+ All Categories
Home > Documents > AWS Cloud Security - Bitpipedocs.media.bitpipe.com/io_11x/io_118192/item_987399...aWS cloud Security...

AWS Cloud Security - Bitpipedocs.media.bitpipe.com/io_11x/io_118192/item_987399...aWS cloud Security...

Date post: 13-Mar-2020
Category:
Upload: others
View: 16 times
Download: 0 times
Share this document with a friend
18
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com AWS Cloud Security by Ed Ferrara, February 5, 2014 | Updated: February 21, 2014 For: Security & Risk Professionals KEY TAKEAWAYS AWS Is Serious About Information Security ere has been too much hype about cloud security being different and inherently insecure. Cloud security is no different from other solutions we deploy. Security pros should apply the same security standards to cloud workloads applied to on-premises workloads. In The AWS World, Security Is A Shared Responsibility AWS is not going to secure your applications or soſtware infrastructure for you. AWS’ responsibility stops at the abstraction point between its services and the applications you deploy. It’s up to security and risk pros to engineer the correct security atop AWS. AWS provides key security building blocks, but it’s still your responsibility. AWS Demonstrates Strong Cloud Security Processes And Controls AWS has a very comprehensive security program for its platform. AWS has foundational security controls for its services that enable customers to build secure applications. Where AWS does not have a solution, third parties are working to provide security technology as SaaS and virtual appliances for the AWS environment.
Transcript

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA

Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com

AWS Cloud Securityby Ed Ferrara, February 5, 2014 | Updated: February 21, 2014

For: Security & Risk Professionals

Key TaKeaways

aws Is serious about Information securityThere has been too much hype about cloud security being different and inherently insecure. Cloud security is no different from other solutions we deploy. Security pros should apply the same security standards to cloud workloads applied to on-premises workloads.

In The aws world, security Is a shared ResponsibilityAWS is not going to secure your applications or software infrastructure for you. AWS’ responsibility stops at the abstraction point between its services and the applications you deploy. It’s up to security and risk pros to engineer the correct security atop AWS. AWS provides key security building blocks, but it’s still your responsibility.

aws Demonstrates strong Cloud security Processes and ControlsAWS has a very comprehensive security program for its platform. AWS has foundational security controls for its services that enable customers to build secure applications. Where AWS does not have a solution, third parties are working to provide security technology as SaaS and virtual appliances for the AWS environment.

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.

For Security & riSk ProFeSSionalS

why ReaD ThIs RePoRT

Security to and from the cloud is a hot topic. The notion that cloud technologies should not be used by large enterprises due to security concerns is rapidly fading. Security still ranks as the No. 1 impediment to full-scale cloud adoption, but cloud service providers (CSPs) are quickly responding to these concerns. Amazon Web Services (AWS), for example, provides a significant number of security services to clients through a model of shared responsibility. Using AWS companies can build infrastructures as secure as, and possibly more secure than, those they can build on-premises. The move to cloud will force security and risk pros to consider the options they have for securing cloud workloads. Companies like Amazon that provide necessary security services will fast become leaders in the cloud platform space. This report is a first look at the types of security controls available from AWS. Security and risk pros should use this document as a primer on the security services available from AWS and to compare those with the security services offered by competitive cloud providers.

table of contents

s&R Pros Need To Understand Cloud services and security Controls

Like any Provider, Get To Know The Basics of aws offerings First

For aws, security Is an Uneven handshake

The aws environment adheres To Industry Best security Practices

aws Core Compute and storage offers security extensions

WHat it MeanS

security and Risk Pros should Not Fear aws or The Cloud

supplemental Material

notes & resources

Forrester spoke extensively with aWS technology leadership on the extent of their security capabilities for the purposes of this research.

related research Documents

Predictions For 2014: cloud computingDecember 4, 2013

Security’s cloud revolution is upon usaugust 2, 2013

Make the cloud enterprise readyJune 1, 2012

aws Cloud securityaWS takes important Steps For Securing cloud Workloadsby ed Ferrarawith christopher Mcclean, James Staten, andras cser, Heidi Shey, and thayer Frechette

2

2

3

8

11

14

14

February 5, 2014 uPDateD: February 21, 2014

For Security & riSk ProFeSSionalS

aWS cloud Security 2

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

s&R PRos NeeD To UNDeRsTaND CLoUD seRvICes aND seCURITy CoNTRoLs

There has been a lot of discussion about whether cloud vendors provide sufficient data and network security with their service offerings. This was a tough question to answer because the cloud service providers (CSPs) were not always willing to publish their security controls, giving rise to suspicion that security controls were lax or missing.1 A lot has changed, however; the best CSPs, such as AWS, are going to great lengths and expense to secure their environments and to educate customers and prospects about the security controls they have in place.

