Atlassian's Solution for Multi-Region Encryption and Decryption - AWS Summit Sydney

Atlassian runs a global SaaS platform where security and customer privacy are critical. This talk focuses on the solution they built using KMS and IAM to provide resilient cross-region encryption and decryption, optimised for performance. Come and learn how Atlassian approached this challenge, and built a solution using a combination of AWS services and the AWS Encryption SDK.

  1. SUMMIT SYDNEY
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Atlassian's Solution for Multi-Region Encryption and Decryption. Tom Knight, Developer, Atlassian; Martien Verbruggen, Architect, Atlassian
  3. Atlassian creates products for customers
  4. Atlassian creates cloud products for customers
  5.–6. Atlassian creates more cloud products for customers
  7. Atlassian creates more cloud products for more customers
  8. Atlassian's Platform as a Service: Micros
  9.–10. Micros, our PaaS (diagram: Developers, Services, Resources)
  11. Cryptor use case: database credentials (diagram: applications in Region 1, Region 2 … Region X, a DB Manager and its config)
      1 - create database
      2 - store credentials
      3 - get credentials
      4 - connect
  12. Cryptor use case: confidential messages (diagram: a Producer in Region 1 publishes Messages; Consumers in Region 2 and Region 4 read them; a service labelled "Not a Consumer" is not among the readers)
  13.–17. Cryptor optimises for:
      Security - manage keys and authorisation
      Resilience - Never™ fail
      Performance - deal with latency and scale
      Ease of use - simple API, standard metrics, multi-region
  18. Why not just use KMS? It is trusted, secure and has powerful authZ, but a key is single-region, which limits performance and resilience for a multi-region platform
  19. Solution: use the SDK and customise (diagram: an Application in any region, a TTL-based cache, the encryption envelope, and KMS 1 / KMS 2 / KMS 3 in Region 1 / Region 2 / Region 3)
  20. AWS Encryption SDK example (Kotlin)

      import com.amazonaws.encryptionsdk.caching.CachingCryptoMaterialsManager
      import com.amazonaws.encryptionsdk.caching.LocalCryptoMaterialsCache
      import com.amazonaws.encryptionsdk.kms.KmsMasterKey
      import com.amazonaws.encryptionsdk.multi.MultipleProviderFactory
      import java.util.concurrent.TimeUnit

      // KMS_MAX_CACHE_SIZE, KMS_MAX_CACHE_AGE and keys (one KmsMasterKeyProvider per regional key)
      // are defined elsewhere; the slide shows only the cache wiring.
      val cache = LocalCryptoMaterialsCache(KMS_MAX_CACHE_SIZE)  // bounded in-memory cache of data keys
      val keyProvider = MultipleProviderFactory.buildMultiProvider(KmsMasterKey::class.java, keys)  // one provider over all regional keys
      val cmm = CachingCryptoMaterialsManager
          .newBuilder()
          .withMasterKeyProvider(keyProvider)
          .withCache(cache)
          .withMaxAge(KMS_MAX_CACHE_AGE, TimeUnit.SECONDS)  // TTL after which a cached data key is no longer reused
          .build()  // message and byte use limits stay at the SDK defaults unless withMessageUseLimit/withByteUseLimit are set
  21. Multi-region, fault tolerance, performance, implementation
  22. Solution: Encryption
      Multiple regions - quorum: 2 out of 3 regions (configurable)
      Bespoke encryption context
      Improve data key reuse - encryption pooling, pre-fetch data keys, usage and TTL limits
  23. Encryption context: metadata bound to the ciphertext as additional authenticated data (authenticated, not encrypted); decryption fails unless the same context is supplied, an extra layer of security
  24. Solution: Encryption (build of slide 22)
  25. Solution: Decryption
      Decryption caching
      Latency-based selection of KMS
      Fetch keys in parallel; data keys are decrypted in parallel
  26. Solution: Integration
      Java library - most widely used language in Atlassian
      Sidecar - Docker container with 2 API endpoints, a Java library with Spring Boot
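The encryption (slide 22) and decryption (slide 25) design above, as an added example that is not Atlassian's Cryptor code and not the AWS Encryption SDK: a Python model of the quorum write (2 of 3 regions), a cached data key with TTL and use limits, the encryption context bound as additional authenticated data, and latency-ordered decryption with failover when the nearest region is down. KMS is replaced by an in-memory MockKms and the SDK's AES-GCM by an HMAC-SHA256 stand-in so the script runs offline on the standard library; the region names, latencies, the CustomerId context, the key sizes and the secret are constructed for the demo.

```python
"""Quorum multi-region envelope encryption in the shape of the talk's Cryptor design. Added
example, not Atlassian's or AWS's code: KMS is an in-memory stand-in (MockKms) and the SDK's
AES-GCM is replaced by HMAC-SHA256 counter mode plus an HMAC tag so it runs offline on the
standard library. Region names, latencies, keys and secrets are constructed for the demo."""
import hashlib, hmac, os, secrets, time

class KmsUnavailable(Exception):
    """A (mock) regional KMS endpoint could not be reached."""

def _ctx_bytes(ctx):
    return "&".join(f"{k}={ctx[k]}" for k in sorted(ctx)).encode()  # canonical AAD encoding

def _xor_stream(key, nonce, data):  # HMAC counter mode; 0x00 prefix separates it from the tag domain
    stream = b"".join(hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, nonce, aad, ct):
    return hmac.new(key, b"\x01" + nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()

def _seal(key, plaintext, aad):  # encrypt-then-MAC with the AAD bound into the tag
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _tag(key, nonce, aad, ct)

def _open(key, blob, aad):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise ValueError("authentication failed: wrong key or encryption context")
    return _xor_stream(key, nonce, ct)

class MockKms:
    """One region's KMS: the master key never leaves this object; `available` models an outage."""
    def __init__(self, region, latency_ms, available=True):
        self.region, self.latency_ms, self.available = region, latency_ms, available
        self._master = secrets.token_bytes(32)

    def encrypt(self, data_key, ctx):  # kms:Encrypt with EncryptionContext
        if not self.available:
            raise KmsUnavailable(self.region)
        return _seal(self._master, data_key, _ctx_bytes(ctx))

    def decrypt(self, wrapped, ctx):  # kms:Decrypt; fails unless the context matches exactly
        if not self.available:
            raise KmsUnavailable(self.region)
        return _open(self._master, wrapped, _ctx_bytes(ctx))

class Cryptor:
    def __init__(self, kms_by_region, quorum=2, max_age_s=300, max_uses=1000):  # talk: 2 of 3 regions
        self.kms, self.quorum, self.max_age_s, self.max_uses = kms_by_region, quorum, max_age_s, max_uses
        self._cache = {}  # ctx bytes -> [data_key, wrapped_by_region, created_at, uses]

    def _materials(self, ctx):
        # Reuse a cached data key until TTL or use limit is hit (as the SDK's caching CMM does),
        # otherwise generate a fresh key and wrap it in every region.
        hit = self._cache.get(_ctx_bytes(ctx))
        if hit and time.monotonic() - hit[2] < self.max_age_s and hit[3] < self.max_uses:
            hit[3] += 1
            return hit[0], hit[1]
        data_key, wrapped = secrets.token_bytes(32), {}
        for region, kms in self.kms.items():
            try:
                wrapped[region] = kms.encrypt(data_key, ctx)
            except KmsUnavailable:
                pass  # tolerated as long as the quorum below is met
        if len(wrapped) < self.quorum:
            raise KmsUnavailable(f"{len(wrapped)} of {len(self.kms)} regions wrapped the key; need {self.quorum}")
        self._cache[_ctx_bytes(ctx)] = [data_key, wrapped, time.monotonic(), 1]
        return data_key, wrapped

    def encrypt(self, plaintext, ctx):
        data_key, wrapped = self._materials(ctx)
        return {"ctx": dict(ctx), "wrapped": wrapped, "body": _seal(data_key, plaintext, _ctx_bytes(ctx))}

    def decrypt(self, envelope, ctx):  # lowest-latency region first, fall back on outage
        for region in sorted(envelope["wrapped"], key=lambda r: self.kms[r].latency_ms):
            try:
                data_key = self.kms[region].decrypt(envelope["wrapped"][region], ctx)
            except KmsUnavailable:
                continue
            return _open(data_key, envelope["body"], _ctx_bytes(ctx)), region
        raise KmsUnavailable("no region could unwrap the data key")

def demo():
    regions = {"ap-southeast-2": MockKms("ap-southeast-2", 5), "us-west-2": MockKms("us-west-2", 150),
               "eu-west-1": MockKms("eu-west-1", 300, available=False)}  # one region down during encrypt
    cryptor, ctx = Cryptor(regions), {"CustomerId": "123456"}
    env = cryptor.encrypt(b"postgres://app:s3cret@db.internal/jira", ctx)  # constructed secret
    env2 = cryptor.encrypt(b"second secret", ctx)  # same context: cached data key, no KMS round trip
    plaintext, first = cryptor.decrypt(env, ctx)
    regions["ap-southeast-2"].available = False  # local region outage: decrypt must fall back
    _, fallback = cryptor.decrypt(env, ctx)
    forged = dict(env, ctx={"CustomerId": "999999"})  # attacker rewrites the stored context
    try:
        cryptor.decrypt(forged, forged["ctx"])
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True  # every region refuses: the context is bound into the wrapped key
    return {"plaintext": plaintext, "wrapped_regions": sorted(env["wrapped"]), "first_region": first,
            "fallback_region": fallback, "cache_reused": env["wrapped"] is env2["wrapped"], "tamper_rejected": tamper_rejected}
```

Calling demo() returns the decrypted credential, the two regions that wrapped the data key (the third was down but the quorum of 2 was met), the region used for the first decrypt (the lowest-latency one) and for the fallback after that region is switched off, and that the second encrypt under the same context reused the cached data key. The forged-context case is the one to note: rewriting the context stored beside the ciphertext gains an attacker nothing, because each regional wrap is authenticated over that context, so an unwrap under a different context fails in every region; a real kms:Decrypt with a mismatched EncryptionContext behaves the same way.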
  27. Sample code for library call (Kotlin)

      // Setup: one client over the configured key aliases
      val cryptorClient = CryptorClientFactory.build(keyAliasList, config)
      // Values
      val originalPlainText = "Encrypt Me"
      val encryptionContext = mapOf("CustomerId" to "123456")
      // Encrypt and Decrypt: the same encryption context must be supplied on decrypt
      val cipherText = cryptorClient.encrypt(keyAlias, originalPlainText, encryptionContext)
      val plainText = cryptorClient.decrypt(cipherText, encryptionContext)
  28. Sample REST call (screenshot, not reproduced)
  29. Solution: service descriptor (Micros)

      name: encrypting-service
      organization: foo
      ...
      resources:
        - type: cryptor
          name: secret-key
          decryptors:
            - secret-reader
            - secret-checker
            - audit-agent
  30. Solution: PaaS and resource provider (diagram: Micros calls the Cryptor provider with setup(@roles, key-alias); the provider creates keys in AWS KMS and roles and policies in AWS IAM, spanning the Micros account and the Cryptor account)
  31. Solution: Operational
      Standard metrics and logs from the sidecar, visible to service owners, security and the central team
      Standard configuration: standardised cache configurations, multi-region configurations
  32. Metrics dashboard (screenshot, not reproduced)
  33.–37. Summary: Security, Resilience, Performance, Ease of use
  38. Open source: announcement when we ship it, at https://www.atlassian.com/blog/technology
  39. Thank you! Tom Knight, Martien Verbruggen
