Gartner: Best practices for Amazon AWS security
- 26 June, 2014 06:08
The Amazon AWS cloud service is fine for enterprise workloads and applying security controls such as encryption and firewalls is possible, though more security vendors need to step up to support Amazon's EC2 service, according to the Gartner analysis presented today.
In his presentation at the Gartner Security and Risk Management Summit 2014, analyst Neil MacDonald said there's a misperception among many IT managers that Amazon's EC2 is somehow a consumer-grade cloud service. "It's designed for enterprise use," he said, noting that the Amazon platform continues to develop beyond simply an infrastructure-as-a-service to include Elastic Block Storage and other services. But companies do need to architect in any high availability they want from Amazon's EC2, he noted.
Amazon has a built-in firewall, but it is fairly "coarse-grained," and many enterprise managers using Amazon choose to include third-party host-based software firewalls, though some vendor products fit more gracefully because they were designed for it, MacDonald said.
Check Point, Sophos, and Trend Micro all have their own software-based firewall/IPS for Amazon EC2, said MacDonald, but he added that it would be hard to run a Palo Alto Networks firewall in Amazon. "Where's Cisco's firewall in the cloud for Amazon?" MacDonald asked, saying he wonders about Cisco and other vendors, too.
Several vendors have encryption agents for Amazon, including Porticor, Safenet, Voltage and Vormetric, among others. Amazon offers encryption as well. AlienVault and Splunk have security information and event management products for Amazon's EC2. CloudPassage, Trend Micro, Dome9 and McAfee (the security division of Intel) offer varieties of server-based security for Amazon. MacDonald says he recommends a white-listing-based server protection strategy with continuous monitoring. He advises avoiding use of SSH keys.
While this all represents a growing ecosphere of vendors supporting Amazon EC2 for enterprise workloads, there are still some improvements that Amazon itself could make, MacDonald said.
Amazon now offers CloudTrail to audit activities. But MacDonald said one of the main things Amazon still needs to do is give its customers a view of what Amazon's own systems administrators are doing. That's because enterprises remain concerned about the danger of "snapshotting" of data resources held there, and this "snapshotting" concern is guiding some decision-making.
"If data is so sensitive that snapshotting is keeping you up at night, don't put it in the cloud," said MacDonald. He added that he is urging Amazon to add more features and capabilities, such as a dedicated storage option, and noted that "there's no way to achieve a network tap today," which leaves agent software as the alternative.
Despite these criticisms, Amazon AWS was the IaaS that came out on top as the market leader in the recent Gartner Magic Quadrant, with Microsoft somewhat behind. CenturyLink, IBM SoftLayer, Verizon Terremark and CSC earned their spots as "visionaries" in the report, but VMware, Rackspace, and GoGrid, among others, were ranked by Gartner as simply "niche players."