Amazon's EC2 Gains Key ISO Security Certification

I’ve listened to Amazon Web Services security architect Steve Riley explain how Amazon Web Services manages its EC2 data centers. It does such a thorough job of minimizing exposure to hackers and intruders that he concluded they are probably at least as secure as the average data center.

I’ve watched Terremark and Savvis produce enterprise-oriented cloud environments that were inherently more secure than the public cloud environment, but even so, I know that there’s no provision for either virtual machines or cloud computing in the current 1.2.1 version of the PCI Data Security Standard. So on the face of it, their environments can’t be PCI compliant. That’s the standard for keeping the data of credit card customers private and secure. Nevertheless, Savvis and Cisco, among other parties, recently published a white paper describing how you can construct a PCI-compliant operation in the cloud. It requires the addition of HyTrust security appliances and other measures, but the white paper suggests there’s no permanent technical barrier.

I am seeing a growing body of professional opinion that, while the public cloud typically doesn’t guarantee the same level of security as the enterprise, it doesn’t have to be viewed as being that way forever. Steps can be taken to apply new architectures and impose more controls.

Now another chunk of evidence has come in. Amazon Web Services has been certified as ISO 27001 compliant, meaning its security practices and procedures have been united under a single information security management system. Instead of point solutions or piecemeal approaches, it’s been audited and found compliant in all AWS availability zones and data centers. The certification applies to the S3 storage service and Virutal Private Cloud.

AWS is demonstrating a commitment to security through "third party audits and certifications such as SAS 70 Type II and ISO 27001," said Stephen Schmidt, chief information security officer, in the announcement on Tuesday.

ISO 27001 is a standard established by a joint working group of the International Organization for Standardization and the International Electrotechnical Commission. It’s goal is to unite a broad set of security and privacy protections under one management system so that implementation is consistent and automatically enforced. Administration of the system is supposed to reinforce its strengths, collect feedback, spot trouble spots and take corrective actions.Terremark Europe and Rackspace, both infrastructure-as-a-service providers, like AWS, are both ISO 27001 certified. Salesforce.com’s and Microsoft’s software as a service are also ISO 27001 certified as well, said Chenxi Wang, Forrester analyst.

In that sense, Amazon Web Services is playing catch up to smaller providers. Wang called ISO certification “an important step for AWS” but added it didn’t guarantee “a free pass to the ‘absolutely secure’ land.”

User password management is governed by one part of the standard, section A.11.2.3. It states: “The allocation of passwords shall be controlled through a formal management process.” It doesn’t specify what processes constitute adequate control.

“As you can imagine,” said Wang, “a fairly wide range of practices can be qualified as ISO compliant. As such, ISO only guarantees that certain types of controls are in place; it does not guarantee what exactly those controls are.”

Google’s App Engine cloud is going through Federal Information Security Management Act certification, an unrelated but similar standard. There’s a roughly 80% overlap between FISMA and ISO 27001, Wang noted.

So the cloud is still outside the firewall in no man’s land between the population on the Internet, including its hackers, would-be intruders and malware writers, and the interior of the enterprise. It’s not as hazardous as the unregulated jungle but it’s still a DMZ between opposing parties. Even Amazon's Riley warned, workloads sent to EC2 must be composed in a secure manner and arrive intact. The cloud as a whole is being made more secure and perhaps it’s just a matter of time before that secure enterprise perimeter bulges outward to embrace some carefully architected and certified unit inside the cloud.