Do You Get Sleep-at-Night Security from Public Cloud?

The possibility of achieving security that is comparable between public cloud and private datacenters has been around for an IT lifetime (I use metric months; imperial years are for analysts). Amazon did a great job of showing off how organizations can get much better datacenter security at their re:Invent conference – and not just small to medium organizations. The security that Amazon applies to their infrastructure service is commendable, but it doesn’t let organizations off the hook entirely.

The Really Great Security

What Amazon Web Services (AWS) has achieved in their datacenters is amazing. Read here, and especially this part. If you scroll down through the compliance list, you’ll quickly find that the AWS Assurance Program includes an impressive list of achievements:


• HIPAA
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
• SOC 2 / SOC 3
• PCI DSS Level 1
• ISO 27001
• FedRAMP
• DIACAP and FISMA
• ITAR
• FIPS 140-2
• CSA
• MPAA

This is a list of standards, certifications, and other checkboxes that would be difficult to achieve in many large-enterprise datacenters. For an organization to attain all of this compliance in its own datacenters wouldn’t make sense, because the certifications span verticals that few, if any, global giants cover. For cost reasons, organizations seek compliance only with the standards they actually need. Of course, from a security perspective, there is no downside to attaining as many as possible.

How Your Organization Benefits

A key component of the Amazon business model is having a highly standardized infrastructure. Creating islands of differing infrastructure would be counter to this key part of their strategy. Amazon gained their expertise in disrupting low-margin markets as an online retailer. Their continued success was in no small part dependent on their ability to eke out every last fraction of a percent on margin. As the story goes, they treated IT as an in-house service. That led to Amazon having the idea of selling that service to other organizations.

From a cut-rate, disruptive alternative to standing-up servers in-house, where did all of this security stuff at Amazon come from? It’s actually a simple story. When very large organizations approach Amazon, put a bunch of money on the table, and politely ask that Amazon meet their security requirements before taking the money, Amazon complies. How they comply, and how that affects others on Amazon’s infrastructure, is interesting.

If Amazon modifies their infrastructure-hosting practices to achieve the audit requirements of a customer, they adopt those practices across their estate. To do otherwise would break their model. That means that the smallest Amazon customer benefits from the demands being met for the largest Amazon customers. It also eases the entry of other large customers into Amazon, so it’s a win all-around.

Security is Still A Shared Responsibility

Amazon does great things. For example, they degauss and shred disks and they grind SSDs into pulp before they leave a datacenter. They have a wide array of controls and procedures designed to protect customer data. The physical and operational aspects of the infrastructure are as tight as a drum. They do at least as much to secure the infrastructure before, during, and after use as anyone out there. After all, a security problem at Amazon would reverse years of trust-building efforts.

You can use tons of value-add features to increase redundancy, span availability zones to assure uptime, and route traffic globally. There are myriad services that are, frankly, really cool. It’s infrastructure as a service, and a very secure infrastructure, but that’s not all of the security that is needed to get a good night’s sleep.

After you get a shiny new instance on Amazon, it’s still up to you to secure the software stack on that instance. Rest assured, if your system or your neighbor’s is compromised to the point that it becomes a threat to other AWS customers, it will be detected by Amazon. However, if you use Amazon to host a web application that is chock-full of SQL injection flaws, it’s not their problem. Someone can quietly punch some extra software onto your unpatched Windows server, and so long as they do it right, it’s also not Amazon’s problem. Almost everything in the stack from the operating system and above is still yours to worry about.
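To make the customer’s side of that bargain concrete, here is an added example (not code from the article, and not anything AWS ships) showing the kind of application-layer flaw the infrastructure provider will never fix for you: a lookup that pastes user input into SQL, next to the parameterized version that closes the hole. The `users` table and its three rows are constructed sample data; SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed sample data standing in for the application's own user table.
ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "o'brien", "obrien@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The flaw the article has in mind: the request value is spliced into the
    SQL text, so a value containing quote characters changes the statement
    itself. Kept only to contrast with the hardened version below."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened form: a parameterized query. The value travels separately from
    the statement, so it is always treated as data, never as SQL syntax."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_query_breaks(conn, name):
    """Return True when the unparameterized lookup fails on this input, i.e.
    the input was parsed as SQL rather than as a value. A legitimate name
    such as o'brien is enough to trigger it; no attacker is required."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe lookup for o'brien:", find_user_safe(db, "o'brien"))
    print("vulnerable lookup breaks on o'brien:", vulnerable_query_breaks(db, "o'brien"))
```

The point for a cloud tenant is that nothing in the provider’s compliance list touches this line of code: the operating system, the web server and the application on top of it are the customer’s share of the shared-responsibility model, and the fix (parameterization, plus a web application firewall as a second layer) lives entirely on that side.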

Everyone on Amazon benefits from the demands of the largest organizations, and the security of the infrastructure is undeniable. We need to keep in mind that even the organizations that push Amazon to move their offering toward higher security also have their own security regimens stacked on top of the infrastructure. From the most basic elements, like timely patching and endpoint security, to web application firewalls and network intrusion detection/prevention, everything from the operating system and higher is your part of the shared responsibility.

An analogy that I like to use is real-time strategy (RTS) games. In games of that sort, building quickly provides the advantage of giving you offensive capabilities to defeat opponents (and wiping your opponent off the map is the whole point!). However, you must also defend your base or you will quickly lose the game as your brilliantly executed offence runs out of resources. Amazon provides a pre-built base, letting organizations jump to delivery faster than ever, but forgetting basic security will leave you vulnerable. During one of the keynotes at re:Invent, a speaker mentioned that companies are very happy when twenty-five percent of their audits are completed simply by using Amazon infrastructure. As a security person, my first thought was “That still leaves seventy-five percent up to those companies”. To get a good night’s sleep, make sure that you’re holding up your end of the shared-security bargain.
