Data Encryption : securing your data stored in Amazon Web Services data centers

There might come a time when an organization or an individual decides to store data in Amazon Simple Storage Service (S3), effectively storing said data in Amazon Web Services Data Center.

By using Amazon Simple Storage Service (S3), we gain access to virtually unlimited storage capacity at a very low monthly cost (as low as $0.021 per GB per month).

But are you sure your data is secure in Amazon S3? That no one can gain access to your data in transit (when you send it from an on-premises data center or your computer to Amazon S3) or at rest (when it sits inside Amazon Web Services data centers)?

In this article, I want to talk about one possible solution to this situation: encrypting your data!

What is Data Encryption?


Data Encryption process

Data encryption is used to protect data from being stolen, changed or compromised. It works by transforming your data into an incomprehensible code that can only be decrypted with a unique digital key. Here are the key components of data encryption:

  • Plaintext: your actual data in its readable form, before encryption. It is readable by whoever has access to it, whether images, videos, audio files, Excel spreadsheets, PowerPoint presentations, contracts, etc.
  • Ciphertext: your data after encryption. In this form, your data is neither readable nor usable by anyone who does not have both your encryption key and the mathematical algorithm used to encrypt it. Imagine your data going from “mybook.pdf” to “Gh56DF!@hJk2@2xF$#23”: that is what encrypting your data means!
  • Algorithm: the formula or method used to encrypt or decrypt your data. Popular ones include Triple DES, the Advanced Encryption Standard (AES) and many more.
  • Encryption key: the secret value that, together with the algorithm, is used to encrypt and/or decrypt data. You can use one key per object (an object being your data, whether a file, image, video, PDF, etc.), one key per group of objects, or multiple keys per object; you decide!

Types of encryption:

The two types of encryption commonly used are:

  • Symmetric encryption
  • Asymmetric encryption

In symmetric encryption, a single key is used both to encrypt and to decrypt data. It is fast, which makes it ideal for transferring large volumes of data securely. But it relies on whoever receives your encrypted data, such as Amazon S3, having the same key you used to encrypt it. The challenge is getting that encryption key to your recipient securely.


Symmetric Encryption

In asymmetric encryption, two keys are used: a public key and a private key. The public key encrypts data and the private key decrypts it. This means anyone holding the public key can encrypt data, but only those holding the corresponding private key can decrypt and read it. It is more expensive computationally, so it is not ideal for transferring vast amounts of data. But it is the better choice for exchanging small pieces of private information, such as symmetric encryption keys.


Asymmetric Encryption
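The two mechanisms above are normally combined: a fast symmetric key encrypts the object, and an asymmetric key pair protects that symmetric key so it can travel with the object. The following is an added example written for this article, not code from the original post or from AWS. It uses only the Go standard library: AES-256-GCM for the object (plaintext in, ciphertext out, with integrity checking) and RSA-OAEP to wrap the per-object data key. The key pair, the sample object and the `Envelope` layout are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what would actually be uploaded to S3: the ciphertext, the GCM
// nonce, and the per-object data key wrapped under the recipient's public key.
// The plaintext data key never leaves the client (constructed layout).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	WrappedKey []byte // data key encrypted with RSA-OAEP (SHA-256)
}

// newGCM builds an AES-GCM instance; a 32-byte key selects AES-256.
func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt encrypts plaintext under a single key. The same key is
// needed to decrypt, which is the distribution problem Seal solves below.
func SymmetricEncrypt(dataKey, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. GCM also verifies integrity, so a
// modified ciphertext is rejected instead of decrypting to garbage.
func SymmetricDecrypt(dataKey, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Seal generates a fresh 256-bit data key for this object, encrypts the object
// with it, then wraps the key with the recipient's RSA public key. Only the
// holder of the matching private key can unwrap it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := SymmetricEncrypt(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Open unwraps the data key with the private key, then decrypts the object.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if env == nil {
		return nil, errors.New("nil envelope")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(dataKey, env.Nonce, env.Ciphertext)
}

func main() {
	// Constructed sample: the recipient's key pair and a small "object".
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	plaintext := []byte("contents of mybook.pdf (constructed sample)")
	env, err := Seal(&priv.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes) starts with %x, unreadable without the key\n", len(env.Ciphertext), env.Ciphertext[:8])
	got, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(got, plaintext))
}
```

Losing the private key here means losing every object sealed to it, which is exactly the "without them, you might not be able to decrypt your data ever again" risk the client-side section describes; the wrapped key travels with the object, but the private key must be backed up separately.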

Encrypting data when using Amazon Web Services:

Protecting our data in transit vs data at rest

When you upload your data to Amazon S3, there are two points in time at which you should be concerned about its security:

  • First, during the transfer itself: this is called “data in transit”, meaning data traveling from your infrastructure to Amazon Simple Storage Service (S3) data centers.
  • Second, once the data is stored in Amazon S3: this is called “data at rest”.

When your data is in transit, secure communication protocols such as HTTPS and SSH protect it by encrypting the channel it travels through. You just have to make sure you use the right protocol to transfer data.


Data In-transit VS Data at Rest
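Using the right protocol is a client-side habit; on the bucket side you can also refuse any request that does not arrive over TLS. The following is an added example, not code from the original post or from AWS, written in Go with only the standard library. It builds a bucket policy whose Deny statement uses the real `aws:SecureTransport` condition key, and includes a checker that parses an existing policy document (such as the output of `get-bucket-policy`) to confirm that such a statement is present. The bucket name and the sample policies are constructed; the checker assumes a Resource entry of `arn:aws:s3:::<bucket>/*` or `*` and does not evaluate other wildcard patterns.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringList accepts either a JSON string or a JSON array of strings, since the
// IAM policy grammar allows both for Resource, Action and condition values.
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = StringList(many)
	return nil
}

// Statement is the subset of a bucket policy statement needed here.
type Statement struct {
	Sid       string                           `json:"Sid,omitempty"`
	Effect    string                           `json:"Effect"`
	Principal interface{}                      `json:"Principal"`
	Action    StringList                       `json:"Action"`
	Resource  StringList                       `json:"Resource"`
	Condition map[string]map[string]StringList `json:"Condition,omitempty"`
}

// Policy is a bucket policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// DenyInsecureTransportPolicy returns a bucket policy that refuses every S3
// request to the bucket that did not arrive over TLS. aws:SecureTransport is
// the global condition key AWS sets to "false" for plain-HTTP requests.
func DenyInsecureTransportPolicy(bucket string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Sid:       "DenyInsecureTransport",
			Effect:    "Deny",
			Principal: "*",
			Action:    StringList{"s3:*"},
			Resource: StringList{
				"arn:aws:s3:::" + bucket,
				"arn:aws:s3:::" + bucket + "/*",
			},
			Condition: map[string]map[string]StringList{
				"Bool": {"aws:SecureTransport": {"false"}},
			},
		}},
	}
}

// EnforcesTLS parses a policy document and reports whether it contains a Deny
// statement keyed on aws:SecureTransport=false that covers the bucket's objects.
func EnforcesTLS(policyJSON []byte, bucket string) (bool, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return false, err
	}
	objects := "arn:aws:s3:::" + bucket + "/*"
	for _, st := range p.Statement {
		if st.Effect != "Deny" {
			continue
		}
		// Indexing a nil map is safe in Go, so a missing Condition just yields nil.
		if !contains(st.Condition["Bool"]["aws:SecureTransport"], "false") {
			continue
		}
		if contains(st.Resource, objects) || contains(st.Resource, "*") {
			return true, nil
		}
	}
	return false, nil
}

func contains(list StringList, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed bucket name for the demo.
	doc, _ := json.MarshalIndent(DenyInsecureTransportPolicy("example-bucket"), "", "  ")
	fmt.Println(string(doc))
	ok, _ := EnforcesTLS(doc, "example-bucket")
	fmt.Println("enforces TLS:", ok)
}
```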

When data is at rest, there are two main encryption methods: client-side encryption and server-side encryption.

A primer on Client side encryption


Client-Side Encryption

Client-side encryption consists of encrypting your data before it reaches Amazon S3. That way, Amazon S3 only ever sees encrypted data (ciphertext), because the data is encrypted before being uploaded to the cloud. Here are the key characteristics of client-side encryption:

  • You manage your own keys: to encrypt your data, you need one or more encryption keys. With client-side encryption, you are in charge of storing and protecting those keys. Without them, you might never be able to decrypt your data again.
  • You manage encryption and decryption: you decide how and when data is encrypted or decrypted.
  • You manage the storage and compute needed: you are in charge of storing your encrypted data on your local infrastructure before uploading it to Amazon S3. The same goes for your keys, which you have to store securely. The encryption and decryption process may also require a large amount of computational resources when processing large quantities of data.

The advantages of client-side encryption are pretty clear:

  • You have complete control over your encryption keys and policies, giving you more flexibility. This can be useful in regulated environments.
  • You benefit from increased security, because your data is already in ciphertext form before it leaves your infrastructure.

Tools like the AWS Encryption SDK help you manage the complexities of client-side encryption.


A primer on Server side encryption (using Amazon S3)

Server-Side Encryption

Server-side encryption consists of encrypting your data after it reaches the Amazon S3 endpoint. Amazon S3 is in charge of encrypting and decrypting your data, and the type of server-side encryption you choose determines how your keys are managed, who manages them (you or an AWS service), and how the encryption and decryption process is handled.

There are three types of server-side encryption supported in Amazon S3:

Server-Side Encryption with Customer-Provided Keys (SSE-C): you are in charge of securely managing and storing your keys and providing them to Amazon S3. Amazon S3 uses them to encrypt and decrypt your data.

  • Key point: you control your keys and offload the encryption to S3. Offloading encryption to S3 means you don't have to provide the computational power needed for the encryption process.

Server-Side Encryption with S3-Managed Keys (SSE-S3): Amazon S3 manages the keys and takes care of the encryption and decryption process. It is really a hands-off approach where you don't have to manage anything. For your information: today, all data uploaded to Amazon S3 is encrypted by default, at no additional cost. You can think of this method as the default one if you haven't specified any while uploading your data to S3.

  • Key points: no control over the keys, as they are all handled by Amazon S3; no role separation, since anyone in your organization with access to Amazon S3 can read or decrypt your encrypted data.

Server-Side Encryption with AWS Key Management Service (SSE-KMS): Amazon S3 encrypts your data using keys managed by AWS Key Management Service (KMS). AWS KMS is a fully managed service that lets you create, manage and control encryption keys in a secure and compliant way. You can control who has access to these keys, rotate them after a certain period, and define policies governing how they are used.

  • Key points: more security and control over access to your encryption keys; AWS handles the encryption process; you can audit key usage and monitor key access (useful for regulated industries); you can implement role separation, so that someone can have access to the keys but not to the data stored in Amazon S3, and vice versa.
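In practice the three modes are selected per request through S3 API headers, and S3 echoes the mode back in its response, which is what lets you verify that an object really was stored the way you asked. The following is an added example, not code from the original post or from AWS, written in Go with only the standard library. It builds the request headers for SSE-S3, SSE-KMS and SSE-C (including the base64 key and key-MD5 that SSE-C requires) and checks a response header set against the expected mode. The header names are the documented S3 ones; the demo key, the example KMS ARN and the sample responses are constructed.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// SSEMode names the three server-side encryption options S3 supports.
type SSEMode int

const (
	SSES3  SSEMode = iota // keys owned and managed by S3
	SSEKMS                // keys managed in AWS KMS
	SSEC                  // key supplied by the customer on every request
)

// S3 request/response header names for server-side encryption.
const (
	hdrSSE       = "x-amz-server-side-encryption"
	hdrKMSKeyID  = "x-amz-server-side-encryption-aws-kms-key-id"
	hdrCustAlgo  = "x-amz-server-side-encryption-customer-algorithm"
	hdrCustKey   = "x-amz-server-side-encryption-customer-key"
	hdrCustKeyMD = "x-amz-server-side-encryption-customer-key-MD5"
)

// SSES3Headers requests encryption with S3-managed keys.
func SSES3Headers() http.Header {
	h := http.Header{}
	h.Set(hdrSSE, "AES256")
	return h
}

// SSEKMSHeaders requests encryption with a KMS key (ID, alias or ARN). Who may
// use the key is then governed by the KMS key policy, which is what gives you
// role separation between key access and data access.
func SSEKMSHeaders(keyID string) http.Header {
	h := http.Header{}
	h.Set(hdrSSE, "aws:kms")
	h.Set(hdrKMSKeyID, keyID)
	return h
}

// SSECHeaders sends a customer-provided 256-bit key. S3 uses it to encrypt the
// object and does not store it; the MD5 header lets S3 confirm the key arrived
// intact. Because the key travels in the request, SSE-C must only be used over HTTPS.
func SSECHeaders(key []byte) (http.Header, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("SSE-C requires a 32-byte key, got %d bytes", len(key))
	}
	sum := md5.Sum(key)
	h := http.Header{}
	h.Set(hdrCustAlgo, "AES256")
	h.Set(hdrCustKey, base64.StdEncoding.EncodeToString(key))
	h.Set(hdrCustKeyMD, base64.StdEncoding.EncodeToString(sum[:]))
	return h, nil
}

// VerifyStored checks the headers S3 returns (on PutObject or HeadObject)
// against the mode you asked for. expected is the KMS key ARN for SSE-KMS or
// the base64 key MD5 for SSE-C, and is ignored for SSE-S3. S3 reports the KMS
// key by its full ARN even when the request used an alias or bare key ID.
func VerifyStored(resp http.Header, want SSEMode, expected string) error {
	switch want {
	case SSES3:
		if resp.Get(hdrSSE) != "AES256" {
			return errors.New("object not stored with SSE-S3")
		}
	case SSEKMS:
		if resp.Get(hdrSSE) != "aws:kms" {
			return errors.New("object not stored with SSE-KMS")
		}
		if expected != "" && resp.Get(hdrKMSKeyID) != expected {
			return fmt.Errorf("object encrypted under unexpected KMS key %q", resp.Get(hdrKMSKeyID))
		}
	case SSEC:
		if resp.Get(hdrCustAlgo) != "AES256" {
			return errors.New("object not stored with SSE-C")
		}
		if expected != "" && resp.Get(hdrCustKeyMD) != expected {
			return errors.New("object encrypted under a different customer key")
		}
	default:
		return errors.New("unknown SSE mode")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; use crypto/rand for a real one
	h, err := SSECHeaders(key)
	if err != nil {
		panic(err)
	}
	// Constructed response: S3 echoes the algorithm and key MD5 for SSE-C objects.
	resp := http.Header{}
	resp.Set(hdrCustAlgo, "AES256")
	resp.Set(hdrCustKeyMD, h.Get(hdrCustKeyMD))
	fmt.Println("SSE-C stored as requested:", VerifyStored(resp, SSEC, h.Get(hdrCustKeyMD)) == nil)
}
```

A missing `x-amz-server-side-encryption` header on a HeadObject response is the signal that an object was stored without the mode you intended, which is the check worth wiring into an upload pipeline or a periodic bucket audit.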


Conclusion

Data security is an important topic when using cloud technologies like Amazon S3.

Whether you prefer full control with client-side encryption or a more hands-off approach with server-side encryption, I hope this article has given you a good foundation and helped you understand the trade-offs between the two. Amazon Web Services offers tools for both encryption types, so it's all about finding what suits your needs best.


More articles by Georges Awono