To operate smoothly with cloud providers, security and risk pros will need to understand the basics of these firms’ architecture and how they allocate compute, network, and storage resources. Even if your organization has lagged behind cloud adoption, it’s worth investing the time and energy now to become experts on cloud environments and what’s needed to secure them — it’s just a matter of time before it becomes relevant, either in your current or future role.

Case in point: The CIO of a large human resources company tasked his security team to take point on the company’s cloud deployment efforts — to become the in-house experts on all things cloud. As such, members of the security team are now seen as key partners in the adoption of cloud and champions for its ongoing use. This approach turned security from the department of “No” to the department of “Heck yeah.”

LIKe aNy PRovIDeR, GeT To KNow The BasICs oF aws oFFeRINGs FIRsT

AWS is an infrastructure provider, and when deploying workloads to AWS, apply the same rules that you would for any other colocation or third-party hosting project. Some cloud providers are further along than others when it comes to security, but a detailed look at AWS’ approach will help guide the way you engage other providers.

aws Uses a Tiered approach To support Its Customers

AWS data centers located in North America, Europe, Latin America, and Asia compose Tier one of the AWS infrastructure. Each geographic region has one to five availability zones. AWS availability zones (AZs) make up the second tier of the AWS infrastructure. Each AZ is made up of one or more data centers. These are physically located in separate buildings, on separate power grids, in separate environmental disaster zones, with distinct network access points and separate electrical generator support. AWS uses edge zones for local content delivery (see Figure 1).2 When planning a deployment with AWS, make certain you understand the connectivity that exists between the different AWS infrastructure locations. Network latency will be an important consideration for AWS deployments.3

For Security & riSk ProFeSSionalS

aWS cloud Security 3

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

aws Provides Infrastructure Plus a wide set of IT services

AWS provides a significant number of application and infrastructure tools, but using AWS services is like eating at an à la carte restaurant. Every item on the menu is individually priced, and not all items on the menu are available in all regions (see Figure 2).4

FoR aws, seCURITy Is aN UNeveN haNDshaKe

The AWS philosophy sees security as a shared responsibility, or what Forrester terms “an uneven handshake” (see Figure 3).5 However, with improved transparency, the handshake is evening out quite a bit. With this approach, AWS provides the building blocks for a complete infrastructure but shares responsibility for securing this infrastructure with customers.

AWS’ portion of the uneven handshake lies below the point of abstraction its services expose for direct customer control. For example, in EC2, AWS presents customers with a virtual server and takes responsibility for the operation and control of the hypervisor, its host operating system, and the physical security of the facilities in which this service operates. Customers assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall. AWS security responsibilities vary depending on the AWS service but always follow this same rule — whatever the customer can control is their responsibility; whatever they can’t control, AWS owns.

To secure the applications they deploy into AWS EC2 VMs, customers can leverage other AWS services such as those listed above or you can provide your own solutions, such as host-based firewalls, intrusion detection/prevention, and encryption solutions. Many of these can also be pulled out of AWS’ library of Amazon Machine Images, which are commercial and open source solutions that have been packaged for quick deployment to EC2.6

For Security & riSk ProFeSSionalS

aWS cloud Security 4

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Figure 1 AWS Global Region/Zone/Edge Location

Source: Forrester Research, Inc.110341

Region/Availability zone Edge locations

Region/Availability zone Edge locations

Region/Availability zone Edge locations

Region/Availability zone Edge locations

• US East (NorthernVirginia) region• EC2 availability

zones: 5*• US West (Northern

California) region• EC2 availability

zones: 3*• US West (Oregon)

region• EC2 availability

zones: 3• AWS GovCloud

(US) region• EC2 availability

zones: 2

Atlanta, Ga.Ashburn, Va. (3)Dallas/Fort Worth (2)Hayward, Calif.Jacksonville, Fla.Los Angeles (2)MiamiNew York (3)Newark, N.J.Palo Alto, Calif.San Jose, Calif.Seattle, Wash.South Bend, Ind.St. Louis, Mo.

