AWS Shares Details of Cloud Security Practices by Joining CSA Registry

Cloud giant Amazon Web Services announced on Tuesday it has joined the Cloud Security Alliance’s Security, Trust & Assurance Registry, and in doing so has given further details about the security features of its IaaS cloud platform, according to a report by Network World.

The move comes the same week Datapipe joined Amazon Web Services’ Partner Network as an advanced consulting partner.

The CSA launched the STAR program in August 2011 as a way for users to analyze the security practices of cloud providers. Though enrollment was initially slow, the registry now has 12 members including cloud providers Microsoft Azure, Terremark and

In joining the STAR program, AWS released an updated, 42-page whitepaper that detailed its security practices, including any certifications and compliances for the cloud and the answers to more than 190 questions from the STAR program’s questionnaire.

In the report, AWS says its certifications and compliances include SAS70 Type II audits, ISO 27001 certification, a SOC1 report under SSAE16, Payment Card Industry Level 1 Service provider authority, and a “moderate” level listing for its Federal Information Security Management Act controls.

AWS also provided many insights into its security practices, such as providing SOC Type II reports to customers to view under nondisclosure agreements.

Additionally, AWS says it curbs data leakage by using virtualization software that isolates customer data in multi-tenant environments, which stops customers from accessing any information that is not assigned to them.

The company also says that while customers can choose the region of the AWS cloud in which their data is stored, “AWS will not move customers’ content from the selected Regions without notifying the customer unless required to comply with the law or requests of governmental entities.”

It adds that customers have the option of using their own encryption mechanisms or the company’s own server-side encryption for its Simple Storage Service and virtual private cloud.

Finally, AWS says that since customers have full control of their guest operating systems, software and applications, they “are responsible for performing vulnerability scans and patching of their own systems”.

AWS customers can also ask to perform scans of the cloud infrastructure personally assigned to them as long as it does not affect other users’ instances.

CSA officials have said they expect additional providers to join the program in coming months. When the CSA announced STAR, it said big-name tech companies such as Google, Intel and McAfee had plans to join STAR, but they still have not.

In the second quarter, the CSA established an Asia Pacific headquarters, and decide on the specific location.

Talk back: How do you feel about Amazon sharing details about its cloud security practices? Do you think this will lead to other cloud providers joining CSA and revealing their own cloud security practices? Let us know in a comment.
