Cloud Data Security
This is a guide on cloud data security.
Survey of Cryptographic Mechanisms
I want to start out this lesson looking at an extension of the CIA triad. As you learned in the previous lesson, the previous course, course three, CIA is confidentiality, integrity, and availability. But in 2002, Donn Parker, who was a retired information security consultant and researcher, expanded on the CIA model and added three extra elements. This was later renamed the Parkerian Hexad in honor of Donn Parker.
And he's highly regarded. And so this is an expression of a set of components that are added to the CIA triad. And I think it's more comprehensive and more of a complete security model, so I wanted to teach it to you here in this course.
[Video description begins] A hexad diagram displays. It has the text, Information Security, in the center. The following texts display in the hexad: Confidentiality, Possession, Integrity, Authenticity, Availability, and Utility. [Video description ends]
The first additional thing that Parker added was possession or control. So for example, let's say a thief were able to steal some sealed envelope that had a bank debit card and the PIN number. Even if the thief didn't open that envelope, it's reasonable that the victim would be concerned that the thief could do that at any time. So this situation illustrates loss of control or possession.
So for example, if somebody is able to break into a safe at a corporate office and able to steal access keys or stock certificates or other securities, okay? Basically it's a loss of control, a loss of possession, but not necessarily a breach of confidentiality. Next, we have authenticity. Many people actually think the CIA triad, the A stands for authenticity, but in fact it stands for availability. What Parker did was he separated the integrity model into integrity and authenticity.
Because, typically, since we use the same type of mechanisms to get authenticity as we do integrity, like digital signatures and hashed password authentication codes, often those are combined into integrity. But this is going to be a separate component, and it refers to the veracity of the claim of origin, or authorship of information. So this would be specifically using things like digital signatures for electronic information, making sure that code is authentic, that it upgrades, that images are authentic, for example.
And then the final one is utility, and utility means usefulness. Often you hear the term utility used with warranty as kind of two separate things, for example, an ITIL. But utility, for example, let's say somebody encrypts data on disk to prevent unauthorized access, or maybe they encrypt it on a USB fob, then they lose the decryption key, okay? That would be a breach of utility. So the data is still confidential but it's not useful. This is the Parkerian Hexad, we're going to add that.
So if you have all six together, you have confidentiality, integrity, availability, control, authenticity, and utility. Now the main goal, really, of this lesson in this course is to talk about cloud data security. So we need to get a little bit of basics out of the way.
[Video description begins] Screen title: Cryptology [Video description ends]
Cryptology is basically two disciplines. Cryptography, which is the study and practice of securing communications, and involves encryption and hashing and digital signatures. And then cryptanalysis, which is the study and practice of exploiting weaknesses, finding gaps in algorithms and mechanisms and secure communication. Cryptology, or cryptosystems, often provide confidentiality, integrity, peer authentication, and non-repudiation. Cryptography uses ciphers. These are algorithms used for encryption and decryption. And the algorithms are often seeded or combined with or interleaved with a key, a string of pseudorandom or non-random alphanumeric characters. A cipher outlines the well-defined series of procedures that are followed to encrypt and decrypt or to provide a cryptographic one-way hash. There's many different types of ciphers, from the simple to the complex. That's beyond the scope of this course.
[Video description begins] A checklist graphic for Cipher displays. It has three list items: Generate key, Create blocks, and XOR. [Video description ends]
These different types of keys, okay? Keys can be manually generated strings of alphanumeric characters, okay, like your password, for example. They can be random or pseudorandom generated. This can be done by humans, it could be done by software. Truly random keys are very, very difficult to generate. So often, we just use cryptographically practical pseudorandom keys. We can have a static key.
This is used for a relatively long period of time. It could be used multiple times for different key establishment processes. Then there's session keys. A session key is a single-use symmetric key that's used for an entire session. So let's say for an SSL/TLS session or for an IPsec transform session. It encrypts and decrypts all the messages for that specific session. Using short-term session keys as opposed to static keys makes many cryptanalysis attacks more difficult.
And then ephemeral keys. Ephemeral keys are used for a very short period of time and they're not stored anywhere permanently. They're only used for one single key establishment process. Often, we get integrity and origin authentication by using cryptographic hashing with a MAC or a secret key. So for example, let's say our data is some type of transaction where we're going to pay somebody $100. We take that transaction data and we combine it with a secret key, and we send it through a hashing algorithm.
The result will be a HMAC authenticated fingerprint of a fixed length, MD5, SHA-1, SHA-2. Then that fingerprint is appended or attached to the original data and sent over a untrusted network. The recipient will then take that same secret key, which can be generated and shared in several different ways, verify the HMAC, and then apply the hashing algorithm to see the original data.
