CloudHSM Deep-Dive. Dave Walker Specialised Solutions Architect Security/Compliance Amazon Web Services UK Ltd

Size: px

Start display at page:

Download "CloudHSM Deep-Dive. Dave Walker Specialised Solutions Architect Security/Compliance Amazon Web Services UK Ltd"

Lenard Austin
6 years ago
Views:

CloudHSM Tamper-Proof and Tamper-Evident Destroys its stored keys if under attack FIPS 140-2 Level 2 certified Base

backed-up (ideally to HSM on customer premises) Can be (and should) be combined in HA clusters Is NOT a key management

2 CloudHSM Tamper-Proof and Tamper-Evident Destroys its stored keys if under attack FIPS Level 2 certified Base position is to be a Keystore Can also be used to timestamp documents You can send data for encrypt / decrypt Needs to be backed-up (ideally to HSM on customer premises) Can be (and should) be combined in HA clusters Is NOT a key management system but can work with some third-party ones Communicates via: PKCS#11 JCE Some applications need a plugin Safenet have one for Apache

3 CloudHSM Integration with S3, EBS, EC2 S3 Integration using SafeNet KeySecure on EC2 White paper at EBS and EC2 Use SafeNet KeySecure (6.1.2 or later) on EC2, backed by CloudHSM, for key management Install SafeNet ProtectV Manager on EC2 (c1.medium / m1.medium) Install ProtectV Client on EC2 instances Use ProtectV for EBS volume encryption (ext3, ext4, swap) Supported platforms: RHEL 5.8, 6.2, 6.3 CentOS 6.2 Microsoft Windows 2008, 2012 Encrypt full EBS-backed EC2 instances, including root volumes

4 AWS Databases and CloudHSM Redshift: When using CloudHSM Redshift gets cluster key from HSM Redshift generates a database key and encrypts it with the cluster key from the CloudHSM Redshift encrypts data with the database key Redshift supports re-encryption RDS RDS / Oracle EE can use CloudHSM to store keys as per Oracle Wallet So TDE can be HSM-backed Note that in-memory database contents (once the database has been unlocked) are cleartext RAM encryption is not something AWS has today, but it has been done in other contexts Homomorphic encryption Proof-of-concept with KVM

5 SafeNet Product Support for AWS SafeNet Product AWS Service(s) Supported Notes ProtectV and Virtual KeySecure for AWS EC2 or VPC Instances and EBS Storage GovCloud (Beta) Requires Safenet KeySecure (HW or Virtual) Available in AWS MarketPlace, as well as SafeNet sales channels Virtual KeySecure for AWS CloudHSM Available in AWS Marketplace CloudHSM supports Virtual KeySecure as the hardware root of trust for vks master keys StorageSecure AWS Storage Gateway Safenet KeySecure Hardware (optional) iscsi integration (however StorageSecure also supports CIFS, NFS, FTP, TFTP and HTTP protocols.) Luna SA 7000 HSM CloudHSM RedShift RDS (via 3 rd party vendor) High availability Key synchronization Key Management Luna Backup HSM CloudHSM Key backup ProtectApp S3 and EBS volumes Can be integrated with Amazon S3 Encryption Clients and AWS SDKs (Java and.net) Requires SafeNet KeySecure (HW or virtual) Can be installed on an EC2/VPC instance to protect data stored on EBS volumes. ProtectFile EBS volumes and S3 Requires SafeNet KeySecure (HD or Virtual)

6 Difference between CloudHSM and KMS CloudHSM Single-tenant HSM Customer-managed durability and availability Customer managed root of trust FIPS Validation Broad third-party app support Symmetric and asymmetric ops High fixed price ($16.5k/yr/hsm) KMS Multi-tenant AWS service Highly available and durable key storage and management AWS managed root of trust Extensive auditing Broad support for AWS services Symmetric encryption only Usage-based pricing

7 Why Customers Choose CloudHSM Reasons include: Control Complete control of encryption keys, AWS cannot access key material Fine-grained control of how AWS assets can use your keys Compliance FIPS level 2 or 3 certification Common Criteria EAL4 certification Performance/Availability When required, local CloudHSM much better than on-prem Network transit times Usage patterns

8 Customer Control Over Keys Three reasons for this requirement Regulatory (hard), Policy (soft) and Trust (soft) Soft requirements may be addressed by threat modelling KMS can be simpler and less expensive for customer to use Important to engage customer s governance resources With CloudHSM, customers have absolute control and authority over keys through separation of duties

9 Separation of Duties AWS manages the appliance Customer control keys and crypto operations CloudHSM Separation of duties is enforced by the HSM appliance itself, using RBAC

