LAS VEGAS -- Amazon Web Services LLC is proud of its commitment to securing its infrastructure and enabling its customers to meet compliance mandates, but a top AWS security and compliance manager says the cloud provider simply can't shoulder the compliance burden without customers doing their part.
Speaking to attendees Thursday at the inaugural AWS re:Invent conference, AWS Director of Risk and Compliance Chad Woolf touted the pledge the Seattle-based cloud infrastructure provider has made to securing its infrastructure and undergoing numerous third-party audits, internal audits and risk assessments to ensure its customers can meet any necessary government or industry mandate.
Woolf said that when he joined AWS about three years ago, the provider didn't have any certifications it could show customers to prove its due diligence, other than a limited SAS 70. Today, it holds Soc 1 and Soc 2, ISO 27001, PCI DSS (Payment Card Industry Data Security Standard) and many other designations that customers inherently recognize as signs of its commitment to a sound cloud security model.
"We have an extremely audited environment and a very secure environment," Woolf said. "In many companies, the compliance drives the security. … At AWS, we do everything the right way. On the back end, we make sure we have everything covered."
Woolf indicated, however, that many AWS customers don't understand that the provider relies on a shared security model, meaning that AWS manages some specific responsibilities related to the underlying security of the environment, but each customer must secure its own platform instances, applications and data.
"I spend 70% of my time explaining, directly with customers, the differences of what we're responsible for and what the customer is responsible for in managing security in the cloud," Woolf said. "AWS is responsible for the physical hardware, the infrastructure, the data centers themselves and the virtualization infrastructure -- the hypervisor. The customers are responsible for everything on top of that."
Woolf shared a story about a merchant customer that built its cardholder data environment on AWS shortly after AWS earned its designation as a PCI-validated service provider. Unfortunately, the customer didn't understand that it needed to undergo the same steps to secure its systems as it would in an on-premises environment, including hardening operating systems, implementing firewall rules and monitoring network traffic.
"They put it out there and it was basically exposed," Woolf said. "The company's QSA [Qualified Security Assessor] came to town and said, 'What are you doing?'"
To help its customers avoid those kinds of mistakes, AWS created documentation that details each of the controls PCI DSS calls for, and whether responsibilities lie with AWS or the customer, Woolf said. "The shared responsibility model is definitely something you should understand really well before building or even evaluating a deployment into AWS," he said.
Attendee Derrick Burton, a Washington D.C.-based IT director for a consulting firm, expressed some skepticism regarding the amount of responsibility AWS is willing to accept for security. He said that his clients put their trust in his firm to support or manage their information security, but in turn his organization has to trust AWS, which, based on its statements, tries to shed as much security responsibility as it can.
"Executives from AWS say, 'We're building this platform for you to sit on, but you're in charge of securing what's in it,'" he said. "That doesn't sound like 'shared responsibility' to me."
Burton credited AWS for its transparency, as well as for helping advance the state of cloud computing to the point where so many companies now use it. Nevertheless, he said he'd like to see AWS change its language a bit and work with its customers' IT and information security teams more actively to ensure they understand how to keep their cloud implantations secure.
Woolf's organization is committed to helping customers meet compliance mandates while using AWS, he said. A bank using AWS recently underwent an audit by federal banking regulators, he added, and as part of that process, he spent a full day meeting with the regulators, talking about the provider's backup and recovery processes and its baseline security policies and procedures and offering a look at the infrastructure. As a result of that experience, he said, his team is in the final stages of creating a new reference document that will help government regulators audit a customer's use of AWS.
Woolf also highly recommended that customers read through the considerable industry guidance on cloud security, particular the National Institute of Standards and Technology's advice on security and privacy in public cloud computing and the Cloud Security Alliance's guidance for critical areas of focus in cloud computing.
"I'm entirely confident that what we do can meet the needs of any customer that's regulated or that has compliance requirements," Woolf said. "Not only have we done this before with many different customers, but also we're continually putting out new reports and new things that will make it easier for customers to do that."