the key manager has to fail over in real time. Alliance Key Manager mirrors keys in real time in an active-active configuration. If your database and applications are designed for continuous operation, Alliance Key Manager will give you the immediate failover support you need - and that can be cross-region, outside the cloud, and even across cloud service providers.

Unlimited Databases

Most of our Microsoft SQL Server customers run multiple applications and databases. Alliance Key Manager does not restrict the number of SQL Server databases that you connect to it, and there are no client-side licenses per database. You can encrypt your first database with Alliance Key Manager, and then add any number of additional databases at no charge. Alliance Key Manager does not count or limit the number of databases you protect. You can even protect other databases like MongoDB and MySQL using the same key manager. This is the way enterprise key management should work!

Cloud Independence - It’s real

Amazon Web Services provides a great number of cloud services for applications and storage. Unfortunately, most of the AWS services implement a proprietary interface. The result is cloud lock-in restricting your ability to easily move to other cloud platforms. A business opportunity, merger, acquisition and other events can be painful when you have cloud lock-in. Alliance Key Manager runs in a number of cloud and virtualized environments and will help you avoid cloud lock-in. Cloud independence is real.

Evaluations and Proof-of-Concept

At Townsend Security we know that key management is a part of your critical infrastructure. We make evaluations and Proof-of-Concept projects extremely easy. You can launch Alliance Key Manager for AWS directly from the AWS Marketplace, get access to Quick Start guides for SQL Server, and be up and running quickly. Alliance Key Manager will automatically license for a free 30-day evaluation period, and you will have access to our technical support group for assistance.

HINT: When you launch Alliance Key Manager from the AWS Marketplace, be sure to register with us. Amazon does not share your company information with us, so we won’t be able to help unless you register. Here is the link to register.

True Enterprise Key Management for SQL Server, dedicated to you, is a couple of clicks away right from the AWS Marketplace

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS), SQL Server

AWS and Key Management and Pricing

Posted by Patrick Townsend on Feb 4, 2020 8:42:06 AM

Ahhhh, Amazon Web Services (AWS) are so delightfully inexpensive, aren’t they? The AWS Key Management Service (KMS) is one of those really inexpensive services that many of us love to use. For many AWS customers AWS KMS isn’t even noticeable on your bill.

Or, is it?

New call-to-action Increased private data in the cloud requires more encryption keys. What happens when more and more projects are moved to the AWS cloud? Many organizations are assigning each database user their own key, which is a great strategy to deal with GDPR and CCPA. The number of keys starts to go up quickly, and your AWS KMS cost goes up with them. Here is something that happened to one of our customers who had a growing need for keys.

Here is something that happened to one of our customers who had a growing need for keys:

They decided to use a separate encryption key for each of their customers. The idea was to encrypt with an encryption key unique to each customer. When they needed to delete the customer data they only needed to delete the encryption key for that customer. With lots of customers they soon had thousands of encryption keys. And they were shocked when a really large Amazon bill came due for those keys. AWS charges $1.00 for each key and it adds up really fast. So some caution is in order.

Is there any way to avoid the high cost of AWS KMS for multiple keys?

Yes there is. Our Alliance Key Manager in AWS solution can be deployed right in the AWS cloud at a low monthly cost, with no charge per encryption key. Whether you need 10 encryption keys, or 100,000 encryption keys, the cost is the same. And we don’t count the number of endpoints, either. So, the cost remains the same even as you increase your data protection.

Besides a lower cost for key management, there are other benefits to deploying our key manager in AWS:

  • You have exclusive access to the key manager – unlike AWS KMS, it isn’t shared with Amazon (or us).
  • You can deploy redundant key managers (product and high availability) across different AWS geographic regions.
  • You can mirror your encryption keys from AWS to an on-premise key manager.
  • You can deploy replicating key managers across multiple clouds.
  • You have full support for encryption of databases like SQL Server, MySQL, MongoDB, and others.

