As enterprises look to achieve greater operational efficiency and gain a competitive advantage, they are increasingly turning to cloud service providers like Amazon Web Services to offload their IT infrastructure and computing needs. The advantages afforded by divesting their datacenters in favor of moving to AWS are too many and too impactful to ignore, despite the loss of partial control over data and the accompanying security risks. At the same time, cloud services providers like AWS continue to make significant investments in the security of their services, leading some IT leaders to argue the public cloud may actually be more secure than what can be achieved on premises.
Cloud service providers are software and infrastructure specialists, and have their own dedicated teams responsible for the security of their product. They also have sizable budgets dedicated to security and hire leading IT security experts. Microsoft, as an example, spends $1 billion a year on the security of its products. Not even the largest enterprises are able to match this level of cybersecurity investment. However, despite the near limitless resources Amazon has at its disposal to enhance the security of AWS, directly comparing the security risk facing AWS with that of an on-premises IT infrastructure is misleading.
Like most cloud providers, Amazon focuses on the security “of” its cloud offering. Once the customer starts using AWS, Amazon shares the responsibility of securing the data in AWS with its customers, making AWS security a shared responsibility. This concept, known as the shared responsibility model of cloud security, was created in order for IT security teams to adapt to the adoption and proliferation of cloud services.
In practice, this means Amazon protects the underlying infrastructure of AWS from vulnerabilities, intrusions, fraud, and abuse, and provide its customers with necessary security capabilities that can be configured as needed. As an example, Amazon has built one of the most advanced identity and access management services (IAM) that gives customers granular control over user permissions and provisioning. Amazon encourages its customers to follow all the AWS security best practices around IAM configuration and settings. However, it’s incumbent on the AWS customer, then, to make the most of an AWS service like IAM.
Gartner underscored the importance of the shared responsibility when they stated, “Through 2020, 95% of cloud security failures will be the customer’s fault.” Gartner’s prediction implies that the vast majority of enterprises using cloud services will fail to uphold their responsibilities for the security their data in the cloud.
Division of responsibility of AWS security
Since Amazon offers so many different cloud services, it’s imperative for enterprises to understand the division of responsibility between Amazon and its customers. AWS customers are responsible for protecting customer data stored in AWS as well as the custom applications deployed in AWS.
Customers are also responsible for implementing appropriate access control policies using AWS IAM, configuring AWS Security Groups (firewall) to prevent inappropriate access to ports, and enabling AWS CloudTrail. Customers are also responsible for enforcing appropriate data loss prevention policies to ensure compliance with internal and external policies, as well as detecting and remediating threats arising from stolen account credentials or malicious/accidental misuse of AWS.
Amazon is focused on securing its software, hardware, and the facilities where AWS services are located. Amazon’s responsibilities include securing its computing, storage, networking, and database services, as well as the security configuration of AWS managed services like Amazon DynamoDB, RDS, Redshift, Elastic MapReduce, Workspaces, etc.
Shared responsibility model at a glance
|Preventing or detecting when an AWS account has been compromised||x|
|Preventing or detecting a privileged or regular AWS user behaving in an insecure manner||x|
|Configuring AWS services (except AWS Managed Services) in a secure manner||x|
|Restricting access to AWS services or custom applications to only those users who require it||x|
|Updating Guest Operating Systems and applying security patches||x|
|Ensuring AWS and custom applications are being used in a manner compliant with internal and external policies||x||x|
|Ensuring network security (DoS, MITM, port scanning)||x||x|
|Configuring AWS Managed Services in a secure manner||x|
|Providing physical access control to hardware/software||x|
|Providing environmental security assurance against things like mass power outages, earthquakes, floods, and other natural disasters||x|
|Protecting against AWS zero day exploits and other vulnerabilities||x|
|Business continuity management (availability, incident response)||x|