Now with cryptographic hashing, what we have is the avalanche effect. So that if one 0 or 1 is flipped in the original data, it will have a tremendous result. So for example, let's say the original pay to Terry Smith $100 has one modification to it, okay? Maybe just the last name is spelled differently, S-M-Y-T-H. The result, the HMAC authenticated fingerprint, will be completely different, okay?
It will be absolutely an avalanche effect. Also, the bit size of a cryptographic hash, let's say 256 bits, 506 bits, 1,024, is really only half as strong as other cryptosystems. And that's because of the birthday paradox, which means if 23 people are at a birthday party, the odds are 50%, or 50/50 that two people share the same birthday, okay? Not the same birth date, but the same birthday in the calendar year.
[Video description begins] Two flow diagrams display. In the first diagram, a laptop labelled as Data displays. Below the laptop, the Secret key connects to the Hashing algorithm placed on the boundary of a cloud network. The Hashing algorithm points to the cloud network. A box labelled HMAC-authenticated fingerprint is joined to another box with alphanumeric characters. This box connects to a box containing the text-Pay to Terry Smith $100.00 One hundred and xx/100 dollars- and is joined to a box containing the same alphanumeric characters. Another box with the same transaction details, outside the cloud network, connects to the Hashing algorithm and the box containing the text- Pay to Terry Smith $100.00 One hundred and xx/100 dollars. In the second diagram, a box with alphanumeric characters ia at the top, followed by a box labelled Secret key. This box connects to a box labelledHMAC verified, which further connects to a box labelled Hashing algorithm. A box containing the text-Pay to Terry Smith $100.00 One hundred and xx/100 dollars- connects to the Hashing algorithm box. [Video description ends]
Common hashing functions are MD5, SHA-1, you can see the bit sizes are different. SHA-2 and SHA-3, which start with 256-bit keys and get larger. RIPEMD, and again as I mentioned, hashes are actually only half as strong as the key lengths because of that birthday paradox.
[Video description begins] A graphic of a funnel displays on the left-hand side. A document labelled as Data of arbitrary length displays at the mouth of the funnel. The funnel is labelled as Hash function. A box with alphanumeric characters, labelled as Fixed-length hash, displays at the bottom of the funnel. [Video description ends]
We also have symmetric key cryptosystems, where the same key is used for encryption and decryption. The keys are typically from 40 to 512 bits in length. So they're smaller key spaces but they provide wire-speed encryption. They're based on simpler mathematical functions and they're often used for bulk data encryption and session keys.
[Video description begins] A diagram displays. It shows a box containing a horizontal flowchart. At the left-most side is a box labelled $1000. This points to a key icon labelled as Encrypt. This box points to a box containing some characters, which further points to a key icon labelled as Decrypt. The Decrypt key points to a box labelled as $1000. 4 branches emerge from the flowchart box. Each branch ends in a box containing salient features of symmetric key cryptosystems. [Video description ends]
Common symmetric key cryptosystems are DES, 3DES, or triple-DES, RC4, Blowfish and Twofish, and AES-CBC, Counter Block Chaining, and AES-Galois Counter Mode.
[Video description begins] Galois Counter Mode is abbreviated to: GCM. [Video description ends]
We also have asymmetric key cryptosystems. This is where different keys are used for encryption and decryption. This is called public key cryptography because you have a private key and the mathematically related public key. For example, your system or your software generates an RSA key pair. The key ranges are higher, from 512 to 4,096 bits in length and even higher, these are much less susceptible to brute force attacks.
But they're used to encrypt smaller amounts of information, okay? So they're used to protect the information in a certificate or to protect other session keys or symmetric keys. Common asymmetric key cryptosystems are RSA, DSA and ECDSA, Elliptic-curve DSA, PGP and GPG, Diffie-Hellman, and Elliptic-curve Diffie-Hellman Ephemeral, and El-Gamal.
Common Cryptographic Protocols
Okay, the first technology I want to talk about in this lesson is the prevailing Internet security which is now a part of the IP version 6 stack, and that is IPsec or IP Security. All of the cloud service providers are going to support some type of managed IPsec site-to-site VPN, typically, using what's known as IKE, Internet Key Exchange version 1, which is a two phase process.
In the first phase, the two endpoints in this example here, the customer gateway and the virtual private gateway of the provider are going to create kind of a secure communication channel which they'll negotiate parameters. And then the second phase is the actual protection of the information sent over the VPN tunnel between the gateways. So if you go to Amazon Web Services, for example, this is a very easy thing to set up.
But realize, that if you're going to choose a managed IPsec VPN from the cloud service provider, you're going to be limited as to what protocols and methodologies you can use. If you need to support other types of well-established VPN clouds, then in that case, you're going to be going with a customer managed IPsec VPN.
