Atlassian's Solution for Multi-Region Encryption and Decryption - AWS Summit Sydney

•

2 likes•632 views

Atlassian runs a global SaaS platform where security and customer privacy are critical. This talk focuses on the solution they built using KMS and IAM to provide resilient cross-region encryption and decryption, optimised for performance. Come and learn how Atlassian approached this challenge, and built a solution using a combination of AWS services and the AWS Encryption SDK.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian's Solution for Multi-Region
Encryption and Decryption
Tom Knight
Developer
Atlassian
Martien Verbruggen
Architect
Atlassian

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates products for customers

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates customerscloud products for

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
creates more customerscloud products for

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian
cloud products for more customerscreates more

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Atlassian’s Platform as a Service
µ Micros

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Micros, our PaaS
µ Micros
Developers
Services
Resources

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 1
Cryptor use case: database credentials
Application
Region 2
Application
Region X
DB
Manager
config config
1 - create database
2 - store credentials
3 - get credentials4 - connect

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 4
Cryptor use case: confidential messages
Not a
Consumer
Region 1
Producer
MessagesMessages
Region 4
Consumer
Messages
Region 2
Consumer
Messages

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor optimises for
Security Resilience Performance Ease of use
Manage keys
and
authorisation

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why not just use KMS?
Single-region
Performance
Resilience
Trusted
Secure
Powerful authZ

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Region 1
Solution: Use the SDK and customise
Region 2 Region 3
Any region
KMS 3KMS 2KMS 1
TTL
based
cache
encryption
envelope
Application

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Encryption SDK example
val cache = LocalCryptoMaterialsCache(KMS_MAX_CACHE_SIZE)
val keyProvider = MultipleProviderFactory.buildMultiProvider(KmsMasterKey::class.java, keys)
val cmm = CachingCryptoMaterialsManager
.newBuilder()
.withMasterKeyProvider(keyProvider)
.withCache(cache)
.withMaxAge(KMS_MAX_CACHE_AGE, TimeUnit.SECONDS)
.build()

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-region Fault
tolerance
Performance
Implementation

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Encryption
Multiple regions
Quorum: 2 out of 3 regions - configurable
Bespoke encryption context
Improve datakey reusage
Encryption pooling
Pre fetch data keys
Usage and TTL

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Encryption context
Meta data Extra layer of
security

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Decryption
Decryption caching
Latency-based selection of KMS
Fetch keys in parallel
Datakeys are decrypted in parallel

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Integration
Java library
Most widely used language in Atlassian
Sidecar
Docker container with 2 API endpoints
Java library with Spring Boot

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample code for library call
// Setup
val cryptorClient = CryptorClientFactory.build(keyAliasList, config)
// Values
val originalPlainText = "Encrypt Me"
val encryptionContext = mapOf("CustomerId" to "123456")
// Encrypt and Decrypt
val cipherText = cryptorClient.encrypt(keyAlias, originalPlainText,
encryptionContext)
val plainText = cryptorClient.decrypt(cipherText, encryptionContext)

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample REST call

S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Solution: service descriptor
name: encrypting-service
organization: foo
...
resources:
- type: cryptor
name: secret-key
decryptors:
- secret-reader
- secret-checker
- audit-agent
µ

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cryptor account
Micros account
Solution: PaaS and resource provider
Keys
Roles
Policies
AWS IAM
AWS KMS
setup(@roles, key-alias)
µ Micros
Cryptor
provider

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Solution: Operational
Standard metrics and logs from sidecar
Visible to service owners, security and central team
Standard configuration
Standardised cache configurations
Multi-region configurations

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Metrics dashboard

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Summary
Security Resilience Performance Ease of use

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Open source
Announcement when we ship it, at
https://www.atlassian.com/blog/technology

Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tom Knight Martien Verbruggen

