Security is a common concern of organizations adopting cloud services and so it was interesting to hear from end users at the AWS Summit in London on November 17th how some organizations have addressed these concerns.
Financial services is a highly regulated industry with a strong focus on information security. At the event Allan Brearley, Head of Transformation Services at Tesco Bank, described the challenges they faced exploiting cloud services to innovate and reduce cost, while ensuring security and compliance. The approach that Tesco Bank took, which is the one recommended in KuppingerCole Advisory Note: Selecting your Cloud Provider, is to identify and engage with the key stakeholders. According to Mr Brearley it is important adopt a culture to satisfy all of the stakeholders’ needs all of the time.
In the UK the government has a cloud first strategy. Government agencies using cloud services must follow the Cloud Security Principles, first issued by UK Communications- Electronics Security Group’s (CESG) in 2014. These describe the need to take a risk based approach to ensure suitability for purpose. Rob Hart of the UK DVSA (Driver & Vehicle Standards Agency), that is responsible for road safety in UK, described the DVSA’s journey to the adoption of AWS cloud services. Mr Hart described that the information being migrated to the cloud was classified according to UK government guidelines as “OFFICIAL”. That is equivalent to commercially sensitive or Personally Identifiable Information. The key to success, according to Mr Hart, was to involve the Information Security Architects from the very beginning. This was helped by these architects being in the same office as the DVSA cloud migration team.
AWS has always been very open that the responsibility for security is shared between AWS and the customer. AWS publish their “Shared Responsibility Model” which distinguishes between the aspects of security that AWS are responsible for, and those for which the customer is responsible.
Over the past months AWS has made several important announcements around the security and compliance aspects of their services. There are too many to cover in here and so I have chosen 3 around compliance and 3 around security. Firstly announcements around compliance include:
- ISO/IEC 27018:2014 – AWS has published a certificate of compliance with this ISO standard which provides a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- UK CESG Cloud Security Principles. In April 2015 AWS published a whitepaper to assist organisations using AWS for United Kingdom (UK) OFFICIAL classified workloads in alignment with CESG Cloud Security Principles.
- Security by Design – In October 2015 AWS published a whitepaper describing a four-phase approach for security and compliance at scale across multiple industries. This points to the resources available to AWS customers to implement security into the AWS environment, and describes how to validate controls are operating.
Several new security services were also announced at AWS re:Invent in October. The functionality provided by these services is not unique however it is tightly integrated with AWS services and infrastructure. Therefore these services provide extra benefits to a customer that is prepared to accept the risk of added lock-in. Three of these include:
- Amazon Inspector – this service, which is in preview, scans applications running on EC2 for a wide range of known vulnerabilities. It includes a knowledge base of rules mapped to common security compliance standards (e.g. PCI DSS) as well as up to date known vulnerabilities.
- AWS WAF Web Application Firewall – this is a Web Application Firewall that can detect suspicious network traffic. It helps to protect web applications from attack by blocking common web exploits like SQL injection and cross-site scripting.
- S2N Open Source implementation of TLS – This is a replacement created by AWS for the commonly used OpenSSL (which contained the “Heartbleed” vulnerability). S2N replaces the 500,000 lines code in OpenSSL with approximately 6,000 lines of audited code. This code has been contributed to Open Source and is available from S2N GitHub Repository.
AWS has taken serious steps to help customers using its cloud services to do so in a secure manner and to assure that they remain compliant with laws and industry regulations. The customer experiences presented at the event confirm that AWS’s claims around security and compliance are supported in real life. KuppingerCole recommends that customers using AWS services should make full use of the security and compliance functions and services provided by AWS.