This article focuses on Amazon’s Web Services: Risk and Compliance white paper published in May 2011

Amazon provides AWS control and compliance documentation which customers can use and integrate with their own mechanisms (which Amazon calls the new distributed control environment), however, Amazon does not expose or make public its security platform configurations as customer don’t and shouldn’t communicate their use and configurations to AWS.

The AWS SAS 70 Type II certification provides reasonable assurance that information security policies have been implemented and communicated throughout the organization. These include appropriate access restrictions both at logical and physical levels, patch management at all levels, and data handling procedures such as, change management, integrity and redundancy. This means that internal employees are also under a stringent access control mechanism. Environmental safeguards are also implemented and provide the necessary assurance in case of major physical disasters. In an SAS 70 type report that AWS publishes, one can verify the operating effectiveness of controls that fall under this certification. These controls are checked by external auditors so if your provider is SAS 70 Type II certified then you know which controls are in place by verifying the audit report.

In case of AWS, the same applies to other certifications such as, ISO 27001 and PCI DSS. With the ISO 27001 certification AWS complies with a broad, comprehensive security standards and general control compliance. With PCI DSS (Payment Card Industry, Data security Standard) AWS complies with a wide range of specific controls required by the US government agencies. In addition, AWS has been certified as compliant with certain FISMA (Federal Information Security Management Act).

Who owns which controls for cloud-deployed infrastructure?

AWS controls the physical part of the deployment according to SAS 70 Type requirements. The customer controls the remaining parts of the setup including connections and transmission. Customers can request an SAS 70 Type II report that details all physical and environmental controls, after signing a non-disclosure agreement with Amazon. Hence, customers cannot visit the data center but need to rely on what’s written down in the SAS 70 report. This report and the ISO 27001 are the only artifacts the customer can review for audit and compliance purposes. This also applies to SOX (Sarbanes-Oxley) and HIPAA compliance, while the rest of controls or better the logical controls must be taken care of by the customer.

Customer Data location

The customer has full control of the movement of data within AWS regions. Data replication for S3 data objects is done within the regional cluster in which the data is stored and is not replicated to other data centers clusters in other regions.

Customers’ data and servers are logically isolated from other customers by default. The isolation or segregation is driven by security control features which prevent customers from accessing the physical layer. This architecture is found to be compliant with all requirements of PCI DSS version 2.

Legal

Customers are responsible for the legal implications involving the identification, collection, processing, analysis, and production of electronic documents they store or process, however, AWS can assist customers upon requests.
Only independent and competent auditors are allowed to visit and inspect the data center’s compliance to the above mentioned standards. A third-party auditor can be engaged by customers to perform such checks. Customer with non-disclosure agreement with Amazon may request a copy of the SAS 70 Type II report.

AWS commits to an annual uptime percentage of at least 99.95% and a monthly uptime of at least 99.99%. Data stored in S3 is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year. Service credits are provided in the case these availability metrics are not met. Note, that AWS operates a business continuity program and provides customers with the necessary capabilities to implement a robust continuity plan.

The new AWS Risk and Compliance White Paper is made up of a number of important topics and information about certifications and third-party verifications. It includes a section that addresses generic cloud computing compliance issues specifically for AWS which is a must read for Amazon customers!

The white paper has the following topics:

• Risk and Compliance Overview
• Shared Responsibility Environment
• Strong Compliance Governance
• Evaluating and Integrating AWS Controls
• AWS Risk and Compliance Program
• Risk Management
• AWS Control Environment
• Information Security
• AWS Certifications and Third-party Attestations
• SAS 70 Type II
• PCI DSS Level 1
• ISO 27001
• FISMA
• Key Compliance Issues and AWS

To read the White Paper in its entirety go here.

 
So what is SAS 70 (Statement on Auditing Standard 70) Audit? – The AICPA (American Institute of Certified Public Accountants) responsible body defines it as “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report”

Now there two types of SAS 70 audits, Type I and Type II. Type I focuses on the validity of the controls in operation and that they according the specified control objectives objectives while Type II enhances Type I by checking that these controls are actually in place and being executed by the service provider.

In other words, a SAS 70 Audit is an in-depth examination of a service provider control objectives and control activities, including IT controls! Briefly, a service provider must have adequate controls and safeguards over their customers’ data in order to be able to achieve this certificate. However, SAS 70 Audit is slightly flexible and service provider/auditor dependant. That is, you may have customers that may agree or disagree with Amazon’s control objectives or operational standards!

 SAS 70 Type II may be seen as the basis for future more rigid certifications. It may lack some important aspects of security but surely it examines operational performance and the service’s ability to safeguard customer data and many hosting organizations are achieving it.

I have read many expert articles stating that SAS 70 is limited to policies and procedures inside data centers and it does not cover major security weaknesses, such as, personnel unintentional errors. This is quite a pro cloud computing statement. Why? Would an organization (with in-house solutions) take their IT staff (individual) to court in the event of data mishandling? They might and if they do, do they will be able to be paid for the lost revenue/damages from an individual? However, an organization being a customer of a service provider would take that service provider to court in case their data is mishandled. With cloud computing providers, you have higher assurance of getting something back when terrible incidents happen.