What's hot

In this article i would like to share some of the insights on AWS Auto Scaling in following perspectives: • Need for Auto Scaling • How AWS Auto scaling can help to handle the various load volatility scenarios • How to configure an Auto scaling policy in AWS • Things to remember before Scaling out and down • Understand the intricacies while integrating Auto scaling with other Amazon Web Services • Risks involved in AWS Auto scaling

Auto scaling using Amazon Web Services ( AWS )

Harish Ganesan

AWS Blackbelt 2015シリーズ Amazon EC2 Container Service (Amazon ECS)

Amazon Web Services Japan

In this builders session, we cover the fundamentals of performance tuning for OLTP query workloads against Amazon Neptune. Using AWS CloudFormation scripts, participants have the opportunity to set up a Neptune and Jupyter Notebook stack, enabling them to run small read and write query workloads against Neptune in their own AWS account. After a short discussion of Neptune’s architecture, we tune the scripts to maximize the throughput of the sample workloads through client-side parameter tuning and server-side improvements, such as failover to larger instance types and provisioning additional read replicas. Throughout the session, we discuss how to use Amazon CloudWatch metrics to understand system behavior and identify optimization potential.

Neptune Performance Tuning: Get the Best out of Amazon Neptune (DAT360) - AWS...

Amazon Web Services

Amazon SageMaker is a fully-managed platform that lets developers and data scientists build and scale machine learning solutions. First, we'll show you how SageMaker Ground Truth helps you label large training datasets. Then, using Jupyter notebooks, we'll show you how to build, train and deploy models using built-in algorithms and frameworks (TensorFlow, Apache MXNet, etc). Finally, we'll show you how to use 3rd-party models from the AWS marketplace.

Build, train, and deploy ML models at scale.pdf

Amazon Web Services

Services comparison among Microsoft Azure AWS and Google Cloud Platform

indu Yadav

Amazon S3 and EC2

george.james

Come to this session to learn how Amazon DynamoDB was built as the hyper-scale database for internet-scale applications. In January 2012, Amazon launched DynamoDB, a cloud-based NoSQL database service designed from the ground up to support extreme scale, with the security, availability, performance, and manageability needed to run mission-critical workloads. This session discloses for the first time the underpinnings of DynamoDB, and how we run a fully managed nonrelational database used by more than 100,000 customers. We cover the underlying technical aspects of how an application works with DynamoDB for authentication, metadata, storage nodes, streams, backup, and global replication.

Amazon DynamoDB Under the Hood: How We Built a Hyper-Scale Database (DAT321) ...

Amazon Web Services

간단한 게임을 쉽고 저렴하게 서비스해보자! ::: AWS Game Master 온라인 시리즈 #1

Amazon Web Services Korea

Apache Kafka is a popular, open-source technology for collecting, processing, and analyzing streaming data in real-time. Amazon MSK is a fully managed service that removes the complexities of managing Kafka clusters so that you can focus on building real-time applications. In this session, we provide an overview of Amazon MSK and then discuss how to get started. We then look at some best practices and top tips, and walk through how to decide whether to choose Amazon MSK, Amazon Kinesis, or a mix of both to address your data streaming use cases.

A deep dive into Amazon MSK - ADB206 - Chicago AWS Summit

Amazon Web Services

Abstract: ********* A resilient architecture acts as a strong foundation for secure applications. Designing such an architecture can be challenging, if you’re not relying on security design principles to guide you. Nevertheless, many developers neglect those fundamentals. Thomas will start by discussing the importance of security design principles and how to apply them in your own projects. He will follow up with a deep-dive into a selection of important principles. Understanding the nuances of those principles allows you to adapt them to your specific needs and decide, whether and where to apply them. Speaker: ********** Thomas Kerbl (Team Lead / Principal Security Consultant - SEC Consult) Talk language: English

SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...

SBA Research

20191009 AWS Black Belt Online Seminar Amazon GameLift

Amazon Web Services Japan

Amazon EBS: Deep Dive

Amazon Web Services

AWS Elastic Beanstalk: Running Multi-Container Docker Applications - DevDay L...