• EU (Ireland) region• EC2 availability

zones: 3

Amsterdam (2)DublinFrankfurt, Germany (3)London (3)MadridMarseilles, FranceMilan, ItalyParis (2)StockholmWarsaw

• São Paulo region• EC2 availability

zones: 2

Rio de JaneiroSão Paulo, Brazil

• Asia Paci�c(Singapore) region• EC2 availability

zones: 2• Asia Paci�c (Tokyo)

region• EC2 availability

zones: 3• Asia Paci�c (Sydney)

region• EC2 availability

zones: 2

Chennai, IndiaHong Kong (2)Mumbai, IndiaOsaka, JapanSeoulSingapore (2)Sydney, AustraliaTaipei, TaiwanTokyo (2)

For Security & riSk ProFeSSionalS

aWS cloud Security 5

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Figure 2 AWS Data Center Services With Security Implications

Source: Forrester Research, Inc.110341

CloudFormation. CloudFormation is aninfrastructure deployment tool that providesinfrastructure template creation.10

CloudWatch. CloudWatch provides operationaland performance metrics for AWS cloud resourcesand applications.12

CloudTrail. CloudTrail provides the ability to trackAPI execution.11

Deployment, management, and monitoring

DynamoDB. DynamoDB is a NoSQL data storeservice capable of data distribution across AWSregions and zones.6

ElastiCache. ElastiCache provides applicationperformance improvement by caching information inmemory.7

Relational Database Service (RDS). RDSprovides a SQL database with automatedadministration.8

Redshift. Redshift is a petabyte scale datawarehouse service that stores information in clustersbuilt on a set of computer nodes.9

Database

Compute and networking

CloudHSM. CloudHSM offers dedicatedhardware devices to provide higher levels ofencryption management within the AWS cloud.Customers can securely generate, store, andmanage the cryptographic keys used for dataencryption. Customers provide CloudHSM inside anAWS VPC using customer-de�ned IP addresses.1

Direct Connect. AWS’ Direct Connect serviceprovides private connectivity from an on-premisesor colocated site and AWS. AWS Direct Connectcreates a dedicated VLAN connection of 1 Gb or10 Gb per second.2

Elastic Compute Cloud (EC2). EC2 provides theability to �exibly deploy a variety of server typescalled instances. EC2 also provides precon�gured open source, and licensed Amazon Machine Images(AMIs) include operating systems, securityapplications and appliances, application servers,databases, and application stacks to speedinfrastructure deployment.3

Route 53. AWS’ Route 53 is comprehensive domainsolution that allows the customer to use the serviceas the �rm’s primary DNS, as the DNS forsubdomain(s), or alias resources pointing to AWSservices such as Amazon S3 storage buckets,CloudFront content sites, and Elastic LoadBalancing.4

Amazon Virtual Private Cloud (VPC). VPCprovides “traditional” network services similar towhat would be deployed in an on-premises-based data center.5

Storage and content delivery

CloudFront. The CloudFront leverages the AWSedge locations to provide local delivery of content.15

Glacier. Amazon Glacier provides secure anddurable storage for data archiving and backup.16

Simple Storage Service (S3). S3 provides theability to store any amount of data.17

Storage Gateway. Storage Gateway useson-premises software appliances to connecton-premises IT environments and the Amazon WebServices (AWS) storage infrastructure.18

Identity and Access Management (IAM). Theservice controls access to all AWS services andresources, supporting password, key pairs, andX.509 certi�cates.13

Multi-Factor Authentication (MFA). Multi-FactorAuthentication (MFA) is an additional layer of securityfor accessing AWS services, supporting the use ofboth hardware tokens and virtual MFA devices.14

Identity and access management

For Security & riSk ProFeSSionalS

aWS cloud Security 6

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Figure 2 AWS Data Center Services With Security Implications (Cont.)

Source: Forrester Research, Inc.110341

1Source: AWS CloudHSM Getting Started Guide(http://awsdocs.s3.amazonaws.com/cloudhsm/latest/hsm-gsg.pdf).

2Source: AWS Direct Connect User Guide(http://awsdocs.s3.amazonaws.com/directconnect/latest/dc-ug.pdf).

3The service also supports an AWS DNS extension called alias resource records. When Route 53 receivesa DNS query that matches the name and type in an alias resource record set, Route 53 follows thepointer and resolves the address to AWS’ region, zone, availability edge addressing scheme.Source: Amazon Elastic Compute Cloud(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).

4Source: Amazon Route 53 Developer Guide(http://awsdocs.s3.amazonaws.com/Route53/latest/route53-dg.pdf).

5Source: Amazon Virtual Private Cloud Getting Started Guide(http://awsdocs.s3.amazonaws.com/VPC/latest/vpc-gsg.pdf).