When you need a lot of encryption keys in AWS, our Alliance Key Manager is a winner. We don’t charge per key, you have flexible options to deploy key management in the cloud and on premises, you will save a lot of money over AWS KMS, and you will have a dedicated Enterprise key management solution that you don’t share with anyone. You will be deploying a true cloud neutral key management solution.

Talk to us to find out more details about the benefits of deploying Alliance Key Manager for AWS for your organization.

Patrick

Encryption Key Management for AWS

Topics: Amazon Web Services (AWS)

Notice to Alliance Key Management users in AWS

Posted by Luke Probasco on Oct 11, 2018 11:36:59 AM

This week Amazon Web Services sent an email to our AWS customers informing them that Alliance Key Manager was no longer available in the AWS Marketplace. This email message was inaccurate and misleading. Townsend Security is committed to providing dedicated, compliant key management solutions to AWS customers, as well as to other cloud platform customers, and continues to make our solution available on the AWS Marketplace.

This is from the email message sent by Amazon:

We are writing to inform you that, as of 10 October 2018, Townsend Security will no longer offer "Alliance Key Manager for AWS" to new subscribers on AWS Marketplace.”

In fact, Townsend Security posted a new version of Alliance Key Manager on AWS this week, and withdrew the older version. The withdrawn version is Alliance Key Manager version 4.5. The new version is Alliance Key Manager version 4.6, which adds new support for VMware vSphere and vSAN encryption key management. You can find the current version of Alliance Key Manager in the AWS Marketplace here:

Both versions of Alliance Key Manager remain under full software support and maintenance. You can upgrade to the new version if and when you wish to.

Please be aware that Amazon prevents us from knowing your customer details when you use the fee-based offering on AWS. Unless you register with us we won't be able to inform you if we have important updates and security patches. If you are an Alliance Key Manager customer on AWS, please register with us here.

Our goal is to provide you with the best key management and encryption solutions on the AWS platform. You always have exclusive control of your encryption keys and – neither Amazon nor Townsend Security can manage or access your keys.

If you have any questions please contact us here.

Townsend Security

Encryption Key Management AWS

Topics: Alliance Key Manager, Amazon Web Services (AWS)

Who owns my encryption key in the Amazon AWS cloud?

Posted by Patrick Townsend on May 16, 2017 9:41:44 AM

One of the most frequent questions I receive about encryption in the AWS cloud is “Who owns the encryption keys in the cloud?” and “Does Amazon have access to my keys?” I understand why this is a confusing question. I also understand why the question is important to many Enterprise customers. Cloud service providers don’t like to talk about this very much, so let’s spend some time running this to ground. We’ll start with the question about Amazon’s access to your encryption keys.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop Amazon Web Services provides two encryption key management options:

  • AWS Cloud HSM
  • AWS Key Management Service (KMS)

The answer to the question of key ownership depends on which service you are using. Let’s deal with the easy one first.

The AWS Cloud HSM is a physical hardware security module (HSM) that is dedicated to you. It is physically located in an AWS regional cloud data center, but only you have administrative access to the key server. Amazon is clear on the topic of encryption key ownership with the Cloud HSM service: Only you have access to the keys. Of course, Amazon has physical access to the HSM in their data center, but I think we can trust Amazon’s claim that only you have access to the actual encryption keys in a Cloud HSM server.

Now let’s turn our attention to the AWS Key Management Service, or KMS. This is a multi-tenant service provided by Amazon which is backed by an Amazon hardware security module. That is, Amazon creates a key that is only used by you, but that key is protected (encrypted) by an Amazon managed HSM. When you create a key in KMS it is called a Customer Master Key, or CMK. The CMK is actually a data structure that contains your symmetric key and meta data about the key. The CMK is protected by an Amazon HSM key. So, the answer to the question about who owns your key is straight-forward: You and Amazon share ownership of the encryption key and that ownership is equal. You both can access the raw encryption key.

