One of the most common concerns of the cloud era has been security. After all, the cloud is a shared environment, with multiple organizations making virtual use of the same physical infrastructure.
But far from being insecure, the cloud will improve the security postures of most organizations, said Amazon CTO Werner Vogels at this week's Amazon Web Services (AWS) Summit.
"You can actually move to the cloud to improve your security, compliance and governance," he said.
Amazon's level of investment in and focus on security is why Vogels is so confident in AWS cloud security. Amazon has invested intellectual property as well as human capital to make sure its infrastructure is secure for users, he said, pointing out Amazon has achieved "a very broad range of accreditations and certifications" in its data centers.
PCI-DSS, HIPAA and Other Certs
The certifications include PCI-DSS and U.S. federal government certifications like FedRAMP. Vogels is especially proud of Amazon's certification for HIPAA (Health Insurance Portability and Accountability Act).
"HIPAA is a really important certification as it allows health care applications to be built on top of AWS," he said.
Additionally, Amazon has built a whole range of tools for users to secure their applications and data on top of AWS' own secure infrastructure. The tools help provide granular visibility into the usage and resources consumed by AWS cloud deployments.
Importance of Encryption
Amazon has a Virtual Private Cloud (VPC) offering that enables organizations to create and utilize an isolated segment of the AWS cloud. It also offers a key management service that allows organizations to bring their own encryption keys to AWS. The keys can only be accessed by the organization, Vogels emphasized.
"It is absolute good security hygiene to at least encrypt personally identifiable information as well as critical business data, but if you're really smart you just encrypt everything," he said.
Encrypting everything is a much easier approach to security, Vogels said, as organizations no longer need to think about what's encrypted and what's not. Five years ago there were many conversations about the performance impact of running encrypted HTTPS for websites, he said, but with modern computing speeds and power the performance impact of encryption is no longer a major concern.
"With the tools we have been building at AWS it becomes easier for you to actually use encryption," he said. "There is no excuse anymore not to encrypt the personally identifiable information of your customers and, if you do so, you are the only one that decides who has access to the data."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com.