At the ongoing Amazon re:Invent 2018, Amazon announced that AWS Key Management Service (KMS) has integrated with AWS CloudHSM. Users now have the option to create their own KMS custom key store. They can generate, store, and use their KMS keys in hardware security modules (HSMs) through KMS. The KMS custom key store satisfies compliance obligations that would otherwise require the use of on-premises HSMs. It supports AWS services and encryption toolkits that are integrated with KMS.

Previously, AWS CloudHSM was not widely integrated with other AWS managed services. So, if someone required direct control of their HSMs but still wanted to use and store regulated data in AWS managed services, they had to choose between changing those requirements, not using a given AWS service, or building their own solution.

With a custom key store, users can configure their own CloudHSM cluster and authorize KMS to use it as a dedicated key store for keys rather than the default KMS key store. When a KMS CMK in a custom key store is used, the cryptographic operations under that key are performed exclusively in the developer’s own CloudHSM cluster. Master keys that are stored in a custom key store are managed in the same way as any other master key in KMS and can be used by any AWS service that encrypts data and that supports KMS customer managed CMKs.

The use of a custom key store does not affect KMS charges for storing and using a CMK. However, it does come with an increased cost and potential impact on performance and availability.

Things to consider before using a custom key store

Each custom key store requires the CloudHSM cluster to contain at least two HSMs. CloudHSM charges vary by region and the pricing comes to at least $1,000 per month, per HSM, if each device is permanently provisioned.

The number of HSMs determines the rate at which keys can be used. Users should keep in mind the intended usage patterns for their keys and ensure appropriate provisioning of HSM resources.

The number of HSMs and the use of availability zones (AZs) impact the availability of a cluster.

Configuration errors may result in a custom key store being disconnected, or key material being deleted.

Users need to manually set up HSM clusters, configure HSM users, and potentially restore HSMs from backup. These are security-sensitive tasks for which users should have the appropriate resources and organizational controls in place.

Read more about the KMS custom key stores on Amazon.
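The considerations above (at least two HSMs, spread across availability zones, and the risk of a disconnected key store) can be checked from the output of `aws kms describe-custom-key-stores` and `aws cloudhsmv2 describe-clusters`. The following is an added example, not code from AWS or from the original article; the sample JSON is constructed, the resource IDs are placeholders, and `audit_key_stores` is a hypothetical helper name.

```python
import json

# Constructed sample data shaped like the responses of
# `aws kms describe-custom-key-stores` and `aws cloudhsmv2 describe-clusters`.
# All IDs are placeholders, not real resources.
KEY_STORES = json.loads("""{"CustomKeyStores": [
  {"CustomKeyStoreId": "cks-example-a", "CustomKeyStoreName": "prod",
   "CloudHsmClusterId": "cluster-example-a", "ConnectionState": "CONNECTED"},
  {"CustomKeyStoreId": "cks-example-b", "CustomKeyStoreName": "staging",
   "CloudHsmClusterId": "cluster-example-b", "ConnectionState": "FAILED",
   "ConnectionErrorCode": "NETWORK_ERRORS"}]}""")
CLUSTERS = json.loads("""{"Clusters": [
  {"ClusterId": "cluster-example-a", "Hsms": [
    {"HsmId": "hsm-1", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
    {"HsmId": "hsm-2", "AvailabilityZone": "us-east-1b", "State": "ACTIVE"}]},
  {"ClusterId": "cluster-example-b", "Hsms": [
    {"HsmId": "hsm-3", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
    {"HsmId": "hsm-4", "AvailabilityZone": "us-east-1a", "State": "DEGRADED"}]}]}""")

MIN_HSMS = 2  # the article's stated minimum per custom key store


def audit_key_stores(key_stores, clusters):
    """Return {key store id: [findings]} for stores that need attention."""
    by_id = {c["ClusterId"]: c for c in clusters["Clusters"]}
    report = {}
    for store in key_stores["CustomKeyStores"]:
        findings = []
        if store["ConnectionState"] != "CONNECTED":
            code = store.get("ConnectionErrorCode", "no error code")
            findings.append(f"not connected: {store['ConnectionState']} ({code})")
        cluster = by_id.get(store["CloudHsmClusterId"])
        if cluster is None:
            findings.append("backing cluster not found")
        else:
            active = [h for h in cluster["Hsms"] if h["State"] == "ACTIVE"]
            if len(active) < MIN_HSMS:
                findings.append(f"only {len(active)} active HSM(s), need {MIN_HSMS}")
            if len({h["AvailabilityZone"] for h in active}) < 2:
                findings.append("active HSMs are not spread over two AZs")
        if findings:
            report[store["CustomKeyStoreId"]] = findings
    return report


if __name__ == "__main__":
    for store_id, findings in audit_key_stores(KEY_STORES, CLUSTERS).items():
        print(store_id, "->", "; ".join(findings))
```

To run it against a real account, replace the two constructed dictionaries with the parsed JSON output of the two CLI commands named above.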
Despite Facebook’s long line of scandals and multiple parliamentary hearings, the company and its leadership have remained unscathed, with no consequences or impact on their performance. Once again, Facebook is under fresh investigation, this time from New York’s Attorney General, Letitia James. The Canadian and British Columbia privacy commissioners have also decided to take Facebook to Federal Court to seek an order to force the company to correct its deficient privacy practices. It remains to be seen whether Facebook’s lucky streak will continue in light of these charges.

NY Attorney General’s investigation over FB’s email harvesting scandal

Yesterday, New York’s Attorney General, Letitia James, opened an investigation into Facebook Inc.’s unauthorized collection of 1.5 million users’ email contacts without users’ permission. This incident, which was first reported by Business Insider, happened last month, when Facebook’s email password verification process for new users asked users to hand over the password to their personal email account.

According to the Business Insider report, “a pseudonymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts.”

On March 21st, Facebook opened up about a major blunder of exposing millions of user passwords in plain text, soon after security journalist Brian Krebs first reported the issue. “We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, the company said in its press release. Recently, on April 18, Facebook updated the same post, stating that not tens of thousands, but “millions” of Instagram passwords were exposed.
“Reports indicate that Facebook proceeded to access those user’s contacts and upload all of those contacts to Facebook to be used for targeted advertising”, the Attorney General mentioned in the statement. She further mentions that “It is time Facebook is held accountable for how it handles consumers’ personal information.”

“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data. Facebook’s announcement that it harvested 1.5 million users’ email address books, potentially gaining access to contact information for hundreds of millions of individual consumers without their knowledge, is the latest demonstration that Facebook does not take seriously its role in protecting our personal information”, James adds.

“Facebook said last week that it did not realize this collection was happening until earlier this month when it stopped offering email password verification as an option for people signing up to Facebook for the first time”, CNN Business reports.

One of the users on HackerNews wrote, “I’m glad the attorney general is getting involved. We need to start charging Facebook execs for these flagrant privacy violations. They’re being fined 3 billion dollars for legal expenses relating to an FTC inquiry… and their stock price went up by 8%. The market just does not care; it’s time regulators and law enforcement started to.”

To know more about this news in detail, read Attorney General James’ official press release.

Canadian and British Columbia privacy commissioners to take Facebook to Federal Court

Canada and British Columbia privacy commissioners Daniel Therrien and Michael McEvoy uncovered major shortcomings in Facebook’s procedures in their investigation, published yesterday.
This investigation was initiated after media reported that “Facebook had allowed an organization to use an app to access users’ personal information and that some of the data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns”, the report mentions.

The app, at one point called “This is Your Digital Life,” encouraged users to complete a personality quiz. It collected information about users who installed the app as well as their Facebook “friends.” Some 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.

The investigation also revealed that Facebook violated federal and B.C. privacy laws in a number of respects. According to the investigation, “Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians.”

According to the press release, Facebook has disputed the findings and refused to implement the watchdogs’ recommendations. It has also refused to voluntarily submit to audits of its privacy policies and practices over the next five years. Following this, the Office of the Privacy Commissioner of Canada (OPC) said it therefore plans to take Facebook to Federal Court to seek an order to force the company to correct its deficient privacy practices.

Daniel Therrien, the privacy commissioner of Canada, said, “Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company. Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

He further added, “The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning. It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions.”

British Columbia Information and Privacy Commissioner Michael McEvoy said, “Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy. But when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard.”

The press release also mentions that “giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law”.

To know more about the federal and B.C. privacy laws that FB violated, head over to the investigation report.