Recently Amazon introduced a new “Bring Your Own Key” option for the KMS service. Does this change anything about who has access to the key? No, you are bringing your own encryption key and loading it into the AWS KMS service as a part of a CMK, but it is still protected in the KMS service by an Amazon HSM key. This means that you and Amazon share equal ownership of the key and both of you have access to the key. The only difference with Bring Your Own Key is that you retain the actual value of the encryption key outside of the AWS cloud.

So, to summarize: The AWS Cloud HSM service provides dedicated encryption keys that only you have access to. The AWS Key Management Service provides encryption keys and both you and Amazon have access to the key.

So, why is this important? Here are some comments that Enterprise customers have shared with me:

In almost every country both law enforcement and national security agencies have legal means to compel a cloud service provider to surrender data related to cloud customers. Certainly in the US this is the case, and it is true in most other countries. In the US it is additionally true that law enforcement and national security agencies may access this information and prohibit the cloud service provider from notifying you – the customer – that access has been granted. Cloud service providers like Amazon and others naturally abide by the laws of the countries in which they operate. But this means that your encryption keys in AWS KMS can be surrendered without your knowledge. You may not like this aspect of your country’s legal system, but it is a fact of life.

Why is this of concern to Enterprise customers? It is because significant law enforcement or intelligence service activity concerning your employees or customers may take place without your knowledge. If you are an executive in a large Enterprise you really want to know if there are potential problems in your workforce, or significant problems with a customer or service provider. Questions like these might arise:

  • Do I have an employee engaging in illegal activity?
  • Do I have multiple employees colluding together to engage in illegal activity?
  • Is one of my customers engaging in criminal activity that may compromise my business?
  • Are there managers in my organization that are breaking the law?
  • Is there some activity that may significantly damage my business reputation?
  • How can I deal with a problem if I don’t know about it?

When your IT systems are physically located in your data center law enforcement and intelligence agencies have to contact you to get access to data. That is not the case in the cloud – you will be in the dark in many cases.

In my experience Enterprise customers will cooperate with their legal requirement to provide data to law enforcement. This is not a question of cooperating with legal requirements to surrender data in a criminal investigation. But Enterprise customers really want to know when significant legal events take place that affect their organizations.

The critical concern is visibility of law enforcement and intelligence service activity that affects you. For this reason many Enterprise customers will not use the AWS Key Management Service. And because they do not have physical access to the Amazon Cloud HSM devices, they will not use this dedicated encryption key management service either.

I hope this clarifies some of the issues related to the Amazon key management options. Of course, these issues are not exclusive to Amazon, the same issues are relevant to the Microsoft, IBM and Google cloud platforms. There are good alternative options to cloud encryption key management services and we will cover those in a separate blog.

Patrick

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

Topics: Amazon Web Services (AWS), Encryption Key Management

How Do I Find and Start Alliance Key Manager for Encryption Key Management in AWS?

Posted by Patrick Townsend on Sep 6, 2016 10:52:19 AM

For Amazon Web Services (AWS) users, encryption and key management has never been easier.  Townsend Security's Alliance Key Manager uses the same FIPS 140-2 compliant key management technology found in the company's HSM and in use by over 3,000 customers worldwide. In the AWS Marketplace, there are two entries for Alliance Key Manager – one is for the fee-based implementation and one is for the Bring Your Own License (BYOL) implementation. Both are identical in their key management functionality. If you only need one or two instances of Alliance Key Manager you can use the fee-based entry in the marketplace. If you are going to use more than a couple of instances of the key manager you may want to use the Bring Your Own License entry to launch the key manager. There are discounts available for multiple instances of Alliance Key Manager and the BYOL version may be less expensive.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop If you are logged into your AWS account you can directly launch Alliance Key Manager from the marketplace. Both licensing models support a free 30-day license to use the key manager. 

Before launching, you should determine if you want to run the key manager in the public AWS cloud, or if you want to run the key manager in a virtual private cloud (VPC).  The AWS virtual private cloud platform provides more isolation from other cloud customers and therefore a bit more security, if that is desired.

