LAS VEGAS â€" The top security executive at Amazon Web Services understands that information security is the No. 1 concern voiced by potential customers and worry of existing customers.
It's important that we differentiate what we do from what you can choose to do. Stephen Schmidt, CISO, Amazon Web ServicesÂ
His response is simple: secure customers' systems and data better than they ever could themselves.
During a session Tuesday at the inaugural AWS re:Invent conference, AWS CISO Stephen Schmidt offered an insider's look at the AWS security strategy, highlighting the painstaking detail that encompasses the cloud computing giant's overall approach to security and its day-to-day practices.
Early on, however, Schmidt was careful to outline that security in the cloud is a shared responsibility. "It's important that we differentiate what we do from what you can choose to do," Schmidt said, noting that customers themselves have to decide how to secure their platforms, applications and ultimately access to their data, but that AWS takes responsibility for securing everything that sits below the operating system.
That way, Schmidt said, "you can spend your time and attention on the pieces of the security puzzle that are important to you, choosing your applications, configuring your systems, and monitoring access your employees have to that data."
That's not to say that role isn't without its challenges. In talking about direct denial-of-service (DDoS) attacks, he said AWS often mitigates hundreds of DDoS attacks against its customers on any given day, typically without customers ever being affected. However, it's not always easy to determine what is or isn't a DDoS attack.
"For example, when Michael Jackson passed away, a record label associated with him put a tribute site up on AWS, and we saw a huge spike in traffic going after those resources," Schmidt said. "To us, it looked like a DDoS attack. The important thing is we didn't shut off that traffic without figuring out what was going on."
AWS offers both stateful and stateless firewalls based on the type of infrastructure being used. As standard operating procedure, Schmidt said AWS requires every virtual machine it hosts to have a firewall installed on it, and it starts off closed. That way, he said, customers have the opportunity to choose good firewall rulesets, which can often close off broad avenues of potential attacks.
One of the most common security questions customers have, Schmidt said, is around packet flow and whether one customer can use promiscuous scanning to see another customer's traffic on the same physical machine. It's not possible, he said, because traffic has to flow through the firewall and hypervisor layers before it can be passed anywhere else, regardless of whether that's off that physical machine or to another virtual machine sharing the same hardware.
With such a large, distributed infrastructure -- five global regions, 15 availability zones and dozens of stand-alone facilities â€" change management is managed carefully. Schmidt said any software or configuration change is deployed first to a test environment, then a beta environment, then a single production machine, and finally across all the machines in a single availability zone, which may span several physical locations in the same geographic area. If all goes well, the change is then deployed to a different availability zone in a different region.
"We don't change two availability zones in the same region at the same time," Schmidt said. "Customers expect to be able to depend on multiple availability zones."
Regarding data integrity specifically of Amazon's S3 Simple Storage Service, Schmidt said every data object that goes into the store gets an MD5 encryption hash, which the company uses to validate that the data remains intact throughout its life in S3.
Schmidt emphasized the transparency of the AWS security program. He said not only can AWS customers run API scans as often as every minute to confirm the status of all their cloud assets, but the company also relies on a number of third-party auditors to validate its security posture.
"It's a series of independent audits by third parties that have a reputation in the industry, and it allows you to depend on their judgment regarding whether we're practicing security efficiently or not," Schmidt said. "It's impossible to have 9,000 customers traipse through the data centers themselves. The auditors do that for you."
The independent auditors certify AWS's adherence to a number of standards, including SOC1 and SOC2, ISO 27001, FISMA and PCI DSS.
"PCI is obviously something that's really important to one of our biggest customers, Amazon.com," Schmidt said. "You can run your business on AWS just as effectively as Amazon.com does."
Regarding physical security, which Schmidt called "fundamentally important to everything else we do," he said not only does AWS not advertise the exact locations of its data centers, but most of its own employees don't know where the locations are.
"Employees can give you a geographic region, and we do expose the cities in our audit process, but they won't tell you the street addresses because they don't know them to do their jobs," Schmidt said. "If our employees don't require access to information to do their jobs, why give it to them? It just exposes you."
