By John Paul Mueller

To use AWS (Amazon Web Services), you must risk the security of your computer in a major way. Administrators and security professionals can quickly drive themselves crazy trying to keep these interconnected computers safe, but that’s part of the job description.

You must follow best practices in securing the computer systems, the data they contain, your local network, and any third-party products you use. In addition, you must consider user training and the fact that users undoubtedly forget everything you tell them the second they leave the classroom, so diligent oversight is required.

The Amazon view of security

Given that even the best efforts on the part of any vendor will likely provide only moderate security, the vendor should maintain a proactive stance on security. Amazon does spend a good deal of time trying to track and fix known security issues with its APIs, but it also realizes that some vulnerabilities are likely to escape notice, which is where you come into play. Amazon has a stated policy of encouraging your input on any vulnerabilities you find.

Be sure to read Amazon’s evaluation process. The process leaves room for Amazon to pass the blame for an issue onto a third party, or do nothing at all. Even though Amazon is proactive, you need to realize that you may still find vulnerabilities that Amazon does nothing to fix. As a result, security for AWS will always prove less than perfect, which means you also need to maintain a strong, proactive security stance and not depend on Amazon to do it all. The most important thing you can do when working with a cloud service vendor such as Amazon is to continue monitoring your own systems for any sign of unexpected activity.

The expert view of security

As you work through your plan for using AWS to support your organization’s IT needs, you need to read more than the Amazon view of issues such as security. Expecting Amazon to tell you about every potential security issue isn’t unreasonable — it’s just that Amazon deals with only those issues that it has proof are real. To get the full security story, you must rely on third-party experts, which means that you have to spend time locating this information online.

A recent story serves to illustrate that Amazon is less than forthcoming about every security issue. In this case, white-hat hackers have managed to hack into a third party’s EC2 instance from another instance. After gaining access to the third-party instance, the researchers were able to steal the security keys for that instance. Amazon is unlikely to tell you about this sort of research, so you need discover it yourself.

The problem with many of these stories is that the trade press tends to sensationalize them — making them appear worse than they really are. You need to balance what you know about your organization’s setup, what Amazon has actually reported about known security issues, and what the trade press has published about suspected security issues when determining the security risks of using AWS as your cloud solution. As part of your planning process, you also need to consider what other cloud vendors provide in the way of security. The bottom line is that using the cloud will never be as secure as keeping your IT in-house because more connections always spell more opportunities for someone to hack your setup.

Discovering the reality of Amazon security

The previous two sections discuss what Amazon is willing to admit when it comes to security and what researchers are trying to convince you is the actual state of security for AWS. These two opposing views are critical to your planning process, but you also need to consider real-world experiences as part of the mix. The security researchers at Worcester Polytechnic Institute created a condition under which AWS could fail. However, it hasn’t actually failed in this way in the real world. The way in which AWS has actually failed is with its backup solutions.

The story tells of a company that is no longer operational. It failed when someone compromised its EC2 instance. This isn’t a contrived experiment — it happened in the real world, and the hackers involved did real damage, so this is the sort of story to give greater credence to when you plan your use of AWS.

Another story relates how unexpected data dumps on AWS made third-party information available. In this case, the data included personal information garnered from police injury reports, drug tests, detailed doctor visit notes, and social security numbers. Given the implications of this data breach, the organizations involved could be liable for both criminal and civil charges. When working with AWS, you must temper the need to save money now with the need to spend more money later defending yourself against a lawsuit.

Employing AWS security best practices

Amazon does provide you with a set of security best practices and it’s a good idea for you to read the associated white paper as part of your security planning process. The information you get will help you understand how to configure your setup to maximize security from the Amazon perspective, but as the previous sections show, even a great configuration may not be enough to protect your data. Yes, you should ensure that your setup follows Amazon’s best practices, but you also need to have plans in place for the inevitable data breach. This statement may seem negative, but when it comes to security, you must always assume the worst-case scenario and prepare strategies for handling it.