When using a key stored inside Google Cloud HSM, is it possible to get the following metadata fields about the HSM hardware being used?
Device model name
Device serial number
Firmware Version
Hardware Version
Valid FIPS certificate for device
Number of the certificate issued for device
When ordering a certificate from a CA, we are asked for these fields for regulatory reasons.
You can see the relevant information Google Cloud HSM makes available about key provenance at https://cloud.google.com/kms/docs/attest-key; you can download an attestation which will assert that the key is limited to an HSM. However, we do not make all the information you are requesting available (and the information specific to a particular HSM does not map well to our on-demand shared infrastructure model).
Can you share the name of the Certificate Authority with these requirements? We'd be happy to approach them about accepting Cloud HSM keys.
Thanks for using Google Cloud and Cloud HSM.
Related
I am about to launch a webapp based on subscription. FYI, the web application manages health care data, and my customers are concerned about the security of data in the cloud.
Is there any certificate, or any official information I can give to my customers on the behalf of AWS proving that the data in any storage used by my application will be encrypted?
THANK YOU
From What is AWS Artifact?:
AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports. You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls. AWS Artifact provides documents about AWS only. AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies.
It explains what AWS does. However, you would also need to prove that you are using the cloud correctly, such as verifying users' identities and not making buckets public.
No, there is no such document; you need to apply for and obtain this certificate.
AWS is compliant for their part, Security of the cloud, and you are responsible for Security in the cloud. AWS Artifact is a repository.
AWS Config is the tool you will use to monitor the configuration of your stack; it can repair configurations as well.
AWS CloudWatch will monitor performance, bring you alerts and invoke Lambda.
AWS CloudTrail will monitor the API calls.
AWS Macie will check your buckets for Personally Identifiable Information.
Then you are the one who enables encryption and chooses the key management and rotation, AWS KMS.
Just to mention a few services to be aware of. Best regards.
Topic - Google Cloud KMS and support for custom keys
I was exploring the documentation for Google Cloud KMS. It mentions that Cloud KMS is more of a management service that helps control and manage the DEKs which are used by Google in 2 ways:
CMEK - Allowing Google to create the KEK and us to manage the rotation and other aspects
CMEK - Allowing us to import our own key which will act as the KEK on top of the Google DEK.
From what I understand and have seen, Cloud KMS allows control over the key that encrypts the DEK.
Does Google Cloud KMS also support storing our custom private keys (CSEK) for encryption and usage/signing?
Customer-Supplied Encryption Keys (CSEK) are a feature of Google Cloud Storage and Google Compute Engine. Google uses the encryption key supplied by the customer to protect the Google-generated keys used to encrypt and decrypt the user's data [1].
When a customer supplies a CSEK (Customer-Supplied Encryption Key), Cloud Storage does not store the CSEK permanently on Google's servers or manage the key. You have to provide the key for each Cloud Storage operation, and your key is purged from Google's servers after the operation is complete. Cloud Storage stores only a cryptographic hash of the key so that, if the customer supplies the key again in the future, it can be validated against the hash. But the key cannot be recovered from this hash, and the hash cannot be used to decrypt the data [2].
In the case of Google Compute Engine, Google also does not store your keys on its servers and cannot access your protected data unless you provide the key. If you forget or lose your key, there is no way for Google to recover the key or to recover any data encrypted with the lost key. For instance, when you delete a persistent disk, Google discards the cipher keys, rendering the data irretrievable [3].
Useful Links:
[1] https://cloud.google.com/security/encryption/customer-supplied-encryption-keys
[2] https://cloud.google.com/storage/docs/encryption/customer-supplied-keys
[3] https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
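The CSEK flow the answer above describes (key supplied with every request, only its SHA-256 retained, hash useless for decryption), as an added Python example that is not from the post or from Google's own client libraries. The three header names are the ones Cloud Storage documents for CSEK requests; the receiver-side consistency check is written here to illustrate why the hash header exists and is an assumption about the service's behaviour, not its code.

```python
import base64
import hashlib
import hmac
import secrets

# Cloud Storage CSEK request headers (documented for the XML/JSON APIs).
ALG_HEADER = "x-goog-encryption-algorithm"
KEY_HEADER = "x-goog-encryption-key"
HASH_HEADER = "x-goog-encryption-key-sha256"


def generate_csek() -> bytes:
    """Generate a fresh 256-bit AES key; the customer must keep it, Google will not."""
    return secrets.token_bytes(32)


def key_fingerprint(key: bytes) -> str:
    """Base64 SHA-256 of the key: the only thing the service retains after a request."""
    return base64.b64encode(hashlib.sha256(key).digest()).decode("ascii")


def csek_headers(key: bytes) -> dict:
    """Build the three headers that must accompany every CSEK object operation."""
    if len(key) != 32:
        raise ValueError("CSEK must be a 256-bit (32-byte) AES key")
    return {
        ALG_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        HASH_HEADER: key_fingerprint(key),
    }


def headers_are_consistent(headers: dict) -> bool:
    """Receiver-side integrity check (illustrative): the supplied hash must match
    the supplied key, otherwise the key was corrupted or altered in transit and
    the request must be rejected rather than used to encrypt with the wrong key."""
    if headers.get(ALG_HEADER) != "AES256":
        return False
    try:
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
    except (KeyError, ValueError):  # binascii.Error is a ValueError
        return False
    if len(key) != 32:
        return False
    return hmac.compare_digest(key_fingerprint(key), headers.get(HASH_HEADER, ""))


def key_matches_stored_fingerprint(candidate: bytes, stored: str) -> bool:
    """A later read: the re-supplied key is validated against the stored hash only;
    the hash by itself can neither recover the key nor decrypt the object."""
    return hmac.compare_digest(key_fingerprint(candidate), stored)
```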
I need to know the best practices, from a security point of view, for where and how to keep DB credentials and third-party API keys/tokens on a server.
I think you would like to store your credentials like API keys, certificates, passwords or anything related to sensitive information with more security, right?
Well, as you may know, cloud applications and services use cryptographic keys and secrets to help keep information secure.
For highly sensitive data, you should consider additional layers of protection. Encrypting data using a separate protection key prior to storage in Key Vault is worthwhile, for example.
Azure Key Vault:
Azure Key Vault provides safeguards for the following keys and secrets. For example, when you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).
Key Vault reduces the following problems:
Secret management
Key management
Certificate management
Store secrets backed by HSMs
Any third-party sensitive credentials
You could check for more details here
Access Your Key Vaults More Securely
You may need to access your key vault more securely because of its data sensitivity; learn more about Secure access to a key vault
How secrets and certificates collaborate with Azure Key Vault
Also for Key Vault secrets and certificates you can check here
Azure Key Vault quick start
To set up and retrieve a secret from Azure Key Vault using the Azure portal, you can quickly start from the Microsoft official document for Azure Key Vault
Note: Nowadays Azure Key Vault has become more popular among big organizations and among developers as well, to manage large-scale security keys, certificates and many more. For more details I would recommend taking a look at the official document here
If you have any more queries feel free to share. Thanks and happy coding!
Storing secrets on the server is not best practice. If you are using AWS you can use Secrets Manager to securely manage your secrets.
The documentation just lists server-side encryption, where Google handles the keys. Is it possible to use customer-supplied keys à la Cloud Storage?
It is not possible to use Customer-Supplied Encryption Keys, at this time, with Cloud Datastore.
One thing I dislike about Google Cloud Platform (GCP) is its less baked-in security model around roles/service accounts.
Running locally on my laptop, I need to use the service account's key specified in a JSON file. In AWS, I can just assume a role I have been granted access to assume (without needing to carry around a private key). Is there an analogue to this with GCP?
I am going to try and answer this. I have the AWS Security Specialty (8 AWS certifications) and I know AWS very well. I have been investing a lot of time this year mastering Google Cloud with a focus on authorization and security. I am also an MVP Security for Alibaba Cloud.
AWS has a focus on security and security features that I both admire and appreciate. However, unless you really spend the time to understand all the little details, it is easy to implement poor/broken security in AWS. I can also say the same about Google security. Google has excellent security built into Google Cloud Platform. Google just does it differently and also requires a lot of time to understand all the little features / details.
In AWS, you cannot just assume a role. You need an AWS Access Key first or be authenticated via a service role. Then you can call STS to assume a role. Both AWS and Google make this easy with AWS Access Keys / Google Service Accounts. Whereas AWS uses roles, Google uses roles/scopes. The end result is good in either platform.
Google authentication is based upon OAuth 2.0. AWS authentication is based upon Access Key / Secret Key. Both have their strengths and weaknesses. Both can be either easy to implement (if you understand them well) or a pain to get correct.
The major cloud providers (AWS, Azure, Alibaba, Google, IBM) are moving very fast with a constant stream of new features and services. Each one has strengths and weaknesses. Today, there is no platform that offers all the features of the others. AWS today is ahead both in features and market share. Google has a vast number of services that outnumber AWS and I don't know why this is overlooked. The other platforms are catching up quickly and today, you can implement enterprise class solutions and security with any of the cloud platforms.
Today, we would not choose only Microsoft or only Open Source for our application and server infrastructure. In 2019, we will not be choosing only AWS or only Google, etc. for our cloud infrastructure. We will mix and match the best services from each platform for our needs.
As described in the Getting Started with Authentication [1] page, for service accounts the key file is needed in order to authenticate.
From [2]: You can authenticate to a Google Cloud Platform (GCP) API using service accounts or user accounts, and for APIs that don't require authentication, you can use API keys.
Service and user accounts need the key file to authenticate. Taking this information into account, there is no way to authenticate locally without using a key file.
Links:
[1] https://cloud.google.com/docs/authentication/getting-started
[2] https://cloud.google.com/docs/authentication/