Securing Amazon Web Services

Written by

On September 17, 2013, Quocirca attended the Amazon Web Services (AWS) Enterprise Summit in London. The rate of growth of the vendor’s online infrastructure is remarkable if its own figures are to be believed. Using itself as a yardstick, AWS says it is adding enough new infrastructure a day to support its retail business as it was in 2003, then worth over $5B ( is AWS’s biggest customer).

The event was packed with hundreds of developers and other IT types whose organisations are committed to using AWS’s increasingly broad range of on-demand services at some level. The growing list includes EC2 (compute power), S3 (storage), RDS (database), CloudFront (content delivery). Two recently added ones discussed at the event were RedShift; a data warehousing service, priced at $999 per terabyte per year and Glacier, a backup and archive service priced, at $0.01 per gigabyte per month.

These last two underline why cloud services are becoming so compelling for many business. The economies of scale that cloud service providers can achieve, especially one the size of AWS, can drive down the cost of procuring IT infrastructure so far that the cost of in-house deployments start to look absurd. However, nearly all relevant research reports, including Quocirca’s, show that many are holding back because of the perceived security issues around cloud based services.

AWS is acutely aware of this. There were two keynotes at the London event, one about AWS in general, delivered by Andy Jassy, Senior VP for AWS and the second focused purely on security delivered by Stephen Schmidt, VP Security Engineering and CISO. Schmidt went through many aspects of AWS security including the vigorous data destruction process when hardware is refreshed. He was also careful to point out the shared security model:

  • AWS takes responsibly for securing its facilitates, server infrastructure, network infrastructure, virtualization infrastructure
  • The customer is free to choose its operating environment, how it should be configured and set up its own security groups and access control lists.
This all underlines an important finding in a recent Quocirca research report “The adoption of cloud-based services”, which is freely available HERE. Whilst there are many benefits to be had from making use of cloud services, there is a need to invest in improved levels of security and this is exactly what the most progressive users of cloud computing are doing.
The research identified four main groupings of organisations with regard to their attitude to cloud computing. These ranged from “enthusiasts” who belief they should use cloud services whenever possible (22% of the sample), through to “avoiders” that make little use of them (23%). An analysis of the enthusiasts versus avoiders shows that the latter lack confidence in their ability to secure the use cloud services rather than dismissing them outright as a way to deliver their IT requirements.
To overcome these concerns they need to take a leaf out of the enthusiasts’ book. These organizations are far more likely to have put various security measures in place that better facilitate the use for cloud services. For example, 97% of enthusiasts have an identity and access management (IAM) system in place compared to just 26% of avoiders. Interestingly, this is also more likely than not to be a cloud-based IAM service; cloud feeds on cloud!
The net result of all this is that cloud enthusiasts spend a higher proportion of their overall IT budget on security. This reflects two things, first the need just outlined to invest in security to overcome the concerns about using cloud services, second, the use of cloud services will bring down top line IT costs anyway.
Organizations that have the confidence to make widespread use of cloud services will find their IT costs will drop and their businesses will become more competitive as their IT staff focus on application delivery rather than infrastructure management. The ultimate message, upgrade your security and join the party, with AWS or one of the other growing band of cloud service providers.

What’s hot on Infosecurity Magazine?