Amazon Web Services

In this webinar, you'll learn about the foundational security blocks and how to start using them effectively to create robust and secure architectures. Discover how Identity and Access management is done and how it integrates with other AWS services. In addition, learn how to improve governance by using AWS Security Hub, AWS Config and CloudTrail to gain unprecedented visibility of activity in the account. Subsequently use AWS Config rules to rectify configuration issues quickly and effectively.

Fundamentals of AWS Security

Amazon Web Services

by Isaiah Weiner, Sr. Manager of Solutions Architecture, AWS Companies are using AWS to create and deploy efficient, fast, and cost-effective backup and restore capabilities to protect critical IT systems without incurring the infrastructure expense of a second physical site. In this session, we will talk about cloud-based services AWS provides to enable robust backup and rapid recovery of your IT infrastructure and data.

AWS for Backup and Recovery

Amazon Web Services

20180417 AWS White Belt Online Seminar クラウドジャーニー

Amazon Web Services Japan

Learn how Amazon.com continuously improves the availability and performance of its website with AWS. Gavin Jewell, Director of Amazon's Consumer Cloud Enablement group, will go in depth on how Amazon CloudFront helps them accelerate their website globally, and how it gives flexibility to apply various security measures at the edge. He will also explain how they are using services such as AWS Shield, AWS WAF, and Route 53. Lastly, we will explore Amazon.com’s continuous and incremental re-architecture program that ensures their infrastructure is constantly updated to use AWS natively.

Case Study: The internals of Amazon.com's architecture that allows it to secu...

Amazon Web Services

Netweb flytxt-big-data-case-study

IntelAPAC

Operational Excellence with Containerized Workloads Using AWS Fargate (CON320...

Amazon Web Services

This free, one-day training will provide a step-by-step introduction to the core AWS services for compute, storage, database, and networking. AWS technical experts will explain key features and use cases, share best practices, walk through technical demos, and be available to answer your questions one-on-one. Who should attend? AWSome Day is ideal for IT managers, system engineers, system administrators, and architects who are eager to learn more about cloud computing and how to get started on the AWS Cloud.

Introduction to the AWS Cloud - AWSome Day 2019 - Denver

Amazon Web Services

What's hot (20)

Auto scaling using Amazon Web Services ( AWS )

AWS Blackbelt 2015シリーズ Amazon EC2 Container Service (Amazon ECS)

Neptune Performance Tuning: Get the Best out of Amazon Neptune (DAT360) - AWS...

Build, train, and deploy ML models at scale.pdf

Services comparison among Microsoft Azure AWS and Google Cloud Platform

Amazon S3 and EC2

Amazon DynamoDB Under the Hood: How We Built a Hyper-Scale Database (DAT321) ...

간단한 게임을 쉽고 저렴하게 서비스해보자! ::: AWS Game Master 온라인 시리즈 #1

A deep dive into Amazon MSK - ADB206 - Chicago AWS Summit

SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...

20191009 AWS Black Belt Online Seminar Amazon GameLift

Amazon EBS: Deep Dive

AWS Elastic Beanstalk: Running Multi-Container Docker Applications - DevDay L...

Fundamentals of AWS Security

AWS for Backup and Recovery

20180417 AWS White Belt Online Seminar クラウドジャーニー

Case Study: The internals of Amazon.com's architecture that allows it to secu...

Netweb flytxt-big-data-case-study

Operational Excellence with Containerized Workloads Using AWS Fargate (CON320...

Introduction to the AWS Cloud - AWSome Day 2019 - Denver

Similar to Atlassian's Solution for Multi-Region Encryption and Decryption - AWS Summit Sydney

Customers are building secure environments in the cloud for data science, analytics, and machine learning. In this session we will introduce the services and features customers are using to build secure data science environments. The session will focus on Amazon SageMaker, a fully managed service supporting the entire machine learning lifecycle, and touch on other supporting AWS services. We are proud to be joined by Royal Bank of Scotland who will walk you through how they are building secure machine learning models on AWS today.

