The 800-pound gorilla of the Infrastructure as a Service (IaaS) world -- Amazon Web Services (AWS) -- has joined the Cloud Security Alliance’s Security, Trust and Assurance Registry (STAR).
AWS filed its documentation to CSA STAR late last week. Launched by the CSA about a year ago, STAR is an online registry where cloud providers voluntarily submit documentation of their security controls. The registry, which is freely available, has been growing slowly, but with the addition of AWS, it took a big leap forward in its mission to increase cloud provider security transparency and help cloud computing customers make better decisions about the security of their services.
The AWS security STAR entry is a 42-page document (.pdf) on the cloud giant's risk and compliance practices. It includes information on AWS's security certifications (e.g., ISO 27001) and the company's responses to the CSA Consensus Assessments Initiative Questionnaire. The questions cover common security-related concerns for cloud customers, such as data isolation and location.
For example, with regard to its ability to logically segment or encrypt customer data, AWS said it has strong tenant isolation capabilities, but noted that customers retain control and ownership of their data, and that it is their responsibility to encrypt it.
On the data location front, Amazon said in its documentation that customers can designate which AWS physical region their data and servers are located in; the company won't move the data without notifying the customer unless required to comply with a government request. At the same time, Amazon said it won't hesitate to challenge orders from law enforcement if it thinks the orders lack a solid basis.
With the addition of Amazon, STAR now has 12 entries, including three from Microsoft. Verizon's Terremark subsidiary is another new addition, having added documentation in June.
The participation of AWS may be a sign that STAR is turning into the vehicle for peer pressure that CSA leaders had hoped for. One of the CSA's primary goals is to advocate for the security needs of cloud customers and the ongoing need for cloud transparency.