Better Together Using Encryption Authorization for Data Protection Sec333

Title

AWS re:Invent 2023 - Better together: Using encryption & authorization for data protection (SEC333)

Summary

  • Presenters: Quint Van Deman (Principal, Office of the CISO, AWS Security) and Kevin Lee (Senior Product Manager, AWS KMS).
  • Main Topic: The synergy between encryption and authorization to enhance data protection in AWS.
  • Key Points:
    • Encryption and authorization should be used in unison, not merely layered as defense in depth, so that the two mechanisms together express a single, robust data protection rule.
    • AWS has seen significant enhancements in these areas in recent years.
    • The session focused on real-world examples to demonstrate how to implement least privilege, go fast while staying secure, and protect data from all users, including those with high-level access.
    • Discussed the importance of IAM for authorizing API calls and the PARC model (Principal, Action, Resource, Condition).
    • Emphasized the use of guardrails and grants in IAM policies.
    • Showcased a sample application's evolution with increasing data protection measures.
    • Introduced AWS Organizations and SCPs for higher-order guardrails.
    • Highlighted the use of Amazon GuardDuty and CloudTrail for monitoring and incident response.
    • Discussed key management strategies and compliance without sacrificing developer velocity.
    • Explored protecting data from system administrators and operators using separation of duty and client-side encryption.
    • Introduced confidential computing and Nitro Enclaves for protecting data in use and ensuring it's accessed only by the intended software.

Insights

  • Encryption and Authorization Integration:

    • AWS's approach to data protection is unique in how it integrates encryption and authorization, allowing for granular and flexible control over data access.
    • Because every decrypt is a KMS API call that IAM must authorize, encryption does more than secure data at rest: it lets key policies tie data access to specific roles and request conditions.
  • IAM Policies and Data Protection:

    • IAM policies play a crucial role in data protection, with the PARC model serving as a foundation for defining access permissions.
    • The distinction between guardrails (maximum allowable permissions) and grants (actual permissions) is critical for setting up effective security measures.
  • Advanced Data Protection Techniques:

    • The session highlighted advanced techniques such as using AWS Organizations for centralized control, employing Amazon GuardDuty for anomaly detection, and leveraging CloudTrail for auditing and incident response.
    • These tools and services enable organizations to create a comprehensive data protection strategy that extends beyond basic encryption and authorization.
  • Key Management and Compliance:

    • Key management is a balancing act between control and performance. AWS offers various options, from native KMS to external key stores, to accommodate different compliance requirements.
    • The session underscored the importance of understanding the trade-offs and choosing the right key management strategy based on the organization's needs and compliance obligations.
  • Protecting Data from Insiders:

    • The concept of separation of duty within KMS key policies can help protect data from internal threats by ensuring no single individual has complete control over both the use and management of keys.
    • Client-side encryption and Nitro Enclaves were presented as solutions for protecting data from system administrators and operators, even when data is actively in use.
  • Confidential Computing and Nitro Enclaves:

    • Confidential computing, particularly Nitro Enclaves, offers a way to protect sensitive data and code from both cloud operators and an organization's own operators and admins.
    • The attestation process for Nitro Enclaves ensures that only the exact software intended by the organization can access the data, providing an additional layer of security.
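The following Python is an added example, not material from the talk or an AWS tool. It builds a KMS key policy in the shape the separation-of-duty and attestation points above describe (one role administers the key, a different role may only Decrypt, and only when the request carries a Nitro Enclaves attestation document with the expected PCR0) and audits any policy for both properties. The account id, role names and PCR0 digest are constructed placeholders; the kms:RecipientAttestation:PCR0 condition key is the documented Nitro Enclaves condition key, which the summary itself does not name.

```python
import fnmatch

# Constructed sample values: account id, role names and the PCR0 digest are placeholders.
ACCOUNT = "111122223333"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdministrator"
ENCLAVE_APP = f"arn:aws:iam::{ACCOUNT}:role/EnclaveAppRole"
EXPECTED_PCR0 = "0" * 96  # stands in for the measured PCR0 of the approved enclave image

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Key administrators manage the key but receive no Encrypt/Decrypt rights.
            "Effect": "Allow",
            "Principal": {"AWS": KEY_ADMIN},
            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                       "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*"],
            "Resource": "*",
        },
        {   # The workload role may decrypt only when KMS receives a signed attestation
            # document whose PCR0 matches the approved enclave image.
            "Effect": "Allow",
            "Principal": {"AWS": ENCLAVE_APP},
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {"StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": EXPECTED_PCR0}},
        },
    ],
}

MANAGE = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CreateGrant"}  # control plane
USE = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}  # data plane

def _as_set(v):
    return {v} if isinstance(v, str) else set(v)
def _grants(stmt, actions):
    return any(fnmatch.fnmatchcase(a, p) for p in _as_set(stmt["Action"]) for a in actions)

def audit(policy):
    # Findings: principals allowed to both manage and use the key, and any kms:Decrypt
    # allow that is not gated by a kms:RecipientAttestation:* condition key.
    managers, users, findings = set(), set(), []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        who = _as_set(stmt["Principal"].get("AWS", []))
        managers |= who if _grants(stmt, MANAGE) else set()
        users |= who if _grants(stmt, USE) else set()
        if _grants(stmt, {"kms:Decrypt"}):
            keys = {k for op in stmt.get("Condition", {}).values() for k in op}
            if not any(k.startswith("kms:RecipientAttestation:") for k in keys):
                findings.append(f"unattested decrypt: {sorted(who)}")
    return findings + [f"manage+use: {p}" for p in sorted(managers & users)]
```

Running `audit(KEY_POLICY)` returns no findings, while a policy that hands one role `kms:*` is flagged for both an unattested decrypt and a manage-plus-use principal.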
  • Incremental Security Improvement:

    • The presenters advocated for an incremental approach to security, where organizations can start with basic measures and progressively adopt more advanced data protection strategies as they mature.
    • This approach allows for flexibility and scalability, enabling organizations to tailor their data protection measures to the sensitivity of the data and their overall security posture.