AWS isn’t for everyone (too true!) but they’ve serviced enough customers to have valid observations about common fears and mistakes.
Regardless of cloud service provider, customers often (mis)assume that the provider owns responsibility for security.
But as the AWS CISO makes clear: “It’s a shared responsibility. We [AWS] are responsible for the bottom layer. We are responsible from the floor of the data center up to the hypervisor.”
Summary article by Paul Mah in FierceCIO.
Emphasis in red added by me.
Amazon Web Services CISO on securing the cloud
FierceCIO had the opportunity to speak to Stephen Schmidt, the vice president of security engineering and the chief information security officer of Amazon Web Services, on the sidelines of the re:Invent 2014 conference last month.
We were curious as to what the head of security for the world’s largest public cloud service had to share regarding top enterprise security concerns, as well as what it takes to keep AWS secure.
Top enterprise concerns
“The biggest concern that I hear from customers is that they don’t get the division of responsibility right,” said Schmidt in response to our first question. “It’s a shared responsibility. We are responsible for the bottom layer. We are responsible from the floor of the data center up to the hypervisor,” he said.
What Schmidt means is that deploying a cloud infrastructure doesn’t automatically release the enterprise from the duty of managing its own security. Indeed, there is certainly a lot of attack surface above the hypervisor that enterprises need to harden.
On this front, Schmidt cautioned that businesses that are used to operating with a hosting company might be the most likely to stumble.
In addition, the importance of proper key management should not be discounted, according to Schmidt.
“They need to make sure that they have a plan in place to rotate their credentials on Amazon. They are the keys to your interaction with us,” he said, using AWS as an example. “They need to properly scope encryption [and] use encryption where it is available.”
Schmidt also noted that Amazon believes in assigning the minimum amount of permissions to employees because “it just makes business sense”. This also sounds like good advice for the enterprise IT department.
Keeping AWS secure
The sheer scale (and appeal) of AWS means that the cloud-computing giant has to take security to a whole new level. One way that AWS does that is by adopting a strategy of constantly testing its resources rather than relying on scheduled penetration tests.
“We are constantly testing our own services, rather than like some services that only do so per quarter, we scan our services constantly,” said Schmidt. “We have a couple thousand of scanning machines that constantly scan our resources.”
Of course, few enterprises would have the requisite technical expertise or the hardware to replicate what AWS is doing, underscoring the somewhat uncomfortable notion that enterprise security may not necessarily be able to match that of larger cloud services.
Finally, it appears that stripping away redundant functionality from open source software may be a good idea.
Indeed, Schmidt highlighted how Amazon strips out functionality that they don’t need in open source software that they use. While this has the added benefit of allowing apps to run more efficiently, the more important consideration is that it also improves security by eliminating redundant, and potentially erroneous, code.
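The two customer-side points Schmidt raises above, rotating the credentials that are “the keys to your interaction with us” and granting the minimum permissions, are things you can actually check. The following Python is an added example from the editor of this page; it is not part of Paul Mah’s article and is not AWS’s own tooling. It audits an IAM credential report (the CSV that `aws iam get-credential-report` returns after base64 decoding) for access keys that are stale, never used, or belong to a half-finished rotation, lists console users without MFA, and builds a narrowly scoped S3 policy that also refuses unencrypted uploads. The column layout is the real credential-report layout; the account ID, user names, dates and the bucket/prefix names are constructed for illustration.

```python
"""Audit an IAM credential report and build a least-privilege S3 policy.

Added example for this page (not from the article or from AWS). Uses only the
standard library so it runs offline against the constructed report below.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report.
# Account ID, names and timestamps are made up. build-bot shows a rotation that
# stopped halfway: a new key (slot 2) was created but never deployed, and the
# old key (slot 1) is still the one in use.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-15T09:00:00+00:00,not_supported,2014-11-30T08:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-06-01T10:00:00+00:00,true,2014-12-01T07:45:00+00:00,2014-11-20T10:00:00+00:00,2015-02-18T10:00:00+00:00,true,true,2014-11-01T10:00:00+00:00,2014-12-01T07:50:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2013-02-10T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2013-02-10T10:05:00+00:00,2014-12-01T03:00:00+00:00,us-west-2,ec2,true,2014-10-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2014-03-05T10:00:00+00:00,true,2014-11-28T13:00:00+00:00,2014-03-05T10:00:00+00:00,2014-06-03T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "today" so the audit is repeatable; a real run would use datetime.now(timezone.utc).
NOW = datetime(2014, 12, 2, 12, 0, tzinfo=timezone.utc)


def parse_report(text):
    """Parse the CSV body of a credential report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    """Credential reports mix ISO 8601 timestamps with placeholder strings."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(rows, now=NOW, max_age_days=90, unused_days=30):
    """Flag every active access key that is older than max_age_days, has never
    been used, or has not been used for unused_days. Safe rotation order is:
    create the second key, deploy it, deactivate the old key, confirm nothing
    broke, then delete the old key. A never-used key is usually step 1 of a
    rotation that was never completed."""
    findings = []
    for row in rows:
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_age_days:
                findings.append({"user": row["user"], "slot": slot,
                                 "issue": "stale", "age_days": age})
            if last_used is None:
                findings.append({"user": row["user"], "slot": slot,
                                 "issue": "never_used", "age_days": age})
            elif (now - last_used).days > unused_days:
                findings.append({"user": row["user"], "slot": slot,
                                 "issue": "unused", "age_days": age})
    return findings


def console_users_without_mfa(rows):
    """Users who can sign in with a password but have no MFA device. The root
    user reports password_enabled as not_supported because it always has one."""
    return [row["user"] for row in rows
            if row["password_enabled"] in ("true", "not_supported")
            and row["mfa_active"] != "true"]


def scoped_s3_policy(bucket, prefix):
    """Minimum-permission policy for one prefix of one bucket. The third
    statement denies any PutObject that does not set server-side encryption,
    so encryption is required wherever this identity can write."""
    objects = f"arn:aws:s3:::{bucket}/{prefix}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOnlyThisPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
            {"Sid": "ObjectsUnderPrefix", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"], "Resource": objects},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject",
             "Resource": objects,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for f in stale_access_keys(rows):
        print(f"{f['user']} key {f['slot']}: {f['issue']} (age {f['age_days']} days)")
    print("console users without MFA:", console_users_without_mfa(rows))
    print(json.dumps(scoped_s3_policy("acme-logs", "team-a"), indent=2))
```

On the constructed report the audit flags build-bot’s slot 1 key as stale (660 days old and still in daily use) and its slot 2 key as never used, which together are the signature of a rotation that created the new key but never switched to it; it also lists the root user and bob as password sign-ins without MFA. Pointing the same functions at a real report only requires replacing `SAMPLE_REPORT` with the decoded CLI output and `NOW` with the current time.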