6Source: Amazon DynamoDB Developer Guide(http://awsdocs.s3.amazonaws.com/dynamodb/latest/dynamodb-dg.pdf).

7Source: Amazon ElastiCache User Guide(http://awsdocs.s3.amazonaws.com/ElastiCache/latest/elasticache-ug.pdf).

8Source: Amazon Relational Database Service User Guide(http://awsdocs.s3.amazonaws.com/RDS/latest/rds-ug.pdf).

9Source: Amazon Redshift Getting Started Guide(http://s3.amazonaws.com/awsdocs/redshift/latest/redshift-gsg.pdf).

10Source: AWS CloudFormation User Guide(http://awsdocs.s3.amazonaws.com/AWSCloudFormation/latest/cfn-ug.pdf).

11Source: AWS CloudTrail User Guide(http://awsdocs.s3.amazonaws.com/awscloudtrail/latest/awscloudtrail-ug.pdf).

12Source: Amazon CloudWatch Developer Guide(http://awsdocs.s3.amazonaws.com/AmazonCloudWatch/latest/acw-dg.pdf).

13Source: AWS Identity And Access Management Using IAM(http://awsdocs.s3.amazonaws.com/IAM/latest/iam-ug.pdf).

14Source: “Amazon Web Services: Overview of Security Processes,” Amazon Web Services, November2013 (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf).

15Source: Amazon CloudFront Developer Guide (http://s3.amazonaws.com/awsdocs/CF/latest/cf_dg.pdf).16Source: Amazon Glacier Developer Guide(http://awsdocs.s3.amazonaws.com/glacier/latest/glacier-dg.pdf).

17Source: Amazon Simple Storage Service Getting Started Guide(http://s3.amazonaws.com/awsdocs/S3/latest/s3-gsg.pdf).

18Source: AWS Storage Gateway User Guide(http://s3.amazonaws.com/awsdocs/storagegateway/latest/storagegateway-ug.pdf).

For Security & riSk ProFeSSionalS

aWS cloud Security 7

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Figure 3 An Uneven Handshake

Source: Forrester Research, Inc.110341

Vendorresponsibilities

Facilities management

Basic monitoring

Physical support infrastructure(facilities, rack space, power, etc.)

Abstract infrastructure services(hypervisor, virtual �rewall, etc.)

Physical infrastructure securityand availability

Your application

Enterprise integration

Architectural views (e.g., scalability, availability,recovery, data quality, and security)

Governance (who has authority/responsibility tomake changes and how)

Life-cycle management (birth, growth, failure,and recovery)

Network of metadata (categories, capabilities,con�gurations, and dependencies)

Testing, monitoring, diagnosis, and veri�cation

Sharedresponsibilities

Elementmanagement

Businessresponsibilities

For Security & riSk ProFeSSionalS

aWS cloud Security 8

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

The aws eNvIRoNMeNT aDheRes To INDUsTRy BesT seCURITy PRaCTICes

For its portion of the uneven handshake, AWS has implemented and documented a significant number of security capabilities in support of its various services. Many of AWS’ processes and controls map to industry compliance standards, and where available, AWS has earned certifications and independent third-party attestations, including certificates and other compliance documentation. There are several tangible results of these efforts:

■ Broadly implemented security control frameworks. The AWS control environment uses an information security control framework based on COBIT. It also incorporates ISO 27001/2, the AICPA Trust Services Principles, PCI-DSS v2.0, NIST 800-53, and other security standards and certifications (see Figure 4).

■ Physical and environmental security. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Staff must pass two-factor authentication a minimum of two times to access data center floors. AWS revokes access when an employee or contractor no longer has a need for these privileges. All physical access to data centers by AWS employees is logged and audited routinely.

■ Global business continuity and availability plans. AWS clusters its data centers in various global regions, meaning all data centers are online and serving customers, and no data center is

“cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

■ Emergency planning and incident response. AWS has a global incident management and response team. This team employs industry-standard diagnostic procedures, and staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.

For Security & riSk ProFeSSionalS

aWS cloud Security 9

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Figure 4 United Sates Government And Global Security Standards

Source: Forrester Research, Inc.110341

FedRAMP. AWS is a Federal Risk and Authorization Management Program (FedRAMP) compliant cloud service provider. AWS completed testing performed by a FedRAMP‐accredited Third Party AssessmentOrganization (3PAO) and holds two Agency Authority to Operate (ATO) declarations sanctioned by the US Department of Health and Human Services (HHS). AWS quali�ed by demonstrating compliance with FedRAMP requirements at the Moderate impact level. This allows all US government agencies to consider deployment of workloads to Amazon’s “GovCloud.”

