Well, it's about time!
AWS adds bring your own key crypto to its cloudy S3 storage
Amazon Web Services (AWS) has added bring-your-own-key (BYOK) encryption to its Simple Storage Service (S3). AWS points out that BYOK comes with some complexity. “... it is up to you to manage your encryption keys and to make sure that you know which keys were used to encrypt each object,” writes the company's omni-blogger …
-
Friday 12th June 2015 12:03 GMT Trevor_Pott
You mean Azure's laughable key management system that holds your keys by running inside a VM running on Azure? The one that is rather expensive? Pray, tell, how does Thales keep the NSA from getting my keys?
(Not saying Amazon's does, but that Azure crapfest doesn't stop the NSA from extracting my keys from the VM running on Azure that holds them!)
-
Friday 12th June 2015 22:00 GMT Anonymous Coward
"You mean Azure's laughable key management system that holds your keys by running inside a VM running on Azure"
You might want to use Google. Azure uses European military grade Thales HSMs to store the keys. They never touch a VM.
"The one that is rather expensive"
Maybe to Microsoft. It's free to users.
Sounds like you need to read up on what an HSM actually does...
-
Saturday 13th June 2015 02:46 GMT Trevor_Pott
You're right, I had gotten things mixed round in my brain. I was thinking of the Alliance Key Manager for Azure that everyone had been touting as the ultimate solution to Azure security problems (hah!) before Thales came around. What garbage.
Microsoft did have pre-Thales stuff too. The previous generation's broken, expensive and Microsoft-vulnerable Windows RMS-based setup, for example. That's pre-Azure RMS that didn't use the hardware modules.
Oh, and the Cloudlink "we'll encrypt your VMs" offering that uses Bitlocker, which everyone is well aware was designed weak from the start and pwned by the NSA bloody ages ago. That was a laugh riot.
With Thales HSMs enterprises with Azure subscriptions and which have Thales hardware on their premises can secure (quoted from https://technet.microsoft.com/en-ca/library/dn440580.aspx)
application that integrates with Azure RMS. This includes cloud services such as SharePoint Online, on-premises servers that run Exchange and SharePoint that work with Azure RMS by using the RMS connector, and client applications such as Office 2013
You cannot secure Exchange online, general VMs, general storage or, well...most of the stuff on Azure with Thales HSM. The things you can secure with Thales HSM you are trusting Microsoft that the key can't be extracted, intercepted or used because, well, it's pretty much Microsoft's own applications that use it at this point. (Though, to be fair, non-Microsoft applications that integrate with Azure RMS could in theory benefit.)
So you're still back to trusting Microsoft (and Thales, who are slightly more trustworthy), though you can't use Thales for a lot of things. It's a start. And maybe once it can be used for every element of the public cloud computing experience and we can guarantee every nanosecond of the chain of custody for the keys from you to the hardware device on Microsoft's premises can't be spied upon, Azure will be ready for mildly sensitive workloads.
Amazon probably never will be.
Better still to just run the workloads on a regional service provider that lives in your own legal jurisdiction and not take the risk. You'll be less likely to be sued into oblivion, probably get better service and you won't be putting your testicles in the vice of a convicted monopolist! Win/win/win.
-
Saturday 13th June 2015 12:13 GMT Anonymous Coward
"You're right, I had gotten things mixed round in my brain."
And again it seems:
"Oh, and the Cloudlink "we'll encrypt your VMs" offering that uses Bitlocker, which everyone is well aware was designed weak from the start and pwned by the NSA bloody ages ago"
Actually there are no known vulnerabilities in a Bitlocker setup that uses Microsoft's recommended settings - other than those that affect all such systems - such as the possibility of being able to extract keys from the memory of a running OS image. There has been no suggestion even from Snowden's revelations that the NSA have been able to directly defeat Bitlocker.
"You cannot secure Exchange online, general VMs, general storage or, well...most of the stuff on Azure with Thales HSM."
Wrong - Exchange Online (now Office 365) fully supports AD RMS. And again you show your lack of understanding. The model is not designed to secure the infrastructure or the storage itself. It is designed to encrypt and decrypt at clients, so that unencrypted data never passes over the Azure infrastructure at all....
"Better still to just run the workloads on a regional service provider that lives in your own legal jurisdiction and not take the risk."
The Microsoft / Thales model actually physically blocks cross region key access by design, so even if Microsoft USA were given a court order to give up data in say Ireland, they would not be able to if it was secured by the Thales HSM / AD RMS solution...
-
Friday 12th June 2015 13:47 GMT I Am Spartacus
Hang on ....
My thoughts exactly. We only have their word that they do not store the key anywhere. So, when I encrypt an object and store it in Ireland, what's to say that my key is not unofficially backed up in, say, US?
As I have to manage the key, I may as well do the encryption phase before I send the object to Amazon.
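The example below is added here and is not code from AWS, The Register or any of the commenters. It takes the point quoted in the excerpt at the top of the page (with BYOK, "it is up to you to manage your encryption keys and to make sure that you know which keys were used to encrypt each object") together with the last comment's suggestion of encrypting before the object ever reaches Amazon, and shows one way to do client-side encryption that keeps that record: each object is stored as an envelope whose header names the key ID, the header is bound as AES-GCM additional data so it cannot be swapped, and an inventory or key rotation can read the key ID without decrypting. The envelope layout, the key IDs and the keys themselves are constructed for the example; nothing here is an S3 API or an AWS-defined format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring maps a customer key ID to a 32-byte AES-256 key. The keys are held
// in memory for the example; a real deployment keeps them in an HSM or a local
// key manager and never sends them to the storage provider.
type Keyring map[string][]byte

// Hypothetical envelope layout used as the uploaded object body:
//   [2-byte big-endian key-ID length][key ID][12-byte GCM nonce][ciphertext || tag]
// The key-ID header doubles as AES-GCM additional data, so relabelling an
// object with another key ID fails authentication on decrypt.
const nonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under kr[keyID] and records keyID in the envelope.
func Seal(kr Keyring, keyID string, plaintext []byte) ([]byte, error) {
	key, ok := kr[keyID]
	if !ok {
		return nil, fmt.Errorf("seal: unknown key id %q", keyID)
	}
	if len(keyID) > 0xffff {
		return nil, errors.New("seal: key id too long for 2-byte length")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 2+len(keyID))
	binary.BigEndian.PutUint16(hdr, uint16(len(keyID)))
	copy(hdr[2:], keyID)
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(hdr)+nonceSize+len(plaintext)+gcm.Overhead())
	out = append(out, hdr...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// parse splits an envelope into header (the AAD), key ID, nonce and ciphertext.
func parse(env []byte) (hdr []byte, keyID string, nonce, ct []byte, err error) {
	if len(env) < 2 {
		return nil, "", nil, nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(env))
	if len(env) < 2+n+nonceSize {
		return nil, "", nil, nil, errors.New("envelope truncated")
	}
	return env[:2+n], string(env[2 : 2+n]), env[2+n : 2+n+nonceSize], env[2+n+nonceSize:], nil
}

// KeyIDOf reports which key an object was encrypted under without decrypting;
// an inventory of "which key encrypted each object" is built from this alone.
func KeyIDOf(env []byte) (string, error) {
	_, id, _, _, err := parse(env)
	return id, err
}

// Open authenticates and decrypts an envelope with the key it names.
func Open(kr Keyring, env []byte) (keyID string, plaintext []byte, err error) {
	hdr, keyID, nonce, ct, err := parse(env)
	if err != nil {
		return "", nil, err
	}
	key, ok := kr[keyID]
	if !ok {
		return keyID, nil, fmt.Errorf("open: object needs key %q, not in keyring", keyID)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return keyID, nil, err
	}
	plaintext, err = gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return keyID, nil, fmt.Errorf("open: authentication failed under key %q: %w", keyID, err)
	}
	return keyID, plaintext, nil
}

// Rotate re-encrypts an object under newKeyID; the recorded key ID means
// rotation never has to guess which old key to try.
func Rotate(kr Keyring, env []byte, newKeyID string) ([]byte, error) {
	_, pt, err := Open(kr, env)
	if err != nil {
		return nil, err
	}
	return Seal(kr, newKeyID, pt)
}

// testKey derives a fixed 32-byte key from a label; constructed for this example only.
func testKey(label string) []byte {
	h := sha256.Sum256([]byte("example-keyring:" + label))
	return h[:]
}

func main() {
	kr := Keyring{"cust-2015-06": testKey("a"), "cust-2015-07": testKey("b")}
	env, _ := Seal(kr, "cust-2015-06", []byte("constructed sample object"))
	id, _ := KeyIDOf(env)
	fmt.Println("stored under key:", id)
	env2, _ := Rotate(kr, env, "cust-2015-07")
	delete(kr, "cust-2015-06") // retire the old key: the old copy is now unreadable
	_, _, err := Open(kr, env)
	fmt.Println("old copy:", err)
	id, pt, err := Open(kr, env2)
	fmt.Printf("rotated copy under %s: %q err=%v\n", id, pt, err)
}
```

Whatever the storage side does with the object, the only thing it ever receives is the envelope, so the question of where the provider keeps a backup of the key does not arise; the cost, as the excerpt says, is that the key inventory and rotation are entirely the customer's job, which is what the key-ID header is there to make tractable.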