As you launch Alliance Key Manager in the AWS cloud you will need to select a region in which to run the key manager. Alliance Key Manager supports all of the AWS regions and you can run it anywhere. Your choice of regions may reflect your estimate of where you will have the greatest demand, or where you want critical key material to reside.

Once your AWS instance of Alliance Key Manager has been launched you can open an SSH session to the key manager to perform initial set up. You will change your password, create a set of server and client PKI certificates, indicate whether this instance of the key server is a primary or secondary mirror server, and create some initial unique encryption keys. After answering these questions you will have a fully functional, dedicated EC2 instance of Alliance Key Manager ready to use.

Alliance Key Manager comes with a full suite of software development kits (SDKs) and documentation, but the marketplace is limited to three documents. After you launch your AWS instance of the key manager please contact Townsend Security to register and get access to the AKM Supplemental documentation.  Unless you register at the Townsend Security web site it will not be possible to contact you and send you the documentation. There is no charge for access to the documentation.

The AWS license comes with customer support at the Basic level. This provides technical support and software updates via email during business hours. A Premium Support options is available that provides telephone and web support and includes 24/7/365 support for business interruption issues. Please visit the Townsend Security web site for more information about the Premium Support option and to register your instance of Alliance Key Manager for AWS.

At Townsend Security we want to provide you with a positive experience with our key management products and provide you the support you deserve. When you run our Alliance Key Manager in AWS we won’t know who you are because Amazon does not report that information. By registering at the Townsend Security web site you get access to documentation, SDKs and free support. And we can keep you up to date on the latest security patches and enhancements!

You can find more information about Alliance Key Manager in AWS here.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

 

Topics: Alliance Key Manager, Amazon Web Services (AWS)

How Do I Encrypt Data and Manage Encryption Keys Using Java in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 22, 2016 10:51:12 AM

eBook - Encryption Key Management Simplified If you are a Java developer you probably know that the Java language has full native support for AES encryption. You don’t need any third-party SDKs or add-ins to Java to use industry-standard, strong encryption. The standard Java APIs are based on industry standards and are very efficient. Don’t hesitate to use that built-in facility. You include it in your Java application like this:

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

Encryption key management is another story. To implement good encryption key management you will need to turn to an enterprise key management solution and their Java library to make this happen. Our Alliance Key Manager for AWS solution provides a Java SDK to help you with encryption key use. The Alliance Key Manager Java SDK lets you easily retrieve an encryption key for use in your application, or alternatively to send data to Alliance Key Manager on a secure connection where the encryption or decryption task can be performed directly on the key server. This encryption service is helpful in situations where you don’t want to expose the encryption key in your application or server environment.

Many developers use the Java Keystore (JKS/JCEKS) facility for storing encryption keys. The Java key store is more a key storage facility rather than a key management facility and rarely meets compliance regulations for separating keys from the data they protect, providing for separation of duties, and dual control. If you are currently storing encryption keys in a JKS repository you may want to consider moving them to true key management solution like Alliance Key Manager.

One of the advantages of the Alliance Key Manager SDK is the built-in high availability failover facility. By using the Alliance Key Manager SDK in the event of a network or other failure you automatically fail over to a secondary HA key server in real-time. This means your application keeps running even though a network or system error prevents access to the primary key server.

The Java SDK for Alliance Key Manager includes all of the support needed to make a secure connection to the key server, retrieve an encryption key, access the encryption and decryption services on Alliance Key Manager, and perform other common functions. By using the SDK the Java developer can avoid writing all of the code needed to perform these tasks – the work needed to retrieve an encryption key is reduced to a few lines of code.  We think this is a big bonus for the Java developer and helps make their lives easier. And sample source code will really speed along the process.