The Federal Information Processing Standard (FIPS) Publication 140-2. FIPS 140-2 is a USgovernment security standard that speci�es the security requirements for cryptographic modulesprotecting sensitive information. Amazon Virtual Private Cloud (VPC) VPN endpoints and SSL‐terminatingload balancers support customers with FIPS 140‐2 requirements. GovCloud (US) operates using FIPS140‐2 validated hardware. AWS will work closely with AWS GovCloud (US) customers to provide thenecessary information to help manage compliance with this requirement when using the AWS GovCloud(US) environment.

FISMA and DIACAP. Independent assessors evaluated the AWS infrastructure for a variety of governmentsystems as part of their system owners’ approval process. Federal Civilian and Department of Defense(DoD) organizations have successfully achieved security authorizations for systems hosted on AWS inaccordance with the Risk Management Framework (RMF) process de�ned in NIST 800‐37 and DoDInformation Assurance Certi�cation and Accreditation Process (DIACAP).

HIPAA. Amazon provides the ability for customers subject to the US Health Insurance Portability andAccountability Act (HIPAA) to use the AWS environment to process and store protected health information.AWS will sign business associate agreements with these customers.

ISO 27001. AWS is ISO 27001 certi�ed. AWS is ISO 27001 certi�ed. The certi�ed Information Security Management System (ISMS) covers the primary services and the infrastructure and data centers worldwide.AWS has established a formal program to maintain the certi�cation. AWS provides additional information and frequently asked questions about its ISO 27001 certi�cation on its website.

ITAR. AWS GovCloud supports US International Traf�c in Arms Regulations (ITAR) compliancerequirements, which require that companies control unintended exports of protected data and restrict thephysical location of that data to locations in the United States.*

PCI DSS Level 1. AWS is Level 1 compliant under the Payment Card Industry (PCI) Data SecurityStandard (DSS). AWS customers can run applications on PCI-Compliant infrastructure. AWS alsoincorporates new PCI DSS cloud computing guidelines into an AWS PCI compliance package. The AWSPCI Compliance Package includes the AWS PCI Attestation of Compliance (AoC), which shows that AWShas been successfully validated against standards applicable to a Level 1 service provider under PCI DSSVersion 2.0, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities areshared between AWS and the company’s customers. AWS provides additional information and frequently asked questions about its ISO 27001 certi�cations on its website.

Cloud Security Alliance (CSA). AWS documents its security controls using the Cloud Security Alliance(CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The questionnaire provides a set of over 140questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

*The ITAR regulation covers a speci�c class of information that is defense- or military-related or commercialinformation that could have military applications, and this includes hardware and software. Source:“Subchapter M — International Traf�c In Arms Regulations,” US Department of State: The Directorateof Defense Trade Controls (DDTC)(http://www.pmddtc.state.gov/regulations_laws/documents/of�cial_itar/2013/ITAR_Part_120.pdf).

For Security & riSk ProFeSSionalS

aWS cloud Security 10

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

aws has strong Technical security Fundamentals

AWS’ networks provide customers the ability to design application and infrastructure workloads with different levels of security and resiliency. Dedicated AWS staff continuously monitors these networks for both security and operational issues. AWS also provides:

■ Access control list (ACL) and security group capabilities. AWS provides ACLs to let customers control inbound and outbound access for any network instance they manage. This capability is native to the AWS architecture and may be offered in addition to any access controls the customer engineers in its own infrastructure.

■ Continuous monitoring of network security devices and controls. AWS has monitored firewalls deployed across its infrastructure, and the company uses a relatively small number of strategically placed access points (APIs) for comprehensive network access monitoring. APIs provide HTTPS communication sessions with customer storage or compute instances.

■ The ability for customers to scan their cloud infrastructure. Customers can request to perform vulnerability scans of their own cloud infrastructure within the assigned IP address range. Amazon provides an online form, which customers can fill out to kick off the formal scan request process.

■ Customer-specific IP ranges. All compute instances are located in a virtual private cloud (VPC) with a specified IP range. Customers decide which instances are exposed to the Internet and which remain private. All are private by default.

