EBS Encryption: Enhancing the Amazon Web Services Offering with Key Management

Wednesday, July 23, 2014

Gilad Parann-Nissany


Amazon Web Services is making great strides in securing its customers' stored data, their “data at rest.” We have seen two recent announcements:

  • Amazon announced S3 Server-Side Encryption with Customer-Provided Keys (which goes by the not-quite-catchy acronym SSE-C). Previously, a user could tell S3 to encrypt data as soon as it was stored, but Amazon managed the encryption keys and they were never exposed to the customer. With this new feature, users supply those keys themselves; Amazon uses them while “touching” the data, but does not keep them.
  • In another blog post, Amazon announced that Elastic Block Store (EBS) volumes can now be encrypted, but cryptographic keys are managed by Amazon.

Both of these announcements make it easier to encrypt data at rest, improving the security of cloud applications. But something is clearly missing from the second announcement, and the press was quick to point it out: in two words – key management.

Many, perhaps most, AWS customers use EBS volumes to store sensitive data: databases, image files, what have you. With Amazon's new solution, customers will be able to encrypt this data. But the encryption keys will be persisted somewhere on Amazon's infrastructure. This creates a couple of irresistible targets for hackers.

  • One point worthy of attention is a bit of a doomsday scenario. The AWS key storage is a “single point of secrets” holding keys for all customers, for the duration of their disk volumes' lifetime. If someone, a rogue AWS insider or a hacker, could get access to the key storage, the results would be catastrophic. They would be able to decrypt any of the encrypted EBS volumes, of any Amazon customer!
  • The second, less sweeping but perhaps more likely, scenario is an attacker who obtains credentials to a customer account, snapshots an EBS disk and attaches the copy to a new EC2 instance. Despite the EBS disk being encrypted, once it is attached to an EC2 instance its contents can be copied out in the plain: AWS automatically provisions the instance with the decryption keys. This scenario surprises many customers, who believe that encryption should protect them from such a simple attack.
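The second scenario leaves a recognisable trail in CloudTrail: a CreateSnapshot, then a CreateVolume from that snapshot, then an AttachVolume of the new volume, all by the same principal within a short window. The following is an added detection example written for this post, not code from the original article, from AWS or from Porticor; the event records are constructed CloudTrail-style samples with hypothetical account, user, volume, snapshot and instance IDs, and the function names are my own.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for illustration (hypothetical account,
# user, volume, snapshot and instance IDs); not real AWS output.
SAMPLE_EVENTS = [
    {"eventTime": "2014-07-23T10:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"volumeId": "vol-0aaaa"},
     "responseElements": {"snapshotId": "snap-0bbbb"}},
    {"eventTime": "2014-07-23T10:04:00Z", "eventName": "CreateVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"snapshotId": "snap-0bbbb"},
     "responseElements": {"volumeId": "vol-0cccc"}},
    {"eventTime": "2014-07-23T10:06:00Z", "eventName": "AttachVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"volumeId": "vol-0cccc", "instanceId": "i-0dddd"},
     "responseElements": {}},
    # A routine backup snapshot that is never turned into a volume: no alert.
    {"eventTime": "2014-07-23T11:00:00Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup"},
     "requestParameters": {"volumeId": "vol-0eeee"},
     "responseElements": {"snapshotId": "snap-0ffff"}},
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_snapshot_remount_chains(events, window=timedelta(hours=1)):
    """Flag CreateSnapshot -> CreateVolume (from that snapshot) -> AttachVolume
    chains completed within `window`. Returns one dict per completed chain."""
    snapshots = {}    # snapshotId -> (principal, source volumeId, time)
    new_volumes = {}  # volumeId created from a tracked snapshot -> snapshotId
    alerts = []
    for e in sorted(events, key=lambda e: _parse_time(e["eventTime"])):
        name = e["eventName"]
        who = e["userIdentity"]["arn"]
        t = _parse_time(e["eventTime"])
        req = e.get("requestParameters") or {}
        resp = e.get("responseElements") or {}
        if name == "CreateSnapshot":
            snapshots[resp["snapshotId"]] = (who, req["volumeId"], t)
        elif name == "CreateVolume" and req.get("snapshotId") in snapshots:
            new_volumes[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume" and req.get("volumeId") in new_volumes:
            snap = new_volumes[req["volumeId"]]
            creator, src_vol, t0 = snapshots[snap]
            if t - t0 <= window:
                alerts.append({
                    "principal": who,
                    "snapshot_creator": creator,
                    "source_volume": src_vol,
                    "snapshot": snap,
                    "new_volume": req["volumeId"],
                    "instance": req["instanceId"],
                    "elapsed_minutes": (t - t0).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in find_snapshot_remount_chains(SAMPLE_EVENTS):
        print("ALERT: encrypted volume cloned and mounted:", a)
```

The window is deliberately a parameter: legitimate restore workflows also produce this chain, so in practice you would tune it, exclude known backup roles, and treat an alert as a prompt to check whether the principal's credentials were expected to do this at all.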

In contrast, when customer-side key management is supported, the customer can decide how to protect their data encryption keys based on customer-specific risk assessment. If needed, different keys can be protected differently. For example, some highly sensitive keys may be kept off-line when not in use.

Customers can decide whether to use hardware-based key management solutions (Hardware Security Modules, HSMs) or whether they prefer pure software approaches that rely on cryptographic techniques to secure the keys. Some interesting new mathematical approaches, such as Homomorphic Key Management or Split Key Encryption, are also becoming available. Customers can establish access control policies that fit the way they do business. Keys can be farmed out to specific users, user groups or indeed to customers of Amazon's customers.
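To make the two preceding paragraphs concrete, here is an added, simplified illustration of the split-key idea; it is my own sketch, not the original article's code and not the implementation of any AWS or Porticor product. The data-encryption key is split into two XOR shares, one held by the customer (possibly off-line, as the text suggests) and one stored alongside the volume on the provider side, so that a leak of the provider-side key store yields nothing usable. The stream cipher is an HMAC-SHA256 counter-mode stand-in for the AES mode a real volume encryptor would use, and all function names and sample data are constructed for this example.

```python
import hashlib
import hmac
import os


def split_key(dek):
    """Split a data-encryption key into two XOR shares. Each share on its own is
    a uniformly random string that reveals nothing about the DEK."""
    provider_share = os.urandom(len(dek))
    customer_share = bytes(d ^ p for d, p in zip(dek, provider_share))
    return customer_share, provider_share


def combine_shares(customer_share, provider_share):
    """Recover the DEK; only possible when both shares are present."""
    return bytes(c ^ p for c, p in zip(customer_share, provider_share))


def keystream_xor(key, nonce, data):
    """Illustrative counter-mode stream built from HMAC-SHA256 (encrypt and
    decrypt are the same operation). A real volume encryptor would use AES in
    XTS or CTR mode; the key-split logic around it is unchanged."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, out))


def encrypt_volume(plaintext, dek, nonce):
    return keystream_xor(dek, nonce, plaintext)


def decrypt_with_both_shares(customer_share, provider_share, nonce, ciphertext):
    """The legitimate path: the customer contributes its share (kept off-line or
    under its own access policy) and the provider contributes the stored share."""
    return keystream_xor(combine_shares(customer_share, provider_share), nonce, ciphertext)


def decrypt_with_provider_share_only(provider_share, nonce, ciphertext):
    """What a compromised provider-side key store yields: one share, no DEK."""
    return keystream_xor(provider_share, nonce, ciphertext)


def demo(plaintext=b"customer database page 0001", dek=None, nonce=None):
    """Run the whole scenario and report who can read the volume."""
    dek = dek or os.urandom(32)      # constructed sample key
    nonce = nonce or os.urandom(16)  # constructed sample nonce
    ciphertext = encrypt_volume(plaintext, dek, nonce)
    customer_share, provider_share = split_key(dek)
    return {
        "both_shares_recover":
            decrypt_with_both_shares(customer_share, provider_share, nonce, ciphertext) == plaintext,
        "provider_alone_recovers":
            decrypt_with_provider_share_only(provider_share, nonce, ciphertext) == plaintext,
        "customer_alone_recovers":
            keystream_xor(customer_share, nonce, ciphertext) == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the text makes about the “single point of secrets”: with the key split, the provider-side store is no longer enough on its own, and the customer decides, per key, where and how its share lives.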

Amazon Web Services has clearly gotten the message that customers require more control of their encryption keys, and has added this capability to the S3 infrastructure. In fact the S3 solution is extremely easy to use, and can be integrated with key management solutions in a matter of minutes. So we can definitely hope AWS will move in the same direction with EBS.

Full disk encryption is becoming more and more popular in cloud settings, and some of the smaller clouds, like Google Compute Engine, have supported it for a while. Amazon is a bit late to this game, and should lead the way in enabling customer control of encryption keys. Some customers will never move sensitive data to the cloud. At the other extreme there are cloud customers who would prefer to leave everything to the cloud provider, even at the cost of reduced security and loss of control. But surveys show that the majority of security-aware customers are somewhere in the middle: they would like the benefits of a well-managed cloud infrastructure, along with the flexibility of managing their own data security.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
