Amazon Agrees: Cloud Customers Must Do Their Part For Security


Dec, 12


During the inaugural Amazon Web Services conference held last week, AWS leadership boasted about the vendor’s security record and its ongoing effort to provide a secure public cloud infrastructure for customers. That said, Chad Woolf, AWS Director of Risk and Compliance, used the event to remind customers that security is a two-way street.

While the vendor has been diligent in earning a widespread set of security compliance certifications (its original security designation of SAS 70 has grown to include SOC 1, SOC 2, ISO 27001, PCI DSS and more), AWS stressed that it uses a “shared” security model, meaning AWS manages some responsibilities, but each customer must secure its own platforms, applications and data. And while the vendor has taken the step of creating education around compliance rules and which responsibilities lie with it or with its customers, many in the channel question whether the position is truly “shared.”

In an online article, TechTarget shared a great quote from an attendee, Derrick Burton, an IT director for a consulting firm: “Executives from AWS say, ‘We’re building this platform for you to sit on, but you’re in charge of securing what’s in it,’” he said. “That doesn’t sound like ‘shared responsibility’ to me.”

I agree. But … I would reiterate what I said yesterday – solution providers need to assume security is their responsibility. From their clients’ environments right up to the minute that data hits the cloud vendor’s infrastructure. Let’s be honest, you don’t expect your Internet providers to encrypt email, so why should you approach cloud any differently?

1 Comment

  1. I’m amazed that people don’t realize that, compared to other big name providers, AWS is a very secure-able platform. Others don’t even have the hooks and controls in place – Basic stuff like no multi-admin console, no 2-factor authentication and no firewall hooks…

    Nevertheless we see many AWS customers that come to us with very very bad security policies, as the people touching these AWS controls have never managed security or because the controls are basic so you can easily “shoot yourself in the leg”.
    That’s why the eco-system around cloud security should step up and help bridge that gap! And it’s happening for our customers leveraging @Dome9 SecOps for AWS 🙂