10 Third-Party Compliance Validation Requirements PCI or other vertical-specific security standard Government workloads (US, Canada, and others) Enterprise policies increasingly require FIPS validation CloudHSM uses SafeNet Luna SA 7000 appliances FIPS Level 2 Validated Common Criteria EAL4 Validated

11 Performance/Availability Advantages Customers may have existing on-prem HSMs Applications that require HSM access could leverage on-prem HSMs over VPN or DX Latency and availability characteristics of VPN or DX make CloudHSM desirable

12 Amazon Really Can t Access Keys AWS has appliance admin to the HSM Luna SA separates appliance admin from security officer Customer initializes HSM themselves via SSH AWS never sees partition credentials Device is automatically wiped if unauthorised access attempted Bottom line you don t have to trust AWS, you are trusting the HSM vendor (SafeNet) and and third party FIPS/CC validations

13 Operations Each HSM is dedicated to one customer No sharing or partitioning of the appliance Customer is responsible for operating the HSMs in HA mode SafeNet Client handles replication to multiple HSMs (up to 16) SafeNet Client load balances across available HSMs Password authentication controls access to the HSM PEDs (Pin Entry Devices) are not currently supported AWS monitors & manages the devices and network infrastructure See FAQ and Technical docs for additional details

14 CloudHSM Public API and SDK Self-service provisioning and management now supported through a public API CreateHSM and DeleteHSM to provision and terminate HSMs ModifyHSM permits changing the network configuration as well as setting up syslog forwarding ListHSMs and DescribeHSM allow discovery and querying of provisioned HSMs ListAvailableZones provides visibility into where CloudHSM capacity is available

15 CloudHSM Command Line Interface (CLI) Tools Provisioning and de-provisioning Easy to provision an HSM, intialise it, clone keys from existing HSMs Easier HSM management Lots of automation in the CLI to reduce management effort Simpler HA configuration Help you build and maintain HSM high availability (HA) configurations From 9 manual steps, interacting with appliance shell directly To 2 simpler steps: create-hapg, add-hsm-to-hapg (for each HSM) Source code available via open source license

16 CloudHSM for RDS Oracle TDE Transparent data encryption support for RDS Oracle databases Store master encryption keys in CloudHSM instances High availability support for two or more HSMs Up to 20 separate databases per HSM

17 Auditing CloudTrail Track resource changes Audit activities for security and compliance purposes Review all CloudHSM API calls Syslog Audit operations on the HSM appliance Send syslog to customer-built and managed collector

18 CloudHSM Use Cases

19 EBS Volume Encryption Customer Applications SafeNet ProtectV Client SafeNet KeySecure Master key stored in CloudHSM SafeNet ProtectV & KeySecure Instances with ProtectV client authenticate to KeySecure ProtectV client encrypts all I/O to EBS volume (AES256) CloudHSM Availability Zone

20 Redshift Encryption Cluster master key in CloudHSM Direct integration no client software required AWS CloudHSM Amazon Redshift Cluster Your encrypted data in Amazon Redshift Your applications in Amazon EC2

Database Encryption (non-rds) Customer-managed database in EC2 Oracle 11g & 12c with Transparent Data Encryption (TDE) Microsoft SQL Server 2008 & 2012 with

21 Database Encryption (non-rds) Customer-managed database in EC2 Oracle 11g & 12c with Transparent Data Encryption (TDE) Microsoft SQL Server 2008 & 2012 with TDE AWS CloudHSM Master key is created in the HSM and never leaves Your database with TDE in Amazon EC2 Your applications in Amazon EC2 Master key in CloudHSM

22 Custom Software Applications Architectural building block to help you secure your applications Use standard libraries, with back-end HSM rather than software-based crypto PKCS#11, JCA/JCE, Microsoft CAPI/CNG/EKM Code examples and details in the CloudHSM User Guide make it easier to get started

23 Other Use Cases Customer use cases continue to emerge: Enterprises using on-prem HSMs and want to move these workloads to the cloud Startups who want to offer high assurance services and achieve compliance Enterprises who are not using HSMs for some of their on-prem apps but who want to use HSMs for these apps in the cloud Examples: Object encryption Digital Rights Management (DRM) Document signing, secure document management & secure document repository Payments, financial applications & transaction processing Privileged account management Certification authority (CA)

24 Using CloudHSM

25 Detailed Examples Building the CloudHSM Environment Configuring High Availability Integrating with RDS

26 Building a CloudHSM Environment Create customer infrastructure using CF template Install the CLI Tools Provision HSMs Initialise HSMs

