AWS CloudHSM
Mmik Huang
All about NIST FIPS 140-2
http://en.wikipedia.org/wiki/FIPS_140-2
FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4".
FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.
FIPS 140-2 was issued on 25 May 2001; its Security Requirements for Cryptographic Modules were issued on 1 March 2006.
FIPS 140-3 is a new version of the standard which is currently under development. In the first draft version[2] of the FIPS 140-3 standard, NIST introduced a new software security section, one additional level of assurance (Level 5) and new Simple Power Analysis (SPA) and Differential Power Analysis (DPA) requirements. The draft issued on 11 Sep 2009, however, reverted to four security levels and limits the security levels of software to levels 1 and 2.
Hardware HSM
http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/luna-sa-network-hsm/
Key Management with Luna Hardware Security Modules
http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/luna-hsms-key-management/
SafeNet Luna SA, a network-attached hardware security module, provides high assurance protection for encryption keys used by applications in on-premise, virtual, and cloud environments.
SafeNet ProtectV with virtual Key Secure for EBS volume encryption
Data at Rest Encryption Whitepaper: AWS has released a new whitepaper, Securing Data at Rest with Encryption, which outlines the wide range of options available for encrypting data at rest in the cloud based on where encryption keys are stored and how they are accessed. The whitepaper highlights a number of SafeNet solutions to deliver data at rest protection in AWS:
Client side object encryption for AWS S3 with SafeNet ProtectApp and the AWS SDKs
Storage encryption for the AWS Storage Gateway with SafeNet StorageSecure
Encryption and pre-boot authentication for EC2 instances and EBS volumes with SafeNet ProtectV
Hardware root of trust for AWS RDS TDE and Redshift with SafeNet Luna SA HSMs
Enterprise key management for the above solutions, as well as any Key Management Interoperability Protocol (KMIP) based key management partners.
Amazon Redshift HSM Support: Thanks to an update to Amazon Redshift, users can now protect their Redshift encryption keys at the highest level possible with a hardware security module (HSM) – in the cloud with AWS CloudHSM and on-premises with SafeNet’s Luna SA. Read Amazon’s HSM management documentation to learn more about how to leverage an HSM to encrypt your Redshift cluster.
http://data-protection.safenet-inc.com/2013/11/enhancing-encryption-and-key-management-in-aws/
Cost
SafeNet Virtual KeySecure (Hourly)
$0.75/hr for software + AWS usage fees
Requires ProtectV encryption solution
SafeNet ProtectV, 100 Nodes (Hourly)
$3.62/hr for software + AWS usage fees
100 nodes / year = (3.62+0.75)*24*365 = 38281.2 USD
https://aws.amazon.com/marketplace/seller-profile/ref=dtl_pcp_sold_by?ie=UTF8&id=b985fa3c-56a3-42ba-8865-967fad6ffea4
Cost
CloudHSM service is charged using a one-time upfront fee and an hourly fee for the time that the CloudHSM is provisioned to you.
CloudHSM / year = 5000 + (1.88)*24*365 = 21468.8 USD
FAQ
Q: What types of HSMs are available?
As part of the service, AWS currently provides Luna SA HSM appliances from SafeNet, Inc., with version 5 of the Luna SA software.
Q: I don’t currently have a VPC. Can I still use AWS CloudHSM?
No. To protect and isolate your CloudHSM from other Amazon customers, CloudHSM must be provisioned inside a VPC. Creating a VPC is easy.
Q: How can my application use CloudHSM?
SafeNet has integrated and tested the Luna SA HSM with a number of commercial software solutions. Examples include:
Oracle Database 11g,
Microsoft SQL Server 2008 and 2012,
SafeNet ProtectV with virtual Key Secure for EBS volume encryption,
Apache web server SSL termination with private keys stored in the HSM.
If you are developing your own custom application, your application can use the standard APIs supported by the Luna SA HSM, including PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions).
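The following is an added example, not code from the slides, SafeNet or AWS, of what such a custom application looks like when it reaches the Luna SA through the standard PKCS#11 interface using the JDK's SunPKCS11 provider (Java 11+). The client library path, slot number and the HSM_PARTITION_PIN environment variable are assumptions; the point it shows is that the signing key is generated and used inside the HSM and never exposed to the application.

```java
// Added example (not from the slides): sign with a key that lives in the
// Luna SA, reached via PKCS#11 through the JDK's SunPKCS11 provider.
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;

public class HsmSignExample {
    // Assumed location of the Luna client PKCS#11 library and slot number;
    // adjust to the values installed on the EC2 client instance.
    static final String PKCS11_CONFIG =
        "name = LunaSA\n" +
        "library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so\n" +
        "slot = 0\n";

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("luna", ".cfg");
        Files.writeString(cfg, PKCS11_CONFIG);
        Provider hsm = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(hsm);

        // Log in to the partition; the PIN is read from the environment
        // (assumed variable name) rather than being embedded in source.
        char[] pin = System.getenv("HSM_PARTITION_PIN").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);

        // The HSM generates the key pair; the private key is a PKCS#11 object
        // (a session object here; store it via the KeyStore to make it persistent).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", hsm);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Check: SunPKCS11 returns null for non-extractable private key material,
        // so a non-null encoding would mean the key left the module.
        if (kp.getPrivate().getEncoded() != null) {
            throw new IllegalStateException("private key material left the HSM");
        }

        byte[] msg = "example payload".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", hsm);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();   // the RSA operation runs inside the HSM

        // Verification needs only the public key and can use any provider.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```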