Security-sensitive and compliance-conscious organizations still shy away from Amazon Web Services, despite its booming business and compelling value proposition.
This hesitancy remains despite case studies, testimonials from partners and other evidence that says compliance with even stringent regulations, such as the Payment Card Industry Data Security Standard, or PCI DSS, and the Health Insurance Portability and Accountability Act (HIPAA), is possible in today's Amazon Web Services (AWS) environment. As a result of these Amazon security concerns, a gulf remains between the premier public cloud computing service and its potentially richest audience.
"They still need to get people less afraid of public cloud," said David Linthicum, chief technology officer and founder of Blue Mountain Labs, a cloud advisory and development firm.
As Amazon prepares to host its first end-user conference, AWS re:Invent, later this month, its cloud service is doing just fine; analysts at Morgan Stanley estimate AWS' run rate to be somewhere between $1 billion and $1.5 billion per year. But AWS could be competing for a much larger slice of the pie: Gartner Inc. sized the overall data center hardware market at $100 billion last year and predicted it will reach $120 billion by 2015.
"AWS has some business use cases out on their website … but as far as full-blown, 'I depend my enterprise on it' use, that's not occurring," Linthicum said.
Amazon security fear, uncertainty and doubt
Among security-conscious enterprises, such as financial services companies, AWS is seen as the purview of Web-based startups, not corporations that have to answer to the Securities and Exchange Commission. Henry Mayorga, manager of network technology for New York investment firm Baron Funds, said he's not aware of any specific prohibition on public clouds by the SEC -- but he'd rather not take the risk, because he doesn't trust an environment in which his data shares space with other tenants. "Security would be a huge concern for us," he said.
Amazon.com offers virtual private cloud services that segregate data from other tenants, but that can take away from some of public cloud computing's other benefits. "If it's not shared, then you're not talking true cloud," Mayorga said.
The biggest benefit of public cloud services is their potential cost savings, but for Wall Street firms, money is no object when it comes to secure data, Mayorga said. "If I somehow compromise the integrity of our data, and I go back to the CFO [chief financial officer] or CEO and told them that … they're going to look at me like I have three heads and say, 'You just saved me a couple thousand dollars but exposed us to millions of dollars in liability. What the hell are you thinking?'" he said.
Other IT professionals in highly regulated industries see the value in AWS and continue to evaluate the service, but they can't get auditors to approve its use.
"If I could move my data center to the public cloud, I would do it tomorrow -- not even next week; tomorrow," said Chris Steffen, principal technical architect at Kroll Factual Data Inc., a Loveland, Colo., firm that processes data for big banks. "But I just can't get past the legal hurdles, the compliance hurdles, the audit hurdles."
Another obstacle is that public cloud hosters, including Amazon.com, aren't willing to assume the level of liability Kroll would need if it were to adopt their services, he said.
Beyond AWS security concerns
Other enterprise shops have supportability and integration concerns, in addition to compliance worries, when they consider AWS.
Mark Schwartz, director of IT for a large insurance company based in the Northeast, said he probably wouldn't consider AWS because of the protected health information his company deals with, which is regulated by HIPAA. End users at the company also are used to a high level of customer support, something Schwartz said he doesn't think he could expect from Amazon.com. In addition, the firm has a number of mainframe-integrated appliances that wouldn't migrate easily to Amazon's Elastic Compute Cloud, or EC2.
That said, Schwartz is optimistic Amazon will address these issues. "I believe firmly that all security and integration challenges will eventually be resolved," he said. "It's just a matter of time."