Keys and Certificates on AWS Cloud Security for Enterprises
Seattle AWS Architects & Engineers Meetup, August 22, 2016
PROPRIETARY & CONFIDENTIAL
About Me
Ryan Treat, Senior Product [email protected]
Resided in the Seattle area for the past 20 years
10 years of experience with Venafi products
3 years in Product Management
‐ Responsible for Venafi Trust Protection Platform™ features involved with server certificates, certificate authority and hosting platform integrations, and the product's API
Encryption Keys
Enable secure communication between two independent entities, such as a server and a client
Asymmetric Keys (key pairs)
‐ One key encrypts data that only the other key can decrypt and vice versa
‐ The private key is not exposed
‐ The public key must be shared
[Diagram: plaintext "ABC" encrypted with one key of the pair and decrypted with the other]
Establishing Trust
How do you know that the public key shared with you belongs to the entity you think it does?
That requires…
‐ You have control over the other entity; or
‐ You involve a third party that you already trust to attest to the identity of the other entity
Certificate Authorities (CAs) are the third parties
Certificate Authorities
Differing levels of trust assurance through rigor of validation – domain, organization, and extended (EV)
CAs cannot assure security… that depends upon how well private keys are protected
Public Trust CA business has become marginalized
Certificates are now a commodity thanks to free and subscription options
Digital Certificates
Certificate Signing Requests (CSRs) are the public key plus identifying information, signed with the corresponding private key
Certificates are the public key plus identifying information (CN, SANs), signed by the CA’s private key
‐ Certificates expire to limit risk; shorter validity periods are less risky because compromised keys are useful for a shorter period of time
Self-Signed Certificates
Obtaining a certificate signed by a CA takes an average of 4.5 hours due to the vetting/approval processes
Self-signed certificates can be obtained in seconds because they are minted without the involvement of a CA, but that also means they won’t be trusted
Untrusted certificates are never accepted by default, but clients may make a judgment call and still establish a connection with the entity… blind trust!
There is no external record of issuance… no visibility!
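As an added illustration of this slide (example code, not part of the Venafi deck), the script below uses the openssl CLI, assumed to be on PATH, to mint a self-signed certificate and shows that a client rejects it unless that client itself decides to treat it as a trust anchor. The host names and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Venafi deck. Assumes the openssl CLI is on
# PATH; certificate names and the working directory are constructed here.
set -eu
WORK=$(mktemp -d)

# Key pair + CSR: the public key and identifying information (here only a CN),
# signed with the private key. This is what would be sent to a CA for vetting.
make_csr() {  # $1 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# Self-signing: the CSR is signed with its own private key. No CA, no vetting,
# no external record of issuance; takes well under a second.
self_sign() {  # $1 = common name
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 30 >/dev/null 2>&1
}

# "yes" when issuer and subject are the same name, i.e. the certificate vouches for itself.
is_self_signed() {  # $1 = certificate file
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && echo yes || echo no
}

# Default client behaviour: only the system trust store counts.
verify_default() {  # $1 = certificate file
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# The "judgment call": the client names the anchor it is willing to trust.
verify_against() {  # $1 = certificate file, $2 = PEM file the client chooses to trust
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

for cn in www.example.com other.example.org; do make_csr "$cn"; self_sign "$cn"; done

echo "self-signed:      $(is_self_signed "$WORK/www.example.com.crt")"   # yes
echo "default client:   $(verify_default "$WORK/www.example.com.crt")"   # untrusted
echo "pinned to itself: $(verify_against "$WORK/www.example.com.crt" "$WORK/www.example.com.crt")"   # trusted
echo "wrong anchor:     $(verify_against "$WORK/www.example.com.crt" "$WORK/other.example.org.crt")" # untrusted
```

The "pinned to itself" line is the blind-trust case: nothing but the client's own decision connects the name www.example.com to that key, and no CA or log holds a record that the certificate exists.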
Man-in-the-Middle
When you choose to connect despite not trusting the certificate provided by the remote entity, you don’t know who you are connecting to…
[Diagram: the client believes it is connected to www.example.com, but its username/password, credit card number and social security number are sent to an unknown party (?)]
Wildcard Certificates
A certificate that is valid for use with all entities from the same domain (*.example.com)
High flexibility since you don’t need to get a new certificate when you have a new application
High risk since one private key is shared by all entities using the wildcard certificate
Private key compromise puts all applications using the wildcard certificate at risk of data theft and provides opportunity for impersonation
Key Compromise
Someone with a stolen private key and access to network traffic encrypted using that key has access to private data
[Diagram: traffic to www.example.com carrying username/password, credit card number and social security number, readable by the holder (?) of the stolen private key]
DevOps
Five Principles of DevOps
1. Iterative
2. Continuous
3. Collaborative
4. Systemic
5. Automated
“a change in IT culture, focusing on rapid IT service delivery”
DevOps Lifecycle
Configuration Management
Infrastructure Automation
Continuous Deployment
Develop → Build → Test → Package → Deploy
Microservices
Complex application architectures
Tasks are broken down into smaller components that are more easily tested with higher confidence
Many inter-service connections to secure
DevOpsSec
“a security-infused practice addressing security concerns across the entire application life cycle”
Develop → Build → Test → Package → Deploy
Keys and certificates are needed before applications can be completely deployed
Conclusions
Organizations need a lot more certificates
Certificates are needed fast, within seconds
Enterprise PKI needs to provide this service to its DevOps customers
Problems Solved, Right?
Frequent application redeployment allows for
‐ Shorter certificate validity → reduced risk from compromised keys
‐ No worries about certificate expiration → reduced risk of service interruption
Unaddressed Challenges
‐ Security policy compliance violations – key size, signature algorithm, self-signing, wildcards, unauthorized CA, etc.
‐ Lack of enterprise visibility – essential if Enterprise PKI is going to allow certificates to be issued without review
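The policy checks named on this slide (and the wildcard-certificate slide earlier) can be automated against a PEM certificate. The script below is an added example, not code from the Venafi deck or from Venafi's product; it relies on the openssl CLI being on PATH, and the thresholds, the test CA and the two certificates it audits are constructed for the demo rather than taken from any real policy.

```shell
#!/bin/sh
# Added example, not code from the Venafi deck or Venafi's product. Assumes the
# openssl CLI is on PATH. The thresholds are illustrative assumptions, not a
# Venafi policy; the test CA and certificates below are constructed locally.
set -eu
WORK=$(mktemp -d)
MIN_RSA_BITS=2048

# Print one policy violation per line for the PEM certificate in $1; print nothing if compliant.
audit_cert() {
  text=$(openssl x509 -in "$1" -noout -text)

  # Key size (RSA only; EC keys are measured on a different scale)
  keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: \(.*\)$/\1/p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ "$keyalg" = rsaEncryption ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
    echo "weak-key: RSA ${bits} bits (minimum $MIN_RSA_BITS)"
  fi

  # Signature algorithm: anything outside the SHA-2 / EdDSA family is a violation
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1)
  case "$sigalg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519|ED448) ;;
    *) echo "weak-sigalg: $sigalg" ;;
  esac

  # Self-signed: issuer equals subject, so no independent party vouched for the name
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" != "$iss" ] || echo "self-signed"

  # Wildcard in the CN or a DNS SAN: one private key shared by every host in the domain
  if printf '%s\n' "$text" | grep -qE 'CN ?= ?\*\.|DNS:\*\.'; then echo "wildcard"; fi
}

# Constructed test CA, used only to issue the compliant certificate
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -days 30 -subj "/CN=Example Test CA" >/dev/null 2>&1

# Compliant: 2048-bit RSA, SHA-256, a single host name, issued by the CA
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/good.key" -out "$WORK/good.csr" \
  -subj "/CN=www.example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -sha256 -days 30 -out "$WORK/good.crt" >/dev/null 2>&1

# Non-compliant: 1024-bit RSA, self-signed, wildcard CN
openssl req -x509 -newkey rsa:1024 -nodes -keyout "$WORK/weak.key" -out "$WORK/weak.crt" \
  -days 30 -subj "/CN=*.example.com" >/dev/null 2>&1

echo "good.crt: $(audit_cert "$WORK/good.crt" | tr '\n' ';')"   # (nothing)
echo "weak.crt: $(audit_cert "$WORK/weak.crt" | tr '\n' ';')"   # weak-key: RSA 1024 bits (minimum 2048);self-signed;wildcard;
```

Run over every certificate a deployment pipeline is about to install, the script gives the visibility the slide says is missing: each finding maps to one of the listed violation classes, and a non-empty result is a reason to block the deploy rather than discover the problem in a later audit. Checking the issuer against an allow-list of approved CAs (the "unauthorized CA" item) is a one-line extension of the self-signed check.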
Amazon Web Services
AWS Certificate Manager (“ACM”)
Elastic Load Balancing
CloudFront (content delivery)
Elastic Cloud Computing (EC2) Instances (virtual machines)
• Amazon Linux
• Debian
• SUSE
• FreeBSD
• CentOS
• Red Hat Enterprise Linux
• SUSE Linux Enterprise Server
• Ubuntu
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
AWS Certificate Store
Identity and Access Management (IAM)
Server certificate repository with CLI based management
Used by AWS applications including:
‐ Elastic Load Balancing
‐ CloudFront
‐ API Gateway
‐ Elastic Beanstalk
‐ OpsWorks
aws iam list-server-certificates
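Listing the store is only useful if something acts on the result. As an added example (not Venafi's or AWS's code), the script below consumes the name/expiration pairs that the real CLI prints with `aws iam list-server-certificates --query 'ServerCertificateMetadataList[].[ServerCertificateName,Expiration]' --output text` and flags certificates that are expired or about to expire. The three sample entries and the reference date (the date of this deck) are constructed for the demo; the date arithmetic is done in plain sh so the script does not depend on GNU date(1).

```shell
#!/bin/sh
# Added example, not Venafi's or AWS's code. It reads the name/expiration pairs
# printed, one certificate per line, by this AWS CLI invocation:
#   aws iam list-server-certificates \
#     --query 'ServerCertificateMetadataList[].[ServerCertificateName,Expiration]' \
#     --output text
# and flags certificates that are expired or about to expire. The sample data
# and the reference date (the deck's date) are constructed for the demo.
set -eu

# Julian day number for a YYYY-MM-DD date, so the script needs no GNU date(1).
jdn() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                   # drop leading zeros (would be read as octal)
  a=$(( (14 - m) / 12 ))
  yy=$(( y + 4800 - a ))
  mm=$(( m + 12 * a - 3 ))
  echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# $1 = today (YYYY-MM-DD), $2 = warning window in days; stdin = "name<TAB>expiration" lines.
# Prints EXPIRED / EXPIRING lines; certificates with more than $2 days left stay silent.
audit_expiry() {
  today=$(jdn "$1")
  while read -r name exp; do
    [ -n "$name" ] || continue
    left=$(( $(jdn "${exp%%T*}") - today ))   # Expiration is ISO 8601, e.g. 2017-02-28T23:59:59Z
    if [ "$left" -lt 0 ]; then
      echo "EXPIRED $name (${left#-} days ago)"
    elif [ "$left" -le "$2" ]; then
      echo "EXPIRING $name (in $left days)"
    fi
  done
}

# Constructed sample in the exact shape of the CLI output above.
sample() {
  printf 'web-prod-2016\t2017-02-28T23:59:59Z\n'
  printf 'api-gateway-cert\t2016-09-05T00:00:00Z\n'
  printf 'legacy-intranet\t2016-07-31T12:00:00Z\n'
}

# In production: aws iam list-server-certificates ... --output text | audit_expiry "$(date -u +%Y-%m-%d)" 30
sample | audit_expiry 2016-08-22 30
```

With the 30-day window, the sample reports `EXPIRING api-gateway-cert (in 14 days)` and `EXPIRED legacy-intranet (22 days ago)` and says nothing about the certificate that is still good for 190 days. An expired entry that is still attached to a load balancer is exactly the service-interruption risk the deck warns about, and a scheduled run of this check is the minimum visibility an enterprise PKI team needs over certificates that DevOps teams upload on their own.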
AWS ELB/CloudFront with ACM
[Diagram: numbered flow (1–5) between the Venafi user/customer and AWS Certificate Manager, including the requested Common Name and DNS SANs and domain control validation (DCV)]
AWS ELB/CloudFront with other CA
[Diagram: numbered flow (1–5) between the Venafi user/customer, a Certificate Authority, and IAM, where the issued certificate is stored for ELB/CloudFront]
AWS Elastic Instances
[Diagram: Elastic Cloud Computing (EC2) instances behind an Elastic Load Balancer, with Trust Protection Platform fronting the Certificate Authorities via its REST API, and DevOps configuration management using vCert to request certificates]
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
© 2016 Venafi Proprietary and Confidential