27 Create Infrastructure with CF

28 Create Infrastructure with CF Lookup your AZ identifiers on the EC2 Dashboard, and use those names

29 Install CLI Tools on Control Instance SSH to control instance deployed by CF Template Download and install the CloudHSM CLI Tools # Install python 2.7 sudo yum install python27 wget sudo python2.7 ez_setup.py # Download and install the CloudHSM CLI Tools wget sudo easy_install-2.7 -s /usr/local/bin CloudHsmCLI-beta.egg cloudhsm version { "Version": <version>" } Assign an IAM role to your instance to permit CloudHSM API access

30 Provision HSMs Create two HSMs (one for each subnet) $ cloudhsm -c cloudhsm.conf create-hsm --ssh-public-key-file cloudhsm_ssh.pub --iam-role-arn arn:aws:iam:: :role/cloudhsm-fra-cloudhsmrole- 1ZEAT0Z2PB8P --subnet-id subnet-d244b0bb { "HsmArn": "arn:aws:cloudhsm:eu-central-1: :hsmf32462d6", } "RequestId": "e55c9da1-7b5b-11e dd57de14ff9c"

31 Provision HSMs Describe status, wait until status changes from PENDING to RUNNING $ cloudhsm -c cloudhsm.conf describe-hsm -H arn:aws:cloudhsm:eu-central-1: :hsmf32462d6 { "EniId": "eni-047fbd6d", "EniIp": " ", "HsmArn": "arn:aws:cloudhsm:eu-central-1: :hsm-f32462d6", "IamRoleArn": "arn:aws:iam:: :role/cloudhsm-fra-cloudhsmrole-1zeat0z2pb8p", "Partitions": [], "RequestId": "2179b6f0-7b5c-11e4-a252-9d68fcf58947", "SerialNumber": "472673", "SoftwareVersion": " ", "SshPublicKey": ", "Status": RUNNING", "SubnetId": "subnet-d244b0bb", "SubscriptionStartDate": " T02:18:56.292Z", "SubscriptionType": "PRODUCTION", "VendorName": "SafeNet Inc." }

32 Provision HSMs Look for ENI CloudHSM Managed Interface, DO NOT DELETE! in the description

33 Provisioning HSMs Change the ENI security group to the one with the description Allows SSH and NTLS from the public subnet

34 Initialize the HSM $cloudhsm -c cloudhsm.conf initialize-hsm -H arn:aws:cloudhsm:eu-central-1: :hsm-f32462d6 - -label hsmlabel --cloning-domain cloningdomain --sopassword sopassword { } "Status": "Initialization of the HSM successful"

35 Configure High Availability Create an HAPG (high availability partition group) $ cloudhsm -c cloudhsm.conf create-hapg --group-label Partition_001 Partition_001 { "HapgArn": "arn:aws:cloudhsm:eu-central-1: :hapg- 8e3be050", } "RequestId": "ce3e1b17-7b64-11e4-a252-9d68fcf58947"

36 Configure High Availability Add the HSMs to the HAPG cloudhsm -c cloudhsm.conf add-hsm-to-hapg -H arn:aws:cloudhsm:eu-central-1: :hsm-f32462d6 -- hapg-arn arn:aws:cloudhsm:eu-central-1: :hapg- 8e3be050 --cloning-domain cloningdomain --partition-password partitionpassword --so-password sopassword { "Status": "Addition of HSM arn:aws:cloudhsm:eu-central- 1: :hsm-f32462d6 to HAPG arn:aws:cloudhsm:eucentral-1: :hapg-8e3be050 successful" } (then do it again for the second HSM)

37 Done! After this, you are ready to set up custom software with SafeNet clients, RDS integration, customer-managed databases, and more. Comprehensive documentation available at

38 CloudHSM Pricing and Trials HSM provisioned in any region has a $5,000 one-time charge, then metered hourly after that There is no stop only terminate We know this is challenging, since re-provisioning will incur another $5,000 upfront charge 30-day trials are available for customers on premium support Access these by opening a case with dev support

39 Conclusion HSMs, for basic key storage and bulk crypto, are available in AWS, if you need them They ll have better performance that on-prem HSMs, owing to co-location CloudHSM (and HSMs in general) aren t for everyone Customers need trained staff, tight operational practice

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH

Crypto-Options on AWS. Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH Crypto-Options on AWS Bertram Dorn Specialized Solutions Architect Security/Compliance Network/Databases Amazon Web Services Germany GmbH Amazon.com, Inc. and its affiliates. All rights reserved. Agenda