Support Cloud Data Encryption with Foundational AWS
The importance of encryption in today’s computing environments is self-evident. You can — and most often should — encrypt your data in the cloud. The goal of encryption, which turns data into an unintelligible scramble or cipher, is to prevent secrets from becoming known to unauthorized people and institutions. As such, only authorized people — those who possess the decryption key — are able to turn the cipher back into readable information.
Encryption generally can be applied to data at rest and in transit. At-rest encryption is used mainly for disks, databases, snapshots, machine images, etc. In-transit encryption is used primarily for the internet and sometimes for intranets. For encryption to happen, both an algorithm and keys must be in place.
In a broad sense, there are two types of encryption. Each brings advantages and disadvantages.
With symmetrical encryption, the encryption and decryption processes are done by the same key. Symmetrical encryption is, as a rule, faster than its asymmetrical counterpart. As such, it is employed mostly to encrypt large volumes of data. However, symmetrical encryption tends to be less secure than asymmetrical. (There’s a strategy to overcome that downside, which we’ll cover shortly.)
With asymmetrical encryption, there are two different keys, a public key and a private key. These keys are generated as a pair, and keys from different pairs can’t work together. The public key is used only to encrypt data — which is why it can be transmitted — and the private key is used only to decrypt. The private key never travels or is transmitted in any way, shape or form. That would pose a big security risk.
Asymmetrical encryption is more robust than symmetrical, but also slower. Therefore the encryption of voluminous data is usually not a good use case for asymmetrical encryption. It is rather used to encrypt much smaller data, up to 4 KB, typically a symmetrical key. In this particular use case the symmetrical key is denominated a data key.
Two-Step Encryption Minimizes Drawbacks
To make the most of the advantages of both types of encryption, and minimize their drawbacks, the strategy to follow is this: use a two-step combination of both symmetrical and asymmetrical encryption to develop a secure and efficient arrangement. Here’s how it can work:
Step 1
Person A has some secret data to transmit to Person B so he generates a data key to encrypt said data. This is fast and efficient because bulky data is encrypted using the faster symmetrical process.
Step 2
Person A then takes Person B’s public key and encrypts the data key. This is more secure than symmetrical only, and also fast because the data key is a small piece of data. Person A transmits to Person B the symmetrically encrypted data along with the asymmetrically encrypted data key. Since Person B is the only one who can decrypt the data key — using the matching private key — the whole process achieves the goal of both speed and security.
Key Management
Key Management Service, or KMS, is the module that provides key management and encryption/decryption to the AWS cloud. It is seamlessly integrated with an extensive list of AWS services to assist with encryption. KMS employs the aforementioned two-step strategy so it’s a great way to make it work for you.
KMS also complies with the following standards:
- HIPAA
- PCI DSS Level 1
- Overall FIPS 140-2, Level 2 HSM (hardware security module)
- FIPS 140-2, Level 3 for a number of categories
- fedRamp
In general terms there are two modes of operation in KMS, depending on your desired level of control:
AWS-managed keys
The keys are managed by the platform and you as the owner can see them but don’t have to manage them. This is the default mode. If you choose to encrypt your data when using an AWS service this is probably the mode you’ll be using.
Customer-managed keys
These keys are managed by you, the client. In this case, you get to create the keys, control their permissions policies and key rotation. You can also disable and enable them.
There’s a clear tradeoff between control and undifferentiated work. The thing to bear in mind is this: once you generate a secret, you also generate the burden of protecting it, rotating and otherwise maintaining it. This is the reason customer-managed keys are recommended only to applications with the most stringent security requirements, usually in tightly regulated markets.
(Regarding encryption in transit, all AWS services offer TLS (Transport Layer Security) endpoints, a.k.a https.)
AWS Services that Integrate with KMS
Here’s a summary of foundational AWS services that integrate with KMS, and therefore support cloud encryption.
S3
This is the object-storage workhorse. Objects include videos, photos, audio -- really any kind of digital asset. S3 is probably the most cost-effective type of storage, anywhere.
Elastic Block Storage (EBS)
Essentially a network drive, this is the most common type of block storage used with EC2 virtual machines.
Relational Database Service (RDS)
Probably the most widely used AWS database product, RDS supports a number of engines, including MySQL, PostgreSQL, Microsoft SQL Server and others.
CloudTrail
This is a service that logs calls to AWS APIs, and therefore can be used to audit encryption-key usage.
Lambda
AWS’ function-as-a-service (FaaS) offering, Lambda is widely used in serverless architectures. It integrates with KMS to encrypt environment variables so that code never contains secrets.
Secrets Manager
This service allows you to more easily store and rotate secrets, including app or database credentials, third-party keys and passwords, throughout their lifecycle.
The Takeaway
Protecting your data is paramount. Using AWS to encrypt in the cloud helps you securely and efficiently achieve this fundamental objective. For more on data protection, read part 1 in our series Securing the Cloud with AWS.
References: