Dome9 triple protects AWS infrastructure, but is it necessary?

That old "is the cloud secure?" discussion has been reopened, and another vendor hopes to plug the gaps

A couple of years ago I wrote a story critiquing what I saw as some very emotive reporting. Essentially, a technology vendor went bust as a direct result of its data being compromised while hosted on Amazon Web Services (AWS) servers. The article in question suggested that, because of that particular incident, we should all be aware that the cloud isn't a safe place to store our data. As I said in my piece:

“I’ve visited data centers that host cloud infrastructure. They have by far the highest level of physical and virtual security available. They are exemplars of due process. Compare this with the vast majority of organizations’ IT resources. I’ve seen enough servers in cleaning cupboards or under desks to know what the norm is for organizations. To glibly suggest that penetrating a cloud platform is easier than a corporate data center is plain wrong.”

Clearly over the years there have been some issues around data breaches in the cloud. But there are two points to remember here: first, often these breaches are caused by poor security not at the cloud provider's end, but rather with the customer. Second, the number of data security issues in the cloud pales in comparison to all of the (often untold) stories of data breaches in traditional infrastructure.

So, I bristle a little bit when someone pitches me on “a solution to solve the issues with the cloud.” The way I see it, even if today an issue exists with a cloud vendor's security or process, the opportunity to resolve that issue before the vendor does is limited, to say the least. That's why I'm a bit skeptical about Dome9 and its promise to shield AWS’ Identity and Access Management (IAM) service with “three layers of protection.”

Why is there an issue here, and why is this important? The way Dome9 sees it, large AWS deployments offer benefits in terms of scalability, availability and cost. No disagreement there from me. But Dome9 goes on to suggest that these deployments also add HUGE (capitalization theirs) complexity to giving developers limited, timely access to the core AWS account. IAM keys can easily pass into the wrong hands and result in a ransomed or shut-down cloud. IAM Safe, the company says, prevents this from even happening, with three layers of protection.

Dome9 certainly has the security credentials here. The company provides enterprise IAM protection, network security and compliance for public clouds, primarily AWS. This new offering, “IAM Safe,” sets role-based privileges, detects compromised accounts and contains the attack impact by adding a layer of defense to organic IAM policies. “IAM Safe” offers three layers of IAM protection, enabling AWS users to:

  • Activate an enhanced layer of defense for organic IAM policies. Dome9 lists all IAM users and their roles and enables admins to restrict their ability to perform critical actions with on-demand elevated privileges.
  • Prevent unauthorized IAM operations with IAM tamper protection. Dome9 analyzes IAM users and roles for suspicious activity and notifies admins when an unauthorized IAM operation is attempted.
  • Contain compromised account blast radius. Dome9 restricts IAM user and role permissions, thereby minimizing the potential harm caused by compromised credentials to the bare minimum.
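To make the second bullet concrete, here is an added example (not Dome9's or AWS's code) of the kind of check an "IAM tamper protection" layer performs: it reads CloudTrail-style records and flags sensitive IAM changes made by anyone outside an approved admin set, or by an approved admin without MFA. The event records, the admin list and the action set are all constructed for the demo.

```python
from typing import Optional

# IAM operations that change who can do what in the account.
SENSITIVE_IAM_ACTIONS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup", "DeactivateMFADevice",
}

# Assumption for this example: only these users may change IAM, and only with MFA.
APPROVED_IAM_ADMINS = {"alice-admin"}

# Constructed CloudTrail-style records for the demo (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice-admin",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice-admin"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"}},
]


def check_event(event: dict) -> Optional[str]:
    """Return a finding if the event is a sensitive IAM change made outside policy."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    action = event.get("eventName")
    if action not in SENSITIVE_IAM_ACTIONS:
        return None
    identity = event.get("userIdentity", {})
    actor = identity.get("userName", "<unknown>")
    # A call made with a long-lived access key carries no sessionContext, so it counts as no MFA.
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    mfa = attrs.get("mfaAuthenticated") == "true"
    if actor not in APPROVED_IAM_ADMINS:
        return f"{actor} ran {action} but is not an approved IAM admin"
    if not mfa:
        return f"{actor} ran {action} without MFA"
    return None


def scan(events: list) -> list:
    """Run check_event over a batch and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]
```

In the sample batch, the MFA-backed policy attachment by the approved admin and the EC2 call pass, while the key creation by `ci-deployer` and the non-MFA inline policy change are reported.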

“Our vision is to enable enterprises to securely move more mission-critical workloads to AWS,” said Zohar Alon, CEO and co-founder of Dome9. “Our IAM protection solution adds another critical layer of security to make this vision a reality for AWS customers.”

OK, I get that some customers get a little nervous about the cloud and want both added protection and the security blanket that a third-party vendor can bring. But I just don't see this as a long-term opportunity—if there is really massive enterprise demand for this sort of functionality, you can bet that AWS will introduce it soon. If there isn't, and it's only relevant for a small subset of AWS users, then I wonder how big the opportunity for Dome9 really is.

This is a company that certainly understands its security. I just have less faith in their understanding of the nuances around large technology ecosystems and the risks around building a business based on being an add-on tool to a large ecosystem player. Add to that the fact that many prospective customers will be nervous about adding yet another company into their inner sanctum, and I see a battle ahead for Dome9.

Copyright © 2016 IDG Communications, Inc.