AWS Security Is Better Than Yours

Amazon will not tell you this but they think AWS security and compliance practices are way better than yours. And they would be spot on.

AWS re:Invent 2012 Leading with Security

How would I know? I’ve been working with service providers running on AWS since 2010. I helped a fintech startup born on AWS infrastructure win deals with mammoth financial services firms to proxy traffic between AWS and their internal networks back in the stone ages of the cloud, 2012. In that same year we completed a SOC 2 Type 2 Audit, one of the first cloud service providers running on AWS to do so.

Alas, this is not a story about me. This is a story about continuous improvement, about what can be accomplished over time and at scale. This is a story about a company that understood very early the importance of security, invested appropriately, and now stands to reap the rewards of a tipping point, as a deluge of cloud migrations and associated revenue fills their coffers.

My perspective is simply that of an AWS customer and partner who cares about security and has chosen to go deep to better understand what it takes to create a company that used infrastructure to change the world. I have no magic beans, only my compounded experience of many years in the cloud to guide me.

But be warned. If you drink the Kool-Aid and decide to host infrastructure on AWS, do NOT think you are off the hook for your own security and compliance efforts. I have a special dark place in my heart for organizations that HIDE behind the security and compliance of their cloud provider.

Security logos copied and pasted from a cloud provider to a marketing website are a poor defense against poorly secured applications and data.

What evidence do I have to make my claim that AWS security is better than yours?

Attestations, Standards and Frameworks Galore

AWS does not have the luxury of serving one particular industry or vertical. They provide infrastructure services to everyone from startups working on the latest useless social media app to three-letter government agencies which may or may not be spying on us. This is an incredibly high bar and requires a massive investment in security and compliance.

Yes, compliance is not equal to security… blah blah blah… If you actually do your diligence and READ these reports, you get a sense of the true investment in security that goes way beyond check boxes.


You can gain as much insight from what does not happen as from what does. Anyone who tells me their availability is as good as AWS (or Azure, for that matter) gets my respect. And my skepticism. I immediately wonder if they are trying to fool me, themselves, or both.

In late 2016 do we not have better things to do with our time than hug iron and troubleshoot blinky lights? Do you really think you can build resiliency to remotely equal the capabilities of multiple geographically disparate AWS Regions available at the push of a button?

DDoS mitigation, anyone? Short of being an infrastructure provider, why would you want the hassle of fighting this beast yourself? Amazon has your back. Relax. Sort of. Obviously any applications or infrastructure you manage must still be architected to be resilient against DDoS attacks. DDoS Best Practices Guide here.

Tools and Extensive Partner Network

It just makes sense that the longest-tenured cloud company would have the most robust partner solutions and tools: AWS CloudTrail, Trusted Advisor, IAM, Inspector, WAF, HSM, KMS, Directory Service, etc. More here.

Layer on partners that have offered cloud security solutions for many years. Companies like Alertlogic, Sumologic, OneLogin, Ping, CloudPassage, Cavirin, and more.

The End

A key takeaway is that it took AWS years to get to this position. In 2011 AWS compliance efforts were nascent in comparison. Most of the tools and partners mentioned above either did not exist or, if they did, their functionality was “limited” (read: sucked).

The significance of AWS’ strong leadership position in security cannot be overstated. A public cloud provider is now the security reference to which all others can aspire. We have come a long way, baby.

A Monkey and a Gun. Netflix’ Latest OSS Project – Security

Operating a highly available, secure SaaS solution in the AWS cloud is hard. The problems faced by both large and small organizations are roughly the same. Therefore it may be logical to assume that the solutions are as well. The only real difference is scale.

Enter Netflix. I have always been impressed by the depth and openness of Netflix with respect to the internally developed open source tools they make available through their Open Source Software Center. Startups and emerging companies typically lack the resources to use best-of-breed paid solutions for security, availability, cloud management, etc.

Netflix has made a conscious decision to pay it forward, and I for one appreciate their commitment.

Enter “Security Monkey”. A Netflix security and audit tool for aggregating and reporting on configuration, specifically as it relates to state. That last point is important. As explained by Netflix:

“CloudTrail provides verbose data on API calls, but has no sense of state in terms of how a particular configuration item (e.g. security group) has changed over time. Security Monkey provides exactly this capability.”

Security Monkey adds another tool to the AWS security practitioner's tool belt to help mitigate operational risk and prove up our security posture at audit time. Win-win.
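To make the events-versus-state distinction concrete, here is an added illustration (my own code, not Netflix's and not how Security Monkey is implemented): it replays a constructed sequence of CloudTrail-style security group change events into a state history, diffs consecutive snapshots, and shows an exposure that a point-in-time look at the final configuration would miss. The event shapes and the group id are simplified and invented for the example.

```python
"""Events tell you what happened; state tells you what was open, and when.
Constructed sample data: simplified CloudTrail-style events, oldest first.
(Added example; not Netflix code and not Security Monkey's implementation.)"""

EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "groupId": "sg-example",
     "rule": {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "groupId": "sg-example",
     "rule": {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}},   # SSH to the world
    {"eventName": "RevokeSecurityGroupIngress", "groupId": "sg-example",
     "rule": {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}},   # ... then closed again
    {"eventName": "AuthorizeSecurityGroupIngress", "groupId": "sg-example",
     "rule": {"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"}},  # re-opened to internal only
]


def rule_key(rule):
    """A hashable identity for one ingress rule."""
    return (rule["proto"], rule["port"], rule["cidr"])


def replay(events):
    """Fold events into snapshots: history[i] is the rule set after event i.
    This is the 'state over time' that raw event logs alone do not give you."""
    state, history = set(), []
    for ev in events:
        key = rule_key(ev["rule"])
        if ev["eventName"] == "AuthorizeSecurityGroupIngress":
            state.add(key)
        elif ev["eventName"] == "RevokeSecurityGroupIngress":
            state.discard(key)
        history.append(frozenset(state))
    return history


def diff(before, after):
    """(added, removed) between two snapshots, sorted for stable reporting."""
    return sorted(after - before), sorted(before - after)


def exposure_windows(history, port):
    """Snapshot indices during which `port` was reachable from 0.0.0.0/0.
    The final snapshot in EVENTS looks clean; only the history reveals
    that SSH was world-open between events 1 and 2."""
    return [i for i, snap in enumerate(history)
            if any(p == port and cidr == "0.0.0.0/0" for _, p, cidr in snap)]


if __name__ == "__main__":
    hist = replay(EVENTS)
    for i in range(1, len(hist)):
        print(f"event {i}: added={diff(hist[i-1], hist[i])[0]} removed={diff(hist[i-1], hist[i])[1]}")
    print("world-open SSH windows:", exposure_windows(hist, 22))
```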

But never give a monkey a gun…  BAD security practice.
Out of Control? – AWS and Shared Responsibility

Key Takeaways: The AWS shared responsibility model is a vehicle for explaining the division of security control responsibilities between AWS and the customer; it is not a security panacea for vendors developing on the platform. Closely examine vendor governance controls, specifically vendor management programs, to determine whether the additional responsibilities that come with shared responsibility are accounted for in their security program.

In 2012 Amazon pioneered a cloud security concept they now call the “Shared Responsibility Model”. This concept was born out of the need to clearly communicate the line of demarcation between AWS security responsibilities and ours (loyal AWS customers).

The concept is as obvious as it is useful, if used for good rather than evil.

I use the term frequently to explain to auditors, engineers, C-level folks, and basically anyone who will listen that Amazon is responsible for technical security controls from the “concrete through the hypervisor”, and that as an AWS customer we are responsible for everything else. Everything else includes the operating system, network and firewall configuration, our software/platform, and of course our data. Here is a diagram taken from the AWS Security Best Practices whitepaper, available here. (Evil follows the diagram.)

AWS Shared Responsibility Model Screen

Now for the evil. I’ve noted on more than one occasion vendors invoking the AWS shared responsibility model to absolve themselves of any responsibility for the security layers that Amazon is responsible for. This is flat wrong and irresponsible.

The vendor is most certainly still responsible for security throughout the entire AWS stack, but what has changed is the type of control. What was a technical control now becomes a governance control.

Scrutiny of their vendor management program (if they have one) should ferret out whether they have a clue as to the difference.

Amazon, Zocalo and the death of

As widely reported today, Amazon officially announced Zocalo. According to the website: “Amazon Zocalo is a fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity.”

The Register’s take on the new disruptive AWS product highlights the potential negative effect on Box’s IPO prospects and overall business.

I agree. Box still lacks peer-to-peer file sharing, a critical basic function whose absence has always precluded any interest I have in either their product or company. Does Box understand that not everyone lives in the land of unlimited Internet, even in 2014?
