The possibility of achieving security that is comparable between public cloud and private datacenters has been around for an IT lifetime (I use metric months; imperial years are for analysts). Amazon did a great job of showing-off how organizations can get much better datacenter security at their re:Invent conference – and not just small to medium organizations. The security that Amazon applies to their infrastructure service is commendable, but it doesn’t let organizations off the hook entirely.
The Really Great Security
What Amazon Web Services (AWS) has achieved in their datacenters is amazing. Read here, and especially this part. If you scroll down through the compliance list, you’ll quickly find that the AWS Assurance Program includes an impressive list of achievements:
• HIPAA
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS70)
• SOC 2 / SOC 3
• PCI DSS Level 1
• ISO 27001
• FedRAMPSM
• DIACAP and FISMA
• ITAR
• FIPS 140-2
• CSA
• MPAA
This is a list of standards, certifications, and other checkboxes that would be difficult to achieve in many large-enterprise datacenters. For an organization to have all of this compliance in their own datacenters wouldn’t make sense because the certifications span verticals that few, if any, global giants cover. For cost reasons, organizations seek only compliance with the standards that they need to. Of course, from a security perspective, there is no downside to attaining as many as possible.
How Your Organization Benefits
A key component of the Amazon business model is having a highly standardized infrastructure. Creating islands of differing infrastructure would be counter to this key part of their strategy. Amazon gained their expertise in disrupting low-margin markets as on online retailer. Their continued success was in no small part dependent on their ability to eke-out every last fraction of a percent on margin. As the story goes, they treated IT as an in-house service. That led to Amazon having the idea of selling that service to other organizations.
From a cut-rate, disruptive alternative to standing-up servers in-house, where did all of this security stuff at Amazon come from? It’s actually a simple story. When very large organizations approach Amazon, put a bunch of money on the table, and politely ask that Amazon meet their security requirements before taking the money, Amazon complies. How they comply, and how that affects others on Amazon’s infrastructure, is interesting.
If Amazon modifies their infrastructure-hosting practices to achieve the audit requirements of a customer, they adopt those practices across their estate. To do otherwise would break their model. That means that the smallest Amazon customer benefits from the demands being met for the largest Amazon customers. It also eases the entry of other large customers into Amazon, so it’s a win all-around.
Security is Still A Shared Responsibility
Amazon does great things. For example, they degauss and shred disks and they grind SSD’s into pulp before they leave a datacenter. They have a wide array of controls and procedures designed to protect customer data. The physical and operational aspects of the infrastructure are as tight as a drum. They do at least as much to secure the infrastructure before, during, and after use as anyone out there. After all, a security problem at Amazon would reverse years of trust-building efforts.
You can use tons of value-add features to increases redundancy, span availability zones to assure uptime, route traffic globally. There are myriad services that are, frankly, really cool. It’s infrastructure as a service, and a very secure infrastructure, but that’s not all of the security that is needed to get a good night’s sleep.
After you get a shiny new instance on Amazon, it’s still up to you to secure the software stack on that instance. Rest assured, if your system or your neighbor’s is compromised to the point that it becomes a threat to other AWS customers, it will be detected by Amazon. However, if you use Amazon to hose a web application that is chalk-full of SQL Injection flaws, it’s not their problem. Someone can quietly punch some extra software onto your unpatched Windows server, and so long as they do it right, it’s also not Amazon’s problem. Most everything in the stack from the operating system and above is still yours to worry about.
Everyone on Amazon benefits from the demands of the largest organizations, and the security of the infrastructure is undeniable. We need to keep in-mind that even the organizations that push Amazon to move their offering toward higher security also have their own security regimens stacked on top of the infrastructure. From the most basic elements, like timely patching and endpoint security, to web application firewalls and network intrusion detection/prevention, everything from the operating system and higher is your part of the shared responsibility.
An analogy that I like to use is real-time strategy (RTS) games. In games of that sort, building quickly provides the advantage of giving you offensive capabilities to defeat opponents (and wiping your opponent off the map is the whole point!). However, you must also defend your base or you will quickly lose the game as your brilliantly executed offence runs out of resources. Amazon provides a pre-built base, letting organizations jump to delivery faster than ever, but forgetting basic security will leave you vulnerable. During one of the keynotes at re:Invent, a speaker mentioned that companies are very happy when twenty-five percent of their audits are completed simply by using Amazon infrastructure. As a security person, my first thought was “That still leaves seventy-five percent up to those companies”. To get a good night’s sleep, make sure that you’re holding-up your end of the shared-security bargain.