Interestingly enough, the same rigor applied to the AWS security program is applied to its security staff. Schmidt said potential employees undergo background checks "to the fullest extent that's permissible" including review of credit history, criminal records, and residence history, and then those who are brought on board are rechecked on a regular basis.
Attendee Joe Stevensen, a security manager with a well-known software company, said he found the session comprehensive, but mostly covered information that existing AWS customers already know.
However, he lauded AWS for its security program, particularly what it's doing in the area of identity and access management, which he called "a really key feature that separates AWS from competitors."
Special Report from Tech Guru and Business Strategist Asish George who dispenses money tips for life at Money Tips For Life
Netgear ProSecure UTM25 VPN and firewall - Rather than buy a separate firewall and vpn gateway, we chose this combination device from Netgear's Unified Threat Management suit of appliances.  This device is price at around $415 and has features that you would expect in a comprehensive security appliance.  The beauty of this device is that it protects your network from web, network, and email vulnerabilities using multiple state of the art technologies and partnerships with leading security firms.  Being a VPN appliance, it also allows remote users to securely connect to your organization's network.  Many VPN appliances geared towards small businesses require remote users to download and configure the VPN software but that's not the case with the UTM25.  Configuring the appli ance does require some know-how (even though the user interface is intuitive and setup is wizard based) but I've always found Netgear's phone support to be helpful.  Lastly, the ProSecure UTM offers Web and email protection subscriptions with no “per-user †licensing and come with 30 day trials of their subscription services.  This appliance is a great solution for growing SMBs with a significant IT infrastructure and multiple remote users.
ZyXEL ZyWALL USG20 Internet Security Firewall â€" For our satellite office, we deployed the ZyWall USG20 by ZyXEL.  This security appliance also serves the dual purpose of firewall and VPN gateway and is a great solution for SOHOs and small businesses up to 5 PC users and is a value at around $145.  For this price point, it offers a ton of features including packet inspection to protect your network from security vulnerabilities.  Some features are subscription based but what you get out of the box is pretty impressive.  We were particularly impressed with the ability to create VLANs and the ability to control bandwidth and network access based on user login.  In addition, as part of advanced QoS, we can prioritize traffic for mission critical applications and VoIP.  The VPN f eatures are also relatively easy to configure and remote users can connect to the network through a web browser.
Buffalo LinkStation Pro Duo 2-Bay 2 TB NAS â€" Every business needs a good local backup solution and the LinkStation Pro Duo is simply great.  Priced at $240, this NAS is a bargain considering that it offers 1 TB of storage with RAID configuration (2 X 1 TB hard drives) to provide data redundancy and protection as well as many advanced features.  I want to note that the NAS arrives with RAID 0 configuration instead of RAID 1 but you can (and should) easily change it in the web management tool.  This NAS is also blazing fast making backup and restore a simple process.  There are 3 features of this NAS that make this an excellent buy.  First, you can remotely access your files on the the NAS via the Web and Web Apps.  Second, it comes with data backup software for both PC s and MACs to ensure that all your devices can be backed up properly.  Third, it has a USB port on the back that you can use to attach a hard drive or camera to easily transfer files or you can even connect a USB printer and turn it into a network printer.  With a simple intuitive user interface, a small form factor, and lots of great features, this is a great investment.
Having the opportunity to do a presentation in front of an audience of just about any size is an absolute privilege.
Today, small businesses have an overwhelming amount of choices in the apps they can use to keep the lights on. This labyrinth of choices, instead of empowering professionals with their own businesses, stymies them. It's very difficult to run your own operation when you don't know where to begin when choosing what you're going to manage your projects and leads with.
Today is Cyber Monday, one of the largest online shopping days of the season. Â With less than a month to go until your customers expect their gifts to arrive, safe and sound, you'll want to ensure that your shipping processes are solid and fool-proof.
If you are NOT ready to BOOST sales this Holiday season, using online marketing strategies and tools, you're probably too late.
As you go through your list of people to get gifts for, it's pretty easy.