Here is an extract of the sample source code showing the retrieval of an encryption key from Alliance Key Manager, an encryption of some plaintext, and the decryption of that ciphertext:

// Note: Full sample source available (this is just an extract)

import javax.crypto.Cipher;

import javax.crypto.spec.IvParameterSpec;

import javax.crypto.spec.SecretKeySpec;


import com.townsendsecurity.akmcore.AkmException;

import com.townsendsecurity.akmcore.AkmUtil;

import com.townsendsecurity.akmcore.AkmRequest;


import com.townsendsecurity.akmkeys.AkmKeyRequest;

import com.townsendsecurity.akmkeys.AkmSymKey;


// The AKM configuration file

String sCfgFile = "/path/jakmcfg.xml"


// Create a key request object initialized from the configuration file

AkmKeyRequest keyRQ = null;

keyRQ = AkmKeyRequest.getInstance(sCfgFile);


// Define the key instance (version) name

String sInstance = "some-name"


// Retrieve the encryption key from Alliance Key Manager

AkmSymKey symkey = null;

symkey = keyRQ.retrieveSymKey(sKey, sInstance);


// Create a context

EncryptDecryptCBC cryptor = new EncryptDecryptCBC(symkey.getKeyBytes());


// Let’s encrypt some plaintext

byte[] ciphertext = null;

ciphertext = cryptor.encryptSymmetric(plaintext.getBytes());


// Let’s decrypt the ciphertext

byte[] plainbuf = null;

plainbuf = cryptor.decryptSymmetric(ciphertext);

There is no charge for the Java SDK and all Alliance Key Manager customers have access to the Java SDK and sample code. AWS customers must register on the Townsend Security web site to get access to the Java code. You can do that here.

Encryption Key Management Simplified eBook

Topics: Alliance Key Manager, Amazon Web Services (AWS), Encryption Key Management, Enryption

How Can I Be Sure I Never Lose My Encryption Keys in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 12, 2016 11:00:00 AM

As organizations move to the cloud, the topics of encryption and key management are top concerns.  "How can I be sure that I never lose my encryption keys?" is one that we hear a lot.  With Alliance Key Manager (AKM), Townsend Security's FIPS 140-2 compliant encryption key manager, you never have to worry about that! There are several layers of protection that help put this worry to rest. Let’s take a look at them in order.

Backup and Restore

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop The first layer of protection is that Alliance Key Manager gives you a complete backup and restore facility -including both a manual and automated facility. At any time you can run the manual backup operation to back up your key database, certificates, configurations and access control definitions. This backup can be sent to your own secure server either in the AWS cloud or in your own data center. You can also create the backup image and download it directly to your own server for safekeeping.

Alliance Key Manager also supports the ability to automatically backup to a secure server at an interval you specify. You can back up your encryption keys daily, weekly, monthly or at an interval you specify. Secure off-line backup is the first layer of protection.

High Availability

Most of our customers in AWS will deploy a second instance of Alliance Key Manager as a high availability failover key server. You can deploy the HA instance of the key server in a different region, or even completely outside of the AWS cloud. Once you deploy the secondary HA instance of the AKM key server you can start mirroring your data keys from the primary production instance of the key server to this secondary HA instance of the key server. Keys and access policies are securely mirrored in real time and the mirror architecture is active-active. This means that if you fail over to the secondary key server, create keys or make changes to key access policies, these will be mirrored back to the production key server in real time. Key mirroring provides a second layer of protection from key loss.

For customers concerned about protection from failures of the AWS cloud platform itself, you can mirror encryption keys to a key server outside of the AWS cloud. That secondary mirror key server can be located in your data center, in another cloud service provider platform, or in a hardware security module (cloud HSM) in a hosting center. Note that there is no limit to the number of backup mirror key servers that you can configure. Alliance Key Manager supports a many-to-many architecture for key mirroring.

Export Encryption Keys

A third layer of protection is provided by the key export facility of Alliance Key Manager. You can securely export individual encryption keys to your own internal systems. The key export facility also provides you with the ability to share an encryption key with another user or organization.

Separation of Duties & Dual Control

Using Separation of Duties and Dual Control can provide a fourth layer of protection for encryption keys. This level of protection is especially helpful for protecting from insider threats. You can create a separate AWS account for use by your security administrators to create and manage encryption keys. These key management administrators would have no access to normal AWS instances where you store sensitive data, and your normal AWS administrators would have no access to the key management account. By activating Dual Control in Alliance Key Manager at least two security administrators need to authenticate to the server to make changes or delete encryption keys.

