Amazon CTO counters skepticism on cloud security

Amazon pushed to reveal more details about its own security practices

Amazon's cloud computing division is planning to "raise the bar" on security, and claims it can provide better security than most enterprises achieve on their own.

Amazon's cloud computing division is planning to "raise the bar" on security, and provide better security than most enterprises can achieve on their own, says Amazon CTO Werner Vogels.

But some analysts believe Amazon is not transparent enough about its internal security practices, judging by comments after a presentation Vogels made at the Burton Group Catalyst conference in San Diego Wednesday.

Amazon called out over cloud security, secrecy

Vogels provided an optimistic view of cloud security, saying that cloud networks such as Amazon's already provide better security, and disaster recovery, than most enterprises are capable of. "I believe the cloud is the area where we have to raise the bar for enterprise security," Vogels said.

Amazon has already achieved SAS70 Type II certification for its Elastic Compute Cloud and other cloud services, and is hoping to comply with the ISO 27001 information security standard before the end of the year, Vogels said.

But the Burton Group has previously challenged Amazon to provide more information on its data center security practices, and said that Amazon's cloud should not be used for enterprise applications that require advanced security and availability.

Burton Group analyst Drue Reeves repeated some of those concerns on stage at Catalyst, in front of an audience of IT professionals.

"We don't feel like there's enough transparency in Amazon," Reeves said. "We would like to trust you [but need more information]."

Vogels noted that in SAS70 Amazon described processes such as how it destroys disks and erases data, and is working on eventually providing "fully automated policy driven access control." For example, that means customers in the future could allow certain users to start virtual machines, but not stop them, or let certain developers make copies of objects but not manipulate them.

Today, Amazon offers the Virtual Private Cloud service, which lets customers cordon off a piece of the cloud network for its own use, eliminating some of the risks inherent in multi-tenant services. Amazon also has various levels of physical and network security, and data redundancy, Vogels said, without describing them in too much detail.

But he acknowledged that there are various threats from denial-of-service attacks, man-in-the-middle exploits, IP spoofing and the like. Hackers move fast, and aren't burdened by "rigorous software development processes that take years to develop services," Vogels said.

"At Amazon [security] is our priority, No. 1. It has always been, in the retail business as well," he said. But "there is no finish line in security. The world of security is not stable. The bad guys are evolving."

If Amazon's security is better than the systems in a typical enterprise, it's because it has to be. Amazon presents a much larger, more lucrative target to hackers than any business that is smaller and less well-known, and thus needs stronger protection.

Customers are just beginning to figure out the legal aspects of cloud computing. While the services may be cheap up front, the cost of failure is high and service-level agreements don't necessarily cover the cost of a data breach.

"Most cloud agreements … cap the monetary damages at the value of the contract, which is usually an extremely small fraction of the real value of the data," Drew Bartkiewicz of The Hartford, another speaker at Catalyst, said during an interview. Bartkiewicz runs The Hartford's business to insure companies against cyber risk.

With Reeves of the Burton Group pushing Amazon to reveal more about its data security practices, Vogels said that Amazon is willing to answer any questions customers pose. One IT pro in the audience complained that hosting vendors simply tell customers to "trust us," but Vogels said "you will never hear Amazon say 'don't ask us about security because we are SAS70 compliant, or whatever that means.'

"We will continuously and always work with customers to get them the information they need. There is no desire to not be transparent with respect to security."

Reeves also challenged Vogels to open up Amazon's virtual machine image format, or adopt the OVF (open virtualization format) to allow more portability of workloads between Amazon and competing cloud services.

Vogels countered that interoperability of virtual machine formats is less important than Amazon's ability to innovate, but stressed that Amazon is intent on allowing data move from one provider to another.

"I haven't heard that many requests from customers to standardize our APIs," Vogels said. "They're way more interested in making sure we can meet their needs by evolving the APIs."

Reeves did not seem satisfied with the answer, replying that "I'm not sure I buy that innovation and interoperability are mutually exclusive."

Follow Jon Brodkin on Twitter:

Copyright © 2010 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022