■ Network segregation and segmentation. AWS operates three separate networks — the AWS customer network, the Amazon EC2 control plane network, and the Amazon.com corporate network used by AWS and non-AWS employees. Each of these networks is segregated from the others using a complex set of network security/segregation devices. Access is tightly controlled; AWS employees must explicitly request access to the AWS service owner before they can access the production network. AWS staff connects to the production network via bastion hosts that restrict access to AWS cloud components.7

■ Regularly scheduled vulnerability assessments. AWS regularly scans all AWS-operated Internet-facing endpoint IP addresses for vulnerabilities. Independent auditors perform external vulnerability/threat assessments as well.8

■ Service Organization Control Reports (SOC). AWS has gone through the SOC audit and attestation process with its auditor, and AWS provides the SOC 3 report publicly and SOC 1 and SOC 2 reports under nondisclosure consistent with the nature of the information held in these documents.9

For Security & riSk ProFeSSionalS

aWS cloud Security 11

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

aws CoRe CoMPUTe aND sToRaGe oFFeRs seCURITy eXTeNsIoNs

The overall impression is that AWS designed the AWS architecture to be secure against attacks and resilient against failure. This is especially true for the Amazon EC2 compute offering and the company’s storage and database services. In addition to the industry best practices and broad technical controls, some AWS core services offer security extensions as options. Depending on your organization’s business needs, these additional services may be an important part of the package.

AWS provides a number of additional security controls you can leverage as part of the EC2 service:

■ Dedicated instances. AWS offers specialized EC2 instances that are physically isolated on their own server. This means that the servers offering these instances are not shared by or accessible by other AWS customers. They do not, however, have dedicated network or storage offerings — those remain multitenant services.

■ Multiple levels of security. The EC2 service provides multiple levels of security, including the host platform operating system (OS), the virtual instance OS, the firewall, and signed API calls used to access computing resources. Each security level builds on the capabilities of the others, protecting data contained within Amazon EC2 from theft or tampering by unauthorized systems or users.

■ Hypervisor security. EC2 uses a highly customized version of the open source Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guest operating systems rely on the hypervisor to support operations that normally require privileged access, the guest OS has no elevated access to the CPU. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.

■ Instance isolation. Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to it than any other host on the Internet; you can treat them as if they are on separate physical hosts. Physical RAM in these systems is virtually separated using similar mechanisms.

■ Customer control over guest operating systems. AWS does not have any access rights to customers’ Amazon Machine Images (AMIs). Instead, AWS recommends a base set of security best practices when operating AMIs, which are consistent with industry best practices for operating system hardening. AWS provides these recommendations for both Windows and Linux systems, the two server platforms supported by AWS.

For Security & riSk ProFeSSionalS

aWS cloud Security 12

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

■ Mandatory firewalls for all AWS instances. AWS requires that customers explicitly open any ports they need on the mandatory firewall deployed for all AWS instances; the default configuration is deny-all mode. AWS firewalls let you restrict network traffic by protocol, service port, and source IP address (individual IP or Classless Inter-Domain Routing [CIDR] block). The firewall requires an X.509 certificate and key to authorize changes, adding additional security.

various Data security Capabilities are available For Different aws storage services

Data security, like all aspects of AWS security, is a shared responsibility between customer and provider. Customers should consider which combination of AWS storage options and security capabilities are right for their business:

■ Storage access control. One storage option is AWS Elastic Block Storage (EBS); EC2 instances can support EBS volumes from 1 GB to 1 TB. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. Only the AWS account that creates the volume has access to that volume. AWS Simple Storage Service (S3) stores “data objects” in “buckets,” and the system allows customers to assign access based on individual or group membership.10 S3 restricts access to storage by default.

■ Storage redundancy. Both Amazon EBS and S3 redundantly store data in multiple physical locations as part of normal operations. Additionally, Amazon S3 redundantly stores objects in multiple facilities in an Amazon S3 region. EBS replicates data in the same availability zone, not across multiple zones; therefore, based on the application, AWS recommends that customers take regular snapshots of their data.

■ Data encryption. S3 supports SSL encryption for upload and download as well as a client encryption library that lets customers manage their own encryption keys.11 AWS can also manage encryption keys for clients using S3 Server Side Encryption (SSE).

■ Storage durability and availability. AWS designed the S3 service to provide 99.999999999% durability and 99.99% availability of objects over a given year. S3 PUT and COPY operations synchronously store customer data across multiple facilities before returning SUCCESS.

aws vPC Provides high Levels of security For aws services

The normal configuration for AWS services is a randomly assigned public IP address for each AWS instance.12 VPC options enable customers to create an isolated portion of the AWS cloud and launch EC2 instances that have private (RFC 1918) addresses, such as 10.0.0.0/16.13 Customers can define subnets within the VPC by grouping similar kinds of instances based on IP address range, then set up routing and security to control the flow of traffic in and out of the instances and subnets.

