Manage Learn to apply best practices and optimize your operations.

Are dedicated EC2 instances enough for compliance?

A review of Amazon’s new dedicated instances and whether they make the cloud safe for highly regulated companies.

This tip is a part of the AWS security and Amazon EC2 security tutorial

There is a mountain of advice against a company that runs sensitive services requiring some level of regulatory compliance using a cloud-based infrastructure. This stems from the fact that regulations contain requirements that are difficult to address with shared virtual servers.  Sarbanes Oxley, for example, has stipulations for data lineage and data providence. Data lineage -- “where did the data come from?” -- can be difficult to prove in the cloud if multiple tenants occupy the same database instance.  Data providence -- “how is the data checked for accuracy?” -- can also be challenging using a multitenant cloud-based infrastructure.  Regulations like the PCI Data Security Standard raise the stakes even further by requiring physical separation of the network segments and physical servers, which directly violates the multitenant nature of cloud services.

Amazon, recognizing that some of their clients could not move to the cloud for compliance reasons, has come up with what sounds like an ideal solution -- in theory – in which a company can have dedicated, physical instances to maintain a higher level of security and compliance. Digging a little deeper, Amazon’s new dedicated EC2 instances make the grade in some respects, but there’s room for improvement in other areas.

Compliance -- “A”

Amazon has taken compliance seriously, obtaining multiple security certifications for its cloud services.  The SAS 70 Type II report, which is often overvalued with cloud providers, gets comprehensive treatment from Amazon (see “Amazon and SAS70”). In addition, Amazon  achieved the more demanding ISO 27001 certification and PCI DSS Level 1 compliance.  The company even offers an overview of how to achieve HIPAA compliance when running on its platforms.

Businesses that are highly regulated or host highly sensitive information require complete physical isolation for the highest level of security.  Most previous cloud solutions couldn’t accommodate this highly stringent requirement because multiple customers shared the same hardware.  The dedicated server solution offers that last, missing option, which allows even highly regulated busines ses to host servers in the cloud.  Together with all of the accreditations and certifications, Amazon  gets an “A” for their effort in the compliance realm. 

Security -- “A”

Amazon continues to impress with the security technologies it’s implemented.  Network attacks like distributed denial-of-service (DDoS) are difficult against Amazon services due to proprietary mitigation techniques and multi-path routing.  This technology was put to the test back in November 2010 when Wikileaks moved its website to Amazon in order to evade massive DDoS attacks.  Other network defenses include protection against man in the middle (MITM) and IP spoofing attacks.  Amazon servers will not permit the transmission of traffic with a source IP or MAC address other than its own.  So it earns an “A” for network security features that have been validated in the real world.

Availability -- “F”

Amazon has the documentation to suggest it’s taken all of the steps possible to provide reliable service,, offering four  regions where hosted services can run:

1.      U.S. East Region (North Virginia)

2.      U.S. West Region (Northern California)

3.      EU West Region ( Ireland)

4.      APAC Region (Singapore)

However, the dedicated server instance is only available in the U.S. East Region.  This region is divided into four separate zones; however, this may not provide the level of availability necessary, as demonstrated by the massive April 21 failure, which lasted for three days.  Amazon was not able to recover 0.07% of the data in the volumes, leaving customers that did not utilize backup services out of luck. 

Even without this outage, Amazon does not build confidence in the availability of its services,  guaranteeing only 99.95% uptime, which calculates out to just over four hours of outage per year.  Most data centers strive for service levels of at least 99.99%, which is required for mission-critical applications. To make matters worse, Amazon is not on the hook financially if it doesn’t meet its 99.95% guarantee; it will only credit you for 10% of your bill and won’t reimburse any dedicated hosting fees. 

Complexity -- “D”

There is an axiom in information security: “Complexity is the enemy of security.”  This is one of the biggest disadvantages of using Amazon or any other cloud-based hosting solution.  The infrastructure required to support huge numbers of users and massive amounts of storage is inordinately complex. The April 21 outage was caused by a routine capacity upgrade where network traffic was incorrectly routed, which isolated the affected nodes.  This type of outage also can occur in much smaller, less complicated environments, but  is less likely and easier to recover from. 

The promise of cloud infrastructure is to provide dynamic expandability and flexibility while maintaining simple management and fixed operating costs.  Configuring a dedicated server instance on Amazon’s service is not as simple as this promise would suggest.  There is a plethora of options that must be selected, including operating system type, processor and memory utilization, storage amount and bandwidth utilization.  After that is complete, there are options for service monitoring, termination protection and then finally the firewall configuration.  This firewall is securely configured by default, only allowing the minimum of services to communicate to the outside world.  The configuration of this firewall to enable other ports and services is just as complex as any commercial firewall on the market today. 

Amazon offers some amazing technology and flexibility, but falls short in making it accessible for the non-technical customer.  This increases the risk of failure in the infrastructure itself as well as accidental customer security risks caused by complex configuration tools.

Cost -- “D”

Achieving compliance with cloud-based infrastructure can be in direct conflict with the economies of scale that makes cloud solutions financially attractive. These economies of scale exist because each customer runs in a virtual slice of physical infrastructure.  The Amazon service requires dedicated physical hardware, which negates the financial advantage of cloud-based hosting.   The dedicated instances require an up-front fee and a multiyear contract in order to cover the costs of this physical infrastructure. These costs quickly escalate based on usage and become comparable to internal physical hosting.  The complexity mentioned above does allow for any savings in IT administration costs;  IT staff will still be required to open firewall ports and configure hardware.

Overall -- “C”

The Amazon dedicated server instances offer incredible technology features, security controls and accreditations.  These features and specifications would finally allow companies requiring a high level of regulatory compliance to utilize cloud-based infrastructure.  However, they may not be financially competitive with other co-located or internally hosted solutions, and they introduce a high level of complexity and may not provide the availability required for mission-critical applications. 

Organizations should not get overly excited about cloud-based services as a way to solve every IT problem.  These services certainly have their place just like any other tool in the IT toolbox, but  remember they aren’t the only option..  Companies shouldn’t use an expensive, multipurpose wrench like the Amazon dedicated server instances when they simply need a hammer to pound in a nail.

Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services.  He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.

Dig Deeper on Cloud Compliance: Federal Regulations and Industry Regulations

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.