
29 January 2018

AWS Key Management Service

The first time I took part in a PCI-DSS compliance project, I was impressed by the importance that PCI-DSS gives to key management for encrypting and decrypting credit and debit card data. The key management process matters because PCI-DSS requires that card data be encrypted with a Data Encryption Key (DEK), and that the DEK itself be encrypted with a Key Encryption Key (KEK). In addition, the DEK and the KEK can't be stored on the same server, and both have to be rotated periodically. There are different ways to meet this requirement; AWS KMS is one of them, and it's what I'm going to write about today.

AWS KMS, or AWS Key Management Service, is a fully managed service that helps us control the encryption keys we use to encrypt data. It is integrated with other AWS services, so it's useful when we want to protect data held by those services. AWS KMS is also integrated with AWS CloudTrail for logging and auditing key usage, which is mandatory in many standards such as PCI-DSS. Thanks to this centralized service, we can store keys easily and configure automatic key rotation, logging and auditing.

How AWS Services Integrate with AWS Key Management Service

If we want to store encrypted data in Amazon S3, we can use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS), which uses an envelope key to encrypt each object's data encryption key; this gives us greater control over who can decrypt the data and provides an audit log of key usage. Alternatively, we can use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), where S3 encrypts each object with a unique data encryption key, and that key is itself encrypted with a master key that the S3 service rotates annually. The third option is Server-Side Encryption with Customer-Provided Keys (SSE-C), where we use our own key, managed by ourselves, so S3 never stores it.

How SSE-S3 with AWS Managed Keys Works

All of the previous architectures encrypt data on the server side, which means the data is encrypted after it is sent to Amazon S3, so AWS always performs the encryption. However, if we want to encrypt data before sending it to Amazon S3, we can use the Client-Side Encryption architecture, where we encrypt our data and manage our own keys. There are two options for Client-Side Encryption. The first is to use an AWS KMS-Managed Customer Master Key (CMK): we first send a request to AWS KMS for a randomly generated data encryption key, which we then use to encrypt our object data. The second is to use a Client-Side Master Key, where neither keys nor unencrypted data are ever sent to AWS.

Client-Side Encryption
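As an added example, not code from the original post or from AWS, here is the DEK/KEK envelope pattern that both the PCI-DSS requirement and the KMS-managed CMK option above describe, written in Go with only the standard library. A locally held KEK stands in for the KMS customer master key (an assumption made for this example; in KMS the wrap and unwrap steps are the GenerateDataKey and Decrypt API calls and the KEK never leaves the service), a fresh DEK is generated per record, and only the wrapped DEK is stored beside the ciphertext.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// aead builds AES-GCM for a 16/24/32-byte key; any other length is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 128-bit block
	return gcm
}

// seal encrypts with a fresh random nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; the GCM tag check rejects any tampering.
func unseal(key, data []byte) ([]byte, error) {
	gcm := aead(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Encrypt mirrors KMS GenerateDataKey + local encryption: a fresh DEK per record,
// returned wrapped under the KEK (KMS's CiphertextBlob) beside the encrypted record.
func Encrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32) // AES-256 data key; the KEK itself is never stored
	rand.Read(dek)
	return seal(kek, dek), seal(dek, plaintext)
}

// Decrypt mirrors KMS Decrypt on the wrapped DEK, then decrypts locally.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := unseal(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, ciphertext)
}
```

Because only the wrapped DEK is stored, rotating the KEK means re-wrapping the small DEKs rather than re-encrypting every record.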

In addition to storing encrypted information in Amazon S3, AWS KMS is also integrated with other AWS services such as Amazon EBS for encrypting volumes, Amazon Redshift for encrypting data warehouses and Amazon RDS for encrypting databases. What's more, if we want a Hardware Security Module for cryptographic operations and key storage, we can use AWS CloudHSM.

Comparison of key management options

We can use a Key Management Service for PCI-DSS compliance, but we can also use this kind of service whenever we have to store keys for any other reason, as Netflix does, using AWS CloudHSM to store passwords.

How do you manage your keys?

22 January 2018

AWS Security Best Practices

Hosting our services with a Cloud Service Provider (CSP), such as Amazon, is not an easy task when we think about responsibility, because responsibility is shared between the service provider and our company, and the boundary can sometimes be unclear. Therefore, IT engineers have to read and study how the CSP works in order to know which responsibilities are theirs and which are ours. For instance, it's important to know who is responsible for access management, network traffic protection and data encryption.

Shared Security Model - Infrastructure Services

With regard to access management, Amazon has a service called AWS Identity and Access Management (IAM), which is used to grant access to individual users and manage their credentials. It is where we apply security best practices such as rotating credentials regularly, defining a strong password policy and managing permissions by group or by user. In addition, AWS IAM lets us enable Multi-Factor Authentication (MFA) for privileged users and send logs to AWS CloudTrail for visibility of user activity.

AWS CloudTrail Overview using Sumo Logic

Creating our virtual data center carries risks if we don't configure it properly. We have to define virtual networks in Amazon VPC, where it's recommended to have at least two subnets in different Availability Zones (AZs) for each layer of our network. What's more, we can configure NACLs with rules similar to our security groups to add an additional layer of security to our VPC. VPC Flow Logs is another interesting feature that should be enabled if we want visibility of network traffic flows.

VPC with Public and Private Subnets and AWS Managed VPN Access

EC2 instances are going to communicate with each other, but only the TCP/UDP ports actually required should be open between them. Therefore, it's recommended to configure Security Groups as virtual firewalls that allow or deny traffic to and from instances. This is the best way to protect an instance, or a group of instances, because instances in one group cannot communicate with instances in another group unless we allow it explicitly. As you can see, a network perimeter firewall that allows and denies traffic between networks is no longer enough; we increasingly need firewalls that protect virtual machines from other virtual machines, even when they are in the same subnet.

Amazon Security Groups

When we talk about encryption and key management, we have to know which architecture suits our organization. There are mainly two types of architecture in AWS: Client-Side Encryption, where we encrypt our data and manage our own keys, and Server-Side Encryption (SSE), where AWS encrypts the data and manages the keys for us. We can use AWS Key Management Service (KMS) as well as AWS CloudHSM, which help us provision and use encryption keys to protect our data. For instance, Netflix does its key management with AWS CloudHSM.

AWS Services Integration with AWS Key Management Service

Although we are moving to the cloud, security is still a concern for most companies, and we have to configure security measures in our services to make them safe. So don't give up; there is still a lot of work to do.

Do you want to share with us your Cloud Security Best Practices?

15 January 2018

Creating your virtual Data Center

One of my first projects as a system administrator at Ariadnex was for the Government of Extremadura, where I managed virtual machines, datastores and virtual networks in virtual data centers. I learnt a lot about virtual infrastructure on XenServer and VMware. Today, however, virtual data centers are moving from on-premises to the cloud, whether Public, Private or Hybrid, where you can even pay as you go (PAYG). For instance, we can deploy our data center on the major cloud providers such as Microsoft Azure, Google Cloud Platform or Amazon Cloud "easily" and pay as we use.

Lately I've been reading, learning and working with AWS Cloud, where I've created a virtual data center with firewalls, Elastic Load Balancer, WAF, EC2 instances, etc., and there are a lot of things to take into account when deploying a virtual data center in Amazon Cloud. For instance, VLANs and ARP don't exist in AWS Cloud. Instead, a VPC (Virtual Private Cloud) is used to isolate traffic, and within it we create subnets in Availability Zones. What's more, a /24 subnet has 251 usable addresses instead of 254, because AWS reserves three IP addresses for internal routing.

Choosing IP address ranges for your subnets

Routing is another mess in AWS if we are used to traditional routing. A VPC comes with a default route table, but we can assign different route tables to different subnets; each contains rules for where packets go. In addition, there are Internet Gateways, where packets are sent if we want them to reach the Internet. On the other hand, we can deploy NAT instances in a public VPC subnet to enable outbound Internet traffic from instances in a private subnet. By default, private VPC subnets are routable internally, while public subnets reach the Internet through an Internet Gateway.

NAT access to Internet

Security is important too when we create a virtual data center. There are two kinds of firewall in AWS. The deprecated one is a stateless firewall, where we create Network ACLs to allow or deny ports and IP addresses. The traditional one is a stateful firewall, where we create Security Groups to allow or deny traffic to instances. For example, a Security Group "MyWebServers" to allow all traffic from the Internet, and a Security Group "MyBackends" to allow only traffic from "MyWebServers". Moreover, dedicated cloud firewall AMIs such as FortiGate, Palo Alto and Check Point can be deployed from the AWS Marketplace; they offer many additional and important security functions, such as IDS/IPS.

Security Groups = Stateful Firewall
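As an added example (not from the original posts), the stateful, default-deny evaluation that the "MyWebServers" / "MyBackends" pair above and the Security Groups paragraph of the AWS Security Best Practices post describe, modelled in Go with the standard library. The Rule and Instance types, the group-name map and the port numbers are constructed for this example and are not the AWS API; the web group is opened on 443 rather than to all traffic so that a denied port can be shown too.

```go
package main

import (
	"net/netip"
	"slices"
)

// Rule is one security-group ingress rule. Exactly one of SourceGroup or
// SourceCIDR is set; a SourceGroup rule matches any instance in that group.
type Rule struct {
	Proto       string // "tcp", "udp" or "-1" for all protocols and ports
	FromPort    int
	ToPort      int
	SourceGroup string
	SourceCIDR  string
}

type Instance struct {
	IP     netip.Addr // private IP of the EC2 instance
	Groups []string   // security groups attached to it
}

// Allowed reports whether a new connection from src to dst on proto/port is
// permitted by the ingress rules of dst's groups (keyed by group name). Ingress
// is default-deny and stateful: a permitted request implies its reply is allowed.
func Allowed(groups map[string][]Rule, src, dst Instance, proto string, port int) bool {
	for _, g := range dst.Groups {
		for _, r := range groups[g] {
			if r.Proto != "-1" && (r.Proto != proto || port < r.FromPort || port > r.ToPort) {
				continue
			}
			if r.SourceGroup != "" && slices.Contains(src.Groups, r.SourceGroup) {
				return true
			}
			if p, err := netip.ParsePrefix(r.SourceCIDR); err == nil && p.Contains(src.IP) {
				return true
			}
		}
	}
	return false
}

// PageGroups is the page's pair (constructed here): web servers open to the
// Internet on 443, backends reachable on 8080 only from members of MyWebServers.
func PageGroups() map[string][]Rule {
	return map[string][]Rule{
		"MyWebServers": {{Proto: "tcp", FromPort: 443, ToPort: 443, SourceCIDR: "0.0.0.0/0"}},
		"MyBackends":   {{Proto: "tcp", FromPort: 8080, ToPort: 8080, SourceGroup: "MyWebServers"}},
	}
}
```

Two backends in the same group and subnet still cannot reach each other with these rules: membership grants nothing unless an ingress rule references the group.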

Each organization has its own requirements, so we'll have to design the virtual data center accordingly. For instance, if we have several VPCs and want to exchange information between them, we should configure VPC peering, and if we have to connect our on-premises data center to AWS, we can use Virtual Private Networks (VPN), AWS Direct Connect or both. Route 53 is another interesting AWS service, for DNS resolution, and VPC Flow Logs are useful for visibility and troubleshooting. As you can see, there are many infrastructure services in AWS, and we'll have to choose the right ones to deploy a reliable and cost-effective virtual data center.

AWS Direct Connect

I think this is just the beginning of real cloud computing, where you deploy services around the world and pay as you go. They, I mean Amazon, Google and Microsoft, are changing the paradigm of systems, networks and storage, and we should pay attention to this amazing world.

What do you think about the future of Cloud Computing?

7 January 2018

Video Selfie in French language

One of my wishes for this year is to improve my French, because I've already passed the A1 level and I want to apply for the A2 level this year. Speaking Spanglish and Frañol is already a fact for me, I can do it, but when we have to speak a non-native language in a meeting, webex or conference it's a must to speak properly, because if we say "Relaxing cup of café con leche", maybe someone is going to laugh too much. So, do you need languages? Are you happy studying languages? Because, although it's a challenge, it's also rewarding when you realise you can speak with someone in another language.

From time to time, my friends ask me why I studied English and why I'm now studying French. Actually, there are a lot of reasons, but I always say the tipping point was 10 years ago, when I went to England to learn English with a government grant and my wallet was stolen in London. I didn't have my passport, I didn't have my ID, I didn't know how to speak English, and I didn't know how to return to Spain without my identification. My plane took off the next day. I didn't know what to do. It was my first trip abroad. I was nervous. In the end, a Spanish boy helped me go to the police station to file a complaint. They allowed me to return to Spain the next day.

Two years later, I finished my studies at university and started working as an IT engineer at Ariadnex, where I realised most technologies were made in the USA, so technical guides were written in English. Nobody told me about the importance of English when I was at university. I remember that in my first weeks working as an IT engineer I had to read technical guides for load balancers. I didn't understand anything. Therefore, I had to start learning English at the Official School of Languages.

However, today I'm no longer studying English but French. Why? First, because I studied French at high school; second, because French is one of the main languages, along with English and German, in the European Commission. Indeed, there are lots of European institutions in France and Belgium.

In fact, you can watch my last speech for the Official School of Languages. I have to improve, I know. This is my second year learning French, but I think it's not bad.

Hello, I am here to talk about the Temple of Diana. It is in the heart of the city of Mérida, next to the famous shopping street Santa Eulalia, which is only a minute's walk from here. The Temple of Diana dates from the time of the emperor Augustus, in the first century. It is a religious building that is known today for its dedication to Diana, goddess of the hunt in Roman mythology. It is a well-preserved building, rectangular in plan, with six columns. You can see its façade here. I really like coming here in summer to sit with my girlfriend, where we eat an ice cream and drink some beers. Finally, we can note that the temple is a beautiful and pretty place to take a photo. Goodbye.

Do you want to learn languages? Why are you learning languages?

1 January 2018

My wishes!!

Today is the first day of the new year 2018; it's time to write our wishes and make a plan for the new year. I wrote that I wanted the Three Kings to bring me an AS for 2016, and I got it, because Ariadnex manages the Autonomous System where Ariolo Cloud is hosted. I also wrote that I didn't want more toys for 2017 but procedures, methodologies, methods and security policies, and it seems some companies have realised they need information security specialists to protect their services instead of spending their money on more appliances. Therefore, I'm going to write about my wishes for this new year, which are perhaps a little ambitious, but I have to try.

This year is going to be my fourth year with the CISA certification and my third with CISM, so I need to keep learning about information security to stay up to date and maintain these certifications through CPEs (Continuing Professional Education). As a result, I need to attend webinars and conferences, deliver training courses and keep studying. The Importance of Security at CUM was my only speech last year, but the Security Courses on Networks and Systems and the Ethical Hacking Course were enough to get my annual CPEs. Therefore, I would like to maintain these certifications by delivering security courses again.

When I was at high school I failed English exams from time to time; today I'm writing in English and I'm also able to speak it. When I was at high school I learnt a little French; today I'm learning French at the Official School of Languages, and I passed the A1 level last year. Learning a new language is time-consuming but rewarding, so this is another wish for 2018: I want to pass the A2 level of French.

I think security engineers have a lot of work to do in Industrial Control Systems (ICS), because most ICS are outdated, were designed without security in mind, and are increasingly connected to networks. In addition, the latest malware designed to attack ICS, such as Stuxnet, Havex, BlackEnergy2, CrashOverride and now TRITON, is powerful malware that can cause damage to society. Therefore, I would like to go deeper into ICS to protect critical infrastructure systems this new year 2018.

I would like to learn a lot of things, but above all I want to learn more about ethical hacking. In fact, I would like to apply for the OSCP certification. We'll see. On the other hand, my CCNP certification expires next year, in 2019, so I don't know yet whether I'm going to start studying for another certification such as CCNP Data Center, because I would like to know how Nexus switches work. We'll also see. Security and networking in a cloud computing environment is challenging, so I would like to learn how to deploy web apps more safely on a cloud computing infrastructure like AWS Cloud. Once again, we'll see.

To sum up: CISA and CISM certification maintenance, studying French, working with ICS and critical infrastructure systems, and studying ethical hacking, networking and cloud computing. Maybe I'm a little ambitious, but I have 365 days to get it done.

Do you want to tell us your wishes?