Amazon CTO Counters Skepticism on Cloud Security
Amazon's cloud computing division is planning to "raise the bar" on security, and claims it can provide better security than most enterprises achieve on their own.
Wed, July 28, 2010
Network World — Amazon's cloud computing division is planning to "raise the bar" on security, and provide better security than most enterprises can achieve on their own, says Amazon CTO Werner Vogels.
But some analysts believe Amazon is not transparent enough about its internal security practices, judging by comments after a presentation Vogels made at the Burton Group Catalyst conference in San Diego Wednesday.
Vogels provided an optimistic view of cloud security, saying that cloud networks such as Amazon's already provide better security, and disaster recovery, than most enterprises are capable of. "I believe the cloud is the area where we have to raise the bar for enterprise security," Vogels said.
Amazon has already achieved SAS70 Type II certification for its Elastic Compute Cloud and other cloud services, and is hoping to comply with the ISO 27001 information security standard before the end of the year, Vogels said.
But the Burton Group has previously challenged Amazon to provide more information on its data center security practices, and said that Amazon's cloud should not be used for enterprise applications that require advanced security and availability.Burton Group analyst Drue Reeves repeated some of those concerns on stage at Catalyst, in front of an audience of IT professionals.
"We don't feel like there's enough transparency in Amazon," Reeves said. "We would like to trust you [but need more information]."
Vogels noted that in SAS70 Amazon described processes such as how it destroys disks and erases data, and is working on eventually providing "fully automated policy driven access control." For example, that means customers in the future could allow certain users to start virtual machines, but not stop them, or let certain developers make copies of objects but not manipulate them.
Today, Amazon offers the Virtual Private Cloud service, which lets customers cordon off a piece of the cloud network for its own use, eliminating some of the risks inherent in multi-tenant services. Amazon also has various levels of physical and network security, and data redundancy, Vogels said, without describing them in too much detail.
But he acknowledged that there are various threats from denial-of-service attacks, man-in-the-middle exploits, IP spoofing and the like. Hackers move fast, and aren't burdened by "rigorous software development processes that take years to develop services," Vogels said.
"At Amazon [security] is our priority, No. 1. It has always been, in the retail business as well," he said. But "there is no finish line in security. The world of security is not stable. The bad guys are evolving."