AWS: Great Security but can you Trust a US Owned Cloud Service?

Cloud computing provides an unparalleled opportunity for new businesses to emerge and for existing businesses to reduce costs and improve the services to their customer. However the revelations of Snowden and the continuing disclosure of state sponsored interception and hacking undermine confidence in cloud service providers. In this environment CSPs need to go the extra mile to prove that their services are trustworthy.

In general there are two kinds of customers that are adopting cloud computing. The first kind is the so called “born on the cloud” customers who are starting new businesses which depend upon IT but without the need to make large capital investments in IT. The second is the organizations that are already using IT in house and are creating new IT applications in the cloud and moving existing ones to the cloud.

These two different kinds of customers have a different sets of risks to manage. For the born on the cloud the biggest risk is whether or not their business will take off, conventional IT security risks are important but not crucial; (although this may prove to be a mistake in the long run.) However, organizations moving to the cloud may have already invested heavily in IT, to ensure information security, for compliance or to protect intellectual property and, for these organizations, cloud security and governance are critical concerns. From the announcements it appears that AWS is now working to attract enterprise customers that are moving to the cloud.

At their event in London on April 28^th, 2014 AWS produced an impressive list of customers that included start-ups, enterprises and public sector organizations. What was new was the list of enterprises that were moving their IT entirely to the cloud; these included an Australian bank and a German hotel chain. To attract and keep these kinds of customer AWS needs to demonstrate the functionality, security and governance of their offering as well as a competitive price.

AWS claims a high level of IT security and governance for their cloud services and these claims are backed by independent certification. AWS security principles and processes are described in a white paper. In June 2013, KuppingerCole published an Executive View on this: Amazon Web Services – Security and Assurance – 70779. There are many existing features which AWS offers that are of particular interest to enterprises and these include:

The ability to use a dedicated network connection from the enterprise to AWS using standard 802.1q VLANs.
A Virtual Private Cloud - a logically isolated section of the AWS Cloud for the enterprise’s AWS resources.
Control of access to the enterprise’s AWS resources based on the enterprise Active Directory using Active Directory Federation Services (ADFS)
Data encryption using Amazon Cloud HSM – which allows the enterprise to retain control over the encryption keys.
Control of the geography in which the enterprise data is held and processed.

Since then AWS have added AWS CloudTrail. This is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.

An organization adopting the cloud needs to balance the risks against the rewards. Information security and compliance are the main risks that are holding enterprises back from cloud adoption. AWS claims a high level of security and these claims are backed by independent audits – however there is still the problem of trust. The revelations by Snowden of the extent to which the NSA was intercepting communications has made many organizations wary of US based cloud services. The US government unwillingness to permit organizations to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders added to these concerns. (However – in January 2014 the Obama administration reached a deal, allowing the disclosure of more information on the customer data companies are compelled to share with the US government, albeit with some delay)

The extent to which nation states are eavesdropping on or hacking into commercial enterprises (US justice department charges Chinese with hacking) has added to this concern.

While this may seem unfair on AWS, many European enterprises are choosing not to put business critical application or confidential data into US managed cloud services. To address these concerns will be difficult. AWS CTO Werner Vogels was recently featured in an article in the Guardian newspaper. In this article he writes “Another core value is putting data protection, ownership, and control, in the hands of cloud users. It is essential that customers own and control their data at all times.”KuppingerCole agrees with this sentiment but cloud service providers will need to go the extra mile to prove that their services, their employees and their infrastructure cannot be suborned by national interests or national agencies.