Stand-alone Instance

Lastly, Alliance Key Manager runs as a stand-alone EC2 instance in the AWS cloud. You are automatically taking advantage of the security, resilience and recoverability provided by Amazon. Always use good AWS account security and management practices to help protect your sensitive data and encryption keys!

It may theoretically be possible to lose an encryption key, but you are going to have to work very hard to do so! Alliance Key Manager takes the fear of key loss out of your encryption strategy in AWS.

You can find more information about Alliance Key Manager for AWS here.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

Topics: Amazon Web Services (AWS), Encryption Key Management

Who Has Access to My Encryption Keys in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 5, 2016 9:23:56 AM

One of the most common questions we get here at Townsend Security is something like “Who has access to my encryption keys in AWS?” It is a natural question to ask and it can be hard to determine the answer to this question with many key management solutions - including the key management services provided by Amazon. Let me try to answer this question for our Alliance Key Manager for AWS.

eBook: Definitive Guide to Encryption Key Management Alliance Key Manager for AWS runs as a stand-alone EC2 instance in Amazon Web Services. There is no component of Alliance Key Manager that is shared by other users of AWS, and there is no component of Alliance Key Manager that uses encryption key management services provided by Amazon in AWS. Neither Amazon nor Townsend Security hold any credentials that grant access to the key manager solution, and there are no “backdoors” to the key manager. You, the AWS customer, solely and exclusively manage it.

Encryption keys in Alliance Key Manager are managed by the Alliance Key Manager Administrative Console. This is an application that you install on your PC and which accesses one or more instances of Alliance Key Manager in AWS. While you could install the administrative console in an EC2 instance in AWS, we recommend that you install it on a secure PC outside of AWS. You maintain full control over the application used to manage keys.

The administrative console connects to Alliance Key Manager over a secure TLS session using certificates that are issued by the Alliance Key Manager instance. That is, only administrators using PKI certificates known and authenticated by the specific key manager are allowed to perform management functions.

The use of encryption keys by applications or users inside of AWS or outside of AWS is likewise controlled by secure TLS sessions that are also validated to the specific key manager instance and certificate authority. Just having a valid certificate from Verisign or other certificate authority is not adequate to gain access to encryption keys.

An additional layer of encryption key access control allows you to restrict an encryption key to a user or group as defined on the client-side certificate. This level of key access control leverages to Common Name (CN) and Organizational Unit (OU) of the client-side certificate to control access to a key. If you specify that a key can only be accessed by user “Bill” in the group “Sales”, then Alliance Key Manager will inspect the connecting session to be sure that the certificate Common Name contains the value “Bill” and that the certificate Organizational Unit is “Sales”. Access is denied unless this rule is met.

Lastly, if an unauthorized user gains access to the Alliance Key Manager encryption key database they will not have access to the actual encryption keys. Data encryption keys (DEK) are encrypted by key encryption keys (KEK) which are stored separately. A stolen backup or copied key database file will be insufficient to gain access to the encryption keys.

You should be aware that any cloud service provider has low level access to your virtual machines and storage. That is true of Amazon’s cloud platform as it is with any other cloud platform. And you should also be aware that Amazon and other cloud service providers must obey the laws and regulations of the countries in which they operate. You cannot exclude the possibility that Amazon will provide access to your key management EC2 instance if required to do so under the law. In some countries this means that law enforcement organizations, national security agencies, and other governmental actors may have access to your encryption keys. And, while very unlikely, you cannot exclude the chance that an Amazon employee might make an unauthorized access to the EC2 instance of your key server. If these possibilities make you feel uncomfortable you should consider hosting your key management server outside of AWS. Townsend Security's Alliance Key Manager solution can be hosted in your data center or in a hosting facility that you designate for this and provide keys to your AWS applications.

