The 800-pound gorilla of the Infrastructure as a Service (IaaS) world -- Amazon Web Services (AWS) -- has joined the Cloud Security Alliance's Security, Trust and Assurance Registry (STAR).
AWS filed its documentation to CSA STAR
The AWS security STAR entry is a 42-page document (.pdf) on the cloud giant's risk and compliance practices. It includes information on AWS's security certifications (e.g., ISO 27001) and the company's responses to the CSA Consensus Assessments Initiative Questionnaire. The questions cover common security-related concerns for cloud customers, such as data isolation and location.
For example, with regard to its ability to logically segment or encrypt customer data, AWS said it has strong tenant isolation capabilities, but noted that customers retain control and ownership of their data, and it's their responsibility to encrypt it.
On the data location front, Amazon said in its documentation that customers can designate the AWS physical region in which their data and servers are located; the company won't move the data without notifying the customer unless required to comply with a government request. At the same time, Amazon said it won't hesitate to challenge orders from law enforcement if it thinks the orders are without merit.
With the addition of Amazon, STAR now has 12 entries, including three from Microsoft. Verizon's Terremark subsidiary is another new addition, having added documentation in June.
The participation of AWS may be a sign that STAR is turning into the vehicle for peer pressure that CSA leaders had hoped for. One of the CSA's primary goals is to advocate for the security needs of cloud customers and the ongoing need for cloud transparency.