
Amazon security, compliance worries still major enterprise obstacles

Fear of the public cloud is alive and well in heavily regulated industries. Amazon has some work to do to broaden AWS' appeal in these shops.

Security-sensitive and compliance-conscious organizations still shy away from Amazon Web Services, despite its booming business and compelling value proposition.


This hesitancy remains despite case studies, testimonials from partners and other evidence that says compliance with even stringent regulations, such as the Payment Card Industry Data Security Standard, or PCI DSS, and the Health Insurance Portability and Accountability Act (HIPAA), is possible in today's Amazon Web Services (AWS) environment. As a result of these Amazon security concerns, a gulf remains between the premier public cloud computing service and its potentially richest audience.

"They still need to get people less afraid of public cloud," said David Linthicum, chief technology officer and founder of Blue Mountain Labs, a cloud advisory and development firm.

As Amazon prepares to host its first end-user conference, AWS re:Invent, later this month, its cloud service is doing just fine: analysts at Morgan Stanley estimate AWS' run rate to be somewhere between $1 billion and $1.5 billion per year. But AWS could be competing for a much larger slice of the pie: Gartner Inc. sized the overall data center hardware market at $100 billion last year and predicted it will reach $120 billion by 2015.

"AWS has some business use cases out on their website … but as far as full-blown, 'I depend my enterprise on it' use, that's not occurring," Linthicum said.

Amazon security fear, uncertainty and doubt

Among security-conscious enterprises, such as financial services companies, AWS is seen as the purview of Web-based startups, not corporations that have to answer to the Securities and Exchange Commission. Henry Mayorga, manager of network technology for New York investment firm Baron Funds, said he's not aware of any specific prohibition on public clouds by the SEC -- but he'd rather not take the risk, because he doesn't trust an environment in which his data shares space with other tenants. "Security would be a huge concern for us," he said. Amazon offers virtual private cloud services that segregate data from other tenants, but that can take away from some of public cloud computing's other benefits. "If it's not shared, then you're not talking true cloud," Mayorga said.


The biggest benefit of public cloud services is their potential cost savings, but for Wall Street firms, money is no object when it comes to secure data, Mayorga said. "If I somehow compromise the integrity of our data, and I go back to the CFO [chief financial officer] or CEO and told them that … they're going to look at me like I have three heads and say, 'You just saved me a couple thousand dollars but exposed us to millions of dollars in liability. What the hell are you thinking?'" he said.

Other IT professionals in highly regulated industries see the value in AWS and continue to evaluate the service, but they can't get auditors to approve its use.

"If I could move my data center to the public cloud, I would do it tomorrow -- not even next week; tomorrow," said Chris Steffen, principal technical architect at Kroll Factual Data Inc., a Loveland, Colo., firm that processes data for big banks. "But I just can't get past the legal hurdles, the compliance hurdles, the audit hurdles."

Another obstacle is that public cloud hosters, including Amazon, aren't willing to assume the level of liability Kroll would need if it were to adopt their services, he said.

Beyond AWS security concerns

Other enterprise shops have supportability and integration concerns, in addition to compliance worries, when they consider AWS.

Mark Schwartz, director of IT for a large insurance company based in the Northeast, said he probably wouldn't consider AWS because of the protected health information his company deals with, which is regulated by HIPAA. End users at the company also are used to a high level of customer support, something Schwartz said he doesn't think he could expect from Amazon. In addition, the firm has a number of mainframe-integrated appliances that wouldn't migrate easily to Amazon's Elastic Compute Cloud, or EC2.

That said, Schwartz is optimistic Amazon will address these issues. "I believe firmly that all security and integration challenges will eventually be resolved," he said. "It's just a matter of time."

Beth Pariseau is a senior news writer. Follow @PariseauTT on Twitter.


Is Amazon Web Services secure enough for your production workloads?
A hybrid environment utilizing both VPC and elastic services for public-facing utility makes perfect sense. My experience is that most organizations' current security posture is, at best, on par with AWS. Change, control, and being first are the biggest challenges for AWS adoption.
We'd love to migrate to the cloud, but until the services can pass several current compliance hurdles then we cannot move in this direction.
We need a service that provides deeper security -- not Amazon, Symantec, or even Microsoft -- something truly secure and not capitalized.
Virtual private is good enough. If I need dedicated private, I'll build it myself on premise.
For non-sensitive business processes it certainly is, but not for all our business purposes.