Amazon's EC2 Gains Key ISO Security Certification

Terremark Europe and Rackspace, both infrastructure-as-a-service providers like AWS, are ISO 27001 certified. Salesforce.com’s and Microsoft’s software-as-a-service offerings are also ISO 27001 certified, said Chenxi Wang, Forrester analyst.

In that sense, Amazon Web Services is playing catch-up to smaller providers. Wang called ISO certification “an important step for AWS” but added it didn’t guarantee “a free pass to the ‘absolutely secure’ land.”

User password management is governed by one part of the standard, section A.11.2.3. It states: “The allocation of passwords shall be controlled through a formal management process.” It doesn’t specify what processes constitute adequate control.

“As you can imagine,” said Wang, “a fairly wide range of practices can be qualified as ISO compliant. As such, ISO only guarantees that certain types of controls are in place; it does not guarantee what exactly those controls are.”

Google’s App Engine cloud is going through Federal Information Security Management Act certification, an unrelated but similar standard. There’s a roughly 80% overlap between FISMA and ISO 27001, Wang noted.

So the cloud is still outside the firewall, in a no man’s land between the population on the Internet, including its hackers, would-be intruders and malware writers, and the interior of the enterprise. It’s not as hazardous as the unregulated jungle, but it’s still a DMZ between opposing parties. Even Amazon's Riley warned that workloads sent to EC2 must be composed in a secure manner and arrive intact. The cloud as a whole is being made more secure, and perhaps it’s just a matter of time before that secure enterprise perimeter bulges outward to embrace some carefully architected and certified unit inside the cloud.