Security is always top of mind for Heroku customers; COVID-19 has further increased the urgency for enterprises and developers to deliver more mission-critical applications with sensitive and regulated data.
Given the needs of our customers, including those in regulated industries like Health & Life Sciences and Financial Services, we are thrilled to announce that Heroku Private Spaces and Shield customers can now deploy a new Postgres, Redis, or Apache Kafka service with a key created and managed in their private AWS KMS account. With BYOK, enterprises gain full data custody and data access control without taking on the burden of managing any aspect of the data service itself.
This feature is available on all Private and Shield data plans, starting today, at no additional cost, outside of any cost associated with AWS KMS.
Those customers who choose not to use BYOK will still have their Heroku Data services encrypted with a key that we own and control. There is no change to the current experience or features.
Developed with Enterprise Security in Mind
Enterprises are increasingly thinking about the threat of a compromise to their data and data services. Many of our most progressive and security-conscious enterprise customers asked us for a “kill switch” that can prevent anyone from accessing their data and data service, even their own employees or us, upon request.
Late last year, we began engaging with these customers to understand their views on data security and validate our designs for a BYOK option. Moneytree had a compelling business need and a deep technical understanding of how they wanted it to work. Their guidance was instrumental in the feature set and experience released today:
“Moneytree uses Heroku’s new BYOK feature to meet the security and compliance requirements of our Financial Institution clients. The simplicity of it kept our team’s overhead down while meaningfully improving our security.” — Ross Sharrott, Chief of Technology and Founder, Moneytree
Designed to Share Responsibility Seamlessly
Enterprises create the key and manage the full lifecycle in AWS KMS. To use a key with a new Heroku Data service, copy the key’s ARN from the AWS CLI or Console, and then pass the ARN when creating a new add-on in the Heroku CLI:
$ heroku addons:create heroku-postgresql:shield-0 --app sushi --encryption-key [arn:aws:kms:...]
See the Dev Center articles for encrypting a new Heroku Postgres database with your encryption key and migrating an existing Postgres database to one using your own encryption key, as well as Heroku Key-Value Store and Apache Kafka on Heroku.
Once we receive the provisioning request, we encrypt all data stored at rest (including backups) with the encryption key. Forks and followers inherit this key too. Our Managed Data Services work the same as before, with minor limitations.
As part of an incident response or breach containment playbook, enterprises can revoke access to the key in the AWS CLI or Console. Within minutes, Heroku detects it, shuts down all data services that use the key, and stops all servers that run those services. Data in the database(s) and the backup file(s) are inaccessible: no one can access them without the key, but no data is deleted or lost.
Properly coded apps can detect this as downtime and go into maintenance mode.
When the threat has passed, enterprises can restore access to the key in the AWS CLI or Console. Within minutes, Heroku detects it and brings everything back online. All apps work as before without intervention.
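One way an app could treat a revoked key as downtime and recover on its own once the key is restored, shown as an added example that is not Heroku's code. The `MaintenanceGate` class, its thresholds, and the `probe` callable (a stand-in for a real database connection attempt) are hypothetical, and the probe trace is constructed.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class MaintenanceGate:
    """Hypothetical gate: decides whether to serve the maintenance page."""
    probe: Callable[[], None]   # raises OSError subclasses when the data service is down
    fail_threshold: int = 3     # consecutive failures before entering maintenance
    recover_threshold: int = 2  # consecutive successes before leaving it
    maintenance: bool = False
    _fails: int = 0
    _oks: int = 0

    def check(self) -> bool:
        """Run one probe; return True while the app should stay in maintenance mode."""
        try:
            self.probe()
        except (ConnectionError, TimeoutError, OSError):
            self._fails += 1
            self._oks = 0
            if self._fails >= self.fail_threshold:
                self.maintenance = True   # sustained outage, e.g. key access revoked
        else:
            self._oks += 1
            self._fails = 0
            if self.maintenance and self._oks >= self.recover_threshold:
                self.maintenance = False  # service is back, resume without intervention
        return self.maintenance


def simulate(outcomes: str) -> list[bool]:
    """Drive the gate with a constructed trace: '.' = probe ok, 'x' = connection refused."""
    it = iter(outcomes)

    def probe() -> None:
        if next(it) == "x":
            raise ConnectionRefusedError("data service unavailable")

    gate = MaintenanceGate(probe)
    return [gate.check() for _ in outcomes]


if __name__ == "__main__":
    # Constructed trace: one transient blip, then the service stops, then it returns.
    trace = "..x..xxxxx...."
    for outcome, state in zip(trace, simulate(trace)):
        print(outcome, "maintenance" if state else "serving")
```

Requiring several consecutive failures keeps a single dropped connection from taking the app offline, while the recovery threshold avoids flapping as the data service comes back.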
Note that we do not store the Customer Master Key (CMK) from AWS KMS or deal with its management in any way. We gain access to it at the time of creation. We periodically check its status and act when needed.
Built with the Strengths of Heroku and AWS
Like our previous Private Link integrations, this integration combines the strengths of Heroku and AWS into a simple and straightforward developer experience. BYOK is another step forward for our combined investments in developer agility and enterprise security. We can’t wait to see all our customers using it.
Please send any feedback our way.