Securing Amazon Web Services

On September 17, 2013, Quocirca attended the Amazon Web Services (AWS) Enterprise Summit in London. The rate of growth of the vendor’s online infrastructure is remarkable if its own figures are to be believed. Using itself as a yardstick, AWS says it is adding enough new infrastructure a day to support its Amazon.com retail business as it was in 2003, then worth over $5B (Amazon.com is AWS’s biggest customer).

The event was packed with hundreds of developers and other IT types whose organisations are committed to using AWS’s increasingly broad range of on-demand services at some level. The growing list includes EC2 (compute power), S3 (storage), RDS (database), CloudFront (content delivery). Two recently added ones discussed at the event were RedShift; a data warehousing service, priced at $999 per terabyte per year and Glacier, a backup and archive service priced, at $0.01 per gigabyte per month.

These last two underline why cloud services are becoming so compelling for many business. The economies of scale that cloud service providers can achieve, especially one the size of AWS, can drive down the cost of procuring IT infrastructure so far that the cost of in-house deployments start to look absurd. However, nearly all relevant research reports, including Quocirca’s, show that many are holding back because of the perceived security issues around cloud based services.

AWS is acutely aware of this. There were two keynotes at the London event, one about AWS in general, delivered by Andy Jassy, Senior VP for AWS and the second focused purely on security delivered by Stephen Schmidt, VP Security Engineering and CISO. Schmidt went through many aspects of AWS security including the vigorous data destruction process when hardware is refreshed. He was also careful to point out the shared security model:

AWS takes responsibly for securing its facilitates, server infrastructure, network infrastructure, virtualization infrastructure
The customer is free to choose its operating environment, how it should be configured and set up its own security groups and access control lists.

This all underlines an important finding in a recent Quocirca research report “The adoption of cloud-based services”, which is freely available HERE. Whilst there are many benefits to be had from making use of cloud services, there is a need to invest in improved levels of security and this is exactly what the most progressive users of cloud computing are doing.

The research identified four main groupings of organisations with regard to their attitude to cloud computing. These ranged from “enthusiasts” who belief they should use cloud services whenever possible (22% of the sample), through to “avoiders” that make little use of them (23%). An analysis of the enthusiasts versus avoiders shows that the latter lack confidence in their ability to secure the use cloud services rather than dismissing them outright as a way to deliver their IT requirements.

To overcome these concerns they need to take a leaf out of the enthusiasts’ book. These organizations are far more likely to have put various security measures in place that better facilitate the use for cloud services. For example, 97% of enthusiasts have an identity and access management (IAM) system in place compared to just 26% of avoiders. Interestingly, this is also more likely than not to be a cloud-based IAM service; cloud feeds on cloud!

The net result of all this is that cloud enthusiasts spend a higher proportion of their overall IT budget on security. This reflects two things, first the need just outlined to invest in security to overcome the concerns about using cloud services, second, the use of cloud services will bring down top line IT costs anyway.

Organizations that have the confidence to make widespread use of cloud services will find their IT costs will drop and their businesses will become more competitive as their IT staff focus on application delivery rather than infrastructure management. The ultimate message, upgrade your security and join the party, with AWS or one of the other growing band of cloud service providers.

Securing Amazon Web Services

Bob Tarzey

You may also like

AWS: Security Not a Priority For a Third of SMBs

AWS to Mandate Multi-Factor Authentication from 2024

Cloud Security is the Greatest Area of Concern for Cybersecurity Leaders According to EC-Council’s Certified CISO Hall of Fame Report 2023

Understanding the Shared Responsibility Model, Critical Step to Ensure Cloud Security

Organizations Warned of New Attack Vector in Amazon Web Services

What’s hot on Infosecurity Magazine?

Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

FBI Warns of Massive Toll Services Smishing Scam

Russia and Ukraine Top Inaugural World Cybercrime Index

How to Backup and Restore Database in SQL Server

How to Open and View OST Files Without Outlook

Banning Ransomware Payments Will Do More Harm Than Good

Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Women Experience Exclusion Twice as Often as Men in Cybersecurity

CISA Urges Immediate Credential Reset After Sisense Breach

Windows: New 'BatBadBut' Rust Vulnerability Given Highest Severity Score

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Beyond Passwords: Securing the Digital Age with MFA, 2FA, and Passwordless Authentication

Disinformation Defense: Protecting Businesses from the New Wave of AI-Powered Cyber Threats

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Untangling the Web: Navigating Third-Party Risk in a Hyperconnected World

Bouncing Back: Building Organizational Resilience in the Face of Cyber-Attack

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024

Securing Amazon Web Services

Written by

You may also like

What’s hot on Infosecurity Magazine?