I’ve listened to Amazon Web Services security architect Steve Riley explain how Amazon Web Services manages its EC2 data centers. It does such a thorough job of minimizing exposure to hackers and intruders that he concluded they are probably at least as secure as the average data center.
I’ve watched Terremark and Savvis produce enterprise-oriented cloud environments that were inherently more secure than the public cloud environment, but even so, I know that there’s no provision for either virtual machines or cloud computing in the current 1.2.1 version of the PCI Data Security Standard. So on the face of it, their environments can’t be PCI compliant. That’s the standard for keeping the data of credit card customers private and secure. Nevertheless, Savvis and Cisco, among other parties, recently published a white paper describing how you can construct a PCI-compliant operation in the cloud. It requires the addition of HyTrust security appliances and other measures, but the white paper suggests there’s no permanent technical barrier.
I am seeing a growing body of professional opinion that, while the public cloud typically doesn’t guarantee the same level of security as the enterprise, it doesn’t have to be viewed as being that way forever. Steps can be taken to apply new architectures and impose more controls.
Now another chunk of evidence has come in. Amazon Web Services has been certified as ISO 27001 compliant, meaning its security practices and procedures have been united under a single information security management system. Instead of point solutions or piecemeal approaches, it’s been audited and found compliant in all AWS availability zones and data centers. The certification applies to the S3 storage service and Virtual Private Cloud.
AWS is demonstrating a commitment to security through "third party audits and certifications such as SAS 70 Type II and ISO 27001," said Stephen Schmidt, chief information security officer, in the announcement on Tuesday.
ISO 27001 is a standard established by a joint working group of the International Organization for Standardization and the International Electrotechnical Commission. Its goal is to unite a broad set of security and privacy protections under one management system so that implementation is consistent and automatically enforced. Administration of the system is supposed to reinforce its strengths, collect feedback, identify trouble spots, and take corrective action.