As Amazon Web Services makes its move into the enterprise, one of the biggest obstacles it faces will be in the world of security. The stakes are huge in a mission-critical enterprise environment, and the elements of risk, security, and compliance have formed a significant barrier to public cloud adoption. Tactical, strategic, and security professionals throughout the industry are finding it difficult to make this switch. At the root of these issues is the outright lack of control and visibility into a cloud provider’s infrastructure; this has been a deal-breaker in case after case because of security and compliance concerns. The level of transparency that Amazon operates with requires a massive leap of faith that the typical enterprise cannot embrace - in some cases not even legally. The AWS Risk and Compliance whitepaper lays out a “shared responsibility” security structure, in which AWS controls the physical aspects of the technology up to the hypervisor, and all layers beyond that are the customer’s responsibility.
“For the portion deployed into AWS, AWS controls the physical components of that technology. The customer owns and controls everything else, including control over connection points and transmissions.”
This right here is the Achilles’ heel of the AWS enterprise proposition. Inherent in this cloud business is the oversubscription of physical assets: when it works, it works well; when you go over that tipping point, not so well. For small businesses, despite requiring a bit of technological savvy to launch, AWS can provide a tremendous capex and even operating advantage, and for the developer crowd and others of that sort, the ability to spin up resources on demand is a natural winning technology advantage - that market is well-established. However, the shared model can be the source of severe enterprise headaches where many of the answers are not easy, so I reached out to a number of enterprise industry professionals for their perspectives.
Even if AWS were to embrace some kind of limited visibility and control (however delegated) of the underlying architecture, it would still pose an untenable security and risk threat. AWS is in an interesting position based on how its systems are architected; the dynamics of multitenant services introduce several elevated risks. One such pain is the “noisy neighbor” situation, where a node becomes saturated with the computing demands of a cohabiting customer and that impacts your performance. We’ve recently seen a number of outages on Amazon services that have brought down scores of sites in a single event.
When infrastructure is stacked high, a single piece can bring multiple systems down; that is just a fact. Denver-based Summit Security consultant and industry veteran Eddie Mize confirmed the elevated risk posture, adding that security could additionally be compromised by faulty or malicious API calls or other faults (and in some cases it could be Amazon executing these itself), meaning there is no existing way for compliance and security mechanisms to integrate with Amazon’s services as they are. He shares:
“The cloud in various forms, and in any multitenant environment is by nature, insecure…In regards to the enterprise, it is my advice to proceed and pursue benefits in certain situations, but do so with caution and be strategically aware of risks, plan accordingly.”
Compliance and Regulations
With an architecture based on shared virtual servers, the difficulties in meeting compliance and security regulations for businesses that require them are many. AWS does not let customers audit its security. It has been reported that certain customers have been successful in getting insurance regulators into meetings with Amazon’s security team. Large organizations will undoubtedly be staring at some challenges in the AWS environment. The limited flexibility on what constitutes a security incident, on auditing, and on required access flies in the face of the risk-averse and responsible enterprise and will continue to be a significant barrier to large enterprise adoption. Even in the case of dedicated physical instances, these AWS constructs still apply and require a leap of faith that a typical large organization may not take.
HP Enterprise Security Services leaders Andrzej Kawalec, Global CTO, and Jeremy Ward, Offering Manager, touched on this topic in a briefing this week. The group deals with many customers and has witnessed hesitation and delays in cloud adoption based on these very concerns. They confirm that in such cases many shops are going to alternatives such as managed services, which give them greater oversight of security controls, management, forensics, and the more practical tasks involved in achieving compliance goals. They definitely see a need for AWS and its partners to evolve in terms of technology and process, bridge significant gaps, and provide a better product, adding:
“Without at least joint crisis planning and management however, these concerns will continue.”
Cloud Alternatives – Better for Enterprise?
Further evidence of the enterprise gravitating away from AWS emerged in a conversation with Brady Ranum, Vice President of Sales Engineering at ViaWest, a super-regional managed services provider. While ViaWest is not a direct competitor to AWS, it does see what insiders call “Amazon graduates”, meaning clients who have found they are running into limitations when it comes to their enterprise needs on AWS. The concerns being heard should sound familiar and include compliance, security, rising costs, and the ‘noisy neighbor’ problem, just to name a few, and these issues bring them to the world of managed services. In some cases customers are locked in to the platform, requiring a significant exit strategy to detach from the service. One client apparently discovered existing personally identifiable information, or “PII”, throughout its AWS environment and had to launch a two-year plan to clean it all up.
“We are seeing more and more clients that have looked at pure cloud solutions and realized that managed services is the way to go for their needs across the board. Even in cost savings, in that once they need to scale elsewhere, the costs quickly become prohibitive, and that’s where we step in.”
Time for New, Better Security
At the end of the day, the obstacle that causes the most concern is security. An enterprise that is looking to bring its own security simply does not have a lot of options for doing so. Few true software-based security solutions actually exist, but one of the leaders in cloud security is Alert Logic. I reached out to Misha Govshteyn, Founder and VP of Emerging Products; he also confirmed a number of these concerns and shared a number of thoughts on this.
“Applications are moving out of the enterprise, but security largely hasn’t made a broad move there yet.”
Govshteyn sees a security industry that needs to rebuild products from the ground up to answer these increasingly sophisticated cloud needs. This requires a big shift in thinking before things like DLP and log management in the cloud can become a reality. The responsibility is shared between the security provider and the cloud provider, but it is something that needs to be ingrained at every possible level, with customers involved, vocal, and ready to make the move. It was this kind of synergy that led Alert Logic to the industry’s only network-based cloud IDS, a problem that seemed unsolvable just 3 years ago. He also reports that an emerging strategic dynamic exists where business owners have gone outside of IT in an effort to get faster delivery and are utilizing these cloud services. In essence, these organizations are becoming hybrid architectures, and this is happening in instances where business owners can prove the security is tight, IT response was not as quick, and the business agrees the risk is low. This is where strategic consideration of cloud-based services steps in: with the advent of this new perimeter architecture, there are possible ways, based on the application and information in the cloud, to work and still satisfy several compliance regulations.
Still, Amazon will face a number of enterprise challenges in being competitive in such fields as pricing, security, compliance, and risk. The outages haven’t helped, so until some successes come in transforming these deficiencies, the industry will probably be somewhat averse to embracing these services wholesale. Security, risk, and compliance are especially significant in the enterprise; this goes way beyond a mere cost play. Cloud-based services should be regarded as a strategic tool to gain certain advantages, but given the continued bevy of unmet enterprise requirements, they should be carefully reviewed and planned for before going mission-critical. This is something CIOs and people across the spectrum are looking at and will be watching as Amazon makes its move for large business.