The challenges of securing Amazon Web Services
Amazon Web Services is the world's most popular infrastructure as a service (IaaS) platform and is built to suit enterprises of all sizes looking to reduce their computing costs by shifting to the cloud.
One of the key considerations in such a move is keeping data secure, and AWS has various free and chargeable mechanisms to help with this. A new report from NSS Labs looks at the advantages of AWS as well as some of the challenges organizations face when moving to an IaaS environment.
Among the report's findings is that Amazon is gaining popularity thanks to offering key baseline security attributes and controls, as well as the availability of security options from Amazon and other vendors.
Report author Rob Ayoub writes, "The deployment of IaaS is straightforward -- customers purchase access to virtual machines directly in the cloud. However, this simple act opens up a host of opportunities for outsourcing, allowing organizations the ability to practice true utility computing -- adding or subtracting servers, storage, and other services on demand".
AWS offers basic security controls including a firewall, groups and virtual private cloud infrastructures, but doesn’t yet offer a full suite of security tools. However, NSS notes that many end users don't fully understand the security implications of moving their operations to an IaaS provider and may not be implementing secure practices.
It also says that it isn't enough for organizations to simply port applications and data to the cloud and assume that compliance will be addressed.
Recommendations for companies moving to AWS include assessing the security controls offered by AWS and evaluating the additional controls available from third-party technology partners. This will ensure that security policies will remain consistent as data is shifted to the cloud.
It's also important to evaluate and understand the gaps in security between on-premise systems and IaaS. Enterprises should incorporate AWS implementations into the life cycle management process used for other systems.
Companies need to have procedures in place to ensure end users aren’t creating AWS instances without IT approval. Finally, they need to ensure any regulated data moved to AWS is still in line with compliance policies.
If you're considering the use of AWS for your business, or you're using it already, you can access the full report on the NSS Labs website.