In a presentation to AWS Summit 2012 Australia attendees earlier this month and just posted to YouTube, Amazon Web Services General Manager & Chief Information Security Officer Stephen E. Schmidt preemptively answers the single most common question around the public cloud – security – by introducing the concept of the “shared responsibility” model.
It’s a long presentation (about forty minutes, in fact), and there’s too much content there to reasonably go over in this space. But as I noted above, the real highlight is Schmidt’s explanation of how AWS expects its customers to meet Amazon halfway when it comes to cloud security.
“We’re responsible for the security of the hypervisor down to the concrete of the data center,” Schmidt says.
Anything above that – the operating system, applications, network configuration/management and so forth – is up to customer choice, so customers had better choose wisely. It’s absolutely critical that users of Amazon Web Services understand this, because the worst-case scenario for Schmidt’s office is a customer blaming him for security practices that were really theirs all along.
From there, Schmidt goes into detail about how Amazon secures its own data centers, including the fact that Amazon doesn’t publicize where exactly those data centers are. Hard drives simply don’t leave AWS data facilities, at least not intact. Amazon doesn’t offer anyone from the public a tour of its data centers, ever. And most intriguingly:
“I run security for the company. I don’t have access to our data centers because I don’t need to be there on a regular basis.”
It’s all interesting, and definitely food for thought. But the takeaway for the CIO is simply that you need to be aware of who you’re going into business with when it’s time to go cloud. Amazon’s shared responsibility for security is definitely pragmatic for the public at large, and seems to be a codification of a very common security practice. But if that doesn’t work for you, you need to look elsewhere or else look into tools that can lock down the public cloud.
Schmidt’s presentation in its entirety can be watched here: