Server-side encryption available for AWS S3 storage

by Rick Vanover in Security

on October 10, 2011, 6:02 AM PDT

Server-side encryption available for AWS S3 storage

One of the legitimizing aspects of cloud computing is to self-manage the encryption keys, such as Amazon's new SSE. But, how does one go about doing this? IT pro Rick Vanover shares a few tips.

In many areas of IT, we have to learn to managing key. This could be simple stuff such as usernames and passwords, but also more complicated topics such as encryption keys. While I’m not an encryption key expert per se, I do know enough about them to get a number of things done. But more importantly, I know that they need to be fully protected.

With the recent news of Amazon launching Server Side Encryption (SSE) for data-at-rest encryption, this is another reminder to me of the critical nature of key management. The Amazon solution allows 256-bit AES encryption to be performed locally on data before it is uploaded into the S3 storage cloud. Further, there is an option within the encryption client provided by the AmazonS3EncryptionClient class to leverage APIs to do the encryption locally with self-managed keys before transferring to S3. Given the popularity of public cloud computing and the inevitable increase in its use, it’s critical to refine some best practices on key management for cloud applications.

We can borrow a few tricks from the things we’ve always done on key management, such as ensuring encryption keys are used for backups that go offsite.

Limit the number of encryption keys in use (but protect them very well) and spread out the encryption. For example, if you lose one key somehow, don’t make that bring down your whole encryption algorithm.
Store the keys on a mechanism with robust auditing, including reads on a file system as well as any other access. That way, any activity (even a read) is logged for any forensic requirement.
Issue an escrow copy of newly rotated encryption keys to an internal security team or external software escrow agency. Limited information on what the keys are for may need to be provided, but the takeaway is that a backup or check-and-balance of the protection of the keys is made.

In the case of Amazon SSE, cloud solution administrators will be able to manage keys for data going in and out of cloud applications for S3 data transfers. Currently for Amazon’s Elastic Block Store storage resources (EBS), SSE is not supported. I personally don’t think SSE would be capable on EBS, but a new encryption mechanism may be available or used within AMIs to provide at-rest encryption of data traveling to, through, and from the Amazon clouds.

How does SSE give more confidence to your S3 data storage strategy? Share your comments below.

By Rick Vanover

Rick Vanover is an IT Infrastructure Manager for Alliance Data in Columbus, Ohio. Rick's IT certifications include VMware VCP, Microsoft Windows Server 2008 MCITP, Windows Server 2003 MCSA and others. \ \ Previous experiences included working for Dematic Corp (formerly Siemens L&A, Siemens Dematic, Rapistan)in Grand Rapids, MI in various capacities deploying custom software solutions to the material handling industry using a mix of current hardware and software products. You can reach Rick at b4real@usa.net. Follow rick on Twitter at @RickVanover http://twitter.com/RickVanover

Account Information

Contact Rick Vanover

Your message has been sent
|
See all of Rick's content

Editor's Picks

Image: Rawpixel/Adobe Stock

TechRepublic Premium
TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

TechRepublic Staff
Published: March 14, 2023, 9:10 AM EDT Modified: March 15, 2023, 9:16 AM EDT Read More See more TechRepublic Premium
Image: Blue Planet Studio/Adobe Stock

Payroll
The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

Ali Azhar
Published: February 28, 2023, 11:11 AM EST Modified: March 20, 2023, 4:45 PM EDT Read More See more Payroll
Image: Microsoft.

Software
Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

Mary Branscombe
Published: February 28, 2023, 2:59 PM EST Modified: February 28, 2023, 2:59 PM EST Read More See more Software
Image: tanatat/Adobe Stock

CXO
Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Owen Hughes
Published: March 3, 2023, 3:12 PM EST Modified: March 16, 2023, 12:56 PM EDT Read More See more CXO
Image: Nuthawut/Adobe Stock

Software
The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

Brenna Miles
Published: December 27, 2022, 11:45 AM EST Modified: March 16, 2023, 2:25 PM EDT Read More See more Software
Image: Song_about_summer/Adobe Stock

Security
1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

Karl Greenberg
Published: March 2, 2023, 3:44 PM EST Modified: March 7, 2023, 4:10 PM EST Read More See more Security

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for employee performance reviews, which will clearly document accomplishments and areas of opportunity via an encouraging and thought-provoking analysis. This will assist in determining the next steps for employees as well as their future at the organization. This policy can be customized ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for requesting, filing and permitting paid/unpaid time off as well as to ensure coverage during holidays, vacation(s) and other absences where staffing levels must be consistent to meet the needs of the business. From the policy: TIME OFF GUIDELINES All time off ...

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

Server-side encryption available for AWS S3 storage

Server-side encryption available for AWS S3 storage

Editor's Picks

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

The Best Human Resources Payroll Software of 2023

Windows 11 update brings Bing Chat into the taskbar

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

The 10 best agile project management software for 2023

1Password is looking to a password-free future. Here’s why

Employee performance review policy

Employee time off policy

Employee privacy policy

Security response policy

Account Information

Server-side encryption available for AWS S3 storage

Daily Tech Insider Newsletter

Account Information

Share with Your Friends

Account Information

Contact Rick Vanover

Editor's Picks

Daily Tech Insider Newsletter