As mentioned in prior posts, Cloud security, and addressing the risks that exist (the new risks and the new tools to address them), is fundamental to ensuring a successful and beneficial use of Cloud provider environments. At the RSA London conference, several strong documents were held in high regard as aids for approaching best practices in cloud security. The two most commonly referenced were:
- Cloud Security Alliance – Security Document
- NIST 800-117 “DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)”

A nice article (October 2009, “Amazon EC2 attack prompts customer support changes”) posted on TechTarget highlights the Denial of Service attack against a website hosted on AWS EC2. Check out the article here. Overall, the results from this attack were very promising for instilling confidence in Amazon AWS, but they also highlight the duties and next steps in evolving beyond simply “starting instances” on the Cloud. A few of the key points that jumped from the screen, and should be carefully considered, include:
- “The problem was that no one could see the complete picture…” AWS took 18 hours to respond to the attack – primarily because the backend AWS environment (internal IP traffic) was just fine, while the outside public-facing IP was bogged down.
- AWS responded immediately to fix the issue – demonstrating their dedication to ensuring a great operating environment
- The target organization acknowledged that “they weren’t taking full advantage of AWS’s unique characteristics” to reduce the impact of this type of attack. Indeed, it is the availability of new enterprising environments and access to a broad set of resources that makes the Cloud such a rich platform.
- There are ways and means of improving the operational integrity of solutions leveraging the Cloud, but it requires, as Peter DeSantis, VP of AWS EC2, states, that “customers take proactive measures, such as distributing instances for redundancy and safety. He said that there were distinct advantages in a cloud computing environment that many weren’t aware of or haven’t learned about…We are underplaying tools that are at people’s disposal…”
- A great set of lessons is further elaborated in the article. An additional observation – no other customer operating environments were reportedly impacted, which speaks very positively for Amazon’s architecture and current deployment.
Other thoughts and concerns?
James DeLuccia IV