Amazon will not tell you this but they think AWS security and compliance practices are way better than yours. And they would be spot on.
How would I know? I’ve been working with service providers running on AWS since 2010. I helped a fintech startup born on AWS infrastructure win deals with mammoth financial services firms to proxy traffic between AWS and their internal networks back in the stone ages of the cloud, 2012. In that same year we completed a SOC 2 Type 2 Audit, one of the first cloud service providers running on AWS to do so.
Alas this is not a story about me. This is a story about continuous improvement about what can be accomplished over time and at scale. This is a story about a company that understood very early the importance of security, invested appropriately and now stands to reap the rewards of a tipping point tipped as a deluge of cloud migrations and associated revenue fills their coffers.
My perspective is simply as an AWS customer and partner that cares about security and has chosen to go deep to better understand what it takes to create a company that used infrastructure to change the world. I have no magic beans only my compounded experience of many years in the cloud to guide me.
But we warned. If you drink the Kool-Aid and decide to host infrastructure on AWS do NOT think you are off the hook for your own security and compliance efforts. I have a special dark place in my heart for organizations that HIDE behind the security and compliance of their cloud provider.
Security logos copied and pasted from a cloud provider to a marketing website are a poor defense against poorly secured applications and data.
What evidence do I have to make my claim that AWS security is better than yours?
Attestations, Standards and Frameworks Galore
AWS does not have the luxury of serving one particular industry or vertical. They provide infrastructure services to everyone from startups working on the latest useless social media app to three-letter government agencies which may or may not be spying on us. This is an incredibly high bar and requires a massive investment in security and compliance.
Yes compliance is not equal to security… blah blah blah… If you actually do your diligence and READ these reports you get a sense as to the true investment in security that goes way beyond check boxes.
You can gain insight as much by what does not happen as what does. Anyone that tells me their availability is as good as AWS (or Azure) for that matter gets my respect. And my skepticism. I immediately wonder if they are trying to fool me, themselves or both.
In late 2016 do we not have better things to do with our time than hug iron and troubleshoot blinky lights? Do you really think you can build resiliency to remotely equal the capabilities of multiple geographically disparate AWS Regions available at the push of a button?
DDoS mitigation anyone? Short of being an infrastructure provider why would you want to hassle with having to manage fighting this beast? Amazon has your back. Relax. Sort of. Obviously any applications or infrastructure you manage must be architected in such a way as to be resilient against DDoS attacks. DDoS Best Practices Guide here.
Tools and Extensive Partner Network
It just makes sense that the longest tenured cloud company would have the most robust partner solutions and tools. AWS CloudTrail, Trusted Advisor, IAM, Inspector, WAF, HSM, KMS, Directory Service, etc. More here.
A key takeaway is that it took AWS years to get to this position. In 2011 AWS compliance efforts were nascent in comparison. Most of the tools and partners mentioned above either did not exist or if they did functionality was “limited”. (read sucked)
The significance of AWS’ strong leadership position in security cannot be understated. A public cloud provider is now the security reference from which all others can aspire. We have come a long way baby.