Amazon: Debunking The Cloud Computing Myths

Myth 2: Security and Privacy Are Not Adequate in the Cloud

Security is an end-to-end process and companies need to build security at every level of the stack, Selipsky said. Examining Amazon’s cloud, you will see that the same security isolations are employed as would be found in a traditional data centre, he said. These include physical data centre security, separation of the network, isolation of the server hardware, and isolation of storage. On the physical data centre side, well before Amazon launched its cloud services, data centres had already become a frequently shared infrastructure. Companies realised that they could benefit by renting space in a data facility rather than building it, added Selipsky. Indeed, citing security fundamentals, Selipsky said:

  • Security could be maintained by providing badge-controlled access, guard stations, monitored security cameras, alarms, separate cages, and strictly audited procedures and processes.
  • Amazon Web Services’ data centre security is identical to the best practices employed in private data facilities today. It has the added physical security advantage that customers have no need to access the servers and networking gear inside. Because of this, access to the data centre is even more strictly controlled than in traditional rented facilities.
  • At the physical data centre level, the Amazon cloud has equal or better isolation than could be expected from dedicated infrastructure.

Regarding the network, networks long ago ceased to be isolated physical islands, Selipsky noted. As companies found the need to connect to other companies, and then the Internet, their networks became connected with public infrastructure. They used special network functionality, such as firewalls and switch configurations, to prevent bad network traffic from getting in or important traffic from leaking out.

As their network traffic increasingly passed over public infrastructure, companies began using additional isolation techniques, such as Multiprotocol Label Switching (MPLS) and encryption, to maintain the security of every packet on (or leaving) their network. Amazon’s approach to networking in its cloud is the same: maintain packet-level isolation of network traffic and support industry-standard encryption. Because Amazon Web Services’ Virtual Private Cloud allows a customer to establish their own IP address space, customers can use the same tools and software infrastructure they’re already familiar with to monitor and control their cloud networks. Finally, Amazon’s scale allows significantly more investment in security policing and countermeasures than almost any large company could afford.

“Our security is strong and dug in at the DNA level,” Selipsky said.

Meanwhile, on the hardware side, Amazon Web Services invests significantly in testing and validating the security of its virtual server and storage environment. According to Selipsky, these investments include:

  • We wipe the server and storage clean after customers release these resources, so there is no possibility of leaving behind important data.
  • Each instance has its own customer firewall to prevent intrusion from other running instances.
  • Those wanting even more network isolation can use Amazon VPC (which allows you to bring your own IP address space to the cloud, and your instances can only be accessed via those IP addresses that only you know).
  • For those wanting to run on their own boxes (where no other instances are running), you can purchase extra large instances (an instance size that’s pretty typical for larger customers and workloads) where only that XL instance runs on that server.

Selipsky also argued that Amazon’s scale allows significantly more investment in security policing and countermeasures than almost any large company could afford themselves. “In fact, we often find that we can improve companies’ security posture when they use AWS,” he said.

“Take the example lots of CIOs worry about – the rogue server under a developer’s desk running something destructive or that the CIO doesn’t want running. Today, it’s really hard (if not impossible) for CIOs to know how many orphans there are and where they might be. With AWS, CIOs can make a single API call and see every system running in their VPC [Virtual Private Cloud]. No more hidden servers under the desk or anonymously placed servers in a rack and plugged into the corporate network.”
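The inventory check Selipsky describes above, combined with the per-instance firewall (security groups) and VPC isolation from the earlier list, as an added example that is not from the article or from AWS: one pass over the data the EC2 DescribeInstances and DescribeSecurityGroups calls return, flagging running instances outside the sanctioned VPC, instances with no owner, and instances whose firewall exposes an admin port (or all traffic) to the public Internet. The two responses are constructed by hand in the shape boto3 returns today (the API shape at the time of the article differed); `APPROVED_VPCS`, `ADMIN_PORTS`, the tag name `Owner` and all function names are assumptions for the example. To run it against a real account, replace the two constants with `ec2.describe_instances()` and `ec2.describe_security_groups()` from boto3.

```python
"""Audit EC2 inventory and security-group exposure from DescribeInstances /
DescribeSecurityGroups data.

Added example, not code from the article or from AWS. The two responses
below are constructed samples in the shape boto3 returns, so the check
runs offline; swap in ec2.describe_instances() / ec2.describe_security_groups()
for a live account.
"""
import ipaddress

APPROVED_VPCS = {"vpc-0a1b2c3d"}       # assumption: the VPC(s) the CIO sanctioned
ADMIN_PORTS = {22, 3389}               # assumption: SSH and RDP count as admin ports
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like ec2.describe_instances()
INSTANCES_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0001", "State": {"Name": "running"}, "VpcId": "vpc-0a1b2c3d",
     "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}],
     "Tags": [{"Key": "Owner", "Value": "platform-team"}]},
    {"InstanceId": "i-0002", "State": {"Name": "running"}, "VpcId": "vpc-0a1b2c3d",
     "SecurityGroups": [{"GroupId": "sg-wide", "GroupName": "wide-open"}],
     "Tags": []},                                            # nobody owns it
    {"InstanceId": "i-0003", "State": {"Name": "running"}, "VpcId": "vpc-ffff9999",
     "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}],
     "Tags": [{"Key": "Owner", "Value": "dev-laptop"}]},     # the "server under the desk"
    {"InstanceId": "i-0004", "State": {"Name": "terminated"}, "VpcId": "vpc-0a1b2c3d",
     "SecurityGroups": [], "Tags": []},                      # released, not counted
]}]}

# Constructed sample shaped like ec2.describe_security_groups()
SG_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-wide", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # all protocols, all ports
    ]},
]}


def running_instances(resp):
    """Flatten Reservations -> Instances and keep only running ones."""
    return [i for r in resp["Reservations"] for i in r["Instances"]
            if i["State"]["Name"] == "running"]


def tag(instance, key):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def is_public(cidr):
    """True unless the IPv4 CIDR sits entirely inside an RFC 1918 range (0.0.0.0/0 is public)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in RFC1918)


def risky_groups(sg_resp):
    """Map GroupId -> reasons for groups that expose admin ports or all traffic to the Internet."""
    risky = {}
    for sg in sg_resp["SecurityGroups"]:
        reasons = []
        for perm in sg["IpPermissions"]:
            public = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_public(r["CidrIp"])]
            if not public:
                continue
            if perm["IpProtocol"] == "-1":          # boto3 omits FromPort/ToPort for "-1"
                reasons.append("all traffic from " + ",".join(public))
                continue
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                reasons.append(f"ports {exposed} from {','.join(public)}")
        if reasons:
            risky[sg["GroupId"]] = reasons
    return risky


def audit(instances_resp, sg_resp, approved_vpcs=APPROVED_VPCS):
    """Return (InstanceId, finding) pairs for every running instance that fails a check."""
    findings = []
    risky = risky_groups(sg_resp)
    for inst in running_instances(instances_resp):
        iid = inst["InstanceId"]
        if inst.get("VpcId") not in approved_vpcs:
            findings.append((iid, f"outside approved VPC: {inst.get('VpcId')}"))
        if tag(inst, "Owner") is None:
            findings.append((iid, "no Owner tag"))
        for sg in inst["SecurityGroups"]:
            for reason in risky.get(sg["GroupId"], []):
                findings.append((iid, f"{sg['GroupId']}: {reason}"))
    return findings


if __name__ == "__main__":
    for iid, finding in audit(INSTANCES_RESPONSE, SG_RESPONSE):
        print(iid, finding)
```

On the constructed sample the audit reports i-0002 (no owner, and its group allows all traffic from anywhere) and i-0003 (running in a VPC nobody approved), while the terminated i-0004 is ignored; the same loop, pointed at live API output and run per region, is the "single API call" inventory the quote describes.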

Finally, AWS is SAS 70 certified; ISO 27001 and NIST are in process, Selipsky said.


Darryl K. Taft

Darryl K. Taft covers IBM, big data and a number of other topics for TechWeekEurope and eWeek