For Security & riSk ProFeSSionalS

aWS cloud Security 13

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Security features within VPC environments include security groups, network ACLs, routing tables, and external gateways. Each security control complements the others to isolate the network and compute environment. EC2 instances running within a VPC have all of the benefits of host OS, guest OS, and hypervisor security as well as instance isolation and protection against packet sniffing. Customers can also create logical extension from their on-premises data centers to VPC environments using AWS Direct Connect (see Figure 5).14

Figure 5 AWS VPC Conceptual Network Architecture

Source: Forrester Research, Inc.110341

AWS

EC2EC2

EC2EC2

EC2EC2

EC2EC2

VPC

Private subnet

Private subnetInternetgateway

Internet

Customer regional of�ce

Customer data center

Customer gateway

Amazon S3 Amazon SES

AWS region

DynamoDB

Virtual privategateway

Router

NAT

Availability Zone B

Availability Zone A

@

For Security & riSk ProFeSSionalS

aWS cloud Security 14

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

W h at i t M e a n s

seCURITy aND RIsK PRos shoULD NoT FeaR aws oR The CLoUD

Cloud is here to stay. The economics and flexibility of these environments are too attractive to ignore; more and more businesses will jump to take advantage of these features, and cloud adoption rates are accelerating. Security and risk pros really have two options: 1) They can say AWS is insecure and be swept over by the sea change cloud presents, or 2) they can dive into AWS’ capabilities and learn how to use them to secure new workloads, and in the process enable the business to take advantage of what cloud providers provide. Using AWS, or any other cloud platform for that matter, is another form of outsourcing, and they should view the offering as such. Security and risk pros should apply the same security controls to cloud workloads they apply to on-premises and outsourced IT workloads. Security and risk pros should avoid the hype, focus on the basics of security, and evaluate cloud providers on that basis.

AWS’ investment in security is significant for a number of reasons. The company recognizes that security is critical for cloud adoption, and fewer workloads will deploy to AWS if their customers can’t secure these workloads. AWS takes a portfolio approach to its security controls, allowing its customers to choose the controls that make the most sense for their application. This provides flexibility for application developers and security pros alike.

Security is a differentiator and an enabler in this new cloud-driven IT world. The AWS offerings will force the broader security market, both buyers and sellers, to look at security differently. Security needs to be as flexible and as elastic as the cloud platforms that support the workloads. The AWS security approach is a good step forward and will accelerate the cloud security disruption and change the game for IT departments globally. Even if these departments don’t adopt AWS services, they will be looking to other cloud providers to provide similar or improved services.

sUPPLeMeNTaL MaTeRIaL

Company Interviewed For This Report

Amazon

eNDNoTes1 In the past, CSPs such as Microsoft and AWS did not publish their security controls. CSPs recognized that

lack of security is a significant impediment to companies moving workloads to the cloud. Forrester’s own Forrsights research shows that security concerns are the No. 1 impediment for cloud adoption. For more information, see the August 2, 2013, “Security’s Cloud Revolution Is Upon Us” report.

For Security & riSk ProFeSSionalS

aWS cloud Security 15

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

2 Edge zones are specifically purposed for the AWS CDN service. If a client is not subscribed to the CDN service, edge locations are not available. Source: Amazon Web Services (http://aws.amazon.com/).

3 Alon Swartz mapped the distance between data centers to determine which centers made the most sense to host a global backup solution for TurnKey Linux. The map shows the interconnectedness of the AWS infrastructure. Source: Alon Swartz, “Mapping AWS data centers for fastest connection,” TurnKey Linux, December 29, 2011 (http://www.turnkeylinux.org/blog/aws-datacenters).

4 Figure 2 is not an exhaustive list of all AWS services but those with security implications. To understand how the company’s security capabilities might impact your organization, security and risk pros will need to review the security services AWS offers, determine the service’s availability, and then estimate the operating cost for the service. AWS has other services to support solution development including services for applications (Amazon CloudSearch, Amazon Elastic Transcoder, Amazon Simple Workflow Service [SWF], Amazon Simple Queue Service, Amazon Sample Notification Service [SNS], Amazon Simple Email Service [SES], Amazon AppStream), and payments and billing (Amazon Flexible Payment Service [FPS], Amazon Simple Pay, Amazon DevPay). AWS also provides software development kits (Android, iOS, Java, JavaScript, .NET, PHP, Python [boto], Ruby), and developer toolkits (Eclipse, Visual Studio). AWS is currently deploying a virtual desktop offering built on the AWS infrastructure as well, and the list of services continues to expand. Source: Amazon Web Services (http://aws.amazon.com/documentation/).

