©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
CloudHSM Deep-Dive
Dave Walker – Specialised Solutions Architect Security/Compliance
Amazon Web Services UK Ltd
CloudHSM
• Tamper-resistant and tamper-evident
  – Zeroises its stored keys if tampering is detected
• FIPS 140-2 Level 2 certified
• Base position is to be a keystore
• Can also be used to timestamp documents
• You can send data for encrypt / decrypt
• Needs to be backed up (ideally to an HSM on customer premises)
• Can be (and should be) combined in HA clusters
• Is NOT a key management system
  – but can work with some third-party ones
• Communicates via:
  – PKCS#11
  – JCE
• Some applications need a “plugin”
  – SafeNet have one for Apache
CloudHSM Integration with S3, EBS, EC2
• S3
  – Integration using SafeNet KeySecure on EC2
  – White paper at http://www2.safenet-inc.com/AWS-guides/SafeNetKMIP_AmazonS3_IntegrationGuide.pdf
• EBS and EC2
  – Use SafeNet KeySecure (6.1.2 or later) on EC2, backed by CloudHSM, for key management
  – Install SafeNet ProtectV Manager on EC2 (c1.medium / m1.medium)
  – Install ProtectV Client on EC2 instances
  – Use ProtectV for EBS volume encryption (ext3, ext4, swap)
  – Supported platforms:
    • RHEL 5.8, 6.2, 6.3
    • CentOS 6.2
    • Microsoft Windows 2008, 2012
  – Encrypt full EBS-backed EC2 instances, including root volumes
AWS Databases and CloudHSM
• Redshift
  – When using CloudHSM:
    • Redshift gets its cluster key from the HSM
    • Redshift generates a database key and encrypts it with the cluster key from the CloudHSM
    • Redshift encrypts data with the database key
    • Redshift supports re-encryption
• RDS
  – RDS / Oracle EE can use CloudHSM to store keys as per Oracle Wallet
    • So TDE can be HSM-backed
  – Note that in-memory database contents (once the database has been unlocked) are cleartext
    • RAM encryption is not something AWS has today, but it has been done in other contexts
      – Homomorphic encryption
      – Proof-of-concept with KVM
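The cluster-key / database-key hierarchy above is envelope encryption, and it is why "re-encryption" has a cheap form (rewrap the database key under a new cluster key) and an expensive form (replace the database key and rewrite every row). The following is an added example, not code from the deck, from AWS or from SafeNet: a Python model in which an Hsm class stands in for the CloudHSM partition (the cluster key is generated inside it and only wrap/unwrap operations cross the boundary) and a Cluster class stands in for Redshift. The class names, key handles and sample rows are constructed for this example; it needs the cryptography package.

```python
"""Added example (not from the deck): the Redshift key hierarchy as envelope
encryption. Hsm stands in for the CloudHSM partition; Cluster stands in for
Redshift. Requires the `cryptography` package."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce


class Hsm:
    """Stand-in for a CloudHSM partition: cluster keys live here and are
    only ever referenced by handle from outside."""

    def __init__(self):
        self._keys = {}       # handle -> key bytes; never returned to callers
        self._generation = 0

    def generate_cluster_key(self):
        self._generation += 1
        handle = f"cluster-key-v{self._generation}"
        self._keys[handle] = AESGCM.generate_key(bit_length=256)
        return handle

    def wrap(self, handle, key):
        # The handle is bound in as AAD, so a blob wrapped under one cluster
        # key generation cannot be presented as belonging to another.
        nonce = os.urandom(NONCE_LEN)
        return nonce + AESGCM(self._keys[handle]).encrypt(nonce, key, handle.encode())

    def unwrap(self, handle, blob):
        return AESGCM(self._keys[handle]).decrypt(
            blob[:NONCE_LEN], blob[NONCE_LEN:], handle.encode())


class Cluster:
    """Stand-in for Redshift: persists only the *wrapped* database key."""

    def __init__(self, hsm):
        self.hsm = hsm
        self.cluster_key = hsm.generate_cluster_key()
        self.wrapped_db_key = hsm.wrap(self.cluster_key, AESGCM.generate_key(bit_length=256))

    def _db_key(self):
        # The database key is recovered on demand via the HSM and held in memory only.
        return self.hsm.unwrap(self.cluster_key, self.wrapped_db_key)

    def encrypt_row(self, row):
        nonce = os.urandom(NONCE_LEN)
        return nonce + AESGCM(self._db_key()).encrypt(nonce, row, None)

    def decrypt_row(self, blob):
        return AESGCM(self._db_key()).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)

    def rotate_cluster_key(self):
        """Cheap re-encryption: rewrap the database key under a fresh cluster
        key. Stored rows are untouched because the database key is unchanged."""
        db_key = self._db_key()
        self.cluster_key = self.hsm.generate_cluster_key()
        self.wrapped_db_key = self.hsm.wrap(self.cluster_key, db_key)

    def rotate_database_key(self, rows):
        """Expensive re-encryption: new database key, every row rewritten."""
        plain = [self.decrypt_row(r) for r in rows]
        self.wrapped_db_key = self.hsm.wrap(self.cluster_key, AESGCM.generate_key(bit_length=256))
        return [self.encrypt_row(p) for p in plain]


def demo():
    """Exercise both rotation paths and report what held at each step."""
    hsm, out = Hsm(), {}
    cluster = Cluster(hsm)
    plaintext = [b"acct=1001;balance=250.00", b"acct=1002;balance=75.10"]  # constructed rows
    rows = [cluster.encrypt_row(p) for p in plaintext]

    old_handle, old_wrapped = cluster.cluster_key, cluster.wrapped_db_key
    cluster.rotate_cluster_key()
    out["rows_readable_after_cluster_key_rotation"] = [cluster.decrypt_row(r) for r in rows] == plaintext
    out["wrapped_key_changed"] = cluster.wrapped_db_key != old_wrapped
    try:  # the retired cluster key cannot open the rewrapped database key
        hsm.unwrap(old_handle, cluster.wrapped_db_key)
        out["old_cluster_key_rejected"] = False
    except InvalidTag:
        out["old_cluster_key_rejected"] = True

    new_rows = cluster.rotate_database_key(rows)
    out["rows_readable_after_db_key_rotation"] = [cluster.decrypt_row(r) for r in new_rows] == plaintext
    try:  # old ciphertexts are unreadable once the database key is replaced
        cluster.decrypt_row(rows[0])
        out["old_rows_rejected"] = False
    except InvalidTag:
        out["old_rows_rejected"] = True
    return out


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check}: {held}")
```

The point the model makes is the one behind the slide: rotating the HSM-held cluster key costs one unwrap and one wrap, whereas rotating the database key costs a pass over every row, so the two are separate operational decisions.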
SafeNet Product Support for AWS
• ProtectV and Virtual KeySecure for AWS
  – AWS service(s) supported: EC2 or VPC instances and EBS storage; GovCloud (Beta)
  – Requires SafeNet KeySecure (HW or Virtual)
  – Available in AWS Marketplace, as well as SafeNet sales channels
• Virtual KeySecure for AWS
  – AWS service(s) supported: CloudHSM
  – Available in AWS Marketplace
  – CloudHSM acts as the hardware root of trust for Virtual KeySecure (vKS) master keys
• StorageSecure
  – AWS service(s) supported: AWS Storage Gateway
  – SafeNet KeySecure hardware (optional)
  – iSCSI integration (StorageSecure also supports the CIFS, NFS, FTP, TFTP and HTTP protocols)
• Luna SA 7000 HSM
  – AWS service(s) supported: CloudHSM; Redshift; RDS (via 3rd-party vendor)
  – High availability
  – Key synchronization
  – Key management
• Luna Backup HSM
  – AWS service(s) supported: CloudHSM
  – Key backup
• ProtectApp
  – AWS service(s) supported: S3 and EBS volumes
  – Can be integrated with Amazon S3 Encryption Clients and AWS SDKs (Java and .NET)
  – Requires SafeNet KeySecure (HW or Virtual)
  – Can be installed on an EC2/VPC instance to protect data stored on EBS volumes
• ProtectFile
  – AWS service(s) supported: EBS volumes and S3
  – Requires SafeNet KeySecure (HW or Virtual)
Difference between CloudHSM and KMS
• CloudHSM
  – Single-tenant HSM
  – Customer-managed durability and availability
  – Customer-managed root of trust
  – FIPS 140-2 validation
  – Broad third-party app support
  – Symmetric and asymmetric ops
  – High fixed price ($16.5k/yr/HSM)
• KMS
  – Multi-tenant AWS service
  – Highly available and durable key storage and management
  – AWS-managed root of trust
  – Extensive auditing
  – Broad support for AWS services
  – Symmetric encryption only
  – Usage-based pricing
Why Customers Choose CloudHSM
• Reasons include:
  – Control
    • Complete control of encryption keys; AWS cannot access key material
    • Fine-grained control of how AWS assets can use your keys
  – Compliance
    • FIPS 140-2 Level 2 or 3 certification
    • Common Criteria EAL4 certification
  – Performance/Availability
    • When required, a “local” CloudHSM in the same region as the workload performs much better than an on-prem HSM, because of:
      – Network transit times
      – Usage patterns
Customer Control Over Keys
• Three reasons for this requirement
  – Regulatory (hard), Policy (soft) and Trust (soft)
• Soft requirements may be addressed by threat modelling
  – KMS can be simpler and less expensive for the customer to use
  – Important to engage the customer’s governance resources
• With CloudHSM, customers have absolute control and authority over keys through separation of duties
Separation of Duties
• Separation of duties is enforced by the HSM appliance itself, using RBAC
[Diagram: the customer controls keys and crypto operations on the CloudHSM; AWS manages the appliance]
Third-Party Compliance Validation
• Requirements
  – PCI or other vertical-specific security standard
  – Government workloads (US, Canada, and others)
  – Enterprise policies increasingly require FIPS validation
• CloudHSM uses SafeNet Luna SA 7000 appliances
  – FIPS 140-2 Level 2 validated
  – Common Criteria EAL4 validated
Performance/Availability Advantages
• Customers may have existing on-prem HSMs
• Applications that require HSM access could leverage on-prem HSMs over VPN or DX
• Latency and availability characteristics of VPN or DX make CloudHSM desirable
Amazon Really Can’t Access Keys
• AWS has “appliance admin” access to the HSM
• Luna SA separates the appliance admin from the “security officer”
• Customer initializes the HSM themselves via SSH
• AWS never sees partition credentials
• Device is automatically wiped if unauthorised access is attempted
• Bottom line: you don’t have to trust AWS; you are trusting the HSM vendor (SafeNet) and the third-party FIPS/CC validations
Operations
• Each HSM is dedicated to one customer
  – No sharing or partitioning of the appliance
• Customer is responsible for operating the HSMs in HA mode
  – SafeNet Client handles replication to multiple HSMs (up to 16)
  – SafeNet Client load balances across available HSMs
• Password authentication controls access to the HSM
  – PEDs (PIN Entry Devices) are not currently supported
• AWS monitors & manages the devices and network infrastructure
• See FAQ and Technical docs for additional details
• Self-service provisioning and management now supported through a public API
  – CreateHSM and DeleteHSM to provision and terminate HSMs
  – ModifyHSM permits changing the network configuration as well as setting up syslog forwarding
  – ListHSMs and DescribeHSM allow discovery and querying of provisioned HSMs
  – ListAvailableZones provides visibility into where CloudHSM capacity is available
CloudHSM Public API, SDK and Command Line Interface (CLI) Tools
• Provisioning and de-provisioning
  – Easy to provision an HSM, initialise it, clone keys from existing HSMs
• Easier HSM management
  – Lots of automation in the CLI to reduce management effort
• Simpler HA configuration
  – Help you build and maintain HSM high availability (HA) configurations
  – From 9 manual steps, interacting with the appliance shell directly
  – To 2 simpler steps: create-hapg, add-hsm-to-hapg (for each HSM)
• Source code available via open source license
CloudHSM for RDS Oracle TDE
• Transparent data encryption support for RDS Oracle databases
• Store master encryption keys in CloudHSM instances
• High availability support for two or more HSMs
• Up to 20 separate databases per HSM
Auditing
• CloudTrail
  – Track resource changes
  – Audit activities for security and compliance purposes
  – Review all CloudHSM API calls
• Syslog
  – Audit operations on the HSM appliance
  – Send syslog to a customer-built and managed collector
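To make the CloudTrail bullet concrete, here is an added example (not part of the deck, and not an AWS tool) that triages CloudTrail records for CloudHSM API calls: every DeleteHsm is flagged because there is no stop, only terminate; a ModifyHsm that changes syslogIp is flagged because it redirects the appliance audit trail described in the Syslog bullet; denied calls and mutating calls from principals outside an allow-list are flagged as well. The record layout follows CloudTrail's JSON; the event records, account ID, IP addresses and the allow-list are constructed for the example.

```python
"""Added example (not from the deck): triage CloudTrail records for CloudHSM
API calls. Field names follow the CloudTrail record layout; the sample
records, account id, IPs and allow-list below are constructed."""
import json

# API actions that change the HSM fleet. DeleteHsm is irreversible: there is
# no "stop", only "terminate", and re-provisioning incurs the upfront charge.
MUTATING = {"CreateHsm", "DeleteHsm", "ModifyHsm", "CreateHapg", "DeleteHapg", "ModifyHapg"}

# Principals expected to provision HSMs (ARN prefixes; an assumed-role ARN
# carries a session name after the role name, hence prefix matching).
ALLOWED = ("arn:aws:sts::111122223333:assumed-role/CloudHsmRole/",)


def _event(when, name, ip, identity, params=None, **extra):
    """Build one constructed CloudTrail record."""
    rec = {"eventTime": when, "eventSource": "cloudhsm.amazonaws.com", "eventName": name,
           "awsRegion": "eu-central-1", "sourceIPAddress": ip, "userIdentity": identity,
           "requestParameters": params or {}}
    rec.update(extra)
    return rec


ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/CloudHsmRole/control"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
HSM_A = "arn:aws:cloudhsm:eu-central-1:111122223333:hsm-aaaa1111"

SAMPLE_EVENTS = [  # constructed, not real CloudTrail output
    _event("2015-03-02T10:01:12Z", "CreateHsm", "10.0.1.23", ROLE, {"subnetId": "subnet-aaaa1111"}),
    _event("2015-03-02T10:40:03Z", "ModifyHsm", "10.0.1.23", ROLE,
           {"hsmArn": HSM_A, "syslogIp": "198.51.100.9"}),
    _event("2015-03-02T11:15:44Z", "DeleteHsm", "203.0.113.5", ALICE, {"hsmArn": HSM_A}),
    _event("2015-03-02T11:16:02Z", "DescribeHsm", "203.0.113.5", ALICE, {"hsmArn": HSM_A},
           errorCode="AccessDenied"),
    _event("2015-03-02T12:00:00Z", "DescribeInstances", "10.0.1.23", ROLE,
           eventSource="ec2.amazonaws.com"),
]


def parse_cloudtrail(text):
    """CloudTrail delivers log files as {"Records": [...]}; return the record list."""
    return json.loads(text)["Records"]


def triage(records, allowed=ALLOWED):
    """Return (severity, eventName, principal, reason) for each CloudHSM event worth a look."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudhsm.amazonaws.com":
            continue
        name = rec["eventName"]
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        if "errorCode" in rec:
            findings.append(("MEDIUM", name, principal,
                             f"{rec['errorCode']} from {rec['sourceIPAddress']}: denied call, possible probing"))
            continue
        if name not in MUTATING:
            continue  # read-only calls stay in the trail but are not alerted on
        reasons = []
        if name == "DeleteHsm":
            reasons.append("HSM terminated; keys on it are gone unless cloned to another HSM")
        if name == "ModifyHsm" and "syslogIp" in params:
            reasons.append(f"syslog forwarding redirected to {params['syslogIp']}")
        if not principal.startswith(allowed):
            reasons.append("mutating call from a principal outside the provisioning allow-list")
        findings.append(("HIGH" if reasons else "INFO", name, principal,
                         "; ".join(reasons) or "expected fleet change"))
    return findings


def demo():
    """Round-trip the constructed records through the file format and triage them."""
    return triage(parse_cloudtrail(json.dumps({"Records": SAMPLE_EVENTS})))


if __name__ == "__main__":
    for sev, name, who, why in demo():
        print(f"{sev:6} {name:12} {who}  {why}")
```

Read-only calls are deliberately left out of the findings; the trail still records them, and the allow-list is matched on the role ARN prefix because CloudTrail reports the assumed-role session name rather than the role itself.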
CloudHSM Use Cases
EBS Volume Encryption
• Master key stored in CloudHSM
• SafeNet ProtectV & KeySecure
• Instances with ProtectV client authenticate to KeySecure
• ProtectV client encrypts all I/O to EBS volume (AES256)
[Diagram: within an Availability Zone, customer applications run on instances with the SafeNet ProtectV client, which authenticates to SafeNet KeySecure; KeySecure is backed by CloudHSM]
Redshift Encryption
• Cluster master key in CloudHSM
• Direct integration – no client software required
[Diagram: your applications in Amazon EC2 talk to the Amazon Redshift cluster; your encrypted data lives in Amazon Redshift; the cluster key is held in AWS CloudHSM]
Database Encryption (non-RDS)
• Customer-managed database in EC2
  – Oracle 11g & 12c with Transparent Data Encryption (TDE)
  – Microsoft SQL Server 2008 & 2012 with TDE
  – Master key in CloudHSM
[Diagram: your applications in Amazon EC2 use your database with TDE in Amazon EC2; the master key is created in the AWS CloudHSM and never leaves it]
Custom Software Applications
• Architectural building block to help you secure your applications
• Use standard libraries, with a back-end HSM rather than software-based crypto
  – PKCS#11, JCA/JCE, Microsoft CAPI/CNG/EKM
• Code examples and details in the CloudHSM User Guide make it easier to get started
Other Use Cases
• Customer use cases continue to emerge:
  – Enterprises using on-prem HSMs who want to move these workloads to the cloud
  – Startups who want to offer high-assurance services and achieve compliance
  – Enterprises who are not using HSMs for some of their on-prem apps but who want to use HSMs for these apps in the cloud
• Examples:
  – Object encryption
  – Digital Rights Management (DRM)
  – Document signing, secure document management & secure document repository
  – Payments, financial applications & transaction processing
  – Privileged account management
  – Certification authority (CA)
Using CloudHSM
Detailed Examples
• Building the CloudHSM Environment
• Configuring High Availability
• Integrating with RDS
Building a CloudHSM Environment
• Create customer infrastructure using CF template
• Install the CLI Tools
• Provision HSMs
• Initialise HSMs
Create Infrastructure with CF
• Look up your AZ identifiers on the EC2 Dashboard, and use those names
Install CLI Tools on Control Instance
• SSH to the control instance deployed by the CF Template
• Download and install the CloudHSM CLI Tools

    # Install python 2.7
    sudo yum install python27
    wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
    sudo python2.7 ez_setup.py
    # Download and install the CloudHSM CLI Tools (install the same egg that was downloaded)
    wget https://s3.amazonaws.com/cloudhsm-software/CloudHsmCLI.egg
    sudo easy_install-2.7 -s /usr/local/bin CloudHsmCLI.egg
    # Verify the install
    cloudhsm version
    {
        "Version": "<version>"
    }

• Assign an IAM role to your instance to permit CloudHSM API access
Provision HSMs
• Create two HSMs (one for each subnet)

    $ cloudhsm -c cloudhsm.conf create-hsm \
        --ssh-public-key-file cloudhsm_ssh.pub \
        --iam-role-arn arn:aws:iam::315160724404:role/CloudHSM-FRA-CloudHsmRole-1ZEAT0Z2PB8P \
        --subnet-id subnet-d244b0bb
    {
        "HsmArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6",
        "RequestId": "e55c9da1-7b5b-11e4-9222-dd57de14ff9c"
    }
• Describe status; wait until the status changes from “PENDING” to “RUNNING”

    $ cloudhsm -c cloudhsm.conf describe-hsm -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6
    {
        "EniId": "eni-047fbd6d",
        "EniIp": "10.0.201.252",
        "HsmArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6",
        "IamRoleArn": "arn:aws:iam::315160724404:role/CloudHSM-FRA-CloudHsmRole-1ZEAT0Z2PB8P",
        "Partitions": [],
        "RequestId": "2179b6f0-7b5c-11e4-a252-9d68fcf58947",
        "SerialNumber": "472673",
        "SoftwareVersion": "5.1.0-25",
        "SshPublicKey": "…",
        "Status": "RUNNING",
        "SubnetId": "subnet-d244b0bb",
        "SubscriptionStartDate": "2014-12-04T02:18:56.292Z",
        "SubscriptionType": "PRODUCTION",
        "VendorName": "SafeNet Inc."
    }

• Look for the ENI with “CloudHSM Managed Interface, DO NOT DELETE!” in its description
• Change the ENI security group to the one with the description “Allows SSH and NTLS from the public subnet”
Initialize the HSM

    $ cloudhsm -c cloudhsm.conf initialize-hsm -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 \
        --label hsmLabel --cloning-domain cloningDomain --so-password sopassword
    {
        "Status": "Initialization of the HSM successful"
    }

• Note that the SO password (and, below, the partition password) is passed as a command-line argument, so it is recorded in the control instance’s shell history and visible in the process list while the command runs; these are the credentials AWS never sees, so clear or disable history on the control instance and limit who can log in to it
Configure High Availability
• Create an HAPG (high availability partition group)

    $ cloudhsm -c cloudhsm.conf create-hapg --group-label Partition_001
    {
        "HapgArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050",
        "RequestId": "ce3e1b17-7b64-11e4-a252-9d68fcf58947"
    }

• Add the HSMs to the HAPG

    $ cloudhsm -c cloudhsm.conf add-hsm-to-hapg -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 \
        --hapg-arn arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050 \
        --cloning-domain cloningDomain --partition-password partitionPassword --so-password sopassword
    {
        "Status": "Addition of HSM arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 to HAPG arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050 successful"
    }

(then do it again for the second HSM)
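The steps on the last few slides (create-hsm per subnet, describe-hsm until RUNNING, initialize-hsm, create-hapg, add-hsm-to-hapg for each HSM) are one procedure, so here they are as a single flow. This is an added example, not the cloudhsm CLI's own code and not from AWS: it shells out to the same cloudhsm -c cloudhsm.conf commands shown above, in order, and refuses to initialise an HSM before describe-hsm reports RUNNING. The runner is injectable; ScriptedCli is a constructed offline stand-in so the ordering can be exercised without an account, the ARNs and subnet IDs it returns are made up, and treating statuses other than PENDING/RUNNING as failures is an assumption of this example.

```python
"""Added example (not the cloudhsm CLI's own code): the provisioning steps from
the preceding slides as one flow. `cli_runner` shells out to the same
`cloudhsm -c cloudhsm.conf` commands; `ScriptedCli` is a constructed offline
stand-in so the ordering can be exercised without an AWS account."""
import json
import subprocess
import time

CONF = "cloudhsm.conf"

# Only PENDING and RUNNING appear on the slides; treating every other status as
# a failure (rather than polling forever) is an assumption of this example.
TRANSIENT = {"PENDING", "UPDATING"}


def cli_runner(args):
    """Run `cloudhsm -c cloudhsm.conf <args>` and return its parsed JSON output."""
    out = subprocess.check_output(["cloudhsm", "-c", CONF, *args], text=True)
    return json.loads(out)


def wait_until_running(run, hsm_arn, sleep=time.sleep, interval=30, max_polls=60):
    """Poll describe-hsm until the HSM is RUNNING. initialize-hsm reaches the
    appliance over SSH, so it cannot run before this."""
    for _ in range(max_polls):
        desc = run(["describe-hsm", "-H", hsm_arn])
        if desc["Status"] == "RUNNING":
            return desc
        if desc["Status"] not in TRANSIENT:
            raise RuntimeError(f"{hsm_arn} entered {desc['Status']} during provisioning")
        sleep(interval)
    raise TimeoutError(f"{hsm_arn} not RUNNING after {max_polls} polls")


def build_ha_group(run, subnets, ssh_pub, role_arn, group_label, cloning_domain,
                   so_password, partition_password, sleep=time.sleep):
    """create-hsm per subnet -> wait -> initialize-hsm -> create-hapg -> add-hsm-to-hapg."""
    arns = []
    for subnet in subnets:  # one HSM per subnet, as on the slides (two subnets, two AZs)
        resp = run(["create-hsm", "--ssh-public-key-file", ssh_pub,
                    "--iam-role-arn", role_arn, "--subnet-id", subnet])
        arns.append(resp["HsmArn"])
    for arn in arns:
        wait_until_running(run, arn, sleep=sleep)
    # Every member of the HA group must be initialised with the same cloning
    # domain: keys can only be cloned between partitions that share it.
    for i, arn in enumerate(arns, start=1):
        run(["initialize-hsm", "-H", arn, "--label", f"{group_label}-hsm{i}",
             "--cloning-domain", cloning_domain, "--so-password", so_password])
    hapg = run(["create-hapg", "--group-label", group_label])["HapgArn"]
    for arn in arns:
        # Passwords go on the command line exactly as on the slides; on a shared
        # control host that exposes them in the process list and shell history.
        run(["add-hsm-to-hapg", "-H", arn, "--hapg-arn", hapg,
             "--cloning-domain", cloning_domain,
             "--partition-password", partition_password,
             "--so-password", so_password])
    return {"hsms": arns, "hapg": hapg}


class ScriptedCli:
    """Offline stand-in for cli_runner: canned JSON, every call recorded.
    Each HSM reports PENDING `pending_polls` times before RUNNING."""

    def __init__(self, pending_polls=2):
        self.pending_polls = pending_polls
        self.calls, self.polls, self.created = [], {}, 0

    def __call__(self, args):
        cmd = args[0]
        self.calls.append(cmd)
        if cmd == "create-hsm":
            self.created += 1
            return {"HsmArn": f"arn:aws:cloudhsm:eu-central-1:111122223333:hsm-{self.created:08x}"}
        if cmd == "describe-hsm":
            arn = args[2]
            seen = self.polls.get(arn, 0)
            self.polls[arn] = seen + 1
            return {"Status": "RUNNING" if seen >= self.pending_polls else "PENDING"}
        if cmd == "create-hapg":
            return {"HapgArn": "arn:aws:cloudhsm:eu-central-1:111122223333:hapg-00000001"}
        return {"Status": "ok"}


def demo():
    """Run the flow against the scripted CLI and return (call sequence, result)."""
    cli = ScriptedCli()
    result = build_ha_group(cli, ["subnet-aaaa1111", "subnet-bbbb2222"], "cloudhsm_ssh.pub",
                            "arn:aws:iam::111122223333:role/CloudHsmRole", "Partition_001",
                            "cloningDomain", "sopassword", "partitionPassword",
                            sleep=lambda _: None)
    return cli.calls, result


if __name__ == "__main__":
    calls, result = demo()
    print(" -> ".join(calls))
    print(result)
```

Swap ScriptedCli for cli_runner (and drop the sleep override) to drive real HSMs from the control instance; the ENI security-group change from the slide above is done in the EC2 console or API and is not part of this flow.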
Done!
• After this, you are ready to set up custom software with SafeNet clients, RDS integration, customer-managed databases, and more.
• Comprehensive documentation available at http://aws.amazon.com/cloudhsm
CloudHSM Pricing and Trials
• An HSM provisioned in any region has a $5,000 one-time charge, then is metered hourly after that
• There is no “stop”, only “terminate”
  – We know this is challenging, since re-provisioning will incur another $5,000 upfront charge
• 30-day trials are available for customers on premium support
  – Access these by opening a case with dev support
Conclusion
• HSMs, for basic key storage and bulk crypto, are available in AWS, if you need them
• They’ll have better performance than on-prem HSMs, owing to co-location
• CloudHSM (and HSMs in general) aren’t for everyone
  – Customers need trained staff and tight operational practice