
More on Amazon’s SAS70 Type II

Posted on by Randy Bias

 

Amazon hasn’t been forthcoming since my last post on their controls and control objectives, which is disappointing, but expected.  I still believe that transparency here is more important than security through obscurity.  Hiding the controls and control objectives doesn’t provide much in the way of particular security benefits, although I’m certain some will argue that it does.  Consider, however, that while the SAS70 controls would tell what is being audited, that doesn’t necessarily translate to all of the controls in place.

Regardless, a bit more light has been shed on Amazon’s controls and measures in their recent security webinar.  You can access it here.

At a high level, CJ Moses, who presents the webinar, talks to the core areas they covered in the control objectives, which are:

  1. Security organization
  2. Amazon employee lifecycle
  3. Logical security
  4. Physical security
  5. Environmental safeguards
  6. Change management
  7. Data integrity, availability, and redundancy
  8. Incident handling

This looks pretty reasonable at a high level.  Of course, it would be nice to see the actual controls and objectives, but at least they are covering the appropriate areas of security.  I do notice that there isn’t much around perimeter or related security.  I’m guessing they are trying to gloss over the AWS distributed firewall.  It would be nice if someone besides Amazon was vetting the way this was built.  They appear to consider it a piece of core intellectual property despite the fact it would be trivial to reproduce.  I’m not exactly certain why.

This entry was posted in Cloud Computing.

© 2012 Cloudscaling