7. SOC 1/2 – Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling
Monday, April 29, 13
24. Customer Challenge: Encryption (part 1)
• Customers have contractual or regulatory requirements to use specific
encryption key management procedures that were not previously possible
on AWS
– Requirements are based on contractual or regulatory mandates for
keeping encryption keys stored in a specific manner or with specific
access controls
– Good key management is critical
25. Customer Challenge: Encryption (part 2)
• Customers want to run applications and store data in AWS but
previously had to retain keys in HSMs in on-premises data centers
– Applications may slow down due to network latency
– Requires several DCs to provide high availability, disaster recovery and
durability of keys
26. AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control,
encryption, etc.
• AWS data encryption solutions allow customers to:
– Encrypt and decrypt sensitive data inside or outside AWS
– Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption
solutions
• With AWS CloudHSM customers can:
– Encrypt data inside AWS
– Store keys in AWS within a Hardware Security Module
– Decide how to encrypt data – the AWS CloudHSM implements cryptographic
functions and key storage for customer applications
– Use third party validated hardware for key storage
27. HSM – Hardware Security Module
• A hardware device that performs cryptographic operations and key storage
• Used for strong protection of private keys
• Tamper resistant – keys are protected physically and logically
– If a tampering attempt is detected, the appliance destroys the keys
• Device administration and security administration are logically separate
– Physical control of the appliance does not grant access to the keys
• Certified by third parties to comply with government standards for physical and
logical security:
– FIPS 140-2
– Common Criteria EAL4+
• Example vendors include: SafeNet, Thales
• Historically located in on-premises datacenters
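To make the properties listed on this slide concrete, here is an added toy model of one HSM partition (constructed for this page; not AWS or SafeNet code, and not a real PKCS#11 interface): keys are generated inside the device and referenced only by an opaque handle, export is refused, the device-administration calls see status but never key bytes, and a tamper event zeroizes everything. The partition password, the use of HMAC-SHA256 as a stand-in for signing, and all class and method names are assumptions.

```python
import hashlib
import hmac
import secrets

class HsmError(Exception):
    pass

class ToyHsm:
    """Constructed stand-in for one HSM partition; not AWS or SafeNet code."""

    def __init__(self, partition_password: str):
        self._keys = {}            # handle -> key bytes; never returned to callers
        self._partition_pw = partition_password.encode()
        self._logged_in = False
        self.zeroized = False

    # Device administration (the appliance operator's role): no key access.
    def device_status(self) -> dict:
        return {"keys_stored": len(self._keys), "zeroized": self.zeroized}

    def tamper_detected(self) -> None:
        self._keys.clear()          # tamper response: destroy every key
        self.zeroized = True
        self._logged_in = False

    # Security administration (the customer's role): needs the partition password.
    def login(self, password: str) -> None:
        if self.zeroized:
            raise HsmError("partition zeroized after tamper event")
        if not hmac.compare_digest(password.encode(), self._partition_pw):
            raise HsmError("authentication failed")
        self._logged_in = True

    def generate_key(self) -> int:
        """Create a key inside the device; the caller gets only an opaque handle."""
        if not self._logged_in:
            raise HsmError("session not authenticated")
        handle = secrets.randbelow(1 << 31)
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def export_key(self, handle: int) -> bytes:
        raise HsmError("keys are non-extractable")   # holds for every handle

    def sign(self, handle: int, data: bytes) -> bytes:
        if not self._logged_in:
            raise HsmError("session not authenticated")
        if handle not in self._keys:
            raise HsmError("unknown key handle")
        return hmac.new(self._keys[handle], data, hashlib.sha256).digest()  # HMAC stands in for RSA/ECDSA
```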
28. What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network
proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their
own keys
• HSMs are inside customer’s VPC – dedicated to the customer and
isolated from the rest of the network
29. AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and
cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with
the most stringent regulatory and contractual requirements for key
protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in
multiple Availability Zones and Regions to help customers build highly
available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the
customer’s VPC
• Better Application Performance – reduce network latency and increase
the performance of AWS applications that use HSMs
30. How Customers Use AWS CloudHSM
• Customers use AWS CloudHSM as an architectural building block
in securing applications
– Object encryption
– Digital Rights Management (DRM)
– Document signing
– Secure document repository
– Database encryption
– Transaction processing
31. Customer use cases
• Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document
protection
• Very large tech company: Root of trust for Public Key Infrastructure (PKI)
authentication system
• Very large financial services organization: Root of trust for key
management system for virtual machine authentication & encryption
32. On-Premises Integration with AWS CloudHSM
Diagram: Application and HSM Client on an Amazon VPC Instance in the Amazon Virtual Private Cloud (AWS), AWS CloudHSM, and an HSM in the Corporate Datacenter; links are labelled SSL, VPN / INTERNET, and AWS Direct Connect. Callouts:
• Customers’ applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.).
• SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
• SafeNet HSM Client can share load and store keys redundantly across multiple HSMs
• Key material is securely replicated to HSM(s) in the customer’s datacenter
33. Key Storage & Secure Operations for AWS Workloads
Diagram: Application and HSM Client on an Amazon VPC Instance in the Amazon Virtual Private Cloud (AWS), with an SSL link to AWS CloudHSM. Callouts A–E:
– A: AWS manages the HSM appliance but does not have access to customers’ keys
– B: Customers control and manage their own keys
– C: Application performance improves (due to close network proximity with AWS workloads)
– D: Secure key storage in tamper-resistant / tamper-evident hardware available in multiple regions and AZs
– E: CloudHSMs are in the customer’s VPC and isolated from other AWS networks