This tip is a part of the SearchCloudSecurity.com AWS security and Amazon EC2 security tutorial.
A new risk and compliance whitepaper from Amazon Web Services (AWS) spells out what cloud customers should already know: They can’t hand over cloud computing compliance obligations to their provider.
The Amazon Web Services: Risk and Compliance document provides information about Amazon’s IT control environment and the company’s certifications and third-party attestations, such as PCI DSS, ISO 27001 and FISMA. It emphasizes the concept of security and compliance being a shared responsibility between AWS and its customers.
AWS operates and manages the components from the host operating system and virtualization layer down to the physical facilities; the customer’s responsibilities include the guest operating system, other associated application software and configuration of the AWS-supplied security group firewall, according to the paper.
The document also lists cloud computing compliance issues, including SOX and HIPAA, and details how much of the compliance burden falls on the customer. For example, according to AWS, the customer controls most GLBA requirements: “AWS provides means for customers to protect data, manage permissions and build GLBA-compliant applications on AWS infrastructure.”
“They basically are telling you compliance is all up to you regardless of the regulation,” said Joe Granneman, an information security professional with experience in the heavily regulated industries of health care and financial services. “This makes a lot of sense because there is no good way for Amazon to guarantee compliance when it only provides the infrastructure. The customer connects the infrastructure together and builds on top of it, which Amazon cannot guarantee. This document drives home the fact that compliance is still up to the customer and not the IaaS provider.”
Amazon also recently released an updated version of its AWS security document, which describes its physical and operational security processes. The paper also stresses a shared responsibility model.
At the AWS Summit in San Francisco last week, Amazon.com CTO Werner Vogels referred to the security and compliance whitepapers in his keynote and said security is AWS’ top concern. “You can’t be in business if security isn’t your number one priority,” he said.
“We are taking care of the compliance and certification for pieces that are under our control,” he said, adding that compliance requirements go up the stack. “We need to work together,” Vogels told the audience.