[Video description begins] A diagram for CSP Managed IPsec Site-to-Site VPN displays. The AWS environment contains the VPC environment. The VPC environment comprises two VPC subnets with availability zones. One of the VPC subnets connects to a router. The router and the VPC environment connect to the Virtual private gateway. A VPN connection connects to the Virtual private gateway in the AWS environment. The VPN connection also connects to the Customer gateway of the Customer network. The host highlights Virtual private gateway and Customer gateway. [Video description ends]
Let's look at Amazon Web Services real quick and look at their site-to-site VPN solution. I'm up at the VPC dashboard, the Virtual Private Cloud dashboard, and if I scroll down, I can find the VPN area.
[Video description begins] The VPC Management Console web page displays. The VPC Dashboard page is open now. In the left navigator pane, different menus such as Virtual Private Cloud and Security display. On the right, are 2 buttons labelled Launch VPC Wizard and Launch EC2 Instances. Below the buttons, the Resources by Region section displays. The host scrolls down in the left pane and points to the Virtual Private Network (VPN) area. [Video description ends]
So basically, when you set up a site-to-site VPN connection, there's going to be two pieces to this. I'll click on Create VPN connection.
[Video description begins] Then, he clicks the Site-to-Site VPN Connections menu. On the right, the Create VPN Connection button appears. He clicks the button. [Video description ends]
You're going to name it, okay, give it some type of name tag, then you want to set up the Virtual Private Gateway with, this is actually the Amazon Web Services side. Or you can select an existing gateway if you have one, then the customer gateway.
And if you have an existing one, you can go ahead and choose that or you can create a new one here, and then you have two options for routing. This is what I said earlier about some of the limitations, okay? You either have dynamic routing, using border gateway protocol, BGP, or static routing, okay?
[Video description begins] The Create VPN Connection page displays. The host points to the Name tag and Virtual Private Gateway field. Then he points to the Customer Gateway option, which has two radio buttons, Existing and New. The Existing radio button is selected. Next, he points to the Customer Gateway ID field. He points to Routing options field. It has 2 radio options- Dynamic which is selected by default, and Static. [Video description ends]
Those are the only two options. Now, if you go down here, you can see what's going to happen is you're going to create two tunnels, so it's going to have high availability built in. Amazon will go ahead, if you want to, and generate an IP CIDR for the inside Tunnel 1 and inside Tunnel 2. They'll also generate a pre-shared key for Tunnel 1 or Tunnel 2, or you can do that on your own, and then just create the VPN.
[Video description begins] Then, he points to the Tunnel Options section, which has fields, such as Inside IP CIDR for Tunnel 1 and Pre-Shared Key for Tunnel 1. Then he points to the Create VPN Connection button at the bottom of the page. [Video description ends]
So if you go back to the diagram I just showed you, this is exactly what we're setting up here, the virtual private gateway and the customer gateway information.
[Video description begins] The diagram for CSP Managed IPsec Site-to-Site VPN displays. The host highlights the Customer gateway, VPN connection, and Virtual private gateway. [Video description ends]
So what you would most likely do is go back to this area here and create your customer gateway first, which is basically, you're going to name it.
[Video description begins] The Create VPN Connections page displays. The host clicks the back arrow. The VPC Management Console page displays. In the navigator, he clicks the Customer Gateways menu in the Virtual Private Network (VPN) group. On the right, the Create Customer Gateway button appears. He clicks the button. [Video description ends]
Are you going to do static routing? Okay, if you are, you know what's the IP address? That would be the publicly routable IP address of that endpoint, that customer services equipment, okay? So it would say, it could be a firewall, maybe an adaptive security appliance from Cisco, but it has a public IP address, so that would be static routing.
With dynamic, it's going to have to be border gateway protocol, and so you would choose an autonomous system number. Maybe you've already got one, okay, that you've been assigned from your service provider. Or you could just go ahead and use a ASN that will be given to you from Amazon, okay? And it says, if you don't have one, you could use a private ASN in the range of 64,512 to 65,534 and then you set up the virtual private gateway, the VPG.
[Video description begins] The Create Customer Gateway page displays. He hovers over all the fields. Next, he points to the IP Address field. He clicks the Dynamic radio button. A new field, BGP ASN, appears with a value 65000. He points to the information icon next to the BGP ASN field, and a tooltip appears. The IP Address field shows a warning message that redas as: Must be a valid public IP address. Next, he goes back to the VPC Management Console web page. [Video description ends]
This is the side of the provider. So basically, you're going to name it. And you're going to go with the, you know, default ASN from Amazon or you could have a custom ASN if you already have one, and that's all there is to it.
