I’ve taken AWS out to the woodshed in the past on security questions, but have always done so with valid points and concerns.  Having watched this past week’s AWS Summit on theCUBE, it’s clear that security is a top priority in the game today, and the shift in thinking that was required by the pure cloud proposition is well on its way.  One example of this shift was illustrated in Jeff Frick’s discussion with Mark Nunnikhoven, VP of Cloud & Emerging Technologies at Trend Micro.  Nunnikhoven discussed how the notion that cloud services lacked security was a misconception, a myth he called it and a lack of understanding.  The gist here is that the AWS proposition is one of a shared security model, one that has increasingly migrated to what has been an increased focus in what is emerging as a data-centric security model.  This shared responsibility security model is what AWS espouses as its soundest model, and it means that up to a certain level, AWS takes care of all the security.  The customer is responsible for their own security beyond that level (from the hypervisor).  That includes securing the operating system, applications and data.

Security is fundamental

If this sounds fundamental that’s because it is — most security can be abstracted to a very fundamental level.  That does not mean it’s easy to pull off, or simple at all.  That’s where AWS is working to change the conceptions, pulling in services and options through partnerships and the partner ecosystem to deliver solutions like monitoring, anti-malware, intrusion protection and many more towards delivering a world of holistic security options that help the security bottom line.

Trend Micro is one of those products designed to work well with AWS, and their pre-approved status is indicative of the tremendous amount of work they have done to get their solution ready for the enterprise.  Everything from global intelligence, to application and data scanning, are part of the Trend Micro-AWS proposition.  Trend Micro has long been an enterprise-level security player and this offering in the AWS ecosystem is a play to that same customer.

Back to the philosophy of security, it harkens to the continuing trend of protecting data.  Data at rest, data in transit, data within an application – all critical to a thorough, multi-level approach to security.  This is a necessary migration in strategy, and the introduction of cloud as an architecture itself means a disruption to the classic four-walled firewall, perimeter-based security models of old.  The truth is that all security is moving this way, forced by the dynamics of mobility, the dynamics of cloud, the increasing reliance on a wider selection of apps than ever before.

On the AWS security ecosystem

Here’s the deal, there are industries where if your security requires absolute vetting throughout the AWS cloud environment, there is an answer for you.  It’s something that you have to implement in the AWS environment somewhere between your budget, the shared responsibility model and the myriad of AWS services from AWS itself and its increasingly large partner network.   Almost every type of security product out there has been converted into some kind of service, be it threat intelligence, SIEM and analytics, encryption and certificate security, IDS, IPS, everything.  You should be able to find or implement any security requirements you may require within this cloud system.

If there were any exceptions that the enterprise may see today, it would come down to those that are in regulated industries.  Various requirements of auditing, encryption and non-shared resources still require access to resources that are underneath the hypervisor level, and that is something that jibe with the security model that AWS employs for its regular cloud.

Regulations, however, are slow to modernize and perhaps with continued practice and improvement of data protection principles they will eventually accommodate suitable cloud standards.  That is not to say a healthcare organization, a banking organization, or the energy industry should be averse to such a robust world of cloud capability and security that goes with it.  It only means that decisions to move to pure cloud platforms are likely to be strategic, placing only certain types of elements in the cloud because of their compliance needs.

photo: Adam_T4 via photopin cc