LAS VEGAS -- The top security executive at Amazon Web Services understands that information security is the No. 1 concern voiced by potential customers and worry of existing customers.
His response is simple: secure customers' systems and data better than they ever could themselves.
During a session Tuesday at the inaugural AWS re:Invent conference, AWS CISO Stephen Schmidt offered an insider's look at the AWS security strategy, highlighting the painstaking detail that encompasses the cloud computing giant's overall approach to security and its day-to-day practices.
Early on, however, Schmidt was careful to outline that security in the cloud is a shared responsibility. "It's important that we differentiate what we do from what you can choose to do," Schmidt said, noting that customers themselves have to decide how to secure their platforms, applications and ultimately access to their data, but that AWS takes responsibility for securing everything that sits below the operating system.
That way, Schmidt said, "you can spend your time and attention on the pieces of the security puzzle that are important to you, choosing your applications, configuring your systems, and monitoring access your employees have to that data."
That's not to say the role is without its challenges. Speaking about distributed denial-of-service (DDoS) attacks, he said AWS often mitigates hundreds of DDoS attacks against its customers on any given day, typically without customers ever being affected. However, it's not always easy to determine what is or isn't a DDoS attack.
"For example, when Michael Jackson passed away, a record label associated with him put a tribute site up on AWS, and we saw a huge spike in traffic going after those resources," Schmidt said. "To us, it looked like a DDoS attack. The important thing is we didn't shut off that traffic without figuring out what was going on."
AWS offers both stateful and stateless firewalls based on the type of infrastructure being used. As standard operating procedure, Schmidt said AWS requires every virtual machine it hosts to have a firewall installed on it, and it starts off closed. That way, he said, customers have the opportunity to choose good firewall rulesets, which can often close off broad avenues of potential attacks.
One of the most common security questions customers have, Schmidt said, is around packet flow and whether one customer can use promiscuous-mode sniffing to see another customer's traffic on the same physical machine. It's not possible, he said, because traffic has to flow through the firewall and hypervisor layers before it can be passed anywhere else, regardless of whether that's off that physical machine or to another virtual machine sharing the same hardware.
With such a large, distributed infrastructure -- five global regions, 15 availability zones and dozens of stand-alone facilities -- changes are managed carefully. Schmidt said any software or configuration change is deployed first to a test environment, then a beta environment, then a single production machine, and finally across all the machines in a single availability zone, which may span several physical locations in the same geographic area. If all goes well, the change is then deployed to a different availability zone in a different region.
"We don't change two availability zones in the same region at the same time," Schmidt said. "Customers expect to be able to depend on multiple availability zones."
Regarding data integrity, specifically in Amazon's Simple Storage Service (S3), Schmidt said every data object that goes into the store gets an MD5 hash (a checksum, not encryption), which the company uses to validate that the data remains intact throughout its life in S3.
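The integrity check described above, as an added illustration that is not code from the talk or from AWS: a single-part S3 object's MD5 is sent base64-encoded in the Content-MD5 header on upload and reported as a hex ETag, and recomputing it on read detects silent corruption. The sample object and the bit-flip are constructed here.

```python
import base64
import hashlib

# Constructed sample object (not real customer data).
SAMPLE_OBJECT = b"customer-record-0001,alice@example.test,2012-11-27\n"


def md5_tags(data: bytes) -> tuple:
    """Return (content_md5, etag) for a single-part object.

    S3 accepts the base64-encoded raw digest in the Content-MD5 request
    header and reports the hex digest as the ETag; both encode the same
    MD5 value. (Multipart uploads get an ETag of the form "hex-N" that is
    not the MD5 of the whole object, so this shortcut applies only to
    single-part uploads.)
    """
    digest = hashlib.md5(data).digest()
    return base64.b64encode(digest).decode("ascii"), digest.hex()


def verify_object(data: bytes, expected_etag: str) -> bool:
    """Recompute MD5 on read and compare with the recorded ETag.

    S3 returns the ETag wrapped in double quotes, so strip them first.
    """
    return hashlib.md5(data).hexdigest() == expected_etag.strip('"')


def corrupt_one_byte(data: bytes, index: int) -> bytes:
    """Simulate silent storage corruption by flipping one bit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    content_md5, etag = md5_tags(SAMPLE_OBJECT)
    print("Content-MD5:", content_md5)
    print("ETag:", etag)
    print("intact copy verifies:", verify_object(SAMPLE_OBJECT, etag))
    damaged = corrupt_one_byte(SAMPLE_OBJECT, 5)
    print("damaged copy verifies:", verify_object(damaged, etag))
```

An MD5 checksum catches accidental corruption in transit or at rest; it is not a defence against deliberate substitution, since MD5 collisions are practical, so tamper evidence needs a signature or a keyed MAC on top.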
Schmidt emphasized the transparency of the AWS security program. He said not only can AWS customers run API scans as often as every minute to confirm the status of all their cloud assets, but the company also relies on a number of third-party auditors to validate its security posture.
"It's a series of independent audits by third parties that have a reputation in the industry, and it allows you to depend on their judgment regarding whether we're practicing security efficiently or not," Schmidt said. "It's impossible to have 9,000 customers traipse through the data centers themselves. The auditors do that for you."
The independent auditors certify AWS's adherence to a number of standards, including SOC1 and SOC2, ISO 27001, FISMA and PCI DSS.
"PCI is obviously something that's really important to one of our biggest customers, Amazon.com," Schmidt said. "You can run your business on AWS just as effectively as Amazon.com does."
Regarding physical security, which Schmidt called "fundamentally important to everything else we do," he said not only does AWS not advertise the exact locations of its data centers, but most of its own employees don't know where the locations are.
"Employees can give you a geographic region, and we do expose the cities in our audit process, but they won't tell you the street addresses because they don't know them to do their jobs," Schmidt said. "If our employees don't require access to information to do their jobs, why give it to them? It just exposes you."
Interestingly enough, the same rigor applied to the AWS security program is applied to its security staff. Schmidt said potential employees undergo background checks "to the fullest extent that's permissible," including review of credit history, criminal records and residence history, and those who are brought on board are then rechecked on a regular basis.
Attendee Joe Stevensen, a security manager with a well-known software company, said he found the session comprehensive, but mostly covered information that existing AWS customers already know.
However, he lauded AWS for its security program, particularly what it's doing in the area of identity and access management, which he called "a really key feature that separates AWS from competitors."