At its re:Inforce security-focused event in June, Amazon Web Services announced several additions for key management, certificate authority, secure computing and payment security. These are aimed at enabling AWS customers to better operate their regulated or risky workloads for their downstream stakeholders. Here, we cover the impact of those announcements, and what they mean for practitioners and ecosystem partners.
AWS has showcased its desire to further appeal to regulated industries. The additional toolsets effectively extend its shared responsibility model to more levels and environments, expanding the choices enterprise customers have to secure sensitive data. AWS’ primary customers are increasingly service and/or software providers themselves that have built their offerings within AWS, and they are the ones that must demonstrate additional shared responsibility capabilities to their downstream stakeholders. The company’s offerings enable both AWS and its primary customers to securely operate on their stakeholders’ behalf. It aims to further enable regulated enterprises to reduce risk and audit scope, and modernize their systems and infrastructure.
Data security and encryption updates announced both at re:Inforce and recently by AWS include:
S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS). This new encryption choice for Amazon S3 applies two layers of encryption to objects when they are uploaded to an Amazon S3 storage bucket. Encryption options in all AWS services that use keys from AWS KMS require at least two sets of permissions: one to access the encrypted data itself and one to use the KMS key to decrypt it.
This dual-policy mechanism protects against a misconfiguration in either one that might otherwise grant access to the underlying data. While AWS S3 buckets are encrypted by default, DSSE-KMS pushes the shared responsibility model further by requiring two distinct parties within the customers’ environment to share responsibilities jointly. Specifically, DSSE-KMS satisfies National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption. DSSE-KMS is expected to be for heavily regulated workloads or environments with the strictest mandatory access controls. It is available in all AWS Regions, including all classified regions in AWS GovCloud.
AWS Database Encryption SDK for Amazon Dynamo DB. This is an enhancement to AWS’ encryption offering for DynamoDB workloads. Continuing the theme of extending shared responsibility operating models, the newest open-source Database Encryption SDK provides attribute-level, client-side encryption with options for the customer to use either the AWS KMS or their own encryption key providers.
The attribute-level encryption feature enables customers to encrypt specific values before storing them in the database, and then to easily search on the encrypted values without needing to decrypt them first. The offering would appeal to developers who need to protect the confidentiality of specific attributes, and use DynamoDB to store multi-tenant data where isolation across different classes of data is required.
AWS Confidential Computing — AWS Nitro System. As part of its data processing unit strategy, AWS is aiming to build trust into a broader level of workloads and improve its compute density. AWS Confidential Computing leverages the AWS Nitro System architecture to push the shared responsibility model another level up. This helps to absolve AWS’ operations from compromising customer data, and customers can absolve themselves from operating on their stakeholders’ data when using Nitro Enclaves.
AWS Nitro is available for all modern EC2 instances running on Intel Xeon, AMD Epyc, Graviton (Arm-based) or NVIDIA GPU-based architectures. AWS Confidential Computing leverages secure enclaves controlled and isolated by the AWS Nitro data processing units. To further bolster its credibility among regulated, defense or critical infrastructure industries, AWS performed and passed an external security review with NCC Group, which provides security testing and assurance for critical computing systems that must meet exhaustive standards such as Common Criteria.
AWS Private Certificate Authority. Recently launched as a separate product independent of its public certificate service (AWS Certificate Manager), AWS Private Certificate Authority not only enables customers to create private certificates, but also enables private certificate authorities to issue and manage private certificates. AWS Private Certificate Authority aims to simplify many aspects of on-premises public key infrastructure (PKI), yet it still offers options for hybrid deployments and hierarchies.
For example, customers can still maintain an offline, self-managed root certificate authority and tie to AWS issuing certificate authorities. Conversely, customers may use self-managed issuing CAs and the root CA within AWS Private Certificate Authority. AWS Private Certificate Authority can issue private certificates that authenticate resources such as users, devices and servers in environments like AWS and Active Directory. Historically, PKI was developed to provide lasting authentication and data confidentiality, with underlying certificates lasting several years. Cloud architectures; vast increases in the number of devices, users and processes requiring authentication; and greater security and compliance mandates are driving the need for certificate authorities.
AWS Payment Cryptography. Covering the “last mile” of payment systems, AWS Payment Cryptography offers additional choices for payment networks that are still tied to on-premises or hybrid hardware security modules or encryption key management offerings. AWS Payment Cryptography service enables customers to simplify the complex operations required for secure transmission of payments data while meeting PCI-PIN, PCI P2PE and PCI-DSS compliance requirements.
Given the recent guidance revisions within PCI-DSS 4.0, assessors and auditors alike are better aware of the effectiveness of controls within the cloud. The further trend toward infrastructure as code within AWS should enable faster and more accurate PCI-DSS audits. Increasingly, the basis of compliance changes from “point in time” to “continuous over time” is evident in both PCI-DSS 4.0 and other frameworks, such as SOC2 and ISO27K. While there is no perfect correlation between compliance and security outcomes, facilitating easier compliance and a more flexible payment network operation should give merchants, acquirers and processors alike more flexibility to accommodate massive changes in FinTech.
Cautious Optimism in Cloud Spending
Want insights on cloud computing trends delivered to your inbox? Join the 451 Alliance.