(SEC401) Encryption Key Storage with AWS KMS at Okta
Transcript of (SEC401) Encryption Key Storage with AWS KMS at Okta
![Page 1: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jon Todd – Sr. Software Architect, Okta
October 2015
SEC401
Encryption Key Storage
With AWS KMS at Okta
![Page 2: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/2.jpg)
AWS technologies covered
• AWS Key Management Service (AWS KMS)
• AWS Identity and Access Management (IAM)
• AWS CloudTrail
• AWS SDK for Java
• Amazon Elastic Compute Cloud (Amazon EC2)
![Page 3: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/3.jpg)
Agenda
• Background
• What’s Okta?
• Encryption use cases
• Why use a key server?
• Okta case study of KMS
• Threat model KMS and Amazon EC2
• Failure mitigation
• Authorization and auditing
• Monitoring and tuning
![Page 4: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/4.jpg)
What is an Okta?
Author: Frasmacon - CC by SA 3.0
A. An 8 legged creature
B. A unit of measure
C. An abbreviation
D. A made-up name for a company
![Page 5: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/5.jpg)
What is Okta?
Okta is the foundation for secure connections between people and technology.
![Page 6: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/6.jpg)
One platform, many use cases
• IT: Centralized management of every user, app, device (www.okta.com)
• Developers: Enterprise-grade security built directly into your cloud apps (developer.okta.com)
![Page 7: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/7.jpg)
More than 2000 customers
Industries: Education, Non-Profit, Finance, Technology, Cloud, Health Services, Manufacturing, Energy, Media, Consumer
![Page 8: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/8.jpg)
Used in 185 countries globally
![Page 9: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/9.jpg)
Encryption background
![Page 10: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/10.jpg)
Encryption use cases
• Fundamental
  • Confidentiality
  • Authenticity
• Practical
  • Compliance
  • Least privilege principle
![Page 11: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/11.jpg)
The problem with encryption
Managing these
![Page 12: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/12.jpg)
Alternative approaches to confidentiality
• Use cases for hashing instead of encryption
  • Authentication
  • Correlation
• Use cases without needing keys
  • Homomorphic applications
  • Ordering, range query (for example, CryptDB)
• Only require encrypt
  • Use asymmetric crypto
• Trust No One (client encryption scenarios)
  • File storage or password vault
![Page 13: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/13.jpg)
Why use a key server?
![Page 14: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/14.jpg)
Example application
Requirements:
1. Data in database is encrypted at rest and in memory
2. Encryption keys reside only in memory
3. Service has access to the plaintext data
(Diagram: client -> service -> DB)
![Page 15: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/15.jpg)
Where do we get the keys from?
• At server startup
  • Environment variable
  • File
• At run time
  • Over JMX + TLS
  • Over SSH
  • Key service
![Page 16: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/16.jpg)
Key service
• Separation of duties
• Auditable
• Easy rotation of master key
• Data key in memory for very short period
• Centralized master key never leaves key service
(Diagram: client -> service -> DB; the service calls a key service that holds the master key and performs Encrypt)
![Page 17: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/17.jpg)
Okta case study of AWS KMS
![Page 18: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/18.jpg)
Encryption use cases
• Privacy of user data
• Protection of PII, PCI, PHI
• Credential storage
• SAML keys
• OAuth tokens
• Third-party application credentials
![Page 19: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/19.jpg)
Requirements
• Strong encryption
  • 256 bit AES GCM
  • Strong random-number generator
• Separation of duties
  • By design
  • Quorum management of servers
• Support auto-scale through secure bootstrapping
  • Hypervisor bootstraps IAM keys
• Auditability
  • Encryption context + CloudTrail
![Page 20: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/20.jpg)
Threat model: AWS KMS and Amazon EC2
(Diagram: client -> EC2 instance -> DB; KMS holds the master key, performs Encrypt and returns a data key to the instance)
![Page 22: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/22.jpg)
Threat model: Amazon EC2 and IAM metadata service
(Same diagram: client -> EC2 instance -> DB; KMS holds the master key and returns a data key; the EC2 instance and its credentials are the component under examination)
![Page 23: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/23.jpg)
Getting IAM credentials for KMS
• IAM roles for EC2
• Hypervisor provides a per-instance metadata service
• Metadata service is accessible by all users
• Credentials aren’t channel bound
• Credentials are short lived
![Page 24: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/24.jpg)
IAM credentials via metadata service
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/MyApp
{
  "Code" : "Success",
  "LastUpdated" : "2015-08-20T21:17:41Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "SOME_ACCESS_ID",
  "SecretAccessKey" : "SOME_SECRET_ACCESS_KEY",
  "Token" : "SOME_SIGNED_TOKEN",
  "Expiration" : "2015-08-21T03:22:28Z"
}
![Page 25: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/25.jpg)
IAM credential rotation
• Credentials expire in ~ 6 hours
• Credentials are rotated every ~ 1 hour
Current Time: 2015-08-20T22:14:52Z
LastUpdated: 2015-08-20T21:17:41Z
Expiration: 2015-08-21T03:22:28Z
Current Time: 2015-08-20T22:29:39Z
LastUpdated: 2015-08-20T22:18:48Z
Expiration: 2015-08-21T04:47:30Z
![Page 26: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/26.jpg)
Threat model: KMS transport
(Same diagram: client -> EC2 instance -> DB; KMS holds the master key and returns a data key; the transport between the instance and KMS is the component under examination)
![Page 27: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/27.jpg)
Transport Security
• TLS for confidentiality and authentication of server
• “A” rating on Qualys SSL Labs
• Disallowed protocols SSL2 & SSL3
• Supported protocols TLS 1.0, 1.1, 1.2
• Forward secrecy required
• Verisign root CA
• IAM Signature V4 for authN and authZ of client
![Page 28: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/28.jpg)
Threat model: KMS
(Same diagram: client -> EC2 instance -> DB; KMS holds the master key and returns a data key; KMS itself is the component under examination)
![Page 29: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/29.jpg)
KMS key hierarchy
• CMK – Customer master key
• HSA – Hardened security appliance
• EKT – Exported key token
• HBK – HSA backing key
• CDK – Customer data key
• CT – Customer token
Source: KMS Cryptographic Details
![Page 30: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/30.jpg)
Threat model – final comparison
(Chart: risk vs. cost, from low risk / low cost to high risk / high cost, plotting DIY, KMS and Cloud HSM)
• Cloud HSM
  • AWS CloudHSM
  • HSM at cost of managing High Availability (HA)
• DIY
  • Roll your own credential management and rotation
  • Separate operational team
  • Quorum-based management
  • Run high-availability service
  • No access to hardware/TPM
![Page 31: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/31.jpg)
Implementing KMS
![Page 32: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/32.jpg)
Implementation goals
• Multiregion support for disaster recovery (DR)
• Mitigate total KMS failure
• Avoid vendor lock-in
• Minimal performance impact
• Operational tools for key rotation
![Page 33: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/33.jpg)
Mapping KMS key hierarchy to Okta key hierarchy
• Region master key
  • Provided to service at run time by operator
  • Unique per region
  • Encrypts tenant master key
• Tenant master key
  • Unique per tenant
  • Encrypts tenant data key
• Tenant data key
  • Encrypts data
![Page 34: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/34.jpg)
Tradeoffs of an extended key hierarchy
Pros
• Adoption of KMS is easier and incremental
• KMS data keys are enumerable, allowing rotation
• Local encryption provides more control
• Fewer calls to KMS for encryption
Cons
• Local encryption requires more responsibility
• Sharing ciphertext across services is complex
![Page 35: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/35.jpg)
Failure mitigation
![Page 36: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/36.jpg)
Multiregion encryption and decryption
• Encrypt & store tenant key encrypted by each region key
• Decrypt talks to closest KMS region
• RSA public key used for encrypt only
• Private key provided to service only in event of KMS outage
(Diagram: the service stores in the DB the tenant master key wrapped three ways: under the KMS East region master key, under the KMS West region master key, and under the RSA key)
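The per-region wrapping above, together with the region/tenant hierarchy from the previous slides, as an added Go example that is not Okta's code: each Region is a constructed stand-in for one KMS region whose master key never leaves it, the tenant master key is wrapped under every region and unwrapped closest-first with failover, and the wrap is bound to an encryption context (the Type/Id form Okta describes later) as GCM additional authenticated data. The RSA outage key from the slide is not modelled; keys, region names and the Down flag are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Region stands in for one KMS region (constructed): its master key never leaves it.
type Region struct {
	Name   string
	Down   bool   // flip to simulate a regional KMS outage
	Master []byte // 32-byte region master key (hypothetical, never exported by KMS)
}
// aad mirrors Okta's encryption context (Type + Id) as GCM AAD: wrong tenant => unwrap fails.
func aad(tenantID string) []byte { return []byte("type=Tenant.MasterKey;id=" + tenantID) }
func (r *Region) gcm() cipher.AEAD {
	b, _ := aes.NewCipher(r.Master) // Master must be 16, 24 or 32 bytes
	g, _ := cipher.NewGCM(b)
	return g
}
// Wrap encrypts a tenant master key with AES-256-GCM, random nonce prefixed.
func (r *Region) Wrap(tenantID string, tmk []byte) []byte {
	g := r.gcm()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, tmk, aad(tenantID))
}
// Unwrap errors if the region is down, the context differs or the GCM tag check fails.
func (r *Region) Unwrap(tenantID string, wrapped []byte) ([]byte, error) {
	g := r.gcm()
	if n := g.NonceSize(); !r.Down && len(wrapped) >= n {
		return g.Open(nil, wrapped[:n], wrapped[n:], aad(tenantID))
	}
	return nil, errors.New(r.Name + ": unavailable or no wrapped key")
}
// EnrollTenant stores the tenant master key wrapped once per region.
func EnrollTenant(tenantID string, tmk []byte, regions []*Region) map[string][]byte {
	out := map[string][]byte{}
	for _, r := range regions {
		out[r.Name] = r.Wrap(tenantID, tmk)
	}
	return out
}
// UnwrapTenantKey asks regions closest-first and fails over on any error.
func UnwrapTenantKey(tenantID string, wrapped map[string][]byte, regions []*Region) ([]byte, string, error) {
	for _, r := range regions {
		if tmk, err := r.Unwrap(tenantID, wrapped[r.Name]); err == nil {
			return tmk, r.Name, nil
		}
	}
	return nil, "", errors.New("all KMS regions unavailable")
}
```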
![Page 37: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/37.jpg)
September 20th: KMS increased error rate
![Page 38: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/38.jpg)
Okta failed over automatically
(Chart: KMS requests by region)
https://trust.okta.com
![Page 39: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/39.jpg)
Authorization and auditing
![Page 40: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/40.jpg)
Encryption context
• Features:
  • Additional authenticated data (AAD) via AES GCM
  • Logging – Understand why the key was accessed
  • Authorization – Fine-grained access control to data keys
• Okta’s implementation
  • Type: <ServiceName>.<EntityName>
  • Id: <EntityId>
• A good encryption context identifies or classifies
• Think carefully about mutability and storage of context
• Encryption context shouldn’t contain sensitive data
![Page 41: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/41.jpg)
Granular decryption policy
{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:...:DirectoryAppRole"},
  "Action": "kms:Decrypt",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:type": "DirectoryService:SensitiveObject"
    }
  }
}
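The statement above, as an added Go example that is neither Okta's nor AWS's code: it parses the slide's policy and decides a kms:Decrypt call against it. The account id in the principal ARN is a placeholder because the slide elides it, and only the StringEquals operator on kms:EncryptionContext:<name> keys is implemented, failing closed on anything else.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Statement models the fields the slide's key-policy statement uses. Real
// policies also allow arrays for Action and Principal; the slide's form is kept.
type Statement struct {
	Effect    string `json:"Effect"`
	Principal struct {
		AWS string `json:"AWS"`
	} `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition"` // operator -> key -> value
}

// DirectoryPolicy is the slide's statement; the slide elides the account id in
// the ARN, so a placeholder is used here.
const DirectoryPolicy = `{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/DirectoryAppRole"},
  "Action": "kms:Decrypt",
  "Condition": {"StringEquals": {"kms:EncryptionContext:type": "DirectoryService:SensitiveObject"}}
}`

func ParseStatement(doc string) (Statement, error) {
	var s Statement
	err := json.Unmarshal([]byte(doc), &s)
	return s, err
}

// Allowed decides one call against the statement. IAM is default-deny, so a
// principal, action or context that does not match is refused. Only the
// StringEquals operator on kms:EncryptionContext:<name> keys is implemented;
// any other operator or key, or a context lacking the key, fails closed.
func Allowed(s Statement, principal, action string, ctx map[string]string) bool {
	if s.Effect != "Allow" || s.Principal.AWS != principal || s.Action != action {
		return false
	}
	for op, keys := range s.Condition {
		if op != "StringEquals" {
			return false
		}
		for key, want := range keys {
			name := strings.TrimPrefix(key, "kms:EncryptionContext:")
			if got, ok := ctx[name]; name == key || !ok || got != want {
				return false
			}
		}
	}
	return true
}
```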
![Page 42: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/42.jpg)
CloudTrail
![Page 43: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/43.jpg)
Auditing
Correlate CloudTrail logs with service logs to detect events not triggered by the service
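One way to do that correlation, as an added Go example that is not Okta's code: it assumes the service writes a JSON log line carrying the AWS request id and the encryption context of every KMS call it makes, and reports CloudTrail KMS events with no matching service entry, or with a different context under the same request id. The record formats are reduced to the fields the check needs and all inputs are constructed.

```go
package main

import "encoding/json"

// Trail is the subset of a CloudTrail KMS record this check reads.
type Trail struct {
	EventName    string `json:"eventName"`
	RequestID    string `json:"requestID"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
}

// ServiceEntry is one JSON line from the application log (constructed format);
// it assumes the service records the AWS request id of every KMS call it makes.
type ServiceEntry struct {
	RequestID string            `json:"requestId"`
	Context   map[string]string `json:"encryptionContext"`
}
type Finding struct{ RequestID, Reason string }

func parseService(lines []string) map[string]map[string]string {
	seen := map[string]map[string]string{}
	for _, l := range lines {
		var e ServiceEntry
		if json.Unmarshal([]byte(l), &e) == nil && e.RequestID != "" {
			seen[e.RequestID] = e.Context
		}
	}
	return seen
}

// Reconcile flags CloudTrail KMS events the service never logged (a key use that
// did not come from the application) and events whose context differs from the service's.
func Reconcile(trail, service []string) []Finding {
	seen := parseService(service)
	var out []Finding
	for _, raw := range trail {
		var ev Trail
		if json.Unmarshal([]byte(raw), &ev) != nil || ev.RequestID == "" {
			continue
		}
		ec := ev.RequestParameters.EncryptionContext
		if ctx, ok := seen[ev.RequestID]; !ok {
			out = append(out, Finding{ev.RequestID, ev.EventName + " by " + ev.UserIdentity.ARN + " not logged by service"})
		} else if ctx["type"] != ec["type"] || ctx["id"] != ec["id"] {
			out = append(out, Finding{ev.RequestID, "encryption context mismatch"})
		}
	}
	return out
}
```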
![Page 44: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/44.jpg)
Rollout and tuning
![Page 45: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/45.jpg)
Rollout and TTL tuning
(Charts: gradual rollout; tuning)
![Page 46: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/46.jpg)
Performance
![Page 47: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/47.jpg)
Region failovers
• ~ 0.001% failure rate without tuning HttpClient retries
• At retry value of 3, failure rate is negligible
![Page 48: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/48.jpg)
SDK client tuning
kmsClientConfig = new ClientConfiguration()
.withSocketTimeout(3000) // 3 seconds
.withConnectionTimeout(3000) // 3 seconds
.withConnectionTTL(60000) // 1 minute
.withMaxErrorRetry(3);
client = new AWSKMSClient(kmsClientConfig);
![Page 49: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/49.jpg)
Final thoughts
![Page 50: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/50.jpg)
Feature requests for KMS
• Support for multiregion encryption
• Security enhancements
  • Transport encryption in addition to TLS
  • Tighter access control for IAM credentials in EC2 metadata service
  • Bind IAM credentials to EC2 instance/hypervisor
• PKI features
  • KMS storage and rotation for asymmetric keys
  • Certificate authority as a service
![Page 51: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/51.jpg)
KMS takeaways
(Chart: risk vs. cost, from low risk / low cost to high risk / high cost, plotting DIY, KMS and Cloud HSM)
• It’s highly available
• It’s simple to get up and running
• Enables separation of duties
• Enables secure scaling automatically
• Orders of magnitude cheaper
![Page 52: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/52.jpg)
Implementation recommendations
• You may not need encryption or keys for confidentiality
• Put thought into encryption context
• Reconcile CloudTrail logs with application logs
• Tune the SDK for timeout and retries
• Consider an extended key hierarchy
![Page 53: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/53.jpg)
Reference
• User-Based and Resource-Based Permissions – http://docs.aws.amazon.com/IAM/latest/UserGuide/policies_permissions.html#TypesPermissions
• AWS Key Management Service Cryptographic Details – https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
• KMS Developer Guide – http://docs.aws.amazon.com/kms/latest/developerguide/kms-dg.pdf
![Page 54: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/54.jpg)
Remember to complete your evaluations!
![Page 55: (SEC401) Encryption Key Storage with AWS KMS at Okta](https://reader034.fdocuments.us/reader034/viewer/2022042611/587565bc1a28abd80a8b5037/html5/thumbnails/55.jpg)
Thank you!
Follow me on Twitter: @JonToddDotCom
Learn more about Okta: www.okta.com