Breaking the Cloud Security Barrier with Amazon Web Services

Stratecast Perspectives & Insight for Executives (SPIE)

Volume 14, Number 45

12 December 2014

Stratecast Analysis by Michael P. Suby

SPIE #45, December 2014 © Stratecast | Frost & Sullivan, 2014 Page 2

Breaking the Cloud Security Barrier with Amazon Web Services

Introduction¹

The cloud market is moving forward, as reflected both in the evolving perspectives voiced by IT decision-makers and in the business success of cloud service providers. On perspectives, Stratecast’s recurring annual surveys reveal that public cloud adoption has now reached a much-awaited tipping point, with 50% of the 2014 survey respondents stating that they currently use public cloud Infrastructure as a Service (IaaS), and another 30% stating they will within the next 24 months.² On cloud service providers, the business results of Amazon Web Services (AWS), now in its eighth year and still rapidly growing, make a similar statement. Late-2014 results for AWS include the following:

Number of AWS active subscribers is over 1 million.

Revenues for this multi-billion dollar Amazon entity grew more than 40% year-over-year.

Core compute and storage services’ usage is accelerating, as demonstrated by a 99% year-over-year increase in Amazon Elastic Compute Cloud (EC2) instance usage and a 137% year-over-year increase in data transfers to and from Amazon Simple Storage Service (S3).

This noteworthy growth at AWS is occurring despite lingering concerns over security in cloud adoption. In the same 2014 Stratecast survey, inability to control access and inability to meet regulatory requirements were each cited as “very important” reasons for not adopting public cloud services by 50% or more of the respondents. Yet AWS’s customer base continues to diversify, including a growing number of government agencies and commercial companies subject to data governance regulations. As further evidence of strengthening confidence in using AWS where sensitive data and critical applications are involved, Johnson & Johnson, a global pharmaceutical, healthcare and baby products company, will equip 25,000 of its employees and business partners with Amazon WorkSpaces, a desktop-as-a-service offering, in 2015. Amazon WorkSpaces, like other desktop-as-a-service offerings, is young in market availability, which makes Johnson & Johnson’s large-scale plans all the more notable: following a five-month limited preview, general availability for WorkSpaces commenced in March of this year. As will be described later, a secure foundation for hosting WorkSpaces is a contributor.

In this SPIE, Stratecast describes how AWS is breaking the “cloud not secure enough” adoption barrier and, in the process, injecting innovation into the competitive dynamics of the security market.

¹ In preparing this report, Stratecast attended AWS re:Invent in November 2014.

Please note that the insights and opinions expressed in this assessment are those of Stratecast and have been developed through the Stratecast research and analysis process. These expressed insights and opinions do not necessarily reflect the views of the company executives interviewed.

² For additional insight, see Stratecast report: SPIE 2014-26, Cloud Adoption Reaches a Long-Awaited Tipping Point – 2014 Cloud User Survey, July 18, 2014. To obtain a copy of this report or any other Stratecast | Frost & Sullivan report, please contact your account executive or email [email protected].

AWS Self-Perpetuating Growth & Innovation Model

Long-term business sustainability in a dynamic market, such as information technology, requires an operating model that self-perpetuates growth and innovation. Companies lacking this self-perpetuation eventually cede market opportunities to those that do. Moreover, in a cyclical manner, ceding market opportunities restrains the funding needed to jump-start innovation. This deceleration, in turn, challenges a company’s market execution in attracting new customers and maintaining stable financial margins within its existing customer base.

The AWS growth and innovation model, as interpreted by Stratecast, and illustrated in Exhibit 1, is built on three complementary and self-perpetuating whirlpools. In this model, each whirlpool attracts (i.e., pulls in) customers through economic and new capability incentives, which correspondingly contribute to the self-perpetuating customer attraction in the other two whirlpools. As a catalyst is necessary to prime and re-fuel momentum, each whirlpool’s catalyst is stated at the top, that is: reduce prices; expand and enhance AWS services and features; and open and expand AWS Partner Network (APN) and AWS Marketplace.

Exhibit 1: AWS Perpetual Growth & Innovation Model

Source: Stratecast

These three whirlpools are categorized by:

Service Type – AWS core services (i.e., compute and storage) versus non-core services, where non-core services either leverage the strength of the core services in creating new customer value or are augmentation services that strengthen the customer value proposition of the core services, other non-core services, or a combination of both.

Service Provider – AWS versus technology partners and third-party providers.

Below, provided by Amazon, are AWS’s current service categories.

Evidence of the self-perpetuating nature of each whirlpool includes the following late-2014 measurements:

Price Reductions – Forty-seven price reductions since 2006, occurring on top of initial competitive prices.

Services and Features – Annually across all of AWS, a near doubling of new service and feature introductions, feature enhancements, and availability expansions has occurred in each of the last three years (2011 – 82; 2012 – 159; 2013 – 280; and 2014 – 470, through November). In terms of security services, features, and availability, as will be discussed later, the pace has been equally impressive (2011 – 20; 2012 – 51; 2013 – 71; and 2014 – 117).

AWS Partner Network and AWS Marketplace – APN has nearly 7,000 system integrators and over 3,000 Independent Software Vendors (ISVs). AWS Marketplace has over 1,600 listings across 25 product categories, and customer consumption of hourly software increased 800% over the last 12 months.

AWS’s Growth & Innovation Model in Lowering the Cloud Security Adoption Barrier

To assure customers that AWS can address their organization’s security requirements, the complementary whirlpool approach is also relevant, but with one variation. Although price is a consideration in security, it is one of many dimensions that determine customer value. For this reason, price and price reductions in security services are moved into the two services whirlpools. In its place is another “infrastructure” whirlpool. This whirlpool, “AWS as a Trusted & Secure Environment,” defines the security foundation of the AWS environment, confirms this security foundation for AWS customers, and provides AWS customers visibility into the operations of their AWS-hosted instances.

Exhibit 2: AWS’s Growth & Innovation Model in Security

Source: Stratecast

AWS as a Trusted & Secure Environment

There are three principal contributing elements to this whirlpool: assignment, certification, and visibility.

Assignment

Cloud service providers (CSPs) procure and manage an environment for the hosting of their customers’ workloads. Their environments, consisting of physical assets, systems, personnel, and processes, correspond to the same elements in a private enterprise data center. The primary difference between the enterprise and the CSP is that the enterprise’s customers are internal to that enterprise, whereas the cloud provider’s customers are a dynamic mix of external customers.

Common to both is that the owner of the workload-hosting environment, enterprise or CSP, must demonstrate that its environment has a security foundation suitable for hosting the customers’ workloads. To accomplish this, a clear delineation must be made of which aspects of security the CSP is responsible for and which fall to the customers. The same holds in an enterprise’s internal data center, but there the “us versus them” delineation is typically parceled among individuals across multiple internal departments (e.g., IT, security, and network administration) or their proxies (e.g., managed services providers). For this assignment of security responsibilities, AWS adheres to a shared responsibility model, as shown in the table at left. In broad terms, AWS is responsible for security of the cloud (facilities, hardware, the network, and the virtualization layer) and the customer for security in the cloud (guest operating systems and their patching, IAM users and policies, security-group and network configuration, and protection of the data itself). The practical consequence is that a security group left open to the Internet or an unprotected root credential is the customer’s incident, not AWS’s.

Certification

The shared responsibility model, from Stratecast’s perspective, is a sound model, as the CSP-customer delineation: (1) reduces uncertainty; (2) helps in identifying responsibility gaps; and (3) when security events and incidents occur, supports incident investigations and resolutions. The positive aspects of the shared responsibility model notwithstanding, customers want more than a “model” and the CSP’s assurances that its responsibilities are taken seriously, can withstand cyber-attacks, and can satisfy compliance auditors. Customers want validation. To that end, AWS has been earning certifications from a widening array of trusted sources. The listing below, provided by Amazon, shows AWS’s current certifications, with the last one, ISO 9001, being the most recently earned.³

Certifications, however, are not a security panacea; they have a structural limit in the building of trust. A certification attests that defined guidelines were met at a point in time, and it is only as good as the quality and comprehensiveness of the audit-supporting information. Moreover, because they are defined standards, security certifications are not the ultimate barometer of real-time risk mitigation: the sophistication and adaptability of motivated cyber attackers cannot be fully contemplated in an established set of guidelines. A practitioner assessing a CSP should therefore read the underlying audit reports (for example, the SOC reports, which AWS provides under non-disclosure agreement), where scope boundaries and noted exceptions are recorded, rather than stop at the certification list. Beyond audits, reference customers add a real-life attestation of the CSP’s risk management integrity and of customer trust in the CSP’s security competency. Also, consistent with the shared responsibility model, reference customers may confirm the CSP-supported means to overlay the security mechanisms the customer requires for its CSP-hosted workloads. The aforementioned AWS adoption by government agencies and security-conscious companies, and Johnson & Johnson’s planned rollout of Amazon WorkSpaces, point to growing customer trust in AWS’s security integrity and competency.⁴

³ Additional information on AWS compliance is available at: http://aws.amazon.com/compliance/.

Visibility

In the security discipline, visibility forms the foundation of control and response. Without visibility, the means to detect unacceptable and potentially malicious activities is impaired. This constraint grows in importance as threat actors continue to raise their levels of sophistication, patience, and subtlety. The devil, as the saying goes, is in the details; if the details are inaccessible, the devil continues to play.

For AWS customers, complimentary, out-of-the-box visibility services are available. Two notable services are:

AWS CloudTrail – CloudTrail records the API calls made in a customer’s account, for the AWS services it supports, and delivers them as log files to an Amazon S3 bucket the customer designates. Each record captures who made the call, when, from which source IP address, and with what request and response parameters. At the time of writing, a customer must turn CloudTrail on (create a trail) in each region it wants covered; an unmonitored region is a blind spot. CloudTrail output can be integrated into AWS partner solutions to support tracking, troubleshooting, and security analysis.

Amazon CloudWatch – CloudWatch monitors an individual customer’s use of AWS resources. Its built-in metrics (CPU utilization, network traffic, load-balancer request counts, and the like) support graphing and alarms, and the customer can also publish custom metrics of its own for use in CloudWatch.

AWS will continue to provide more centralized reporting and monitoring services that expand customers’ visibility into their AWS usage, including resource inventories, configuration histories, and configuration changes. Currently in customer preview, AWS Config will be introduced at an initial price of $0.003 per Configuration Item (a record of a resource, or of a configuration change to a resource) recorded per month; Amazon S3 storage of the records is an additional fee. From a security perspective, AWS Config will assist customers in auditing and troubleshooting configuration changes and in conducting incident forensics, since it answers “what did this resource look like at that time” where CloudTrail answers “who changed it.” Like AWS CloudTrail, AWS Config records can be fed into partner solutions.

AWS is also watching, but in a good way. AWS Trusted Advisor inspects customers’ AWS environments against AWS-defined best practices to uncover opportunities to save money, improve system performance and reliability, and close security gaps. Accessible from the AWS Management Console, AWS Trusted Advisor has a free version that includes a limited number of security checks, for example a check for security groups that allow unrestricted access (0.0.0.0/0) to specific ports, and checks for use of two AWS-recommended security controls: Identity and Access Management (IAM) and Multi-Factor Authentication (MFA) on the root account. AWS IAM and AWS MFA with the virtual MFA device form factor (a soft token) are also complimentary. A fee-based version of AWS Trusted Advisor conducts additional automated security inspections on behalf of the customer.

⁴ A more extensive sample of AWS clients can be found in the keynote presentations under AWS re:Invent 2014 at https://www.youtube.com/user/AmazonWebServices.
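The two Trusted Advisor security checks described above, and the CloudTrail records that let a customer reproduce them on its own, lend themselves to a worked example. The following Python script is an added example, not part of the Stratecast report and not an AWS tool: it scans a CloudTrail log file for a root console sign-in made without MFA and for AuthorizeSecurityGroupIngress calls that open a sensitive port to the whole Internet. The log is a constructed sample embedded in the script; its field layout follows the published CloudTrail record format (Records, userIdentity, requestParameters, additionalEventData.MFAUsed), but every account ID, ARN, security group ID and IP address is made up, and the list of sensitive ports is an assumption for the example. In practice the input would be the gzipped JSON files CloudTrail delivers to the customer’s S3 bucket, read one at a time.

```python
import json
from ipaddress import ip_network

# Constructed sample log, not real CloudTrail output. The field layout follows the
# CloudTrail record format (Records[], userIdentity, requestParameters, ...), but every
# account ID, ARN, group ID and address below is made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-12-01T09:58:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-12-01T10:02:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-12-01T10:05:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2014-12-01T10:07:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

# Assumed list of ports that should never be reachable from the whole Internet
# (SSH, RDP, and common database listeners).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}


def cidr_is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only 'anywhere' ranges; any real prefix is scoped."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_covers(rule, ports):
    """True if the rule's port range reaches any of `ports`. Protocol -1 (all traffic)
    or a rule with no port range counts as covering everything."""
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if rule.get("ipProtocol") == "-1" or lo is None or hi is None:
        return True
    return any(lo <= p <= hi for p in ports)


def world_open_ingress(record):
    """Findings for AuthorizeSecurityGroupIngress calls that expose a sensitive port to
    0.0.0.0/0 or ::/0 (the condition behind Trusted Advisor's unrestricted-port check)."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = record.get("requestParameters", {})
    findings = []
    for rule in params.get("ipPermissions", {}).get("items", []):
        ranges = (rule.get("ipRanges", {}).get("items", [])
                  + rule.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr and cidr_is_world(cidr) and rule_covers(rule, SENSITIVE_PORTS):
                findings.append({
                    "check": "world-open-ingress",
                    "time": record.get("eventTime"),
                    "actor": record.get("userIdentity", {}).get("arn"),
                    "group": params.get("groupId"),
                    "ports": f"{rule.get('fromPort')}-{rule.get('toPort')}",
                    "cidr": cidr,
                })
    return findings


def root_login_without_mfa(record):
    """Finding for a successful root console sign-in that did not use MFA."""
    ident = record.get("userIdentity", {})
    if (record.get("eventName") == "ConsoleLogin"
            and ident.get("type") == "Root"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return [{"check": "root-login-no-mfa", "time": record.get("eventTime"),
                 "actor": ident.get("arn"), "source_ip": record.get("sourceIPAddress")}]
    return []


def scan_cloudtrail(log_text):
    """Run both checks over one CloudTrail log file (a JSON object holding a Records
    list) and return the findings in event order."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        findings.extend(root_login_without_mfa(rec))
        findings.extend(world_open_ingress(rec))
    return findings


if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_LOG):
        print(finding)
```

Run as is, the script reports two findings: the root sign-in at 09:58 with MFAUsed set to No, and the rule opening TCP port 22 to 0.0.0.0/0. The 10.0.0.0/8 rule and the MFA-backed IAM user sign-in are ignored, which is the point of checking the prefix length and the MFAUsed flag rather than string-matching on the event name alone. The same loop runs unchanged over real CloudTrail output, with one operational caveat: a region in which no trail was ever created produces no records to scan, so silence from the scanner is not evidence of a clean account.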

AWS Security Services

From Stratecast’s perspective, development and enhancement of AWS security services addresses two correlated customer needs: manage risk and offer choice. Furthermore, this direction is a logical outgrowth of customers moving sensitive data and workloads into AWS (i.e., self-perpetuating). As customers make these migrations, they need flexibility to match the level of security capabilities with the sensitivity of the data and the business-criticality of the workloads involved. Just as in online shopping, where the degree of privacy consumers expect while browsing differs from what they expect at checkout when entering payment information, AWS customers’ security needs vary. Additionally, security functionality is not free. In some cases, the costs are relatively small, such as the additional computational processing to support encryption or, with AWS Config, storage of records. In other cases, the costs are larger, for example in moving from a shared and virtualized environment to a dedicated and isolated environment. Regardless of the magnitude of the incremental costs associated with security, cost-conscious companies economize, as most do.

Where this combination of risk management and choice, plus the interplay with cost, is visible is in a progression of isolation and privacy choices AWS offers in network, compute, and storage, as shown in the table in Exhibit 3 on the following page. The melding of core and security services supports this progression. Also, AWS customers with data sovereignty requirements can select the home region for data storage and processing, and exercise location control over data replication.

Customers’ security needs can also be addressed by a coordinated use of several AWS and partner services. One relevant instance is in mitigating Distributed Denial of Service (DDoS) attacks. In a presentation at AWS re:Invent 2014, Adrian Newby, CTO of CrownPeak, an AWS technology partner, explained how CrownPeak used a number of AWS services to outlast a three-day DDoS attack sequence directed at one of CrownPeak’s AWS-hosted customers.⁵ At the peak of the attack, the customer’s AWS environment scaled to support 86 million concurrent connections and processed 20 Gbps of sustained traffic, at which point the attacker gave up. Scaling up incurs additional AWS fees, but the total came to roughly $1,500, marginal relative to the alternative of an out-of-commission Web site.

Partially stemming from this customer instance and others, AWS developed a framework for defending against DDoS attacks.⁶ AWS and partner services included in this framework include the following:

Amazon Virtual Private Cloud (VPC) – minimizes the publicly addressable footprint, narrows permissible access, and, as needed, creates and applies new rule sets (security groups and network ACLs)

Amazon CloudWatch – monitors for and alerts on the onset of a DDoS attack (for example, an alarm on an abrupt rise in request count or inbound bytes)

AWS Elastic Load Balancing – distributes traffic across instances and Availability Zones and, paired with Auto Scaling rules, adds capacity as load grows

Amazon CloudFront – absorbs traffic surges by serving static Web site objects from the edge locations of AWS’s content delivery network

Amazon Route 53 – keeps Domain Name System (DNS) resolution of the site’s domain names reliable while the attack is under way

Web application firewalls and proxies – shield the Web site against application-layer attacks, using virtualized services from AWS Marketplace

⁵ AWS re:Invent 2014, “Building a DDoS-Resilient Architecture with AWS,” YouTube video, https://www.youtube.com/watch?v=OT2y3DzMEmQ (13 November 2014).

⁶ This framework is similar in concept to Akamai’s Kona Site Defender service. Analysis of the DDoS mitigation market and solution providers is contained in Frost & Sullivan’s Denial of Service (DDoS) Mitigation Market (NDD2-74), July 2014.

Exhibit 3: AWS Service Combinations Delivering Risk Management and Choice

Each column lists a service followed by the incremental fees it carries.

Network

Amazon VPC – software-defined private network within AWS
Incremental fees: per hour for hardware VPN connections

AWS Direct Connect – dedicated customer-to-AWS network connection
Incremental fees: per port-hour (varies by port speed) plus data transfer

Compute

AWS IAM – managing user and system access permissions
Incremental fees: defining and managing users, groups, and permissions in IAM carries no charge; IAM can be augmented with AWS Directory Service, which connects to a customer’s existing Microsoft Active Directory or creates directories in AWS, with fees based on directory size and type

Amazon EC2 in Amazon VPC
Incremental fees: per port-hour (varies by port speed) and data transfer rate

Amazon EC2 Dedicated Instances – single-tenant infrastructure and physical isolation in an AWS data center
Incremental fees: two components, an hourly per-instance usage fee and a dedicated per-region fee

Storage

Amazon S3 with the encryption feature option
Incremental fees: key storage and management (create, delete, and rotate) through the customer’s choice of customer-managed keys, AWS Key Management Service (a fully managed service; fees based on number of keys and requests), or AWS CloudHSM (upfront hardware fee plus usage fees)

Amazon Elastic Block Store (EBS) with the encryption feature option
Incremental fees: same key-management choices and fees as for Amazon S3 above

Single-tenant block storage
Incremental fees: customized with Amazon EC2 Dedicated Instances

Source: Stratecast

Third-Party Security Services

Since opening, the number of security offerings in AWS Marketplace has swelled to 250.⁷ Some of these offerings are virtualized instances of appliance-based solutions that have been packaged to run in AWS. Of greater interest are security offerings that closely mirror AWS services in terms of provisioning, scalability, usage-based pricing, and visibility. The continuing growth in AWS customers and in the hosting of business-critical and security-heavy workloads will attract more AWS Marketplace partners and spur greater competition among them. For AWS, this sequence is pleasing, as it further chips away at customers’ reservations about hosting their sensitive workloads in AWS.

⁷ See https://aws.amazon.com/marketplace/b/2649363011.

Stratecast: The Last Word

An intriguing outcome of the AWS growth and innovation model is its potential disruptive influence on traditional security products. Already, product adaptation by established security vendors that have joined the AWS Marketplace is occurring. Operationally, security vendors pursuing an “all-in” approach, in hopes of gaining an early lead with AWS customers, have either rebuilt or retrofitted their existing products to mirror the attributes of AWS services, such as: rapid scalability, usage-based prices (e.g., hourly), and cross-service synergies (i.e., modularity). Essentially, these vendors’ products are now consumable, AWS-friendly, virtual software instances; a significant departure from the legacy of stand-alone, purpose-built security appliances with a year or longer software license. Although beneficial for vendors that succeed in gaining AWS customers, there are consequences. First, customer stickiness is weakened as AWS customers can trade one vendor’s software instance for another with greater ease than in swapping out hardware appliances. Second, profit margins are squeezed as the overage that customers would have paid for a larger appliance or software license, to accommodate peak traffic loads or future growth in bandwidth and users, is lost to scalable (up and down) software instances and usage-based pricing.

The advent of micro-security services is another potential disruptive influence. In the recent history of security products, technology-broad products have gained market appeal based on the value proposition of reducing product- and vendor-sprawl, simplifying management, and improving security efficacy. But in an AWS environment of consumable and modular software instances, might the packaging of multiple security technologies be a non-starter for AWS customers that have grown accustomed to a more customizable, buy-just-what-is-needed service experience? Moreover, facing competition from AWS, with its expanding set of security services and features, and new AWS Marketplace partners with narrowly defined security services, might traditional security vendors need to disassemble their holistic products in order to compete effectively for AWS customers? Last, might AWS partners, like CrownPeak that assist AWS customers in addressing their IT and security problems through optimized configurations and use of AWS and partner services, also place competitive pressure on “too broad” and premium-priced security solutions? To all of these questions, Stratecast says yes.

Even so, the AWS influence today is marginal. In terms of relative size, AWS’s share of total compute and storage is small compared to the vast pockets of single servers, cages, and dedicated buildings, colocation facilities, and hosting centers. Correspondingly, the same is true with AWS’s market share in security solutions. Also, changes in IT and security are never overnight, as the risk of business disruption due to a change is a powerful inhibitor. Nevertheless, AWS is growing rapidly, broadening and refining its capabilities on a daily basis, and has Amazon’s DNA of “overturning the status quo.” Ignoring the future disruptive impact of AWS in security is short-sighted.

Michael P. Suby

VP of Research

Stratecast | Frost & Sullivan

[email protected]

CONTACT US

For more information, visit www.stratecast.com, dial 877-463-7678, or e-mail [email protected].

About Stratecast

Stratecast collaborates with our clients to reach smart business decisions in the rapidly evolving and hyper-competitive Information and Communications Technology markets. Leveraging a mix of action-oriented subscription research and customized consulting engagements, Stratecast delivers knowledge and perspective that is only attainable through years of real-world experience in an industry where customers are collaborators; today’s partners are tomorrow’s competitors; and agility and innovation are essential elements for success. Contact your Stratecast Account Executive to engage our experience to assist you in attaining your growth objectives.

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today’s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? For more information about Frost & Sullivan’s Growth Partnership Services, visit http://www.frost.com.