[Video description begins] The VPC Management Console page displays. In the navigator, he clicks the Virtual Private Gateways menu. On the right, the Create Virtual Private Gateway button appears. He clicks the button. The Create Virtual Private Gateway page displays. The host points to the Name field. Then, he points to the ASN option, which has two radio buttons, Amazon default ASN and Custom ASN. The Custom ASN radio button is selected, and a value 64512 displays in the field below. Then, he points to the Create Virtual Private Gateway button and clicks the back arrow to go back to the VPC Management Console web page. [Video description ends]
You just create the VPG and the customer gateway, and then you go back to the site-to-site VPN connections. And you just come in and you just choose them from the drop-down list.
[Video description begins] The host clicks the Site-to-Site VPN Connection menu in the navigator and clicks the Create VPN Connection button on the right-hand side. The Create VPN Connection page displays and he points to the options on the page. [Video description ends]
Now, this is a customer managed VPN and there are other solutions too, okay? So for larger organizations, in the past, they would actually spin up a special type of virtual private cloud, a VPC, which was a transit VPC that all of their branch offices could connect to.
And they would go through that VPC to actually connect to their resources, their own public and private subnets, their own resources. But nowadays, AWS has a new feature called a transit gateway. Okay, this is for larger enterprise organizations, people with lots of branch offices, people with lots of locations. Lots of choices here from a managed service provider standpoint.
[Video description begins] The host clicks the back arrow and the VPC Management Console web page displays. The Virtual Private Gateways menu is active in the navigator. He points to the Transit Gateways menu in the navigator. [Video description ends]
Now, a lot of organizations will still use a customer managed IP site VPN, where they're going to have some type of virtual router, maybe it's a Cisco CSR router. Then they'll have their own zones, an active zone and a standby zone, and they'll actually have their VPN instances in those zones. It could also be from the marketplace.
Both Google Cloud, both Amazon, Microsoft, they all have partners in their marketplaces that can provide these VPN solutions. Then you would have your own custom VPN connection. So if you didn't want to use BGP or static routing, but you wanted to use your existing OSPF VPN cloud, or your EIGRP, or RIP version two, or maybe you're doing dynamic multipoint VPN, IPsec over GRE.
Maybe you've got a GET, Group Encrypted Transport VPN. If you want to keep your own existing VPN cloud, then this would be the approach that you would take.
[Video description begins] A diagram for Customer-Managed IPsec VPN displays. The AWS environment contains the VPC environment. The VPC environment comprises two VPC subnets, Zone A - Active and Zone B - Standby. Both VPC subnets and the VPC environment connect to a Virtual router. A Custom VPN connection connects to the Virtual router in the AWS environment. The Custom VPN connection also connects to the Customer gateway of the Customer network. [Video description ends]
Another very important technology is TLS, Transport Layer Security. Now, what I would recommend to you is to go get the book, Bulletproof SSL and TLS by Ivan Ristic. That's a fantastic book and TLS is so important. Now I don't say SSL, TLS, here, because we're really using transport layer security 1.1, 1.2, or 1.3, and the handshake protocol of TLS is extremely important.
But as you can see here, what we're using is we're using a combination of symmetric session keys and asymmetric key cryptography. And TLS is very important because basically whether it's Google or Amazon Web Services, all that really is is a bunch of API calls. And those API calls are going to be protected by TLS. Any type of end point that you connect to to get to services of the cloud provider, you're going to be using TLS.
Your own web services, or managed web services, those are going to be using HTTPS. So your elastic load balancer, your application elastic load balancer may be a SSL/TLS listener where it's the single point of contact that everybody who goes through a URL to go to your website, they're going to the load balancer. And that's running the SSL listener on it. So it decrypts the TLS and then possibly re-encrypts or sends it in the clear back to your own virtual private cloud or other resources. So TLS is also an important protocol when you're using a cloud service provider.
[Video description begins] Two examples of Transport Layer Security (TLS) display. In the first diagram, sample interaction between a client and a server displays. On one side, four client instances display and on the other side, three server instances display. In the second diagram, a sample interaction between three client instances and two server instances displays. [Video description ends]
Because whenever you're using a browser and you're going up to have a management session, whether it's in the Google Console or whether you're using the AWS Management Console, it's going to be using SSL/TLS. When you manage your Linux instances, you're going to be using Secure Shell.
[Video description begins] Screen title: Secure Shell abbreviated to SSH. A diagram displays. A laptop labelled as SSH Client sends out a message- Hello- through an Encrypt key, which sends out an encrypted message to the Decrypt key. The Decrypt key sends out the original message to the SSH server. [Video description ends]
And we talked about this previously, when you have a programmatic account, or programmatic access either through a SDK or a CLI, you're going to get a key ID and then you're going to get a Public Key Exchange. You're going to have a secret key that you're going to use, which is part of a key pair.
And you'll use that to access your Linux instances or maybe you'll use that to connect to your bastion host or your jump host. And in a Windows environment, you'll use it to get the initiative password for RDP, or the remote desktop protocol. And finally, digital signatures are very important because any programmatic user who's sending API calls are going to be digitally signed.
