New Amazon Blog Tackles Web Services Security Concerns


Amazon is attempting to help its cloud users boost their security prowess with the launch of a blog focusing on information security best practices.

Stephen Schmidt, chief information security officer of Amazon Web Services, unveiled the blog Monday. In the first blog post, Schmidt said the company planned to feature how-to guides, compliance milestones, and customer and partner stories.

"This blog will feature information for customers interested in AWS security and compliance," Schmidt wrote. "You'll see content from many AWS team members covering a range of topics."

AWS' security has been under increased scrutiny following a new study that found the complexity of managing Amazon S3 opened up security weaknesses that potentially exposed confidential data. S3 storage service configuration problems made some sensitive data publicly accessible, and the exposed files could contain data used in a future network attack, according to a review conducted by Boston-based vulnerability management vendor Rapid7.

The Amazon S3 storage service is a popular way to cheaply store server backups, company documents and Web logs. But files are organized into buckets, and wrongfully assigning data to a bucket can result in it being made publicly available. A random sampling of 40,000 publicly visible files found many containing sensitive data, Rapid7 said.

The first how-to guide posted to the new AWS security blog outlines how to use multifactor authentication to better secure AWS resources. The content, written by Jim Scharf, director of AWS Identity and Access Management, recommends using multifactor authentication for root access, which provides unlimited privileges to resources, and for privileged users who have access to sensitive data.

Enterprise IT security professionals have been looking for additional resources to protect sensitive data being migrated to the cloud, according to the Cloud Security Alliance, a nonprofit organization that promotes cloud security assurance best practices.

AWS is listed in the organization's STAR registry, an initiative to encourage the transparency of security practices among cloud providers, and provides users with a risk and compliance overview. AWS publishes a Service Organization Controls 1 (SOC 1), Type II report. The information can also be accessed at the AWS Security and Compliance Center.

Enterprises have had a variety of concerns surrounding data integrity, confidentiality and availability in the cloud, according to Justin Somaini, chief trust officer at Los Altos, Calif.-based cloud storage and file sharing firm Box. In a recent interview with CRN, Somaini, formerly the chief information security officer at Yahoo, said cloud service providers should be dedicated to transparency and engaging users in an open dialogue about security and privacy.

"At Box, it's not only about security and compliance internally but definitely focusing on the customer landscape, and listening to their needs to ensure it is facilitated," Somaini said. "I've never been in [the] camp of complete fear and paranoia, so the real question is how to secure data and what are the things we can do."

PUBLISHED APRIL 30, 2013