You can find more information about Alliance Key Manager for AWS here.

eBook: Definitive Guide to Encryption Key Management

 

Topics: Alliance Key Manager, Amazon Web Services (AWS), Encryption Key Management

Data Protection in the Cloud & PCI DSS - Logs and Log Monitoring (Part 3)

Posted by Patrick Townsend on Mar 18, 2015 9:16:00 AM

This is the third part in our series looking at recent announcements by Amazon, Microsoft and other cloud service providers regarding new encryption and key management services. Let’s talk about log collection and active monitoring as a security best practice, and as a requirement to meet PCI DSS security requirements. Since the PCI DSS guidelines implement common security best practices, they are a good starting point for evaluating the security of any application and platform that processes sensitive data. Following the practice of the first part of this series we will use the PCI document “PCI DSS Cloud Computing Guidelines, Version 2.0” as our reference point, and add in some other sources of security best practices. Even if you don’t have to meet PCI data security requirements, this should be helpful when evaluating your security posture in the cloud.

Download Whitepaper on PCI Data Security

Collecting system logs and actively monitoring them is a core component of every cyber security recommendation. Cybercriminals often gain access to IT systems and go undetected for weeks or months. This gives them the ability to work on compromising systems and stealing data over time. Active monitoring is important in the attempt to detect and thwart this compromise.

Here is what PCI says about active monitoring in Section 10 of the PCI DSS (emphasis added):

Review logs and security events for all system components to identify anomalies or suspicious activity.

Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed.

In recognition of the importance of ongoing, active monitoring the National Institute of Standards and Technology (NIST) provides this guidance in their Special Publication 800-137 “Information Security Continuous Monitoring (ISCM)” guidance:

The Risk Management Framework (RMF) developed by NIST, describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts.

And active monitoring is a component of the SANS Top 20 security recommendations:

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.

Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.

This is why actively collecting and monitoring system and application logs is critical for your security strategy.

Implementing this critical security control in a cloud environment presents some special challenges. Here is what the PCI cloud guidance says:

Additionally, the ability to maintain an accurate and complete audit trail may require logs from all levels of the infrastructure, requiring involvement from both the CSP and the client. For example, the CSP could manage system-level, operating-system, and hypervisor logs, while the client configures logging for their own VMs and applications. In this scenario, the ability to associate various log files into meaningful events would require correlation of client-controlled logs and those controlled by the CSP.

It is not enough to collect logs from a few selected points in your cloud application environment. You need to collect all of the logs from all of the components that you deploy and use in your cloud application. This is because the effectiveness of active monitoring depends on the correlation of events across your entire application, database, and network and this includes the cloud providers systems and infrastructure. Here is what ISACA says about security event correlation:

Correlation of event data is critical to uncover security breaches because security incidents are made up of a series of events that occur at various touch points throughout a network--a many-to-one process. Unlike network management, which typically is exception-based or a one-to-one process, security management is far more complex. An attack typically touches a network at multiple points and leaves marks or breadcrumbs at each. By finding and following that breadcrumb trail, a security analyst can detect and hopefully prevent the attack.

Your encryption key management system is one of those critical system components that must be monitored and whose events should be aggregated into a unified view. Key management logs would include encryption key establishment and configuration, encryption key access and use, and operating system logs of every component of the key management service. You should be able to collect and monitor logs from all parts of your applications and cloud platform.

Unfortunately, current key management services from cloud providers only provide a very limited level of access to critical component logs. You might have access to a limited audit trail of your own access to encryption keys, but no access to the key service system logs, HSM access logs, HSM audit logs, or HSM operating system logs. Without access to the logs in these components it is not possible for you to implement an effective log collection and active monitoring strategy. You are working in the dark, and without full access to all logs on all components of your cloud key management service you can’t comply with security best practices for log collection, correlation, and active monitoring.

Since key management systems are always in scope for PCI audit and are extensions of your application environment it is difficult to see how these new cloud key management services can meet PCI DSS requirements for log collection and monitoring as currently implemented.