And so a digital signature, remember, is basically taking the original information, which could be code, it could be an API call, it could be a message. And it runs that through a hash algorithm, let's say SHA-1 or SHA-2. And then that particular hash result is encrypted with a private key and that's attached to the original message, and that's sent over the untrusted network.
So remember, the private key is actually encrypting the hashed result, not the original information, but the hashed result. And that's attached to the original message, the API call, for example, and that provides our integrity non-repudiation origin authentication. It doesn't provide confidentiality, okay? We are not encrypting the original message. If we want to get confidentiality, we'll include SSL/TLS.
Client-side vs. Server-side Encryption
Also, as your data travels over the Internet during read and write operations, you'll be using TLS, or Transport Layer Security. Or as it appears in your browser, HTTPS. But cloud storage and Amazon S3, which we're talking about right now as far as object storage goes, always encrypts your data on the server side before it gets written to disk, and they don't charge you extra for it, okay?
Now, cloud storage and AWS both encrypt data at rest using AES 256. So there's no setup, there's no configuration, you don't have to change the way you access the service, and there should be no visible performance impact. So data's automatically and transparently decrypted when read by an authorized user. However, beyond this standard operation, there's other ways to encrypt your data when you use, let's say, S3 and cloud storage.
Now, other managed services like Amazon Glacier, they'll also by default encrypt your data. Then of course, those data keys can further be server-side encrypted with customer managed keys. But if you do client-side encryption, which is what we're looking at here, the encryption occurs before the data gets sent up to the cloud service. So basically, it arrives, let's say in S3 or cloud storage, already encrypted. But it also undergoes server-side encryption.
Now here, you're going to encrypt it with some type of software package, either in your own data center, you're own server farm. Or you could actually have your applications running in an EC2 instance or Google Cloud virtual machine instance. And you could go and use a tool to encrypt it there and then send it up to a service or to some type of storage. Server-side encryption basically gives you two options.
[Video description begins] Screen title: Server-side Encryption. A diagram displays. It is almost similar to the first one, except for the following changes: Instead of cloud label above the arrow, HTTPS icon is present. Two of the boxes below have different labels: RDS for MS-SQL and RDS for Oracle in place of Amazon Dynamo DB and Amazon RDS. [Video description ends]
This happens after the service receives your data, but before it's written to disk and stored. So you can give them customer-supplied encryption keys. Where you would go into an interface, you could use the CLI, to create and manage your own encryption keys to be used by the server-side encryption, okay? So that's an additional layer on top of the default storage encryption.
Or you could do customer-managed encryption keys. Where you'd generate and manage encryption keys using a key management service. Both Amazon Web Services and Google will allow you to use server-side encryption, and you could also use their key management service. We'll talk more about how this key management service in S3 works a little bit later.
File and Database Security
Let's talk about file and database security in an IaaS scenario. So let's say, for example, you go to Amazon, you go to Google, and you spin up some instance of Linux or Windows in an Infrastructure as a Service environment. And maybe that block storage that you choose will be ephemeral or local, where it lives and dies with the instance.
Or maybe it's going to be a persistent storage, where you can detach it and attach it, or re-attach it to some other instance. Either way, it's important to realize that you're responsible for encrypting your files and your own databases when using Infrastructure as a Service. So basically, if I just have a VPC, I decide to spin up my own SQL servers, I'm responsible for encrypting those files and those databases.
[Video description begins] Infrastructure as a Service is abbreviated to: IaaS. [Video description ends]
Managed services like, for example, Relational Database Service from Amazon Web Services, will automatically encrypt block storage and databases using AES-256. But the key thing to remember here is it's up to you. It's your responsibility, based on that shared-responsibility model and your risk handling and your risk treatment, to know exactly when and where data is being encrypted by the provider and when it's not being encrypted. Some services will have multiple layers of key encryption.
So for example, if you're using data warehousing at Amazon Web Services and you spin up some Redshift clusters, you're going to have several keys there. You'll have data keys, you'll have cluster keys, you'll have master keys. And if you're using key-management services, you'll have a customer-managed key that is tied to some particular IAM user.
In addition, for compliance and added security, many organizations will use a Hardware Security Module, an HSM, either a physical or virtual HSM. We'll talk about that a little bit more towards the end of this course. And with file and database security, access controls are to be performed using Identity and Access Management and/or Single-sign-on federated services. So for example, your access to files and databases could be based on your users in global groups in Active Directory.
[Video description begins] Identity and Access Management is abbreviated to: IAM. [Video description ends]
Let me give you an example scenario of Amazon Web Services Relational Database Service.
