Security experts are giving Amazon Web Services (AWS) faint praise for its updated "Overview of Security Processes" white paper, released late last week. Earlier versions of the document also came in for sharp criticism, and while this update has much more information, it still doesn't appear very convincing.
In the final analysis, security through obscurity will backfire on AWS.
Chenxi Wang, principal analyst for Forrester Research,
"The issue is that while many end users don't care much about security past a certain point, larger enterprise-class customers expect a level of detail on security processes and won't move without that detail," said Dr. Mladen Vouk, head of the computer science department at North Carolina State University, speaking generally and not about the AWS white paper per se. Vouk built and runs cloud-based infrastructure for the school.
The AWS document sketches out basic security procedures used by AWS to protect its data center deployments and computing infrastructure from online and real-world threats. It lists some of the metrics it looked at as part of its SAS 70 II audit, which Amazon evangelist and security expert Steve Riley termed "insanely rigorous."
"I'm incredibly proud of what we've done," Riley told SearchCloudComputing.com in June. At that time, he said that he was well aware that most people considered SAS 70 II audits a paper tiger. The audits consist of an organization setting its own security goals and metrics and then having an auditing firm assess how well it has done in meeting the self-selected criteria. That means there is no truly objective criteria for what constitutes good security, although most auditing firms set their own standards for what they will and will not consider.
"I don't think people comprehend what we've really done here," Riley said. He explained that AWS set the highest bar it possibly could in getting the SAS 70 II certification and that the process was both intense and exhausting, involving a review of every level of Amazon's operation. He said the end result was world-class security, on par or better than the most highly secured environments in the world. To boot, Amazon's track record reflected that, with no major breaches to its infrastructure and online threats like distributed denial of service (DDOS) attacks being handled with ease.
The updated security white paper reflects all that hard work; it's the story Amazon is telling its customers about how it protects their critical assets. This version is also much more detailed than past versions.
So what's the problem?
The new version is better, but still not good enough, experts said.
"I thought it was surprisingly devoid of content. There's not much in-depth technical discussion," said Chenxi Wang, PhD and principal analyst for Forrester Research on security. Wang said she was pleased to read about new developments by Amazon, such as the new Security Center that provides links to security tools and guidelines for users, but there was little real information on how Amazon does what it says it's doing.
For instance, in the Security Center, there is a paragraph explaining key rotation, a means of periodically changing the special codes customers use to access AWS. It is an excellent prophylactic against misuse by unauthorized users. However, Wang said, there is absolutely no information on how Amazon accomplishes key rotation when it's requested by a user. Wang said that without understanding how they perform the task, she can't judge how secure it is and therefore can't trust it.
She pointed to apparent gaps in understanding in other areas. The whitepaper says AWS uses SSL to protect against man-in-the-middle (MITM) attacks between a user and AWS: "All of the AWS APIs are available via SSL-protected endpoints which provide server authentication … Customers are encouraged to use SSL for all of their interactions with AWS," (p.11).
"That's just BS," said Wang. She said SSL provides server-side authentication, true, but not client-side authentication. Therefore, saying SSL endpoints prevented MITM was flatly wrong. A user on a compromised machine, or a user sending traffic through insecure channels, was still vulnerable no matter what AWS did. Wang said it was possible that AWS knows this, but it wasn't clear; the information was too vague to judge whether AWS was aware of how SSL operated.
"They address that at no point in the paragraph," she said.
Waiting for straight security answers from Amazon
Her biggest concern is that clients find it hard to get straight answers about security -- a primary stumbling block when looking at using AWS.
"I have clients that want to use HIPAA and have gone through multiple rounds with Amazon, and Amazon simply will not sign the data protection agreement," she said. HIPAA requires service providers to hold contracts governing data access and management standards, like who is able to access data.
Wang said that Amazon had also changed its story, telling clients at one point that it would never, under any circumstances, access a customers' data and would assume no responsibility for it. Later, it said it could access user data under certain conditions.
"I would like to see very granular detail on technical details, like who actually has access," she said. Even case studies were not impressive.
Wang is not entirely negative on the new information; she just finds it inadequate, especially from the perspective of enterprises that consider proper security controls and access to IT infrastructure a feature worth paying for. Such enterprises have many options for hosting these days, Wang said, and while Amazon Web Services is an incredible achievement, it's not striking the right notes with those customers.
