Encrypting AWS Instances

Hi,

   I am trying to find a way to encrypt AWS instances below what CloudHSM can do.  CloudHSM encrypts the volumes.  I am told that is not good enough and that I need to go even further.  Any advice is greatly appreciated.

Thanks,

Awakenings
awakenings Asked:

awakenings (Author) Commented:
Oh...  FIPS 140-2 validated cryptographic modules are a requirement.
0
awakenings (Author) Commented:
Alright...  So this is around the VMware session itself.  So the VMDK is launched, but someone can leak the session state.
0
btan (Exec Consultant) Commented:
In fact CloudHSM just guards your crypto keys used in the encryption process. It is itself already in compliance with the FIPS 140-2 and Common Criteria EAL4+ standards.
> But do note the appliance can be operated in FIPS 140-2 Level 2 mode by disabling non-FIPS-compliant algorithms and enabling password authentication in the HSM policy when you create the HSM partition. You have to check out the doc on this at http://amazon-aws-hsmaas-safenet-docs.s3-website-us-east-1.amazonaws.com/007-011136-002_lunasa_5-1_webhelp_rev-a/Content/reference/capabilities_and_policies.htm

> Also from its FAQ, AWS is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks. In Luna SA terminology, AWS has Admin credentials to the HSM appliance, but never has Security Officer or Partition credentials. It is already designed to detect tampering if the physical barrier of the HSM appliance is breached - I believe you know it is using SafeNet Luna for CloudHSM.

We need to be clear on the use cases supported in the AWS case, where you are most likely, in the CloudHSM context, using SafeNet ProtectV with Virtual KeySecure for EBS volume encryption. It just means having that crypto key to encrypt the instance volume. Once it is booted up (or always turned on, even with BitLocker), the transparent decryption is done with the crypto key loaded in memory ... the data and files/folders are never encrypted at all. So the layered defense that is the recommended security practice is not achieved.

In fact, with the instance always running, the volume encryption effect is "negated" as it is always in a decrypted state (except when the instance is at rest); the data are in plain. Adversaries are more interested in the data as the crown jewel, regardless of the instance image file. Hence, besides disk or volume encryption, it is recommended to add file/folder encryption.

Therefore the use cases for CloudHSM will need to expand to supported ones like using the API keys provided to interface with the HSM, and even using it for the database systems in AWS... Some possible cases are below.

a) Application (developed services) use of crypto keys
(e.g. write custom applications and integrate them with CloudHSM)
- HSM client software is installed on the application instance to send cryptographic requests to the HSM. Eventually, the client software, transacting with the HSM appliance via a secure channel using authorised credentials, returns the transaction result to the application through the cryptographic API (e.g. via PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE) in the developer's code.

Note that the API used by the application can be further leveraged by the app developer to encrypt files and data as required, so it is not necessarily used for partition or disk level encryption. It can layer over existing disk encryption at the OS level.

b) Database systems' use of crypto keys to protect the database
(e.g. encrypting RDS databases with Oracle Transparent Data Encryption (TDE), and likewise applicable to Microsoft SQL Server 2008 and 2012 (TDE))
- Maintain control of the master encryption keys in CloudHSM instances when .

Note that TDE is encrypting the data in the database and not the partition per se in this use case.

As a whole, the FAQ is useful, but to raise the security posture the defense in depth principle helps, as shared in the approach above. CloudHSM is in a supporting role, while the end user dictates how the main actor (e.g. applications/servers) can leverage this trusted aide supporting (or staffing) it for the business objective. http://aws.amazon.com/cloudhsm/faqs/
0

awakenings (Author) Commented:
btan,

    Everything you mention above I am aware of.  This does not come from me BTW.  The risk my management is concerned about is like this.  Let us take the PuTTY application.  When you look at the PuTTY application itself, you don't see what the executable is doing.  Management is concerned that the executable is siphoning off information somewhere else.  In this metaphor, the executable is the VMDK and the application is the OS.  In theory, data would be siphoned off prior to the OS even knowing about it.  This means that any detection capabilities, vulnerability scanners, and the like (even file integrity and RAM monitoring tools) will not detect the data being siphoned out of the AMI.  I do not even know what to say to this or how to start researching.  The only mitigation is to use something like Ravello (VMware emulator for AWS) and build the OS oneself and not use AMIs.  I may spend a whole day working on this or more.
0
btan (Exec Consultant) Commented:
Yes, for stripping the OS and customising which of its external and internal services are exposed by default. Something like the server core concept. CloudHSM is out of scope for such hardening and has nothing to do here ..

Yes, if the application is customised to add in the track and balance in the API supplied, to make sure containment is done to prevent leakage and to protect data chunked out by the apps. CloudHSM can have those APIs but needs code to use them ...

Yes, if the application can be monitored in its activity, assuming the API call log is available; it is even logged in the OS, which can be piped or forwarded for constant monitoring and alerting purposes. CloudHSM may have the logging piped to that central monitoring SOC or NOC.. but the use case needs to be built up.

Yes, if the application can be contained such that all file, network and process/thread tracking can be done from its running to its closing. Kind of like sandboxing it (if Sandboxie is installed, but it is "who guards the guards" and rather chicken and egg), or DLP-ing the whole instance such that watermarked docs or rights-managed docs are generated, or having a hypervisor-level guardian on top of the guest OS and application (like using Catbird to plant a checker into the guest instances). There may be keys involved, and if CloudHSM can come into the picture, why not ... also need to build the use case...

No, if the risk is acceptable and you are no worse off when data is out in the cloud and that is accepted by the owner. The provider can give all the controls (maybe); eventually it is not going to be foolproof. Probably need to make some risk based decision to be no worse off, but have measures to mitigate and respond if a breach or incident really happens....
0
awakenings (Author) Commented:
btan,

   Thank you.  In this case, I cannot use risk as an argument.  I think it is the right thing to do, but I cannot use it.  APIs are out of scope because this is happening at a lower level than the OS.  In this case, the OS is not in scope because it is "before" the OS, yet data from within the OS is taken.  To me there seems to be a way for the VMDK to connect into the OS to pull the information from the OS.  It seems like Tripwire or a RAM monitoring tool would be able to capture that information.  I agree that there has to be some level where one trusts the environment because no solution can be foolproof.  The concern is that AWS is leaking information to either AWS or a rogue element in AWS.  It cannot be TCP/IP oriented on the box itself because "no one can detect it" at that level (again, not me, my management).  If it utilizes TCP/IP, it is prior to the OS level at the VMDK, or the VMDK leaks information in some other fashion.  So, CloudHSM cannot have APIs to detect it.

    It may be the case that I am not understanding the full role of the API, but maybe there is something you can enlighten me with?
0
awakenings (Author) Commented:
So this isn't an application on the OS, it is the VMDK that could potentially leak information.
0
btan (Exec Consultant) Commented:
As mentioned, the VMDK is itself already encrypted, but if somehow an adversary or insider is able to get the VMDK to start up, e.g. if the configuration of those VMs is not well managed or is abused and susceptible to unauthorised access (assumed even with weak identity credentials, or use of tools like Kon-Boot that reset the account without even needing to know the login account), and get into the OS, the data are not protected and "naked".

It is back to drilling into file/folder protection with user keys to ensure that the second layer still deters such attempts. There is a specific purpose for each security layer. The assumption is that the VMDK is breached, so what are your controls to safeguard your data (not the VMDK)? Same analogy as protecting a notebook with BitLocker is not enough.
0
awakenings (Author) Commented:
Kon-Boot is not relevant in this case as these are sitting in AWS and the systems are active.  The concern is that while the VMDK is active (in AWS), data is actively leaking out of the VMDK at a lower level than the OS, so TCP/IP and other kinds of alerts will not notice such drains.  My skepticism abounds about it, but I need to find a solution to this AWS insider problem.  I just don't know where to begin to look for this unicorn (or any mythical creature).  I feel like I am searching for a problem that is very low risk and possibly does not exist.  At some point, if you are in the cloud, you accept risk or get out of the cloud.  Mitigating risk is critical though.
0
btan (Exec Consultant) Commented:
Agree as well - but anything goes; we are always planning contingency and withdrawal plans in time to respond robustly. Coming back, insider threats against AWS are best handled by not even going into the cloud, as you just widen your perimeter boundary unintentionally. But we know that is the old way of thinking - technology drives return, and security can also, in its supporting role. Hence, I am thinking more towards not so much confidentiality, since we already covered much of it in the previous post. We should review AWS IAM and MFA; the guards are in the workflow around:

a) Review the IAM Best Practices - Manage your AWS access keys and passwords, use IAM users and groups, use roles and delegation, and turn on logging. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

b) Tighten the access to AWS - Use MFA to add security to your account. http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/-Securing-access-to-AWS-using-span-class-matches-MFA-span-Part-I
Create the separation of duties and an access matrix so that people do not have privileges beyond what they require (need-to basis). http://blogs.aws.amazon.com/security/post/Tx27Y2HY1GGPVTQ/How-to-Create-a-Limited-IAM-Administrator-by-Using-Managed-Policies

c) Collaborate in a safe way to distribute AWS credentials to those cloud EC2 instances - Assess the process of making access keys available in a secure and convenient way to applications that are running on EC2 instances. http://blogs.aws.amazon.com/security/post/Tx1XG3FX6VMU6O5/A-safer-way-to-distribute-AWS-credentials-to-EC2

I know that the above is by no means anything strong or concrete, but it deters insider threats ... explore new technology to go into context detection and intelligence. I am seeing these candidates of interest, but I am new to them though:
- Cryptzone AppGate http://www.cryptzone.com/products/secure-access/appgate
- Darktrace Enterprise Immune System Technology http://www.darktrace.com/products/enterprise-immune-system/
0
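As an added illustration of points b) and c) above (this policy is not from the thread or from AWS's own documentation; the Sids and the action list are constructed for the example), an IAM identity policy for a group of human operators that denies every call made without MFA (while still letting a user enrol a device) and then grants only read-level visibility into EC2 and CloudTrail. Workloads on EC2 would instead get an instance role and never have a copy of a person's access keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyEverythingUnlessMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "ReadOnlyOperatorScope",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}
```

The explicit Deny wins over any Allow attached elsewhere, so an operator whose session token was obtained without MFA cannot act even if a broader policy is later attached by mistake; the Allow statement is where the need-to-basis matrix from point b) is expressed, one narrowly scoped group per duty.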
awakenings (Author) Commented:
Ya...  We have set up appropriate I&AM.  I came from Federal security so I know practices quite well.  I'll research Cryptzone and DarkTrace (never heard of the latter).  I think in this case, I'm dealing with someone who is making stuff up to show I am not good at what I do.  I'll give you points for your effort.  This person will not care about anything he wants as he is single mindedly paying attention to one aspect of security that, in his mind, I am overlooking.
0
btan (Exec Consultant) Commented:
I understand where you are coming from, but the problem space of insiders, beyond those controls in place, is a tough space to solve completely. We can talk till all the possible controls are in place, but how much trust do we have in those controls, how do we verify those controls are in place correctly, etc... Insiders look for mistakes - so you need to know what the low hanging fruit are and what incidents happened - no point building a fortress - there is no silver bullet or panacea. Alright - pardon me, baselining what is wanted and what is needed is critical, at least to me.

Regime checks and exercising governance over having AWS need some risk assessment - not only for insiders. Apologies for not being able to come up with any concrete stuff, but preventing a Snowden type of incident is not a point-solution challenge to overcome... when a 3rd party is inevitable. I come from the Govt side as well ..
0
btan (Exec Consultant) Commented:
Thanks for the discussion, and I hope this has brought us an open mind. The below shows otherwise:
> I think in this case, I'm dealing with someone who is making stuff up to show I am not good at what I do.  I'll give you points for your effort.  This person will not care about anything he wants as he is single mindedly paying attention to one aspect of security that, in his mind, I am overlooking.
0
awakenings (Author) Commented:
Great comments under a difficult issue.
0
btan (Exec Consultant) Commented:
Thanks for sharing, we learnt as well.
0