Amazon Releases AWS Cloud Security Practices
While many cloud service providers have been reluctant to publicly disclose details that would better explain how they secure and ensure availability of their datacenters, some have pointed to Amazon Web Services (AWS) as the most distinguished holdout. However, last week Amazon took an important step toward discrediting that claim by publically documenting its security practices.
Amazon submitted a 42-page page document to the Cloud Security Alliance's (CSA) Security, Trust & Assurance Registry (STAR) that details its security practices. That Amazon has made its security practices is significant in its own right. However the fact that Amazon did so in line with the CSA's detailed questionnaire and filed it in the registry could motivate numerous other holdouts to answer the same questions. Cloud providers have dragged their feet on publicly disclosing their security controls seemingly because they didn't want to give away any competitive secrets. But the largest public cloud provider taking this step diminishes that rational.
Since it was launched last year, only a handful of companies have submitted profiles to STAR, among them Box, Microsoft, SHI International and Verizon's Terremark unit. Jim Reavis, the CSA's executive director, recently told me while he was hoping to see more participation by now, he anticipates most major cloud providers will start to contribute later this year.
The CSA believes STAR will be a key step forward, though not the end-all, in adding transparency on a level playing field how providers are implementing security controls. The appeal of STAR is it's a publicly available registry available to any prospective customers and cloud providers are all expected to answer the same 140 questions.
"In being added to the registry, Amazon Web Services is now among those recognized as a security conscious organization, and will gain added exposure to information security, assurance and risk management professionals who are a key part of the cloud service procurement process," the CSA said in a statement.
The document discloses Amazon's approach to risk management. For example, Amazon re-evaluates its controls to mitigate risks at least twice per year. Security policies are based on the Control Objectives for Information and related Technology (COBIT) framework and ISO 27001/27002 controls, PCI DSS, the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3 (the latter is recommended security and controls for federal information systems).
On a general level, Amazon said it addresses risk management by providing security training to employees and conducting app security reviews aimed at ensuring confidentiality, integrity and data availability. Moreover, according the filing, Amazon regularly scans all IP addresses that connect to the Internet for vulnerabilities, though the scans do not include customer instances.
When it discovers and remediates threats, Amazon alerts third parties. The company conducts its assessments both internally and uses outside security firms. Amazon warned that the security scans are intended to address the health of its infrastructure and should not replace the need for customers to conduct their own inpsections.
Instead of the common SAS 70 Type II audit, the report noted Amazon now publishes the accepted evolved replacement Service Organization Controls 1 (SOC 1), Type II report, performed via the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) standards.
The SOC 1 section of the report describes a number of controls including user access, logical security, data handling, physical and environmental safeguards, change management, data integrity and availability and incident handling.
The STAR filing also outlines key compliances issues including control ownership, how IT can audit the cloud provider, how Sarbanes-Oxley compliance is achieved, HIPAA, data location, e-discovery, multi-tenancy, hypervisor vulnerabilities, encryption, data ownership, server security, identity and access management, availability, denial of service attacks, business continuity and access to the datacenter. To that last point (and fairly well-known), Amazon does not allow customers to tour its datacenters and third-party and internal employee access is limited.
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.