It is also unclear from the white paper just how AWS operates its firewalls. It says that virtual machines (VMs) are closed to outside traffic until ports are opened by the user, but is there a layer within AWS where that is no longer true?
"What technique [is AWS] using to accomplish that? Is it virtual firewall, is it homegrown technology?" she asked.
Other questions revolve around how the host operating systems are secured, and whether those security configurations match enterprise policy needs. What about guest VMs? Amazon says that ring 0 access (the ability of a computer instruction to talk directly to hardware) is restricted for virtual instances, but Wang wants to know how, and so do her enterprise clients.
Wang was more charitable on other aspects of Amazon's security. She liked multi-factor authentication, something very few, if any, cloud providers have today. And the status dashboard now has much more detailed information on outages and updates.
"I'm glad they are least putting out a little information. I would like to see them have a channel for more discussion," she said.
Other cloud providers also fall short
And while Amazon is in the crossfire here, it is by no means the only cloud-oriented provider that faces such issues, Vouk added.
"You ought to be able to give end users the option to choose the level of security," he noted. Cloud providers have to be up to answering these security questions, even if the answer is to provide different levels of security as pre-defined services. "At the very least you need a very firm guarantee [that] you are protected from other users," he said.
So far, few cloud providers rise to that challenge, he noted. NCSU had to negotiate with Google for many months before the search giant agreed to guarantee that the school's email data wouldn't leave the state, per state law. "Try getting them to tell you where your data is," he said. "They're not equipped to handle the question."
Thirst for AWS security info goes unquenched
But Amazon remains on another plane of existence; AWS's information updates are widely watched.
"I await each new Amazon white paper with bated breath." said Ted Julian, principal analyst at the Yankee Group. It is entertaining to see what Amazon will come out with, Julian added, as the company struggles to answer critics.
The issue may be cultural: Amazon's natural tendency as a retail organization is for business secrecy, but this isn't a viable model in the IT services world, and the company was having a hard time adapting to a different attitude.
Julian agreed there is a great deal more information in the newer white paper, but he also understands the frustration it engendered. The technical details that really matter still aren't there, despite Amazon's repeated attempts to satisfy the enterprise crowd.
I have clients that want to use HIPAA and have gone through multiple rounds with Amazon, and Amazon simply will not sign the data protection agreement.
Some of the problems stem from what he calls Amazon's maturity issue. The fact that these questions come up at all signify the company's success; everyone lauds Amazon's technical accomplishments, and its track record on security is astonishingly good. But Amazon will continue to get brickbats on this issue until it figures out a way to open up and satisfy the thirst for veracity that security practitioners and CIOs simply can't do without, Julien said.
"They don't have anyone to go to bat for them on this, and they won't until they fix it," he said. "There's plenty of people [in IT organizations] who want to go to bat for them, but they just can't like this."
"What is Amazon's liability in the event its security measures are breached or otherwise compromised?" asked Scott Crawford, research director for Enterprise Management Associates, via email. The document is a good, high-level overview: it clearly delineates Amazon's and a customer's areas of responsibility. But it lacks crucial detail on accountability and the bottom line, he said. There is nothing about how Amazon would handle indemnification if customers were damaged through a breach of Amazon's operations, rather than their own carelessness.
Crawford said Amazon probably felt that it had to stand on its automation and one-size-fits all approach; after all, that's the point of using a public cloud environment, but the company will have to come to grips with real-world security needs at some point.
"It seems likely that this issue will continue to be one of the most substantial roadblocks to cloud adoption, regardless of its promise," he said.
"The whole 'Amazon Web service as cloud' is a really a leap of innovation, and they have great minds working for them," said Forrester's Wang. But in the final analysis, she added, security through obscurity will backfire on AWS. Becoming more transparent may invite criticism in some technical areas, along with more scrutiny, but if AWS security is as good as it claims to be, the additional scrutiny will only help polish their operations.
In the meantime, Wang said, enterprises and analysts have a simple request to improve the security picture Amazon is trying to paint: "Go a step further and show us how you do those things."
Amazon did not respond for comment on the new white paper.
Carl Brooks is the Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.