Atlassian's Solution for Multi-Region Encryption and Decryption
AWS Summit Sydney
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tom Knight, Developer, Atlassian
Martien Verbruggen, Architect, Atlassian
Atlassian
creates more cloud products for more customers
Atlassian’s Platform as a Service
µ Micros
Micros, our PaaS
µ Micros
Developers
Services
Resources
Cryptor use case: database credentials
Diagram: a DB Manager in Region X creates the database (1) and stores the credentials (2); applications in Region 1 and Region 2 get the credentials from their config (3) and connect (4).
Cryptor use case: confidential messages
Diagram: a Producer in Region 1 sends messages; Consumers in Region 2 and Region 4 read them, alongside a service in Region 4 that is not a consumer.
Cryptor optimises for
Security: manage keys and authorisation
Resilience: Never™ fail
Performance: deal with latency and scale
Ease of use: simple API, standard metrics, multi-region
Why not just use KMS?
Single-region
Performance
Resilience
Trusted
Secure
Powerful authZ
Solution: Use the SDK and customise
Diagram: the application, in any region, does envelope encryption through a TTL-based cache backed by KMS 1, KMS 2 and KMS 3 in Region 1, Region 2 and Region 3.
AWS Encryption SDK example
import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager
import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache
import com.amazonaws.encryptionsdk.kms.KmsMasterKey
import com.amazonaws.encryptionsdk.multi.MultipleProviderFactory
import java.util.concurrent.TimeUnit

// keys: one KmsMasterKeyProvider per region; KMS_MAX_CACHE_SIZE and
// KMS_MAX_CACHE_AGE are configuration constants (all defined off-slide)
val cache = LocalCryptoMaterialsCache(KMS_MAX_CACHE_SIZE) // bounded local data-key cache
val keyProvider = MultipleProviderFactory.buildMultiProvider(KmsMasterKey::class.java, keys) // wraps each data key under every region's KMS key
val cmm = CachingCryptoMaterialsManager // reuses cached data keys for up to KMS_MAX_CACHE_AGE seconds
    .newBuilder()
    .withMasterKeyProvider(keyProvider)
    .withCache(cache)
    .withMaxAge(KMS_MAX_CACHE_AGE, TimeUnit.SECONDS)
    .build()
Implementation: multi-region, fault tolerance, performance
Solution: Encryption
Multiple regions
Quorum: 2 out of 3 regions (configurable)
Bespoke encryption context
Improve data key reuse
Encryption pooling
Pre-fetch data keys
Usage and TTL
Encryption context
Metadata and an extra layer of security
Solution: Decryption
Decryption caching
Latency-based selection of KMS
Fetch keys in parallel
Data keys are decrypted in parallel
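The core of the encryption and decryption slides above, as an added example in Go that is neither Atlassian's Cryptor code nor the AWS Encryption SDK: a data key is wrapped under a per-region master key with a configurable quorum (2 of 3), the encryption context is bound as AAD so a mismatched context is refused, and unwrapping walks the regions in latency order and falls back when one is unreachable. The region names, 32-byte master keys and the in-memory stand-in for KMS are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Seal/Open are AES-GCM with the encryption context as AAD: a mismatched
// context fails authentication. Keys are 32 bytes; a 12-byte nonce is prefixed.
func Seal(key, pt, ctx []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, ctx)
}
func Open(key, ct, ctx []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:12], ct[12:], ctx)
}
// WrapDataKey wraps one data key under each reachable region's master key and
// refuses to return anything unless at least quorum regions hold a copy.
func WrapDataKey(reachable map[string][]byte, quorum int, dk []byte, ctx string) (map[string][]byte, error) {
	wrapped := map[string][]byte{}
	for region, master := range reachable {
		wrapped[region] = Seal(master, dk, []byte(ctx))
	}
	if len(wrapped) < quorum {
		return nil, fmt.Errorf("%d regions wrapped the data key, quorum is %d", len(wrapped), quorum)
	}
	return wrapped, nil
}
// UnwrapDataKey tries regions in byLatency order (lowest measured latency first)
// and falls back to the next one when a region is unreachable or refuses.
func UnwrapDataKey(reachable map[string][]byte, byLatency []string, wrapped map[string][]byte, ctx string) ([]byte, error) {
	for _, region := range byLatency {
		if w, ok := wrapped[region]; ok && reachable[region] != nil {
			if dk, err := Open(reachable[region], w, []byte(ctx)); err == nil {
				return dk, nil
			}
		}
	}
	return nil, fmt.Errorf("no reachable region could unwrap the data key")
}
```

A region that is down is simply absent from the reachable map, which is what drives both the quorum refusal on wrap and the fallback on unwrap.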
Solution: Integration
Java library: the most widely used language in Atlassian
Sidecar: Docker container with 2 API endpoints, a Java library with Spring Boot
Sample code for library call
// Setup: keyAliasList names the KMS key aliases this client may use and
// config holds its cache and region settings (both defined off-slide)
val cryptorClient = CryptorClientFactory.build(keyAliasList, config)
// Values
val originalPlainText = "Encrypt Me"
val encryptionContext = mapOf("CustomerId" to "123456")
// Encrypt under keyAlias; decrypt takes the same encryption context that was used to encrypt
val cipherText = cryptorClient.encrypt(keyAlias, originalPlainText, encryptionContext)
val plainText = cryptorClient.decrypt(cipherText, encryptionContext)
Sample REST call
Solution: service descriptor
name: encrypting-service
organization: foo
...
resources:
  - type: cryptor
    name: secret-key
    decryptors:
      - secret-reader
      - secret-checker
      - audit-agent
Solution: PaaS and resource provider
Diagram: Micros (in the Micros account) calls setup(@roles, key-alias) on the Cryptor provider (in the Cryptor account), which provisions keys in AWS KMS and roles and policies in AWS IAM.
Solution: Operational
Standard metrics and logs from sidecar
Visible to service owners, security and central team
Standard configuration
Standardised cache configurations
Multi-region configurations
Metrics dashboard
Summary
Security Resilience Performance Ease of use
Open source
Announcement when we ship it, at
https://www.atlassian.com/blog/technology
Thank you!
Tom Knight, Martien Verbruggen