TalksAWS re:Invent 2025 - State of the Art: AWS data protection in 2025 (ft. Vanguard) (SEC203)

AWS re:Invent 2025 - State of the Art: AWS data protection in 2025 (ft. Vanguard) (SEC203)

AWS re:Invent 2025 - State of the Art: AWS Data Protection in 2025 (ft. Vanguard)

Overview

  • Presentation by Ken Beer, Director of Cryptography at AWS, and Rajie Sharma from Vanguard
  • Focuses on AWS's efforts to enable "crypto agility" and migrate to post-quantum cryptography (PQC)
  • Covers AWS's cryptography services, Vanguard's approach to PQC adoption, and key technical details

AWS Cryptography Services

  • Key Management Service (KMS): Foundational root of trust, handles 30 billion crypto operations per hour
  • Cloud HSM: Provides hardware security modules for customers with specialized needs
  • Certificate Manager (ACM): Simplifies PKI management, including support for exportable certificates
  • Secrets Manager: Encrypted storage for application credentials and other secrets

The Need for Post-Quantum Cryptography (PQC)

  • Quantum computers pose a threat to current asymmetric cryptographic algorithms (RSA, ECC)
  • "Harvest now, decrypt later" attack vector - encrypted data captured today could be decrypted in the future
  • Authentication risks - digital signatures could be forged by a quantum computer
  • NIST has standardized new PQC algorithms like MLCM and MLDDSA to mitigate these threats

AWS's PQC Adoption Strategy

  1. Confidentiality in Transit: Prioritize integrating PQC (MLCM) into public-facing AWS services and endpoints
  2. Long-Term Authentication: Enable PQC (MLDDSA) for code signing and other long-lived digital signatures
  3. Short-Lived Authentication: Support PQC algorithms for TLS client/server authentication (e.g. MLDDSA)
  • AWS has implemented PQC in core services like KMS, ACM, CloudFront, and S3
  • Ongoing work to roll out PQC support across all AWS services

Vanguard's PQC Adoption Journey

  • Vanguard is a global asset manager with over $11.9 trillion in assets under management
  • Identified quantum computing as a material threat to their all-digital investor interactions
  • Vanguard's four-pillar approach:
    1. Strategic Response: Frame PQC as a business risk and opportunity, get executive buy-in
    2. Internal Initiatives: Build a "Cryptography Center of Excellence" to drive the migration
    3. Visibility and Monitoring: Discover and prioritize all cryptographic assets, monitor usage
    4. IT Collaboration: Work with partners and vendors to enable PQC across the ecosystem

Technical Approach and Tooling

  • Use AWS Config to discover and monitor the cryptographic posture of AWS services
  • Leverage CloudTrail logs and tools like AWS Athena to analyze TLS cipher suite usage
  • Experiment with VPC mirroring and static code analysis to identify cryptographic assets
  • Collaborate with AWS and industry standards bodies to ensure interoperability

Key Takeaways

  • PQC migration is a multi-year, cross-functional effort that requires strategic planning
  • AWS is making significant investments to integrate PQC into its services and tooling
  • Vanguard's approach highlights the importance of visibility, monitoring, and ecosystem collaboration
  • Proving the use of PQC algorithms is a key challenge that requires logging and auditing capabilities

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.