[Video description begins] Relational Database Service is abbreviated to: RDS. [Video description ends]
So basically, you run the RDS in a VPC with firewalls configured for least privilege. You're going to use IAM policies to assign permission policies. You want to determine who's allowed to manage the RDS resources. You could use IAM to determine who can create, describe, modify, and delete DB instances, or tag resources, or even modify the security groups, which again is the AWS whitelisting firewall.
You'll use Transport Layer Security connections or HTTPS to database instances running DB engines. So connections to instances running MySQL, or MariaDB, or PostgreSQL, Oracle, or Microsoft SQL Server database engines.
[Video description begins] Transport Layer Security is abbreviated to: TLS. [Video description ends]
You can leverage server-side AES encryption for instances and snapshots of the database that are stored in object storage, like S3 or Google Cloud Storage. AWS uses industry standard AES-256 encryption algorithms to encrypt data on servers that host the RDS instance. And you can use network encryption as well, and TDE, Transparent Data Encryption, for your Oracle database instances.
Object Storage Security
Okay, in this lesson, let's talk about object storage security. And a couple of examples of object storage would be Google Cloud Storage and Amazon's S3. We'll also go up to AWS and look at AWS bucket security. A bucket is what stores the objects in object storage. So obviously, remember that all storage buckets are private by default.
So you have to go through the process of making a bucket and the objects in that bucket public. Identity and Access, IAM, user policies should be used to specify users that can access specific buckets and objects. IAM also provides a programmatic way to manage S3 permissions for multiple users. You can also use bucket or object-level Access Control Lists.
These are separate ways to create deny statements, for example, to restrict access to specific IAM users, even if the users are granted access via an IAM policy. So remember, any setting in the Access Control List will override the permissions in the IAM policies.
[Video description begins] Access Control Lists is abbreviated to: ACLs. [Video description ends]
You can also use an MFA delete. Basically, multi-factor authentication delete requires a user to authenticate using a multi-factor authentication device, like a Gemalto fob or a Gemalto card, or a software based TOTP-compliant, let's say Google Authenticator, before deleting an object or before disabling the bucket versioning feature.
You can also set up MFA protected API access, which requires the programmatic user to authenticate with an MFA device before they call certain Amazon S3 API operations. And it's very important to stringently monitor and report your buckets and objects. For example, in AWS, you could use CloudTrail logs. And the other providers offer services as well. Let's go up to AWS. So I'm at Amazon S3, I've got a bucket called shanpics, okay?
[Video description begins] The S3 Management Console web page displays. Just below the toolbar are 2 hyperlinks: Amazon S3 and shanpics2019. The host points to the bucket name - shanpics2019. The web page has four tabs: Overview, Properties, Permissions, and Management. The Overview tab is open. The following 4 buttons are present: Upload, Create folder, Download, and Actions. Download button is disabled now. He clicks the Upload button. [Video description ends]
Let's go ahead, and it's empty, so let's go ahead and upload a picture. So here's a picture of me from the early 90s when I was in my band, my alternative rock band. Click on Upload.
[Video description begins] The Upload dialog box opens. An image thumbnail displays there. He selects it and clicks Open. The Upload dialog box displays and he clicks the Upload button. The file appears in the shanpics2019 bucket. He clicks the file. [Video description ends]
Okay, so now I have in my shanpics2019 folder, or bucket, I have an object called bandpic.JPG. Now I can come in and I can go and set properties on this.
[Video description begins] The Properties tab displays. He points to different sections, such as Storage class, Encryption, and Metadata. Then, he clicks the Permissions tab and then the Overview tab. [Video description ends]
I can set up Encryption on an object-by-object basis. I can also add Tags, Metadata. I can change the Storage class for my server storage management. I can set up Permissions, okay? But I'm not gonna do that on the actual object itself, I'm gonna to go to the bucket layer and do that. If I go up to Properties, I can have Versioning, okay, multiple versions of an object in the same bucket, Server access logging on the bucket, Static website hosting, Object-level logging. And here's Default encryption.
[Video description begins] He clicks the shanpics2019 bucket and then clicks the Properties tab. He points to different sections, such as Versioning, Server access logging, and Static website hosting. He clicks the Default encryption area. [Video description ends]
If I click on that, it's gonna give me three options. Right now, I do not have default encryption turned on, on this bucket.
[Video description begins] The Default encryption dialog box displays. It has three radio buttons: None, AES-256, and AWS-KMS. The None radio button is selected. The host selects AES-256. [Video description ends]
There's really two options with AWS to do this on the server side. Now remember, I could have encrypted that picture first and then uploaded it, right? That would be client-side encryption. Notice I have AES-256. This is server-side encryption with Amazon S3 managed keys, okay?
So S3 evaluates and applies bucket policies before applying encryption settings. Even if you enable bucket encryption settings, your PUT requests, without encryption information, will be rejected if you have bucket policies that reject such PUT requests. So make sure that your Access Control Lists and your permissions are in concert with the encryption. So I can do the SSE S3. These are S3 managed keys.
