AWS Cloud Security, by Ed Ferrara. February 5, 2014. Updated: February 21, 2014





For: Security & Risk Professionals

Key Takeaways

AWS Is Serious About Information Security
There has been too much hype about cloud security being different and inherently insecure. Cloud security is no different from the security of other solutions we deploy. Security pros should apply the same security standards to cloud workloads that they apply to on-premises workloads.

In The AWS World, Security Is A Shared Responsibility
AWS is not going to secure your applications or software infrastructure for you. AWS' responsibility stops at the abstraction point between its services and the applications you deploy. It is up to security and risk pros to engineer the correct security atop AWS. AWS provides key security building blocks, but using them correctly is still your responsibility.

AWS Demonstrates Strong Cloud Security Processes And Controls
AWS has a very comprehensive security program for its platform, with foundational security controls for its services that enable customers to build secure applications. Where AWS does not have a solution, third parties are working to provide security technology as SaaS and virtual appliances for the AWS environment.

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA. Tel: +1 617.613.6000. Fax: +1 617.613.5000. www.forrester.com

AWS Cloud Security: AWS Takes Important Steps For Securing Cloud Workloads
by Ed Ferrara with Christopher McClean, James Staten, Andras Cser, Heidi Shey, and Thayer Frechette

Why Read This Report
Security to and from the cloud is a hot topic. The notion that large enterprises should not use cloud technologies because of security concerns is rapidly fading. Security still ranks as the No. 1 impediment to full-scale cloud adoption, but cloud service providers (CSPs) are quickly responding to these concerns. Amazon Web Services (AWS), for example, provides a significant number of security services to clients through a model of shared responsibility. Using AWS, companies can build infrastructures as secure as, and possibly more secure than, those they can build on-premises. The move to the cloud will force security and risk pros to consider the options they have for securing cloud workloads. Companies like Amazon that provide the necessary security services will fast become leaders in the cloud platform space. This report is a first look at the types of security controls available from AWS. Security and risk pros should use this document as a primer on the security services available from AWS and to compare them with the security services offered by competing cloud providers.

Table Of Contents
S&R Pros Need To Understand Cloud Services And Security Controls
  Like Any Provider, Get To Know The Basics Of AWS Offerings First
For AWS, Security Is An Uneven Handshake
The AWS Environment Adheres To Industry Best Security Practices
AWS Core Compute And Storage Offers Security Extensions
What It Means: Security And Risk Pros Should Not Fear AWS Or The Cloud
Supplemental Material

Notes & Resources
Forrester spoke extensively with AWS technology leadership on the extent of their security capabilities for the purposes of this research.

Related Research Documents
Predictions For 2014: Cloud Computing (December 4, 2013)
Security's Cloud Revolution Is Upon Us (August 2, 2013)
Make The Cloud Enterprise Ready (June 1, 2012)

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.

S&R Pros Need To Understand Cloud Services And Security Controls

There has been a lot of discussion about whether cloud vendors provide sufficient data and network security with their service offerings. This was a tough question to answer because cloud service providers (CSPs) were not always willing to publish their security controls, giving rise to suspicion that those controls were lax or missing. [1] A lot has changed, however; the best CSPs, such as AWS, are going to great lengths and expense to secure their environments and to educate customers and prospects about the security controls they have in place.

To operate smoothly with cloud providers, security and risk pros will need to understand the basics of these firms' architecture and how they allocate compute, network, and storage resources. Even if your organization has lagged in cloud adoption, it is worth investing the time and energy now to become expert in cloud environments and in what is needed to secure them; it is just a matter of time before it becomes relevant, either in your current or a future role. Case in point: the CIO of a large human resources company tasked his security team to take point on the company's cloud deployment efforts and become the in-house experts on all things cloud. As a result, members of the security team are now seen as key partners in the adoption of cloud and champions for its ongoing use. This approach turned security from the department of "No" into the department of "Heck yeah."

Like Any Provider, Get To Know The Basics Of AWS Offerings First

AWS is an infrastructure provider; when deploying workloads to AWS, apply the same rules that you would for any other colocation or third-party hosting project. Some cloud providers are further along than others when it comes to security, but a detailed look at AWS' approach will help guide the way you engage other providers.
AWS Uses A Tiered Approach To Support Its Customers

AWS data centers located in North America, Europe, Latin America, and Asia make up the first tier of the AWS infrastructure: geographic regions. Each region has between one and five availability zones (AZs), which form the second tier. Each AZ consists of one or more data centers, physically located in separate buildings, on separate power grids, in separate environmental disaster zones, with distinct network access points and separate electrical generator support. An AZ is therefore the unit of failure isolation: a resilient deployment places redundant instances in more than one AZ of the same region. AWS also operates edge locations for local content delivery (see Figure 1). [2] When planning a deployment with AWS, make certain you understand the connectivity that exists between the different AWS infrastructure locations; network latency will be an important consideration for AWS deployments. [3]

AWS Provides Infrastructure Plus A Wide Set Of IT Services

AWS provides a significant number of application and infrastructure tools, but using AWS services is like eating at an à la carte restaurant: every item on the menu is individually priced, and not all items are available in all regions (see Figure 2). [4]

For AWS, Security Is An Uneven Handshake

The AWS philosophy sees security as a shared responsibility, or what Forrester terms an "uneven handshake" (see Figure 3). [5] With improved transparency, however, the handshake is evening out quite a bit. Under this approach, AWS provides the building blocks for a complete infrastructure but shares responsibility for securing it with customers. AWS' portion of the uneven handshake lies below the point of abstraction its services expose for direct customer control. For example, in EC2, AWS presents customers with a virtual server and takes responsibility for the operation and control of the hypervisor, its host operating system, and the physical security of the facilities in which the service operates. Customers assume responsibility for the guest operating system (including updates and security patches), the application software they run on it, and the configuration of the AWS-provided security group firewall. AWS' security responsibilities vary by service but always follow the same rule: whatever the customer can control is the customer's responsibility; whatever the customer cannot control, AWS owns. In practice this means the guest OS patch level, the contents of each security group, and the credentials used to call the AWS API are configuration an auditor will expect the customer, not AWS, to evidence.

To secure the applications they deploy into EC2 instances, customers can leverage other AWS services, such as those listed in Figure 2, or provide their own solutions, such as host-based firewalls, intrusion detection/prevention, and encryption. Many of these can also be pulled from AWS' library of Amazon Machine Images, which packages commercial and open source solutions for quick deployment to EC2. [6]
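The security group is the piece of the handshake the report puts on the customer's side, so it is worth seeing exactly what that object is. The following added example (not code from the report or from AWS) models a security group as the allow-list it actually is, with no deny rules and a deny-all default, and audits a set of groups for rules open to the whole Internet. The input dictionaries follow the shape returned by `aws ec2 describe-security-groups`; every group ID, name, and CIDR is constructed, and the choice of which ports may be world-reachable is this example's own assumption.

```python
"""Model of the EC2 security-group allow-list and an audit for world-open rules.

Added example, not code from the Forrester report or from AWS. The input
dictionaries mimic the shape returned by `aws ec2 describe-security-groups`;
every group, ID, and CIDR below is constructed for this example.
"""
import ipaddress

# Assumptions for this audit: only HTTP/HTTPS may be reachable from the whole
# Internet, and SSH/RDP open to the world is always a high-severity finding.
PUBLIC_OK_PORTS = {80, 443}
ADMIN_PORTS = {22, 3389}

SAMPLE_GROUPS = [  # constructed sample, not real account data
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0e9f8a7b",
        "GroupName": "legacy-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # Protocol -1 means every protocol and every port.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _port_range(perm):
    """(low, high) covered by a permission; protocol -1 covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm):
    """All CIDR sources of a permission, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def inbound_allowed(group, src_ip, port, protocol="tcp"):
    """Security groups are allow-lists with no deny rules: traffic is accepted
    only if at least one rule matches protocol, port, and source address.
    With no matching rule the answer is False, which is the deny-all default."""
    ip = ipaddress.ip_address(src_ip)
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("-1", protocol):
            continue
        lo, hi = _port_range(perm)
        if not lo <= port <= hi:
            continue
        for cidr in _sources(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == ip.version and ip in net:
                return True
    return False


def audit(groups):
    """Return (group_id, severity, detail) for rules open to 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            lo, hi = _port_range(perm)
            for cidr in _sources(perm):
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue  # scoped to a specific network; not world-open
                admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if admin:
                    findings.append((g["GroupId"], "HIGH",
                                     f"admin port(s) {admin} open to {cidr}"))
                elif not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((g["GroupId"], "MEDIUM",
                                     f"ports {lo}-{hi} open to {cidr}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(*finding)
```

Run against the constructed groups, `audit` is silent on the web tier (HTTPS from anywhere, SSH only from one office range) and raises two high-severity findings on the legacy group: SSH open to 0.0.0.0/0, and a catch-all IPv6 rule that exposes both SSH and RDP. A practitioner would feed the same function the JSON of a real `describe-security-groups` call; the point of `inbound_allowed` is that the question "is this port reachable?" has no answer other than "a rule explicitly says so".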

Figure 1 AWS Global Regions, Availability Zones, And Edge Locations

Region (EC2 availability zones) | Edge locations
US East (Northern Virginia): 5*; US West (Northern California): 3*; US West (Oregon): 3; AWS GovCloud (US): 2 | Atlanta, Ga.; Ashburn, Va. (3); Dallas/Fort Worth (2); Hayward, Calif.; Jacksonville, Fla.; Los Angeles (2); Miami; New York (3); Newark, N.J.; Palo Alto, Calif.; San Jose, Calif.; Seattle, Wash.; South Bend, Ind.; St. Louis, Mo.
EU (Ireland): 3 | Amsterdam (2); Dublin; Frankfurt, Germany (3); London (3); Madrid; Marseilles, France; Milan, Italy; Paris (2); Stockholm; Warsaw
South America (São Paulo): 2 | Rio de Janeiro; São Paulo, Brazil
Asia Pacific (Singapore): 2; Asia Pacific (Tokyo): 3; Asia Pacific (Sydney): 2 | Chennai, India; Hong Kong (2); Mumbai, India; Osaka, Japan; Seoul; Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo (2)

Source: Forrester Research, Inc.

Figure 2 AWS Data Center Services With Security Implications

Compute and networking

CloudHSM. CloudHSM offers dedicated hardware security module appliances to provide higher levels of key management within the AWS cloud. Customers can securely generate, store, and manage the cryptographic keys used for data encryption. Customers provision CloudHSM appliances inside an Amazon VPC using customer-defined IP addresses. [1]

Direct Connect. AWS Direct Connect provides private connectivity between an on-premises or colocated site and AWS over a dedicated 1 Gbps or 10 Gbps connection that is partitioned into VLANs. [2]

Elastic Compute Cloud (EC2). EC2 provides the ability to flexibly deploy a variety of server types called instances. EC2 also provides preconfigured open source and licensed Amazon Machine Images (AMIs) that include operating systems, security applications and appliances, application servers, databases, and application stacks to speed infrastructure deployment. [3]

Route 53. Amazon Route 53 is a comprehensive DNS service that lets the customer use it as the firm's primary DNS, as the DNS for subdomains, or to alias resources pointing to AWS services such as Amazon S3 buckets, CloudFront distributions, and Elastic Load Balancing. [4]

Amazon Virtual Private Cloud (VPC). VPC provides traditional network services (private address ranges, subnets, routing, and network ACLs) similar to what would be deployed in an on-premises data center. [5]

Database

DynamoDB. DynamoDB is a NoSQL data store service capable of distributing data across AWS regions and zones. [6]

ElastiCache. ElastiCache improves application performance by caching information in memory. [7]

Relational Database Service (RDS). RDS provides managed relational (SQL) databases with automated administration. [8]

Redshift. Redshift is a petabyte-scale data warehouse service that stores information in clusters built on a set of compute nodes. [9]

Deployment, management, and monitoring

CloudFormation. CloudFormation is an infrastructure deployment tool that provisions resources from infrastructure templates. [10]

CloudTrail. CloudTrail records the API calls made against an account, providing the ability to track which principal executed which API action, when, and from which source address. [11]

CloudWatch. CloudWatch provides operational and performance metrics for AWS cloud resources and applications. [12]

Identity and access management

Identity and Access Management (IAM). IAM controls access to all AWS services and resources, supporting passwords, access key pairs, and X.509 certificates. [13]

Multi-Factor Authentication (MFA). MFA is an additional layer of security for accessing AWS services, supporting the use of both hardware tokens and virtual MFA devices. [14]

Storage and content delivery

CloudFront. CloudFront leverages the AWS edge locations to provide local delivery of content. [15]

Glacier. Amazon Glacier provides secure and durable storage for data archiving and backup. [16]

Simple Storage Service (S3). S3 provides the ability to store any amount of data. [17]

Storage Gateway. Storage Gateway uses on-premises software appliances to connect on-premises IT environments to the AWS storage infrastructure. [18]

Source: Forrester Research, Inc.

Figure 2 AWS Data Center Services With Security Implications (Cont.)

[1] Source: AWS CloudHSM Getting Started Guide (http://awsdocs.s3.amazonaws.com/cloudhsm/latest/hsm-gsg.pdf).
[2] Source: AWS Direct Connect User Guide (http://awsdocs.s3.amazonaws.com/directconnect/latest/dc-ug.pdf).
[3] The service also supports an AWS DNS extension called alias resource records. When Route 53 receives a DNS query that matches the name and type in an alias resource record set, Route 53 follows the pointer and resolves the address within the AWS region, zone, and edge addressing scheme. Source: Amazon Elastic Compute Cloud (http://docs.aws.amazon.com/awsec2/latest/userguide/using-regions-availability-zones.html).
[4] Source: Amazon Route 53 Developer Guide (http://awsdocs.s3.amazonaws.com/route53/latest/route53-dg.pdf).
[5] Source: Amazon Virtual Private Cloud Getting Started Guide (http://awsdocs.s3.amazonaws.com/vpc/latest/vpc-gsg.pdf).
[6] Source: Amazon DynamoDB Developer Guide (http://awsdocs.s3.amazonaws.com/dynamodb/latest/dynamodb-dg.pdf).
[7] Source: Amazon ElastiCache User Guide (http://awsdocs.s3.amazonaws.com/elasticache/latest/elasticache-ug.pdf).
[8] Source: Amazon Relational Database Service User Guide (http://awsdocs.s3.amazonaws.com/rds/latest/rds-ug.pdf).
[9] Source: Amazon Redshift Getting Started Guide (http://s3.amazonaws.com/awsdocs/redshift/latest/redshift-gsg.pdf).
[10] Source: AWS CloudFormation User Guide (http://awsdocs.s3.amazonaws.com/awscloudformation/latest/cfn-ug.pdf).
[11] Source: AWS CloudTrail User Guide (http://awsdocs.s3.amazonaws.com/awscloudtrail/latest/awscloudtrail-ug.pdf).
[12] Source: Amazon CloudWatch Developer Guide (http://awsdocs.s3.amazonaws.com/amazoncloudwatch/latest/acw-dg.pdf).
[13] Source: AWS Identity And Access Management: Using IAM (http://awsdocs.s3.amazonaws.com/iam/latest/iam-ug.pdf).
[14] Source: Amazon Web Services: Overview of Security Processes, Amazon Web Services, November 2013 (http://media.amazonwebservices.com/pdf/aws_security_whitepaper.pdf).
[15] Source: Amazon CloudFront Developer Guide (http://s3.amazonaws.com/awsdocs/cf/latest/cf_dg.pdf).
[16] Source: Amazon Glacier Developer Guide (http://awsdocs.s3.amazonaws.com/glacier/latest/glacier-dg.pdf).
[17] Source: Amazon Simple Storage Service Getting Started Guide (http://s3.amazonaws.com/awsdocs/s3/latest/s3-gsg.pdf).
[18] Source: AWS Storage Gateway User Guide (http://s3.amazonaws.com/awsdocs/storagegateway/latest/storagegateway-ug.pdf).

Source: Forrester Research, Inc.
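CloudTrail (item 11 in Figure 2) only tracks API execution; turning that record into a signal is the customer's job. The following added example (not code from the report or from AWS) runs a handful of detection rules over a CloudTrail log file: root account use, console logins without MFA (tying in the MFA service of item 14), security group changes that open a port to the Internet, and IAM write operations. The field names follow the documented CloudTrail record format; the account ID, user names, addresses, and timestamps are constructed, and the set of event-name prefixes treated as IAM writes is this example's own choice rather than an AWS-published rule set.

```python
"""Detection logic over CloudTrail records.

Added example, not code from the Forrester report or from AWS. The records
follow the documented CloudTrail field names (userIdentity, eventName,
additionalEventData.MFAUsed, requestParameters); the account, user names,
addresses, and timestamps are constructed. The event-name lists below are
this example's choices, not an AWS-published rule set.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-02-05T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-02-05T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-02-05T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.21",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0e9f8a7b", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-02-05T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-02-05T10:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "198.51.100.21",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob", "policyName": "admin"}},
]})

# IAM write calls worth alerting on (this example's own list).
IAM_WRITE_PREFIXES = ("Put", "Attach", "Create", "Delete", "Update", "Add", "Remove")
WORLD = {"0.0.0.0/0", "::/0"}


def _world_open_ingress(params):
    """True if an AuthorizeSecurityGroupIngress request contains a world CIDR."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for r in perm.get(key, {}).get("items", []):
                if r.get(field) in WORLD:
                    return True
    return False


def analyze(trail_json):
    """Return (rule, eventName, actor, sourceIP) for each record matching a rule."""
    alerts = []
    for ev in json.loads(trail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName", "")
        actor = ident.get("userName") or ident.get("type", "unknown")
        src = ev.get("sourceIPAddress")
        # Any root use is notable: root cannot be constrained by IAM policy.
        if ident.get("type") == "Root":
            alerts.append(("root-activity", name, actor, src))
        # Console logins are expected to carry MFAUsed == "Yes".
        if name == "ConsoleLogin" and \
                ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", name, actor, src))
        # A security-group change that opens a port to the whole Internet.
        if name == "AuthorizeSecurityGroupIngress" and \
                _world_open_ingress(ev.get("requestParameters", {})):
            alerts.append(("world-open-ingress", name, actor, src))
        # Privilege changes made through IAM.
        if ev.get("eventSource") == "iam.amazonaws.com" and \
                name.startswith(IAM_WRITE_PREFIXES):
            alerts.append(("iam-change", name, actor, src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRAIL):
        print(*alert)
```

On the constructed log the root console login trips two rules at once (root use and no MFA), the read-only `DescribeInstances` call produces nothing, and Bob's two changes each produce one alert. The same function works on the gzipped JSON files CloudTrail delivers to S3 once they are decompressed; the `Records` array is the documented top-level structure.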

Figure 3 An Uneven Handshake

Vendor responsibilities:
- Facilities management
- Basic monitoring
- Physical support infrastructure (facilities, rack space, power, etc.)
- Abstract infrastructure services (hypervisor, virtual firewall, etc.)
- Physical infrastructure security and availability

Shared responsibilities:
- Element management

Business responsibilities:
- Your application
- Enterprise integration
- Architectural views (e.g., scalability, availability, recovery, data quality, and security)
- Governance (who has authority/responsibility to make changes and how)
- Life-cycle management (birth, growth, failure, and recovery)
- Network of metadata (categories, capabilities, configurations, and dependencies)
- Testing, monitoring, diagnosis, and verification

Source: Forrester Research, Inc.

The AWS Environment Adheres To Industry Best Security Practices

For its portion of the uneven handshake, AWS has implemented and documented a significant number of security capabilities in support of its various services. Many of AWS' processes and controls map to industry compliance standards, and where available, AWS has earned certifications and independent third-party attestations, including certificates and other compliance documentation. Note that these attestations cover AWS' side of the handshake only; they say nothing about the configuration of a customer's workload, which must be assessed separately. There are several tangible results of these efforts:

Broadly implemented security control frameworks. The AWS control environment uses an information security control framework based on COBIT. It also incorporates ISO 27001/27002, the AICPA Trust Services Principles, PCI DSS v2.0, NIST SP 800-53, and other security standards and certifications (see Figure 4).

Physical and environmental security. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means. Staff must pass two-factor authentication a minimum of two times to reach data center floors. AWS revokes access when an employee or contractor no longer has a need for these privileges. All physical access to data centers by AWS employees is logged and audited routinely.

Global business continuity and availability plans. AWS clusters its data centers in various global regions, meaning all data centers are online and serving customers, and no data center is cold. In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Emergency planning and incident response. AWS has a global incident management and response team. This team employs industry-standard diagnostic procedures, and staff operators provide 24x7x365 coverage to detect incidents and to manage their impact and resolution.

Figure 4 United States Government And Global Security Standards

FedRAMP. AWS is a Federal Risk and Authorization Management Program (FedRAMP) compliant cloud service provider. AWS completed testing performed by a FedRAMP-accredited Third Party Assessment Organization (3PAO) and holds two Agency Authority to Operate (ATO) declarations sanctioned by the US Department of Health and Human Services (HHS). AWS qualified by demonstrating compliance with FedRAMP requirements at the Moderate impact level. This allows all US government agencies to consider deployment of workloads to AWS GovCloud.

FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. Amazon Virtual Private Cloud (VPC) VPN endpoints and SSL-terminating load balancers support customers with FIPS 140-2 requirements. GovCloud (US) operates using FIPS 140-2 validated hardware. AWS will work closely with AWS GovCloud (US) customers to provide the necessary information to help manage compliance with this requirement when using the AWS GovCloud (US) environment.

FISMA and DIACAP. Independent assessors evaluated the AWS infrastructure for a variety of government systems as part of their system owners' approval process. Federal civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST SP 800-37 and the DoD Information Assurance Certification and Accreditation Process (DIACAP).

HIPAA. Amazon provides the ability for customers subject to the US Health Insurance Portability and Accountability Act (HIPAA) to use the AWS environment to process and store protected health information. AWS will sign business associate agreements with these customers.

ISO 27001. AWS is ISO 27001 certified. The certified Information Security Management System (ISMS) covers the primary services and the infrastructure and data centers worldwide. AWS has established a formal program to maintain the certification. AWS provides additional information and frequently asked questions about its ISO 27001 certification on its website.

ITAR. AWS GovCloud supports US International Traffic in Arms Regulations (ITAR) compliance requirements, which require that companies control unintended exports of protected data and restrict the physical location of that data to locations in the United States.*

PCI DSS Level 1. AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS customers can run applications on PCI-compliant infrastructure. AWS also incorporates the new PCI DSS cloud computing guidelines into an AWS PCI compliance package. The AWS PCI Compliance Package includes the AWS PCI Attestation of Compliance (AOC), which shows that AWS has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0, and the AWS PCI Responsibility Summary, which explains how compliance responsibilities are shared between AWS and its customers. AWS provides additional information and frequently asked questions about its PCI DSS compliance on its website.

Cloud Security Alliance (CSA). AWS documents its security controls using the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The questionnaire provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider.

* The ITAR regulation covers a specific class of information that is defense- or military-related, or commercial information that could have military applications, and this includes hardware and software. Source: Subchapter M, International Traffic In Arms Regulations, US Department of State, Directorate of Defense Trade Controls (DDTC) (http://www.pmddtc.state.gov/regulations_laws/documents/official_itar/2013/itar_part_120.pdf).

Source: Forrester Research, Inc.

AWS Has Strong Technical Security Fundamentals

AWS networks provide customers the ability to design application and infrastructure workloads with different levels of security and resiliency. Dedicated AWS staff continuously monitor these networks for both security and operational issues. AWS also provides:

Network access control lists (ACLs) and security groups. AWS provides network ACLs and security groups that let customers control inbound and outbound traffic for the subnets and instances they manage. This capability is native to the AWS architecture and is available in addition to any access controls the customer engineers in its own infrastructure.

Continuous monitoring of network security devices and controls. AWS has monitored firewalls deployed across its infrastructure, and the company exposes its services through a relatively small number of strategically placed API endpoints, which allows comprehensive monitoring of network access. These endpoints terminate HTTPS sessions between customers and their storage or compute resources.

The ability for customers to scan their cloud infrastructure. Customers can request to perform vulnerability scans of their own cloud infrastructure within their assigned IP address range. Amazon provides an online form that customers fill out to start the formal scan request process; obtain that approval before testing, since unrequested scanning of AWS-hosted resources risks being treated as abuse.

Customer-specific IP ranges. All compute instances are located in a virtual private cloud (VPC) with a specified IP range. Customers decide which instances are exposed to the Internet and which remain private; all are private by default.

Network segregation and segmentation. AWS operates three separate networks: the AWS customer network, the Amazon EC2 control plane network, and the Amazon.com corporate network used by AWS and non-AWS employees. Each of these networks is segregated from the others using a complex set of network security/segregation devices. Access is tightly controlled; AWS employees must explicitly request access from the AWS service owner before they can reach the production network. AWS staff connect to the production network via bastion hosts that restrict access to AWS cloud components. [7]

Regularly scheduled vulnerability assessments. AWS regularly scans all AWS-operated Internet-facing endpoint IP addresses for vulnerabilities. Independent auditors perform external vulnerability/threat assessments as well. [8]

Service Organization Control (SOC) reports. AWS has gone through the SOC audit and attestation process with its auditor. AWS provides the SOC 3 report publicly, and the SOC 1 and SOC 2 reports under nondisclosure agreement, consistent with the nature of the information held in these documents. [9]

AWS Core Compute And Storage Offers Security Extensions

The overall impression is that AWS designed its architecture to be secure against attacks and resilient against failure. This is especially true for the Amazon EC2 compute offering and the company's storage and database services. In addition to the industry best practices and broad technical controls, some AWS core services offer security extensions as options. Depending on your organization's business needs, these additional services may be an important part of the package. AWS provides a number of additional security controls you can leverage as part of the EC2 service:

Dedicated instances. AWS offers EC2 instances that run on hardware dedicated to a single customer, so the physical servers hosting them are not shared with or accessible by other AWS customers. They do not, however, come with dedicated network or storage; those remain multitenant services.

Multiple levels of security. The EC2 service provides multiple levels of security, including the host platform operating system (OS), the virtual instance OS, the firewall, and the signed API calls used to access computing resources. Each level builds on the capabilities of the others, protecting data contained within Amazon EC2 from theft or tampering by unauthorized systems or users.

Hypervisor security. EC2 uses a highly customized version of the open source Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guest operating systems rely on the hypervisor to support operations that normally require privileged access, the guest OS has no elevated access to the CPU. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.

Instance isolation. Different instances running on the same physical machine are isolated from each other by the Xen hypervisor. The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, so an instance's neighbors have no more access to it than any other host on the Internet; you can treat them as if they were on separate physical hosts. Physical RAM is separated using similar mechanisms.

Customer control over guest operating systems. AWS does not have access rights to customers' Amazon Machine Images (AMIs). Instead, AWS recommends a base set of security best practices for operating AMIs, consistent with industry best practices for operating system hardening. AWS provides these recommendations for both Windows and Linux, the two server platforms supported by AWS.

Mandatory firewalls for all AWS instances. AWS requires that customers explicitly open any ports they need on the mandatory firewall deployed for all AWS instances; the default configuration is deny-all mode. AWS firewalls let you restrict network traffic by protocol, service port, and source IP address (an individual IP or a Classless Inter-Domain Routing [CIDR] block). The firewall requires an X.509 certificate and key to authorize changes, adding further security.

Various Data Security Capabilities Are Available For Different AWS Storage Services

Data security, like all aspects of AWS security, is a shared responsibility between customer and provider. Customers should consider which combination of AWS storage options and security capabilities is right for their business:

Storage access control. One storage option is AWS Elastic Block Store (EBS); EC2 instances can support EBS volumes from 1 GB to 1 TB. Storage volumes behave like raw, unformatted block devices, with user-supplied device names and a block device interface. Only the AWS account that creates the volume has access to it. AWS Simple Storage Service (S3) stores data objects in buckets, and the system allows customers to assign access based on individual or group membership. [10] S3 restricts access to storage by default.

Storage redundancy. Both Amazon EBS and S3 redundantly store data in multiple physical locations as part of normal operations. Additionally, Amazon S3 redundantly stores objects in multiple facilities within an S3 region. EBS replicates data within the same availability zone, not across multiple zones; therefore, depending on the application, AWS recommends that customers take regular snapshots of their data.

Data encryption. S3 supports SSL encryption for upload and download as well as a client encryption library that lets customers manage their own encryption keys. [11] AWS can also manage encryption keys for clients using S3 Server-Side Encryption (SSE).

Storage durability and availability. AWS designed the S3 service to provide 99.999999999% durability and 99.99% availability of objects over a given year. S3 PUT and COPY operations synchronously store customer data across multiple facilities before returning SUCCESS.

AWS VPC Provides High Levels Of Security For AWS Services

The normal configuration for AWS services is a randomly assigned public IP address for each AWS instance. [12] VPC options enable customers to create an isolated portion of the AWS cloud and launch EC2 instances that have private (RFC 1918) addresses, such as 10.0.0.0/16. [13] Customers can define subnets within the VPC by grouping similar kinds of instances based on IP address range, then set up routing and security to control the flow of traffic into and out of the instances and subnets.

Security features within VPC environments include security groups, network ACLs, routing tables, and external gateways. Each security control complements the others to isolate the network and compute environment. EC2 instances running within a VPC have all of the benefits of host OS, guest OS, and hypervisor security as well as instance isolation and protection against packet sniffing. Customers can also create a logical extension from their on-premises data centers to VPC environments using AWS Direct Connect (see Figure 5). [14]

Figure 5: AWS VPC Conceptual Network Architecture. Components shown: an AWS region containing a VPC with private subnets of EC2 instances in Availability Zone A and Availability Zone B; a virtual private gateway, a customer gateway at the customer data center, and a router at a customer regional office; an Internet gateway and NAT; and Amazon S3, Amazon SES, and DynamoDB. Source: Forrester Research, Inc.
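The following Python is an added example, not code from the report or from AWS; it models the controls described in this VPC section together with the mandatory-firewall item above: a deny-all security group matched by protocol, port and source CIDR, subnets carved from an RFC 1918 VPC range, and per-subnet route tables that decide whether an Internet gateway path exists at all. The 10.0.0.0/16 layout, the route targets and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VPC layout for this example: a private RFC 1918 range carved
# into one public and one private /24 subnet (10.0.0.0/24 and 10.0.1.0/24).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PUBLIC_SUBNET, PRIVATE_SUBNET = list(VPC_CIDR.subnets(new_prefix=24))[:2]
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")

# Route tables (destination prefix -> target): only the public subnet sends
# its default route to an Internet gateway (igw); the private subnet reaches
# the Internet through NAT only, so nothing outside can initiate a connection.
ROUTES = {
    PUBLIC_SUBNET: {VPC_CIDR: "local", DEFAULT_ROUTE: "igw"},
    PRIVATE_SUBNET: {VPC_CIDR: "local", DEFAULT_ROUTE: "nat"},
}

@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, inclusive port range, permitted source CIDR."""
    proto: str
    port_from: int
    port_to: int
    source: str

def sg_allows(rules, proto, port, src_ip):
    """Security-group check: deny-all unless some rule matches. A neighbour
    inside the VPC gets no special treatment; its address is matched like
    that of any other host."""
    ip = ipaddress.ip_address(src_ip)
    return any(r.proto == proto and r.port_from <= port <= r.port_to
               and ip in ipaddress.ip_network(r.source) for r in rules)

def reachable_from_internet(subnet, rules, proto, port, src_ip="203.0.113.10"):
    """Inbound Internet traffic needs both an IGW route for the subnet and a
    matching security-group rule; either control alone is enough to block."""
    return ROUTES[subnet].get(DEFAULT_ROUTE) == "igw" and sg_allows(rules, proto, port, src_ip)

def world_open_admin_ports(rules, admin_ports=(22, 3389)):
    """Audit helper: administrative ports (SSH, RDP) opened to every source."""
    return sorted({p for r in rules for p in admin_ports
                   if r.proto == "tcp" and r.port_from <= p <= r.port_to
                   and ipaddress.ip_network(r.source).prefixlen == 0})

WEB_SG = [Rule("tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anywhere
          Rule("tcp", 22, 22, "198.51.100.0/24")]   # SSH only from an admin range
LAX_SG = [Rule("tcp", 0, 65535, "0.0.0.0/0")]       # the weak setting an audit should flag

if __name__ == "__main__":
    print(sg_allows(WEB_SG, "tcp", 443, "203.0.113.10"))                # True
    print(sg_allows(WEB_SG, "tcp", 22, "10.0.1.5"))                    # False: neighbour, not in admin CIDR
    print(reachable_from_internet(PRIVATE_SUBNET, WEB_SG, "tcp", 443))  # False: no IGW route
    print(world_open_admin_ports(LAX_SG))                              # [22, 3389]
```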

What It Means

SECURITY AND RISK PROS SHOULD NOT FEAR AWS OR THE CLOUD

Cloud is here to stay. The economics and flexibility of these environments are too attractive to ignore; more and more businesses will jump to take advantage of these features, and cloud adoption rates are accelerating. Security and risk pros really have two options: 1) they can say AWS is insecure and be swept over by the sea change cloud presents, or 2) they can dive into AWS capabilities and learn how to use them to secure new workloads, and in the process enable the business to take advantage of what cloud providers offer. Using AWS, or any other cloud platform for that matter, is another form of outsourcing, and security and risk pros should view the offering as such. They should apply the same security controls to cloud workloads that they apply to on-premises and outsourced IT workloads, avoid the hype, focus on the basics of security, and evaluate cloud providers on that basis.

AWS's investment in security is significant for a number of reasons. The company recognizes that security is critical for cloud adoption, and fewer workloads will deploy to AWS if customers can't secure those workloads. AWS takes a portfolio approach to its security controls, allowing its customers to choose the controls that make the most sense for their application. This provides flexibility for application developers and security pros alike.

Security is a differentiator and an enabler in this new cloud-driven IT world. The AWS offerings will force the broader security market, both buyers and sellers, to look at security differently. Security needs to be as flexible and as elastic as the cloud platforms that support the workloads. The AWS security approach is a good step forward and will accelerate the cloud security disruption and change the game for IT departments globally. Even if these departments don't adopt AWS services, they will be looking to other cloud providers to provide similar or improved services.

Supplemental Material

Company Interviewed For This Report
Amazon

Endnotes

1. In the past, CSPs such as Microsoft and AWS did not publish their security controls. CSPs recognized that lack of security is a significant impediment to companies moving workloads to the cloud. Forrester's own Forrsights research shows that security concerns are the No. 1 impediment to cloud adoption. For more information, see the August 2, 2013, "Security's Cloud Revolution Is Upon Us" report.

2. Edge zones are specifically purposed for the AWS CDN service. If a client is not subscribed to the CDN service, edge locations are not available. Source: Amazon Web Services (http://aws.amazon.com/).

3. Alon Swartz mapped the distance between data centers to determine which centers made the most sense to host a global backup solution for TurnKey Linux. The map shows the interconnectedness of the AWS infrastructure. Source: Alon Swartz, "Mapping AWS data centers for fastest connection," TurnKey Linux, December 29, 2011 (http://www.turnkeylinux.org/blog/aws-datacenters).

4. Figure 2 is not an exhaustive list of all AWS services but of those with security implications. To understand how the company's security capabilities might affect your organization, security and risk pros will need to review the security services AWS offers, determine each service's availability, and then estimate the operating cost of the service. AWS has other services to support solution development, including services for applications (Amazon CloudSearch, Amazon Elastic Transcoder, Amazon Simple Workflow Service [SWF], Amazon Simple Queue Service, Amazon Simple Notification Service [SNS], Amazon Simple Email Service [SES], Amazon AppStream) and for payments and billing (Amazon Flexible Payments Service [FPS], Amazon Simple Pay, Amazon DevPay). AWS also provides software development kits (Android, iOS, Java, JavaScript, .NET, PHP, Python [boto], Ruby) and developer toolkits (Eclipse, Visual Studio). AWS is currently deploying a virtual desktop offering built on the AWS infrastructure as well, and the list of services continues to expand. Source: Amazon Web Services (http://aws.amazon.com/documentation/).

5. Forrester developed the concept of the "uneven handshake" in 2008, before AWS came up with "shared responsibility." The idea is the same: Cloud vendors provide infrastructure services, and their clients develop applications to deploy on these infrastructures. For more information, see the June 1, 2012, "Make The Cloud Enterprise Ready" report.

6. Source: "Amazon Web Services: Overview of Security Processes," Amazon Web Services, November 2013 (http://media.amazonwebservices.com/pdf/aws_security_whitepaper.pdf).

7. Only AWS staff (not Amazon.com staff) can access the AWS admin network, and only AWS employees to whom you grant access can access your virtual network.

8. EY is an AWS audit firm. EY attests to AWS security controls for SOC 1, SOC 2, and SOC 3 reports.

9. SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy, but they do not provide the level of detail found in the more detailed and confidential SOC 1 and SOC 2 reports. Accounting firms prepare these reports using the AICPA/CPA Canada (formerly Canadian Institute of Chartered Accountants) Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 3 reports are general-use reports; AWS can freely distribute and post this report on its website. Source: AICPA (http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/Pages/AICPASOC3Report.aspx).

10. S3 storage has a variety of uses and is known for its flexibility and scalability. When Phil Porras discovered the Conficker worm, the only way to deal with the infection was to create a very large list of Internet domain names. As the list of domain names grew, the team fighting Conficker rented S3 storage space from Amazon to park the domains and sinkhole the millions of requests from the worm that poured in each day. The requests were simply routed to a dead-end location. Source: Mark Bowden, Worm: The First Digital World War, Grove Press, 2011.

11. Bring-your-own encryption is a major trend for cloud deployments. Cloud encryption gateways for AWS and salesforce.com are top topics with Forrester clients. Encryption covers a multitude of sins, and by encrypting the data before it hits the cloud, companies effectively strip the toxicity (and the liability) from the data. For more information, see the December 4, 2013, "Predictions For 2014: Cloud Computing" report.

12. Conceptually, this is AWS's version of DHCP. However, it is a proprietary AWS approach that takes into account the AWS region, availability zone, and edge topology of the Amazon infrastructure. Instances have system-generated internal names such as i-eec68595 and a public DNS name such as ec2-54-227-78-204.compute-1.amazonaws.com, and are assigned a random public IP address.

13. RFC 1918 is a document published by the Internet Engineering Task Force (IETF) describing the engineering standards for IP address allocation for private internets. The allocation permits full network layer connectivity among all hosts inside an enterprise as well as among all public hosts of different enterprises. Source: Internet Engineering Task Force (IETF), Network Working Group Request For Comments: 1918 (1996) (http://tools.ietf.org/pdf/rfc1918.pdf).

14. Source: "Amazon Web Services: Overview of Security Processes," Amazon Web Services, November 2013 (http://media.amazonwebservices.com/pdf/aws_security_whitepaper.pdf).
