CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
KMS at Okta - Intermediate Level
1. Jon Todd - @JonToddDotCom
Encryption Key Storage
with AWS KMS at Okta
December 2015
2. 1 Background
• Okta
• Encryption
• Why use a key server?
2 KMS Evaluation 3 Implementation
3. What is Okta?
Okta is the foundation for secure connections
between people and technology.
4. One platform, many use cases
Centralized management of every
user, app, device
www.okta.com
IT
Enterprise-grade security built directly
into your cloud apps
developer.okta.com
Developers
5. More than 3000 customers
Education,
Non-ProfitFinanceTechnologyCloudHealth Services
Manufacturing
, Energy Media Consumer
11. Alternative approaches to confidentiality
• Use cases for hashing instead of encryption
• Authentication
• Correlation
• Use cases without needing keys
• Homomorphic applications
• Ordering, range query (for example, CryptDB)
• Only require encrypt
• Use asymmetric crypto
• Trust No One (client encryption scenarios)
• File storage or password vault
13. Example application
Requirements:
1. Data in database is encrypted
at rest and in memory
2. Encryption keys reside only in
memory
3. Service has access to the
plaintext data
Client Service
+
14. Where do we get the keys from?
• At server startup
• Environment variable
• File
• At run time
• Over JMX + TLS
• Over SSH
• Key service
15. Key service
• Separation of duties
• Auditable
• Easy rotation of master key
• Data key in memory for very short period
• Centralized master key never leaves key service
+
Client Service
Master key
Encrypt
Key Service
DB
23. Getting IAM credentials for KMS
• Credentials granted via IAM Role
• Hypervisor provides a per-instance metadata service
• Security considerations
• Metadata service is accessible by all users
• Credentials aren’t channel bound
• Credentials are short lived
25. IAM credential rotation
• Credentials expire in ~ 6 hours
• Credentials are rotated every ~ 1 hour
Current Time: 2015-08-20T22:14:52Z
LastUpdated: 2015-08-20T21:17:41Z
Expiration: 2015-08-21T03:22:28Z
Current Time: 2015-08-20T22:29:39Z
LastUpdated: 2015-08-20T22:18:48Z
Expiration: 2015-08-21T04:47:30Z
26. Threat model: KMS transport
+
Client EC2 instance
Master key
Encrypt
KMS
DB
Data key
27. Transport Security
• TLS for confidentiality and authentication of server
• “A” rating on Qualys SSL Labs
• Disallowed protocols SSL2 & SSL3
• Supported protocols TLS 1.0, 1.1, 1.2
• Forward secrecy required
• Verisign root CA
• IAM Signature V4 for authN and authZ of client
30. Threat model – final comparison
• AWS CloudHSM
• HSM at cost of managing
High Availability (HA)
• Low performance
• DIY
• Roll your own credential
management and rotation
• Separate operational team
• No access to hardware/TPM
Low Risk
Low Cost
High Cost
High Risk
DIY
KMS
Cloud HSM
34. Multiregion encryption and decryption
• Encrypt & store tenant key
encrypted by each region key
• Decrypt talks to closest KMS region
• RSA public key used for encrypt only
• Private key provided to service only
in event of KMS outage
Service
KMS East KMS West
Region master keyRegion master key
Tenant master key
RSA Key
Region master key
DB
38. Encryption context
• Features:
• Additional authenticated data (AAD) via AES GCM
• Logging – Understand why the key was accessed
• Authorization – Fine-grained access control to data
keys
• Okta’s implementation
• Type: <ServiceName>.<EntityName>
• Id: <EntityId>
• A good encryption context identifies or classifies
• Think carefully about mutability and storage of context
• Encryption context shouldn’t contain sensitive data
47. Implementation recommendations
• You may not need encryption or keys for
confidentiality
• Put thought into encryption context
• Reconcile CloudTrail logs with application
logs
• Tune the SDK for timeout and retries
• Consider an extended key hierarchy
49. Okta for developers
Universal Directory
Single Sign-On
Provisioning
Adaptive Multi-factor Authentication
Social Authentication
Inbound Federation
AD and LDAP Integration
50. Thank You.
Find me on twitter
www.okta.com@JonToddDotCom
Learn more about Okta
Notes de l'éditeur
Here you can see the end user SSO experience of Okta works both in a browser and natively on your mobile devices
Okta enables a whole host of identity functionality.
At it’s most basic we have two target audiences…
Since our product launch 5 years ago we’ve gained a lot of momentum
Customers across all major verticals
Including Eventbrite!
Scale
Manage 10’s of millions of identities on a multi-tenant architecture built entirely in AWS
Team of about 600 people and about 130 people in engineering
Java backend
JS Front end
Entirely hosted in the cloud in AWS
In general we like using and giving back to open source
LPP is defense in depth.
Encryption makes your data confidential but then you’re left with a problem. What do you do with the keys?
Encryption merely pushes the problem down to a smaller surface to protect
So before dealing with keys and key management. Consider alternate means of confidentiality
…
Now if none of these apply to your application and you actually do need access to the plaintext data then we need a good solution to manage keys
Describe the model
At rest – Compliance
In memory on the DB – Least privilege principle. DBAs don’t need access to secrets
Bootstrapping credentials for KMS
Closing:
There could be improvements
Bootstrapping and rotating credentials is hard if you were to do it yourself
More importantly AWS has the advantage with access to hardware leveraging what might be available like a TPM
Customer Master Key is a logical concept
Over the life of that MK there will be rotations, each with a new HBK
Operation is similar to an HSM
The actual keys performing encryption live in the HSA
Nothing leaves the HSA in plaintext
More details in the Cryptographic White Paper
Pricing:
KMS < $1000 per month
CouldHSM > $20k per month not factoring management and HA design time
DIY - > $200k up front plus $10k on going
Each tenant master key is rooted in 3 encryption providers
N. Virginia was the only affected region
How did Okta do?
Okta failed over automatically
Where the yellow meets the blue
Hammer home why this helps you. – YOU NEED TO KNOW WHY YOUR KEYS WERE USED
Note that the ID is internal so it would be meaningless if someone owned the AWS side
We use policy because our key management model is static
For a dynamic access control model they also offer Grants
Consider hashing, asymetric, homomorphic & trust no one models instead
Ask: Does my app actually need to operate on the plaintext?
Encryption Context
Hard to change later
Think identification and classification
Immutable, stored with encrypted data is easiest
Hierarchy:
Removes vendor lock-in
enables multiple trust roots and failover
comes at cost of complexity
IAM Config
Security details
Developer guide for writing code
Okta helps developers
Connect with customers – AD, LDAP, Federation
Secure your product (auth & mfa)