Secure machine learning - Guarding your data and gaining insights

Amazon Web Services

Nubank, Latin America’s first (and largest) cloud-native bank, has relied on AWS since day one. Operating in the cloud allows Nubank’s developers to create software that scales and quickly adapts to the changing needs of a complex market and a growing business. Nubank relies on services like Amazon EC2, Amazon DynamoDB, Amazon VPC, Amazon S3, and AWS CloudFormation to let 8.5 million customers make around 2.5 million purchases per day—all without a dedicated infrastructure team. Learn how Nubank’s fully automated, cell-based architecture allows the bank to provide the best customer experience while generating reliable audited financial records for regulators.

How Nubank is building a customer-obsessed bank - FSV201 - New York AWS Summit

Amazon Web Services

Migliora la disponibilità e le prestazioni delle tue applicazioni con Amazon ...

Amazon Web Services

Data exfiltration is a key concern for financial institutions, which often store personally identifiable information, payment card information, and proprietary methods or algorithms. Balancing security and agility in identity and access management (IAM) policies is critical. To achieve this balance, Millennium Management developed a security framework that integrates into CI/CD pipelines. This framework utilizes semantic reasoning, proprietary security evaluations, and AWS Zelkova to achieve provably secure IAM policies pre-deployment in a distributed, multi-account environment. Learn how Millennium combined Zelkova with services such as AWS Step Functions, AWS Lambda, and AWS CodePipeline—for rapid development while mitigating data exfiltration risk.

How Millennium Management achieves provable security with AWS Zelkova - FSV30...

Amazon Web Services

Speaker: Donnie Prakoso, Technology Evangelist, ASEAN, AWS Most developers today are adopting a micro-services based application design. Microservices can provide higher system reliability, fine-grained scalability and faster development cycles. At hyperscale (thousands to millions of requests per second), however, additional thought, careful design, and greater operational rigor is required. In this session, learn from AWS experts who have extracted four fundamental design principles and best practices for hyperscale applications from the experiences of our customer globally. Aided by live demos, presenters will show how event driven architectures, asynchronous communication, service discover and service orchestration are the pillars of hyperscale systems.

AWS Summit Singapore 2019 | Operating Microservices at Hyperscale

AWS Summits

Automate Security Event Management Using Trust-Based Decision Models - AWS Su...

Amazon Web Services

Most modern businesses depend on a portfolio of technology solutions to successfully operate every day. How do you know whether your team is following best practices or what the risks are in your architectures? In this session, we show how the AWS Well-Architected Framework provides prescriptive advice on best practices and how the AWS Well-Architected Tool enables you to measure and improve your technology portfolio. We explain how other customers are using the AWS WA Tool in their businesses and share what we learned from reviewing tens of thousands of architectures across operational excellence, security, reliability, performance efficiency, and cost optimization.

Introduction to the AWS Well-Architected Framework and AWS WA Tool - SVC214-R...

Amazon Web Services

Castles in Castles - Secure Operational Scale - AWS Summit Sydney

Amazon Web Services

No matter how much effort, money, and resources you invest in your applications to ensure high availability and low latency, it won’t matter if your users are accessing them via a slow or congested public network. In this session, we introduce AWS Global Accelerator, a new global service that enables you to optimally route traffic to your multi-regional endpoints via static Anycast IP addresses that are announced from the expansive AWS edge network. This session walks through various features and customer use cases, including several examples that demonstrate how you can use Global Accelerator to achieve near-zero application downtime and reduce latency for your global applications.

Introduction to AWS Global Accelerator - SVC211 - Chicago AWS Summit

Amazon Web Services

AWS provides the most comprehensive, secure, scalable, and cost-effective portfolio of services for building data lakes for analytics. In this session, learn how to discover, load, store, catalog, prepare, and secure your data in a data lake. Then, learn to analyze with the largest choice of analytics approaches, including big data, data warehouse, operational, and real-timing streaming analytics, and even ML and AI. Ensure that your needs are met for existing and future analytics use cases. Hear how leading companies found success with their data lake initiatives.

