It’s true that the number of data breaches is decreasing. But as Drew Bartkiewicz, CEO of CyberRiskPartners, pointed out, the number of records compromised per breach is increasing. That trend lines up with what Infosecurity attributes to an economy shifting toward information-based assets:
Theft of information assets was reported by 27.3% of companies over the past 12 months, up from 18% in 2009. In contrast, reported incidences of theft of physical assets or stock declined slightly from 28% in 2009 to 27.2% in 2010, according to the survey [from the Kroll Annual Global Fraud Report].
So with all of these numbers scaring enterprises into holding their users’ information tighter than ever before, is it actually the cloud’s fault? There’s a resounding “no” from vendors such as Amazon Web Services’ Steve Riley, Rackspace’s Bret Piatt, and Mashery founder Oren Michels.
One theory about where anti-cloud security propaganda comes from is IT execs who don’t want to part with their major IT budgets. “A big security breach that happened in the cloud doesn’t mean a security breach happened because of the cloud,” Michels clarified.
But just as Randy Bias says that the cloud isn’t a solo services deal, people want to know what additional services are available to help with the deperimeterization of the operating system and the application that happens when moving to the cloud. In other words, how do you harden your application before deployment?
Steve Riley, Senior Technical Program Manager for Amazon Web Services, presented the alternative view: if your extremely valuable data lives in a single data center, the risk of loss is extremely high. Moving to an infrastructure that specializes in minimizing that risk means a single outage goes mostly unnoticed, because there are other copies that traffic can quickly be routed to. The key to data security is building to withstand failure and following guidance to design your application so that it carries fewer risks.
Moving past the “we know what we’re doing” that many vendors tout in the face of questions about their security practices, Amazon Web Services outlined exactly how they ensure your data stays safe, from all angles.
How Does Amazon Web Services Protect Your Data?
- No physical access. No tours of the data centers, all activity logged and monitored.
- They run the Xen hypervisor with some changes of their own, such as security groups. AWS operates with the mindset that the virtual machines you deploy are your machines; their operators have no access to your virtual machine.
- There’s no direct VM-to-VM path; traffic isolation is enforced. They know exactly where your data is and do not allow the possibility of overlap or leakage between tenants.
- One feature, security groups, lets you construct your firewall rules from the console. Rather than opening your web servers to the internet, you can create a tier in front of them, carrying all of your security tools, that is dedicated to scanning incoming traffic before it reaches the web servers.
- Virtual Private Cloud: If you create a virtual private cloud with Amazon, your machines are hosted in AWS, but you assign their IP addresses, and they are reached over a VPN from the router on your network to the router on AWS’s network. The only way your machines in the VPC can reach the internet is by routing out through your network and then back out to the internet. Riley was enthusiastic about Amazon’s plans to increase the number of routers leading into the VPC.
- Amazon S3: In their storage offering, intended for storage and distribution, data analysis, or disaster recovery, they apply separate policies to the container (the bucket) and to the objects within it. Users can define the policies separately, or all at once in a bucket policy.
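The tiered security-group layout described above, as an added example that is not from the article or from AWS: it models the rules as plain dicts in the shape EC2 uses for ingress permissions, so it runs offline without an AWS account, and then checks the invariant the design depends on, namely that only the scanning tier is reachable from the internet and the web tier only trusts the scanning tier's group. The group IDs (`sg-scan`, `sg-web`) and the internal admin range are hypothetical.

```python
"""Two-tier firewall layout with EC2-style security groups (added example).

The web tier references the scanning tier's *group* as its source rather
than an address range, which is what keeps it closed to everyone else.
Group IDs and the admin CIDR below are hypothetical.
"""
from ipaddress import ip_network

INTERNET = "0.0.0.0/0"


def tcp_from_cidr(port, cidr):
    """One ingress rule: TCP `port` from an IPv4/IPv6 CIDR block."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}


def tcp_from_group(port, group_id):
    """One ingress rule: TCP `port` only from members of another security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": group_id}]}


def build_tiers():
    """Hypothetical layout: sg-scan faces the internet, sg-web only trusts sg-scan."""
    return {
        "sg-scan": [tcp_from_cidr(80, INTERNET), tcp_from_cidr(443, INTERNET)],
        "sg-web": [tcp_from_group(80, "sg-scan"),
                   tcp_from_group(443, "sg-scan"),
                   # admin SSH from an assumed internal range, never from the internet
                   tcp_from_cidr(22, "10.0.0.0/8")],
    }


def internet_exposed_ports(rules):
    """Ports a rule set opens to the whole internet (a /0 range, v4 or v6)."""
    exposed = set()
    for rule in rules:
        for rng in rule["IpRanges"]:
            if ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                exposed.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return exposed


def check_tiering(groups, internet_facing):
    """Violations: (group, ports) for every group outside `internet_facing`
    that accepts traffic straight from the internet."""
    return [(name, sorted(internet_exposed_ports(rules)))
            for name, rules in groups.items()
            if name not in internet_facing and internet_exposed_ports(rules)]


if __name__ == "__main__":
    groups = build_tiers()
    print("violations:", check_tiering(groups, {"sg-scan"}))  # expect []
```

Run the check against whatever you export from the console before each deployment; a rule someone added "temporarily" to the web tier with a `0.0.0.0/0` source shows up as a violation, which is exactly the misconfiguration the scanning tier is meant to prevent.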
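The "all at once in the bucket policy" option from the S3 item, as an added example (not the article's or AWS's code): a bucket policy that allows one role to read and write objects and denies every action over plaintext transport, together with a deliberately minimal evaluator that implements the one rule that matters when you centralize access control in the bucket policy, namely that an explicit Deny in any statement beats every Allow and a request nothing allows is denied. The bucket name, account ID and role are hypothetical; principal matching and most condition keys are simplified, so this is an illustration of the evaluation logic, not a replacement for the real service.

```python
"""Bucket policy plus a minimal deny-overrides evaluator (added example).

Only the `AWS` principal form and the `Bool` condition on
aws:SecureTransport are modelled; bucket, account and role are made up.
"""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-backups"                  # hypothetical bucket
WRITER = "arn:aws:iam::123456789012:role/backup-writer"  # hypothetical role

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriterReadsAndWritesObjects", "Effect": "Allow",
         "Principal": {"AWS": WRITER},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET + "/*"},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, principal, action, resource, context):
    """True if the statement applies to this request (simplified matching)."""
    principals = statement["Principal"]
    if principals != "*" and principal not in _as_list(principals.get("AWS", [])):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    # Bool condition: a missing context key never matches, as in IAM.
    for key, wanted in statement.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(wanted).lower():
            return False
    return True


def evaluate(policy, principal, action, resource, context):
    """Return 'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise 'Deny' (the implicit default)."""
    allowed = False
    for statement in policy["Statement"]:
        if _statement_matches(statement, principal, action, resource, context):
            if statement["Effect"] == "Deny":
                return "Deny"          # explicit deny wins, stop here
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = BUCKET + "/db.dump"
    print(evaluate(BUCKET_POLICY, WRITER, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print(evaluate(BUCKET_POLICY, WRITER, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
```

The second call is the point of the Deny statement: the writer role is allowed to read the object, but because the request arrived over plaintext the Deny matches too, and Deny is evaluated before any Allow counts. Object-level ACLs are not modelled here; if you also grant per-object permissions, the same deny-overrides rule still applies across both.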
Riley even had an answer for managing all of the different ways to secure your information: “Encryption is the best possible way to keep sensitive data secure.” Though data encryption has its skeptics, Riley proposed keeping all of your encryption keys in a flat file, encrypting that file with AWS encryption to which Amazon never grants itself access, and having that encryption discarded along with each instance.
How other providers are walking the talk
I’ve since followed up with Rackspace’s Bret Piatt and Mashery’s Oren Michels about how they, too, are demonstrating to their customers that they are securing their data in the cloud and other services. Check back for their responses.