One of Amazon Web Service’s top priorities right now are security and compliance.  We have all touched on that subject here.  It has been clear in everything they’re communicating right now, it was clear at the Amazon Web Services summit in San Francisco a couple of weeks ago.  To those ends the AWS Security Blog popped up a couple of weeks ago.  Steve Schmidt, AWS Chief Information Security Officer posted the introduction and the mission for the communications are pretty clear.  They are featuring all the information they can about security and compliance and AWS, including How-to guides, Compliance Milestones, Customer and Partner Stories, and security best practices for all AWS services.  The industry has kept pressure on Amazon as they venture into the enterprise on security and compliance issues, so there is little surprise that Amazon is focusing on this.

The idea of sensitive enterprise, mission-critical data in the cloud is one that instantly summons security and compliance questions, that’s the big hang-up for the enterprise.  Taking on these concerns, following best practices, and getting news about the AWS proposition is a critical element of AWS strategy in order to work through those hang-ups.  Without a doubt, many in the industry will keep watch of this information as it pertains to risk, privacy, compliance, confidentiality and so on.  Hopefully it will be an outlet that also explains post-mortem when events do come up.

This past week, a pair of announcements from AWS compliance have emerged on the blog, and thus have the attention of cloud customers throughout the industry.  First, AWS has announced a newly available report on SOC 3.  SOC 3 is an independently audited trust service report that in this case indicates that AWS services are in line with the American Institute of Certified Public Accountants (AICPA) standards, also known as SysTrust reports.  They also have SOC 1 reports available which addresses controls around finaancial statements and reporting.  SOC 2 reports are also available and they address security and governance.   AWS also announced a broader scope for all the SOC reports:

Moreover, we’re happy to announce the following are now in scope for all our SOC reports:

• AWS’s Sydney, Australia region
• Amazon Elastic MapReduce (EMR)
• Amazon Redshift
• AWS Identity & Access Management (IAM)

Through these reports the vendor (AWS) has gone through an extensive examination of the entire environment, meaning infrastructure, Personnel, Procedural, and Infrastructure.  It’s all found in the report.  It includes many issues such as downtime data access, protections, monitoring, and more.  SOC reports are in demand as cloud computing grows and this is big news for AWS.

What are customers saying about the AWS SOC Reports?

“The report exceeded my expectation in regards to the presentation of data.  It was very easy for me to find the information I needed quickly.  Additionally, the information itself was presented clearly and straight-forward.  I was able to complete my task more efficiently as a result.”

– Scott Young, Internal Audit Manager at Zagg, Inc., responding to the AWS SOC 1 report

The idea here is that AWS is communicating these developments through what hopes to be a rich source of information for the business and security community.   It should be a place to watch as Amazons AWS Enterprise goals grow.