This was a big year for Amazon Web Services. If you were not following the industry news, many retailers and eCommerce giants migrated major projects to Amazon Web Services (AWS), including Nordstrom, Instacart, Time Inc., and Ticketmaster. In a risk-averse industry that tends to follow rather than lead, this is yet another indication of AWS’ market domination.
But how are these companies meeting security challenges on AWS? Is the cloud really secure enough for consumer data?
Security in AWS
As an IT leader, it is your responsibility to conduct a thorough risk assessment of AWS. But before you do, understand that it is crucial to differentiate between the security of the cloud, and security in the cloud.
The security of the cloud, a.k.a. the security of the physical and staff resources of AWS, is usually the biggest worry. Here are some resources to help you gauge AWS’ commitment to security:
- AWS Security Whitepaper – AWS’ canonical whitepaper on its security practices. Continually updated to address the security specifications for every AWS service.
- Independent security audits of AWS – AWS provides certification reports that describe how AWS infrastructure meets international security standards, including:
  - ISO 27001 – a widely recognized international security management standard
  - SOC – third-party examination reports on AWS security and availability controls
  - FedRAMP – the security standard for the federal government
- Case studies on AWS security: Financial Industry Regulatory Authority (FINRA), Pfizer, Pacific Life Insurance
Every IT person you talk to will have a different opinion of security on AWS. It is important to trust independent audits over individual opinions, which often reflect concerns about individual SaaS or PaaS products and are not founded on experience with AWS itself.
Security in the cloud refers to the security of systems built on top of AWS. While AWS provides a simplified system for administrators to both implement and audit standard security measures, it by no means replaces these traditional measures nor promises the security of your systems. Just as in a traditional data center or private cloud, the security of your system is your responsibility.
Some important points to reinforce:
- AWS is not responsible for the security of any system built in AWS, see AWS Shared Responsibility Model
- However, AWS has provided many tools to facilitate the enforcement of security best practices, including audit tools, compliance “checkers” and more, see AWS Security Tools
- Many of the tools you already use to protect your environment — like WAFs, network setup, central authentication, etc. — can be applied to AWS.
- AWS regularly publishes security best practice documentation based on customer experience, see all Security Documentation
Security in the cloud shares many of the same features with network and application-level security in a traditional environment, though many organizations enlist outside help in translating traditional protections to AWS.
Is AWS eCommerce “More Secure” than Your Datacenter?
Whenever a CIO or CTO claims that AWS is more secure than their datacenter, as GE did last year, what they usually mean is that the security tools that AWS provides enable greater transparency and reinforcement of traditional security measures.
In other words, datacenters are secure, but migrating applications to AWS led these organizations to tighten security controls and reinforce those controls with automation. Automation is possible in bare-metal hosting, though it is not nearly as simple. Organizations of every size can take advantage of the power of security automation.
As an example, rather than relying on an engineer to build your network structure every time you want to expand capacity, your engineer can build a template of your organization’s “best practice” network configuration that gets replicated and improved again and again, usually in an AWS tool called CloudFormation. Automating instance and network configuration significantly reduces the opportunity for engineers to make security mistakes; engineers do not have to manually configure security groups, networks, user access, firewalls, encrypted volumes, DNS names, log shipping, etc. They do not have to “remember” best practices every time they spin up a new instance, which is arguably the most vulnerable time in an instance’s life.
Not incidentally, these automation features are why AWS was created in the first place. Amazon did not just require endless compute power, they wanted a layer of abstraction between their developers and their systems that enabled them to test and ship new features more quickly. Underneath the covers, automation and templatization are what has allowed Amazon to become the eCommerce giant they are today.
What About PCI Compliance?
AWS is PCI Level 1 Compliant, meaning that the underlying physical infrastructure has been audited and approved by an authorized independent Qualified Security Assessor. In fact, AWS was the first cloud platform to earn PCI DSS Level 1 compliance. This covers the compliance “of the cloud.” What about compliance “in the cloud”?
Every retailer that processes credit card payments must be PCI certified. AWS’ certification provides an immediate benefit to retailers by taking care of the compliance of the infrastructure, but retailers must prove that people and processes are also compliant. Numerous organizations have received PCI certification on the AWS platform, and many claim that certification is significantly less costly and time-consuming on AWS than in their own datacenter.
To help ensure best practices are covered, many retailers work with a partner with AWS Commerce Competency, experienced in translating PCI compliance guidelines to AWS, which include security items such as:
- Central authentication in AWS IAM and AD
- Encryption of volumes
- Naming conventions and organization of Security Groups
- Monitoring and logging with AWS CloudTrail, CloudWatch, etc.
- Failure/recovery testing
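The CloudFormation paragraph above argues that templating removes the chance for engineers to forget security groups and encrypted volumes, and the PCI list names the same two items. The following added example (not code from the original post or from AWS) is a small pre-deployment checker that scans a constructed CloudFormation template for the two mistakes most often made by hand: a security group open to the world on a non-web port, and an EBS volume created without encryption. The template, the resource names and the allowed-port set are assumptions for illustration.

```python
# Constructed sample CloudFormation template (JSON form), not a real customer template.
# It contains one deliberate mistake of each kind the checker looks for.
SAMPLE_TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "DataVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"},
        },
        "LogVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a", "Encrypted": True},
        },
    }
}

# Assumed policy: only these ports may be open to the whole internet on a public web tier.
PUBLIC_OK_PORTS = {80, 443}

def check_template(template):
    """Return a list of (logical_id, finding) tuples for the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ("0.0.0.0/0", "::/0"):
                    continue  # rule is scoped to a specific network; not a world-open rule
                lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
                # A world-open rule passes only if every port in its range is an allowed web port;
                # a missing port or the all-traffic value -1 fails.
                if lo == -1 or not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS:
                    findings.append((name, f"ingress {lo}-{hi} open to {cidr}"))
        elif res.get("Type") == "AWS::EC2::Volume" and not props.get("Encrypted", False):
            findings.append((name, "EBS volume is not encrypted"))
    return findings

if __name__ == "__main__":
    for logical_id, msg in check_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {msg}")
```

Running the checker as a CI step before `aws cloudformation deploy` turns the “remember best practices” burden the paragraph describes into an automated gate.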
Expose Your Engineers to AWS, Early and Often
No matter where you host your eCommerce workloads, it will likely be your staff that exposes you to security threats, not AWS. (95% of security attacks are the result of human error, according to Gartner.) That is why the most important advice to follow is to expose your staff to AWS early and often, and give them unlimited access to expert PCI and security help.
Enterprises usually accomplish this by running a POC project on AWS using a Managed Service Partner. Running a POC project trains your internal development staff on AWS integration within defined parameters. Using a Managed Service Partner with Commerce Competency that clearly defines PCI responsibilities will reduce the security and compliance risk of your engineering staff. If the MSP is experienced in PCI, they should have controls to ensure that mistakes are automatically corrected — a crucial set of tools for any new AWS team.
If your organization is still skeptical about security in AWS, a POC project is the fastest way to convince business and IT leaders alike. In the end, there are secure AWS environments and insecure AWS environments; it is the team that controls your AWS environment that makes the difference.