Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

  • Web Log

AWS CloudFront Field Data Encryption, Protection for the Rest of Us →

December 15, 2017 by Marc Handelman in DBMS Security, Data-At-Rest, Data-In-Motion, Data Security, Information Security

Superlative AWS blog post by Alex Tomic and Cameron Worrell, detailing some of the best news yet in encryption capability on Amazon Web Services - table contained field level encrytion. With prudent end-to-end cryptographically protected data objects, I cannot emphasize how important it is to make this form of data-at-rest encryption available to your Security Architects, DBAs, Developers and Security Engineers as part of that end-to-end solution. Outstanding.

"Field-level encryption addresses this problem by ensuring sensitive data is encrypted at CloudFront edge locations. Sensitive data fields in HTTPS form POSTs are automatically encrypted with a user-provided public RSA key. After the data is encrypted, other systems in your architecture see only ciphertext. If this ciphertext unintentionally becomes externally available, the data is cryptographically protected and only designated systems with access to the private RSA key can decrypt the sensitive data." - AWS Blog Posting by Alex Tomic and Cameron Worrell

December 15, 2017 /Marc Handelman
DBMS Security, Data-At-Rest, Data-In-Motion, Data Security, Information Security

New S3 Encryption Feature, Is Amazon's Encryption Move Enough? →

November 08, 2017 by Marc Handelman in Cloud Security, Cloud Data Storage, Cybersecurity, Encryption, Data-At-Rest, Data-In-Motion

You be the judge... Essentially, all are targeted at data-and-objects-at-rest, rather than in-motion (except, perhaps the new cross-region replication feature with KMS).

Regardless, all of the annouced new features are welcome (in my currently rather jaded opinion). Now, if we can just overcome human error (not to mention blatant developer and data-owner lack-of-attention-to-detail, read about that here)...

  • Default Encryption – You can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted.
  • Permission Checks – The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.
  • Cross-Region Replication ACL Overwrite – When you replicate objects across AWS accounts, you can now specify that the object gets a new ACL that gives full access to the destination account.
  • Cross-Region Replication with KMS – You can now replicate objects that are encrypted with keys that are managed by AWS Key Management Service (KMS).
  • Detailed Inventory Report – The S3 Inventory report now includes the encryption status of each object. The report itself can also be encrypted. - via Jeff Barr, writing at the AWS Blog

And, thanks for the H/T go out to Trey Blalock over at rapidly growing Firewall Consultants!

November 08, 2017 /Marc Handelman
Cloud Security, Cloud Data Storage, Cybersecurity, Encryption, Data-At-Rest, Data-In-Motion