So this is based on the S3 service doing AES-256 encryption. Or, I could use key management system. Where basically my user account, which is right now the root account of this AWS account, would have a customer master key assigned to it. And I could use that CMK, that customer master key. And notice that it allows me to go and select a customer master key, if I had one, from the drop down.
Now I'm going to explain how KMS works here in a second. Remember, this option is encryption by the service of S3. And this is a global key management service which applies to many Amazon services and products. And by the way, you have similar options in Google Cloud Platform as well. You can do client-side encryption. You've also got a key management service as well. Or you can also have a service-by-service based encryption applied with various Google services.
Key Management Services
Now so far, we've established the fact that you can go ahead and encrypt the information, the file, encrypt the object before you upload it to a service or before you copy it to a file server or a database. We also established the fact that different services will encrypt, for example, with AES256. But we can also use a key management service from the cloud service provider.
[Video description begins] Screen title: Key Management Services [Video description ends]
So this is a cloud-hosted key management system where you can manage cryptographic keys, just like you were doing it on-premise. But you're gonna do it through either a SDK, a CLI, or a graphical interface on the cloud provider. It allows you to generate, use, rotate and destroy keys according to your own particular policy.
Now, let's say you were to add Google Cloud Platform and you're using Cloud KMS. At Cloud KMS, you can generate and use and rotate AES256, RSA 2048, RSA 3072, RSA 4096, as well as newer elliptic curve P256 and elliptic curve P384 cryptographic keys.
[Video description begins] Elliptic Curve is abbreviated to: EC. [Video description ends]
Google Cloud KMS is also integrated with Cloud Identity and Access Management, as well as Cloud Audit Logging. So you can manage permissions on individual keys, as well as monitor how they're being used. So you're gonna use the Cloud KMS at Google Cloud Platform to protect your secret keys and other sensitive data that you have to store at GCP. This is information based on Google Cloud Platform KMS.
Let me give you an example now of using the SSE KMS encryption on an S3 bucket. Now remember earlier, when I showed you the screenshot, we could have gone with the S3 service-based AES256. But in this situation, we're gonna select that third radio button to use KMS. So here's what's going to happen. Let's say we have Bob, over on the left-hand side.
And Bob wants to upload some video file. So he determines to apply default encryption either on the object or on the bucket, okay? So let's say he decides to do this on the bucket, as I showed you earlier, right? So he chooses the AWS KMS option. S3 will make an app e-call request to the KMS service to generate keys specifically for Bob.
[Video description begins] A diagram displays. A user with a file points to a bucket containing the text-S3, which further points to AWS KMS and CMK. A screenshot of Default encryption also displays. It has three radio buttons: None, AES-256, and AWS-KMS. The AWS-KMS radio button is highlighted. [Video description ends]
The first key, the gray key, is the plaintext key, the plaintext data key. The second one, the yellow one, is an encrypted version of that plaintext data key. Both of these keys get sent back to S3 from the KMS service. Now that S3 has all the keys necessary to perform the encryption of the video file, it will combine the file with the plaintext key and then perform AES256 encryption on both.
By the way, this is gonna be AES256 GCM, Galois/Counter Mode. So it's gonna have integrity and origin authentication built in. Because AES GCM, that's what we call an AEAD. It has the integrity and origin authentication built in. As opposed to AES256, which you have to have a separate HMAC, like SHA-256. So now that S3 has combined that file with the plaintext key, and encrypted them with AES256, it stores the encrypted data key along with the encrypted file. The plaintext key is now deleted from memory.
[Video description begins] The same diagram displays with the following modifications: The screenshot disappears. CMK points to two keys, grey and yellow, which point to the S3 bucket. The S3 bucket points to the user file with the yellow key, which, in turn, points to the user file with the grey key. A delete symbol appears on the yellow key. [Video description ends]
So let's say Bob now requests the encrypted video file from S3. S3 sends the associated encrypted data key over to the KMS service, and asks KMS to generate a plaintext data key. So KMS will use the same customer master key, which is basically tied to Bob's IM account. Combine that CMK with the encrypted data key, and then generate a plaintext version of that data key.
So S3 can now use this plaintext data key to perform a decryption operation and generate an unencrypted video file, which is then sent back to Bob. And that's how Amazon S3 SSE KMS encryption and decryption works.
Public Key Infrastructure
I want to talk briefly about PKI, public key infrastructure, which is based on asymmetric key cryptosystems. For example, a public and private key pair that are mathematically related, kind of like fraternal twins. If you encrypt with the private key, you decrypt with the public key, and vice versa. Now, PKI is really based on this web of trust concept that Zimmermann came up with, back with Pretty Good Privacy. Where, for example, let's say you and I both trust Bob.