Building data lakes for analytics on AWS - ADB201 - Santa Clara AWS Summit.pdf

Amazon Web Services

Architecting security & governance across your AWS environment

Amazon Web Services

Running Lean Performant Yet Cost Optimised - AWS Summit Sydney

Amazon Web Services

Threat detection solution on AWS democratizes cyber security tools that were previously cost and skill prohibitive, so they can counter the rapidly advancing threat landscape. The result will not only assist in improving the customer's security posture, but also provide a security architecture that can scale as business workloads scale. This solution will provide AWS customers with the capability to detect security threats, prioritize identified threats, and provide recommendations using threat intelligence. The scope is not limited to AWS, but also includes hybrid deployments, traditional data centers, enterprise/satellite offices, and other cloud service providers. Join this session to learn how you can leverage this solution to gain visibility in your environment and detect indicators of attack.

Threat Detection using artificial intelligence

Amazon Web Services

This session will show how Telstra uplifted their forensics and incident response capabilities by using AWS services and automation to deliver a scalable forensics platform. You will learn how to use AWS to simplify forensics and incident response in the cloud. Come see how automation enables investigators to easily retrieve the data they need to make decisions and respond faster during security incidents.

Automated Forensics and Incident Response on AWS - AWS Summit Sydney

Amazon Web Services

In this session, learn how to address threat detection and remediation in the AWS Cloud. We summarize the challenges of traditional threat detection efforts and explain how AWS helps you address them in a cloud environment. We also provide an overview of key AWS services that detect and remediate threats, such as Amazon GuardDuty. Be sure to also check out the corresponding threat detection chalk talk.

Threat detection and mitigation at AWS - SEC201 - Atlanta AWS Summit

Amazon Web Services

IT organizations often see governance control and innovation as competing priorities. Compliance-minded individuals may view rapid innovation as disruptive to the security, health, and stability of their organizations. Innovation-minded individuals may view governance control as inhibiting growth. With AWS, you don’t have to choose between governance control and growth—you can have both. In this session, we provide an overview of the common challenges in this area and share how to use AWS services to solve them. We explain how to establish guardrails to improve security and compliance while empowering builders to speed innovation.

The Zen of governance - Establish guardrails and empower builders - SVC201 - ...

Amazon Web Services

Do you ever feel like your efforts with security are futile? Change can lead to new, never-before-recognized opportunities to innovate. Security is no exception. Using measurements to drive us, we have found innovations in security that have led to greater collaboration and carefully curated security outcomes. The cloud has made never-before-seen security capabilities possible. Have you ever imagined talking about the five nines of security? We are! Come join the debate about how to make cloud workloads safer by adopting securability and a bounded measurable means of increasing the safety of software.

In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...

Amazon Web Services

Sicurezza in AWS automazione e best practice

Amazon Web Services

With the ongoing expansion of cloud transformation, the different stages of cloud adoption become instrumental in achieving successful adoption of cloud infrastructure and services. When considering each stage, it’s important to overlay the proper security framework alongside continuous monitoring to provide the necessary security outcomes for an optimal security posture. In this session, we describe how to deliver outcomes of continuous security and compliance through a security wrapper delivered through infrastructure as code. This presentation is brought to you by AWS partner, Armor Cloud Security.

The evolution of continuous cloud security and compliance - DEM05-S - New Yor...

Amazon Web Services

In this presentation, FINRA discusses different aspects of its holistic security strategy. Topics covered include how to leverage AWS native security solutions, how to use logs that tie IP and identity together for network access, how to implement a software-defined perimeter model to augment network-layer security controls, and how FINRA sped up DevOps through a unified and frictionless access strategy.

How FINRA achieves DevOps agility while securing its AWS environments - GRC33...

Amazon Web Services

Similar to Atlassian's Solution for Multi-Region Encryption and Decryption - AWS Summit Sydney (20)