The shared responsibility model of cloud computing is one in which both parties, the customer and the cloud provider, are responsible for managing part of the IT environment. The customer is responsible for the guest operating systems (including updates and security patches), for any application software running on them, and for the configuration of the security features the provider exposes, such as the provider-supplied firewall (security groups in the case of AWS). Customers are also encouraged to add further layers of their own, such as host-based firewalls, host-based intrusion detection/prevention systems, and encryption with customer-managed key management. The exact split varies with the services used and with the laws and regulations that apply to the customer.
This article focuses on the Amazon Web Services "Risk and Compliance" white paper published in May 2011.
Amazon provides AWS control and compliance documentation which customers can integrate with their own control framework (Amazon calls the result the new distributed control environment). However, Amazon does not publish the configuration of its own security platform, in the same way that customers do not, and should not need to, communicate their configurations to AWS.
The AWS SAS 70 Type II audit (the page calls it a certification; strictly, SAS 70 is an auditor's attestation report rather than a certificate) provides reasonable assurance that information security policies have been implemented and communicated throughout the organization. The controls covered include logical and physical access restrictions, patch management at all levels, and data handling procedures such as change management, integrity and redundancy. In practice this means that AWS' own employees are subject to a stringent access control regime. Environmental safeguards are also in scope and provide assurance for major physical disasters. A Type II report is what distinguishes this from a Type I report: it attests to the operating effectiveness of the controls over a period of time, not only to their design, and the controls are tested by external auditors. So if your provider has a SAS 70 Type II report, you can learn exactly which controls are in place and whether they operated effectively by reading that report.
The same applies to the other certifications AWS holds, such as ISO 27001 and PCI DSS. With ISO 27001, AWS complies with a broad, comprehensive information security management standard and its general control set. With PCI DSS (Payment Card Industry Data Security Standard), AWS complies with the specific set of controls required by the payment card brands for any environment that stores, processes or transmits cardholder data; this is an industry standard, not a government one. In addition, AWS has been assessed under FISMA (Federal Information Security Management Act), the standard that applies to US federal government agencies and their service providers, for certain of its systems.
Who owns which controls for cloud-deployed infrastructure?
AWS owns the physical part of the deployment, according to the scope of its SAS 70 Type II audit. The customer owns the remaining parts of the setup, including network connections and data in transit. Customers can request the SAS 70 Type II report, which details all physical and environmental controls, after signing a non-disclosure agreement with Amazon. Customers cannot visit the data centers themselves, so they have to rely on what the SAS 70 report states. This report and the ISO 27001 certification are the only artifacts a customer can review for audit and compliance purposes, and the same is true when the customer is working towards SOX (Sarbanes-Oxley) or HIPAA compliance. The remaining controls, i.e. the logical controls above the physical layer, must be implemented and evidenced by the customer.
Customer Data location
Customers choose the AWS region in which their data is stored, and AWS does not move it to another region unless the customer does so. Replication of S3 objects is performed within the region in which the data is stored (across multiple facilities in that region) and not to data centers in other regions.
Customers' data and servers are logically isolated from those of other customers by default. This isolation is enforced by security controls that prevent customers from reaching the physical layer beneath their virtual instances. This architecture was assessed as compliant with all requirements of PCI DSS version 2.0.
Customers are responsible for the legal obligations (e-discovery) involved in identifying, collecting, processing, analyzing and producing the electronic documents they store or process in AWS; AWS can assist customers with such requests.
Only independent, qualified auditors are allowed to visit the data centers and inspect their compliance with the standards mentioned above; customers can engage a third-party auditor to perform such checks. A customer that has signed a non-disclosure agreement with Amazon may also request a copy of the SAS 70 Type II report.
The Amazon EC2 SLA commits to an annual uptime percentage of at least 99.95%, and the Amazon S3 SLA to a monthly uptime percentage of at least 99.9%. Separately from the SLA, S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year; a design target is not a contractual commitment. Service credits are provided if the SLA availability metrics are not met. AWS also operates a business continuity program and provides customers with the building blocks (multiple regions and availability zones, data replication) needed to implement a robust continuity plan of their own.