Well, if you trust Bob, and I trust Bob, well, then you and I can then trust each other in that web of trust. So PKI builds upon that, where Bob, who's the trusted third party, now becomes a certificate authority, like GoDaddy, or Entrust, or Verisign, or Thawte, or Microsoft, or the list goes on and on. And all of those particular service providers and CAs have kind of a web of trust between themselves.
And it's very, very difficult to become a certificate authority. So this whole concept, really, is to create a globally scalable and secure way to distribute public keys so that we can conduct secure transactions over the Internet. Secure communication transactions, buying, and selling, and signing contracts, and we can all rely on a trusted third party. So if you notice that User A, on the left-hand side, they have a private key, okay, and they have a public key.
So they generate a key pair, let's say RSA, or DSA, or Elliptic Curve DSA. Well, they are also are going to get the public key of a trusted third party, a certificate authority. The public key of User A gets digitally signed by the certificate authority, okay? And that identity certificate is kind of what is sent between the participants, right? And so User A, and User C can both rely upon the trustworthiness, because they're both relying upon a trusted third party, or a certificate authority.
Now, the other component here is making sure that if User A or User C's certificate is compromised or revoked. Or it's no longer valid, based on the date and time stamp. Or they leave the company. Or their device is stolen, whatever, there's some way to let the parties know. There's really two main ways to do that. A certificate revocation list, which takes the serial number of the certificate and revokes it, or a database protocol based on the CRL, called OCSP. OCSP is what's most commonly used now on the Internet, with your browsers that are using SSL, TLS Now, you can leverage this PKI.
[Video description begins] An example of PKI displays. Two users, User A and User C, display each having one private key, denoted by a pink certificate, and one public key, denoted by a blue certificate. In addition, they both have one public key of a certificate authority abbreviated as CA. Below these 3 keys is one public key certificate, signed by CA, for each user. This key points to each other by means of a pair of right-left arrows. [Video description ends]
For example, if you go up to Google or Amazon Web Services, you can register your domain. And if you do this with AWS, it'll be at Register.com. So you can notice, I went up here, and I registered my domain names. I registered www.trainologie.com, and then the root, trainologie.com, and then I've used a wildcard, *.trainologie.com.
And I recommend, if you're going to do that, and you're going to create a certificate through their certificate manager, which makes this very, very easy, okay? They're going to generate a X.509 v3, version 3, identity certificate for you. Make sure that the domain name that you register has the www, then just the root, and then *.trainologie. So that will be everything that's down-level, and make sure you do that.
And it's very easy, it's very inexpensive to do that, up at your cloud service provider, they'll validate that, by the way. They're going to use a more simpler validation, either DNS or email.
[Video description begins] Screen title: Public Key Infrastructure. The AWS Certificate Manager web page displays. The Request a certificate page appears with the steps listed in the left pane. The first step - Add domain names- is selected. On the right, the Add domain names section displays. It has Domain name fields, which display the domain name, for example, www.trainologie.com. [Video description ends]
If you want to get Extended Validation, or EV, so notice that up on the address bar for Amazon, there's a green padlock. Amazon, aws.amazon.com, obviously went through extensive Extended Validation. Well, realize that this DNS email validation is not extended, so it's not going to get my trainologie.com that green padlock. I'll have to go through some extra validation to get that.
But the public key services that are available to you through your cloud service provider is a managed service. And it's very easy to do with a graphical interface.
Hardware Security Modules
I want to define a hardware security module, or an HSM. A module is a device or a modular component or a piece of hardware that protects and manages digital keys. And these can be session keys, they can be private keys, part of a PKI. They could be cryptographic hashes. They could be access keys. Basically, for strong authentication mechanisms and cryptoprocessing.
So they could also generate pseudorandom keys for different types of architectures. They can be a plugin card, but typically it's an external device that is hardware protected, tamper proof. So, for example, if you were to open up the chassis, it would zeroize all the information on the inside. It has very strict access to it, maybe only through multi-factor authentication. It's often air gapped from the network.
And it can be a hardware security module, a physical device, or a cloud service provider can create what's called an HSA. In other words, it's an abstracted virtual HSM. At Amazon Web Services, part of their key management service, they'll use the HSM to store customer-managed keys, or CMKs. These are used to encrypt data keys and cluster keys, and other types of keys. Highly-secure HSMs can generate and implement encryption keys.
They can allow you to be FIPS 140-2 Level 3 compliant. You can offload the SSL/TLS processing for your web servers or your elastic load balancers. You can protect the private keys for a certificate authority. They're also used by cyber currency exchanges. And they can enable TDE, Transparent Data Encryption, for Oracle databases. Some of the top manufacturers would be Futurex, Gemalto NV, and Hewlett-Packard, as well as IBM, SWIFT, and Thales eSecurity.