The goal of the AWS Security blog is to provide you with guidance, best practices, and technical walkthroughs covering new service launches or topics such as how to help increase the security of your AWS account or better achieve your compliance goals. As we welcome 2015, we want to make sure that you did not miss any of the posts from 2014. This blog post includes a complete, categorized list of the AWS Security Blog posts published in 2014.
Previously, Todd Cignetti, AWS Security Product Manager, wrote a post that covered some typical use cases for AWS CloudHSM, a service that helps you securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. In this post, Todd continues the series on AWS CloudHSM with a discussion of key hierarchies.
Application developers are often asked to encrypt data to protect that data’s confidentiality, to meet compliance requirements, or as a best practice. There are several options for generating an encryption key in software and using it to encrypt data, whether from open source or vendor-specific solutions. But once an encryption key is created and used to encrypt data, that key has to be stored for later use when the data needs to be decrypted. Storing the key with the data is like locking your front door while leaving the key in the lock—not recommended.
Many of our readers have told us that they want to learn more about encryption and key management in AWS. CloudHSM is an AWS service that provides a hardware-backed trust anchor on which encryption and key management applications can be built. If you’re not familiar with AWS CloudHSM, you can read more about it on the CloudHSM Detail Page. It’s an AWS service that provides secure cryptographic key storage and operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and to use that key material without ever exposing it outside the cryptographic boundary of the appliance.
Todd Cignetti, AWS Security Product Manager, works with AWS customers and partners who build applications that leverage CloudHSM. He describes several use cases for CloudHSM below to help you understand when you should consider using the service as a part of your application.
It may not be obvious how to use CloudHSM for practical applications, so I’d like to discuss how a few applications use the service. Frankly, it’s not always necessary to use HSM technology to store key material, so we’ll also discuss some of the common requirements that dictate the extra level of security provided by CloudHSM. CloudHSM is used for a wide range of applications, including database encryption, digital content encryption, payment applications, certificate management and public key infrastructure (PKI), and identity and auditing.