During the inaugural Amazon Web Services conference held last week, AWS leadership boasted about the vendor’s security record and its ongoing effort to provide a secure public cloud infrastructure for customers. That said, during the event Chad Woolf, AWS Director of Risk and Compliance, reminded customers that security is a two-way street.
While the vendor has been diligent in earning a widespread set of security compliance certifications (its original security designation of SAS 70 has grown to include SOC 1, SOC 2, ISO 27001, PCI DSS and more), AWS stressed that it uses a “shared” security model, meaning AWS manages some responsibilities, but each customer must secure its own platforms, applications and data. And while the vendor has taken the step of creating education around compliance rules and around which responsibilities lie with AWS and which with the customer, many in the channel question whether the position is truly “shared.”
In an online article, TechTarget shared a great quote from an attendee, Derrick Burton, an IT director for a consulting firm: “Executives from AWS say, ‘We’re building this platform for you to sit on, but you’re in charge of securing what’s in it,’” he said. “That doesn’t sound like ‘shared responsibility’ to me.”
I agree. But … I would reiterate what I said yesterday – solution providers need to assume security is their responsibility, from their clients’ environments right up to the minute that data hits the cloud vendor’s infrastructure. Let’s be honest, you don’t expect your Internet providers to encrypt email, so why should you approach cloud any differently?