5 Forrester developed the concept of the uneven handshake in 2008 before AWS came up with shared responsibility. The idea is the same: Cloud vendors provide infrastructure services and their clients develop applications to deploy on these infrastructures. For more information, see the June 1, 2012, “Make The Cloud Enterprise Ready” report.

6 Source: “Amazon Web Services: Overview of Security Processes,” Amazon Web Services, November 2013 (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf).

7 Only AWS staff (not Amazon.com staff) can access the AWS admin network. And only AWS employees to whom you grant access can access your virtual network.

8 EY is an AWS audit firm. EY attests to AWS security controls for SOC 1, SOC 2, and SOC 3 reports.

9 SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not provide the level of detail of the much more detailed and confidential SOC 1 and SOC 2 reports. Accounting firms prepare these reports using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 3 reports are general use reports; AWS can freely distribute and post this report on its website. Source: AICPA (http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/AICPASOC3Report.aspx).

10 S3 storage has a variety of uses and is known for its flexibility and scalability. When Phil Porras discovered the Conficker worm, the only way to deal with the infection was to create a very large list of Internet domain names. As the list of domain names grew, the team fighting Conficker rented S3 storage space from

For Security & riSk ProFeSSionalS

aWS cloud Security 16

© 2014, Forrester Research, Inc. Reproduction Prohibited February 5, 2014 | Updated: February 21, 2014

Amazon to park the domains and “sinkhole” the millions of requests from the worm that poured in each day. The requests were simply routed to a dead-end location. Source: Mark Bowden, Worm: The First Digital World War, Grove Press, 2011.

11 Bring-your-own encryption is a major trend for cloud deployments. Cloud encryption gateways for AWS and salesforce.com are top topics with Forrester clients. Encryption covers a multitude of sins, and by encrypting the data before it hits the cloud, companies effectively strip the toxicity (and the liability) from the data. For more information, see the December 4, 2013, “Predictions For 2014: Cloud Computing” report.

12 Conceptually, this is AWS’ version of DHCP. However, this is a proprietary AWS approach that takes the AWS region, availability zone, and edge topology of the Amazon infrastructure. Instance names have system-generated internal names such as i-eec68595 and a public DNS name such as ec2-54-227-78-204.compute-1.amazonaws.com and are assigned a random public IP address.

13 RFC 1918 is a document published in the Internet Engineering Task Force (IETF) describing the engineering standards for IP address allocation for private internets. This document describes address allocation for private internets. The allocation permits full network layer connectivity among all hosts inside an enterprise as well as among all public hosts of different enterprises. Source: Internet Engineering Task Force (IETF), Network Working Group Request For Comments: 1918. (1996). (http://tools.ietf.org/pdf/rfc1918.pdf).

14 Source: “Amazon Web Services: Overview of Security Processes,” Amazon Web Services, November 2013 (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf).

Forrester Research (Nasdaq: FORR) is a global research and advisory firm serving professionals in 13 key roles across three distinct client segments. Our clients face progressively complex business and technology decisions every day. To help them understand, strategize, and act upon opportunities brought by change, Forrester provides proprietary research, consumer and business data, custom consulting, events and online communities, and peer-to-peer executive programs. We guide leaders in business technology, marketing and strategy, and the technology industry through independent fact-based insight, ensuring their business success today and tomorrow. 110341

«

Forrester Focuses On Security & Risk Professionals To help your firm capitalize on new business opportunities safely,

you must ensure proper governance oversight to manage risk while

optimizing security processes and technologies for future flexibility.

Forrester’s subject-matter expertise and deep understanding of your

role will help you create forward-thinking strategies; weigh opportunity

against risk; justify decisions; and optimize your individual, team, and

corporate performance.

Sean RhodeS, client persona representing Security & Risk Professionals

About Forrestera global research and advisory firm, Forrester inspires leaders,

informs better decisions, and helps the world’s top companies turn

the complexity of change into business advantage. our research-

based insight and objective advice enable it professionals to

lead more successfully within it and extend their impact beyond

the traditional it organization. tailored to your individual role, our

resources allow you to focus on important business issues —

margin, speed, growth — first, technology second.

for More inforMation

To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.

Client support

For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.


Recommended