"Amazon.com is a really demanding customer of ours," said Stephen Schmidt, chief information security officer for AWS , during a keynote Wednesday at the Interop Conference & Expo in New York City. Schmidt, who was formerly with the Federal Bureau of Investigation, outlined a number of ways that the cloud provider works to keep customers' data safe and their operations up and running.
1. Certifications and standards. Amazon adheres to a number of internationally recognized standards and protocols for data protection, privacy, and security. Beyond ensuring that information is protected in a methodical, repeatable way, standards also keep AWS and its customers, no matter where they are in the world, on the same page when it comes to talking about security. "The conversation must occur in a common language," said Schmidt.
Among the standards and regulations AWS adheres to, depending on the customer's location and industry, are Sarbanes-Oxley rules, ISO 27,000, SAS 70, and the Federal Information Security Management Act (FISMA).
[ AWS's role extends beyond earthly limits. Read about how the cloud service is helping to manage data from the Curiosity Mars mission. NASA Mars Mission Fueled By Amazon Web Services. ]
2. Separation of powers. AWS employees are given access to customer systems only on an as-needed basis. For instance, a storage manager might not need access to certain virtual machine tools. Beyond increasing security, the practice carries another benefit, according to Schmidt: "It reduces the number of people who can make mistakes."
3. Crush and destroy. Amazon has obliterated a good number of its brick and mortar competitors--just ask Circuit City. AWS does the same thing to old discs containing customer data. Before they are sent out for disposal, the discs are either shredded to pieces smaller than an inch in size or are made to look like Swiss cheese by a machine punch. "No hard drive ever leaves intact," said Schmidt.
4. Surprise inspections. To ensure that AWS security personnel are performing up to par, Schmidt borrows a method from his federal law enforcement days in a drill he calls Game Days. Company engineers randomly inject foreign code into systems to see if security staffers catch it. "We inject virtual firearms," said Schmidt, referring to how TSA inspectors test whether they can get a fake gun past airport security.
5. Continuous updates. AWS strives to keep customers up and running around the clock by making sure its own operations are up 24-7. One way it does this is to continuously update its systems so that it never has to take them down for a major upgrade. "All our services have to be available all the time," said Schmidt.
Amazon groups its servers into what it calls Availability Zones--bundles of hardware that can be located in multiple buildings but that act as a single data center. Another way it ensures continuity: "We never touch multiple Availability Zones at once," said Schmidt.
It doesn't always work perfectly. An AWS outage in July took down Netflix, Pinterest, Instagram, and a number of other services. But Schmidt said AWS, and all IT organizations, need to strive to be perfect when it comes to information security and availability. "A lot of large businesses are dependent on us to function."
Find out the nine questions you must ask before migrating apps to the public cloud in the Cloud Ready? special issue of InformationWeek. Also in this issue: It's time to lay to rest two common myths of the cloud computing era. (Free registration required.)