Amazon Cloud in encryption power grab

Public cloud providers have ultimate control over our data, applications, and data flows on their platforms.

Public cloud providers have ultimate control over our data, applications, and data flows on their platforms. This capability is the main cause of anxiety and a top reason for many companies to shy away from public cloud. One of the possible solutions to the problem is to implement a “lock and key” mechanism for public clouds. This would allow re-balancing of data control. The question is whether cloud providers want that.

Initial context

Enigma Bridge is a technology start-up, which has built a cloud key management service – comprising an enterprise PKI, secure hardware, trusted HTTPS interface, dynamic DNS, and so on. Security validations include physical tamper-resistance at FIPS140-2 Level 4, or Common Criteria EAL5+. 

My company, Enigma Bridge, was encouraged by Amazon Web Services (AWS) to submit the service to their marketplace. A process, which usually takes two weeks, has extended to a period of three months with a rejection at the end, and significant security consequences.

Dispute

An Amazon support team escalated our request to Amazon AWS product architects and they subsequently escalated the case to Amazon’s internal security teams – these are the groups I am aware of. There is an email trail showing the progress, from which I select two short quotations of Amazon teams to demonstrate their final rejection of our listing request.

“Our security teams have been investigating more into this and it is going to take some time for us to decide. Please note that the decision will impact not just new sellers like EnigmaBridge, but also existing product listings.”

“From what I’ve been able to gather the policy restrictions will prevent an AWS Marketplace listing, whether as paid-for AMI, BYOL AMI or even SaaS.”

Amazon justified the final decision by a change in its policy. However, I have not been given any specific policy statements. I would also expect support teams to know their marketplace listing policies by heart so the change must have been sudden.

A general concern Amazon voiced was that they were not able to ensure “the operational capabilities of external HSMs [We have no way of vetting each one of them].” – HSMs being hardware security modules, i.e., hardware providing the “lock and key” property. This argument goes to the heart of cloud technology. It is also one of the main features of our encryption platform. The scalability, multi-tenancy, and load balancing are features my company addressed from early design stages.

Justification

The question is, whether doubts about the operational capabilities justify this rejection. AWS is based on “renting” virtual servers, which have well defined operational parameters. There is no automatic scaling of hardware resources. While Amazon is big enough to add hardware resources as needed, they occasionally run out of the “cloud” – the latest incident happened in their London datacentre on March 24 (widely reported at the time). There absolutely must be clarity about the limitations of any new cloud service but using that as a reason for rejections of requests for marketplace listing is just not credible.

Security and control

There are more important consequences, though – security. As Amazon’s statements suggest, this change in their policy applies to all vendors, even existing listings. Independent key management systems are crucial for data encryption and security in general. 

Indeed, AWS Marketplace now contains only virtual encryption services running as software encryption on the Amazon platform.  This situation when AWS customers can only use software implementations restores Amazon’s capability of backdoor access to customer data. 

At the moment, all Amazon supported encryption services allow them, from the technology point of view, accessing customer encryption keys and data.

The dominating security role of cloud providers has feasibility and financial impact on public cloud customers. Certain external audit frameworks require “sole control” of encryption. The same requirement is part of legally binding qualified signatures in EU (eIDAS). A new data protection framework – General Data Protection Regulation (GDPR) will come into effect in early 2018 and affect anyone storing data of EU citizens with severe penalties derived from global revenues of companies found in breach of their obligations. 

Landscape

I do live in the real world. There is a constant re-balancing of rights and responsibilities between internet users trying to protect their privacy, enterprises protecting their commercial interests, and governments protecting us all.

The role of cloud providers has become ever more important due to the advancement of public cloud services. Security has become an important factor in public cloud marketing. All big players in the public cloud market offer protection of the platforms. They can encrypt data on the disk, provide encryption keys for your applications, and encrypt web traffic. 

What is not so clear is how much of this public cloud security is actually for the benefit of customers.

  • Encryption of data at rest (i.e., stored on disk) – if someone steals a disk from their data centre, the data will be encrypted;
  • HTTPS security – if someone listens to your web traffic, it will be encrypted;
  • Audit log of changes to your cloud resources – if your employee accesses a database server, you will see a record of that.

Only some of these mechanisms benefit cloud customer. Neither of these security measures, however, protects customers from their cloud provider.

  • The disk encryption key is stored in software on a virtual server run by the cloud provider.
  • The HTTPS server key is available on your virtual servers or via the provided software key management service of the cloud platform.
  • A valid court order may prevent the cloud provider to log access to your data.

Public cloud providers simply hold keys to omnipotent backdoor to our data.

Some say we should trust Amazon and other big cloud providers. They are the only ones who can protect us from all threats, including rogue service providers that could compromise our data. The cloud providers may argue that a complete control over all our data allows them to ensure that no one else can compromise it. 

However, strong security requires transparency. There is a lack of transparency. Even enterprise customers are unable to get satisfactory answers to questions about details of public cloud security. I also believe that strong security requires distribution of control for effective checks and balances.

Dan Cvrcek, co-founder, Enigma Bridge
Image Credit: Chaiyapop Bhumiwat / Shutterstock