Does this mean you can’t implement security best practices for key management in the cloud? I don’t think so. There are multiple vendors, including us (see below), who offer cloud key management solutions that provide full access to key management, configuration, key usage, application, and operating system logs.  You can deploy a key management service that fully supports security best practices for log collection and monitoring.

In part 4 of this series we’ll look at the topic of key custody and multi-tenancy and how it affects the security of your key management solution in the cloud.

Patrick


Resources

Alliance Key Manager for AWS

Alliance Key Manager for Azure

Alliance Key Manager for VMware and vCloud

Alliance Key Manager for Drupal

 

download the Whitepaper: Meet the Challenges of PCI Compliance

Topics: PCI DSS, Amazon Web Services (AWS), logging, cloud, Microsoft Azure

Understanding the Challenges of Data Protection in AWS

Posted by Michelle Larson on Mar 13, 2015 10:40:00 AM

An excerpt from the latest white paper “How to Meet Best Practices for Protecting Information in AWS” by Stephen Wynkoop, SQL Server MVP, Founder & Editor of SSWUG.org

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop Working in the cloud presents several challenges unique to that environment, including significant growth and change in the area of data protection and encryption. There is much confusion about what is - and is not - encrypted and protected.  This encryption of information, and the management of the keys and access controls is a core objective of this paper. If you can render information useless if accessed illegitimately, you have successfully addressed a whole host of regulations, compliance and best practices.

The very definition of protection by cloud providers is an important part of understanding the requirements and challenges of your configurations and information protection. AWS approaches data protection in several ways that impact your systems. The first is the configuration and design of your infrastructure. This consideration includes establishing Virtual Private Clouds (VPC) and providing for encryption of some information stores. The challenge exists in understanding the protection of these information stores and determining what you need to do to bring these protections in line with your requirements and compliance areas.

As you consider your systems, data protection will come down to several important areas:

  • Physical access controls – This refers to the doors, secure access controls and other protections at the physical server and server room level.
  • Logical access controls for your systems – These are the controls you put in place to prevent unwanted access to information.
  • Data access – Data access controls are typically enforced at the information stores level.
  • Protection of data in case of a breach – This is addressed by making the information in your systems unusable if accessed in a way that is unwanted.

Stephen’s white paper also covers the impact on data protection in public vs. private clouds, security fundamentals in AWS, and the best practices for deploying an encryption key management solution including:

  • Segregation of Duties
  • Dual Control and Split Knowledge
  • Key Creation (and understanding strong keys)
  • Key Rotation
  • Protection of Keys
  • Access Controls and Audits (Logging)

In his white paper, Stephen also discusses cloud-provider-based key management services and some of the important features, options, questions, and concerns that should be considered before selecting a service or a key management solution. Some important aspects to understand are:

  • Control, Ownership, and Access - By managing your own encryption services and providing for industry-compliant key management and data protection practices, you help ensure that your data remains managed by your own secure keys.
  • Multi-Tenancy and Key Management - In a worst case scenario it’s possible that keys could be compromised.
  • Access to Keys - Many systems and architectures are based on hybrid solutions. Cases where there are systems on-premises combined with systems in the cloud are areas that will be problematic with the AWS services. Systems not on the AWS hosted services will not have access to the key management services on AWS.

There are many different considerations when thinking about the choices in your key management solution. Be sure to fully understand logs, key management, backups and other elements that provide the utility you require. Finally, be sure you’re checking for proper compliance and certification of the solutions you are considering. It is important that any solution you choose has been through a FIPS 140-2 validation, and that you have a full understanding of any PCI, HIPAA or other regulatory body requirements.

Please download the full document to learn more about protecting information in Amazon Web Services and how Townsend Security’s Alliance Key Manager for AWS provides a FIPS 140-2 compliant encryption key manager to AWS users who need to meet data privacy compliance regulations and security best practices.

How to Meet Best Practices for Protecting Information in AWS by Stephen Wynkoop

Topics: Best Practices, Amazon Web Services (AWS), Encryption Key Management, White Paper, SSWUG, Cloud Security