Encryption is an important part of any data protection strategy. Over the past two years, Amazon AWS has introduced many features that are designed to simplify the task of storing your cloud-based information in encrypted form. Many customers appreciate the fact that AWS makes it very easy for them to encrypt their data. They enable it as needed, and rely on AWS for the heavy lifting.
Recently AWS announced that they can encrypt data stored on your EBS volumes (the virtual disks attached to your cloud servers). The stored data is encrypted, as is the data transfer path between the EBS volume and the EC2 instance. The data is decrypted on the instance on an as-needed basis, then stored only in memory.
This feature will aid your security, compliance, and auditing efforts by allowing you to verify that all of the data that you store on EBS is encrypted, whether it is stored on a boot volume or on a data volume. Further, because this feature makes use of KMS, you can track and audit all uses of the encryption keys.
Many years ago, I ran a project that required encryption at rest for all of the mission critical data. At the time, meeting this business need required $200+K in hardware, software, and professional services. The installation took over 3 months.
With the recent announcements from AWS, encryption at rest is now as easy as checking a checkbox. Because encryption is now so easy to do, executive officers will expect that all business data is encrypted at rest. There is no additional cost or IT burden and hence no excuse not to implement the additional security.
Encrypting new AWS instances is as simple as a checkbox, but how do we encrypt existing instances that already have data? In some cases these instances have multiple terabytes of unencrypted data.
Blumetech asked one of our skilled AWS engineers to time how long it would take to convert an existing instance into an encrypted one. The test had one big caveat: nothing about the instance could change except for encryption. We wanted the IP, instance ID, security groups, tags, placement, tenancy, etc. to all be exactly the same. We were concerned that if any of these values changed, application-related problems would result.
On average it took our engineer about 1 hour to encrypt a machine with two EBS volumes. Since the instance is stopped during most of the work (we can't safely encrypt data that is in use), lots of downtime was required to do the encryption. In addition, the manual process was prone to simple errors.
To resolve all of these problems, Blumetech created an application that automatically encrypts instances. Some of the key features:
- Error free conversion - The process is completely automated
- High Throughput - Over 50 instances/hr can be processed
- Built-in Multithreading
- Instance Verification Checks - Runs a series of checks to ensure that an instance can be encrypted
- Safe - Allows you to optionally retain your unencrypted data in case a rollback is required
- Detailed Logging
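As an added example (not Blumetech's application and not an AWS-provided tool), the following Python/boto3 sketch shows the in-place swap that the timing test above performed by hand, together with the kind of pre-flight verification checks and optional retention of the unencrypted volumes for rollback that the feature list mentions. The instance keeps its ID, IP, security groups, tags and placement because only the EBS volumes are replaced: snapshot, encrypted snapshot copy, new volume attached at the same device name. All names in it (`verify_instance`, `plan_encryption`, `run_plan`, the `UNSUPPORTED_FAMILIES` set and the sample instance data) are this example's own construction; the family list reflects AWS documentation at the time of writing and should be confirmed before use.

```python
"""Check, plan and run an in-place EBS encryption swap for one EC2 instance.

Added example, not Blumetech's application. The checks and planner are pure
Python and run offline on constructed describe_instances/describe_volumes
data; run_plan needs a real boto3 EC2 client passed in by the caller.
"""

# Previous-generation families that cannot attach encrypted EBS volumes.
# Assumption taken from AWS docs at time of writing; verify before relying on it.
UNSUPPORTED_FAMILIES = {"t1", "m1", "m2", "c1", "cc2", "cg1", "hi1", "hs1"}

# Constructed sample data shaped like describe_instances / describe_volumes output.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0example", "InstanceType": "m5.large",
    "State": {"Name": "running"}, "RootDeviceType": "ebs",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root", "DeleteOnTermination": True}},
        {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data", "DeleteOnTermination": False}},
    ],
}
SAMPLE_VOLUMES = {
    "vol-0root": {"VolumeId": "vol-0root", "Encrypted": False, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3"},
    "vol-0data": {"VolumeId": "vol-0data", "Encrypted": True, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3"},
}


def verify_instance(instance, volumes):
    """Return the reasons this instance cannot be encrypted (empty list = OK)."""
    problems = []
    state = instance["State"]["Name"]
    if state not in ("running", "stopped"):
        problems.append(f"instance is {state}; must be running or stopped")
    if instance.get("RootDeviceType") != "ebs":
        problems.append("root device is instance-store; only EBS roots can be swapped")
    family = instance["InstanceType"].split(".")[0]
    if family in UNSUPPORTED_FAMILIES:
        problems.append(f"instance family {family} cannot attach encrypted volumes")
    for bdm in instance.get("BlockDeviceMappings", []):
        if bdm["Ebs"]["VolumeId"] not in volumes:
            problems.append(f"{bdm['Ebs']['VolumeId']} missing from describe_volumes output")
    return problems


def plan_encryption(instance, volumes):
    """List the still-unencrypted volumes with the attributes that must be preserved."""
    steps = []
    for bdm in instance.get("BlockDeviceMappings", []):
        vol = volumes[bdm["Ebs"]["VolumeId"]]
        if vol["Encrypted"]:
            continue  # already encrypted; leave it alone
        steps.append({"device": bdm["DeviceName"], "volume_id": vol["VolumeId"],
                      "az": vol["AvailabilityZone"], "volume_type": vol["VolumeType"],
                      "delete_on_termination": bdm["Ebs"]["DeleteOnTermination"]})
    return steps


def run_plan(ec2, instance_id, steps, kms_key_id, keep_unencrypted=True):
    """Execute the swap with a boto3 EC2 client; returns {device: new volume id}."""
    region = ec2.meta.region_name
    ec2.stop_instances(InstanceIds=[instance_id])  # data must be quiescent first
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    replaced = {}
    for s in steps:
        snap = ec2.create_snapshot(VolumeId=s["volume_id"])["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
        enc_snap = ec2.copy_snapshot(SourceSnapshotId=snap, SourceRegion=region,
                                     Encrypted=True, KmsKeyId=kms_key_id)["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])
        # A volume created from an encrypted snapshot is itself encrypted.
        new_vol = ec2.create_volume(AvailabilityZone=s["az"], SnapshotId=enc_snap,
                                    VolumeType=s["volume_type"])["VolumeId"]
        ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])
        ec2.detach_volume(VolumeId=s["volume_id"])
        ec2.get_waiter("volume_available").wait(VolumeIds=[s["volume_id"]])
        ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=s["device"])
        ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
        # Carry DeleteOnTermination over so instance lifecycle behaviour is unchanged.
        ec2.modify_instance_attribute(InstanceId=instance_id, BlockDeviceMappings=[
            {"DeviceName": s["device"],
             "Ebs": {"VolumeId": new_vol, "DeleteOnTermination": s["delete_on_termination"]}}])
        if not keep_unencrypted:  # otherwise the old volume and snapshot stay for rollback
            ec2.delete_volume(VolumeId=s["volume_id"])
            ec2.delete_snapshot(SnapshotId=snap)
        replaced[s["device"]] = new_vol
    ec2.start_instances(InstanceIds=[instance_id])
    return replaced
```

Usage follows the order the timing test used: call `verify_instance` first and abort on any problem, then `plan_encryption`, then `run_plan(boto3.client("ec2"), instance_id, steps, kms_key_id)`. Leaving `keep_unencrypted=True` keeps the original volumes and their snapshots so the swap can be reversed by reattaching them; delete them only after the application has been confirmed healthy on the encrypted volumes.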
Use it Now
This functionality was released earlier this month. Please contact us if you are interested in using this new application.