Amazon Web Services - Cloud computing and security

Cloud computing is a buzzword gaining traction especially in today's tough economic conditions. Cloud computing is a way to offer software as a service (SaaS). For example, I was reading an article recently that appeared in one of the leading money magazines that boldly predicted that Apple was going to be in trouble soon (of course telling everyone to dump their Apple stocks). Apple's big money maker is their IPod line. And for a user to use their IPod they have to do these things in order:

1. Burn the CD to a list of MP3 files or download from ITunes.
2. Plug in your IPod to the computer.
3. Launch ITunes and sync your music to the IPod.
4. Listen and enjoy.

The author was asking why listeners have to go through all of this stuff just to enjoy their favorite music? And what if the listener wanted to listen to something that they didn't physically own?

The author explained that services like Rhapsody offers music "in the clouds". All a listener has to do is log into their account and for $15 a month or so, you can listen to anything, at any time or day whether or not you have bought the actual album.

Apple has been slow to catch onto this concept and therefore the days of the IPod are numbered.

Amazon now offers "Amazon Web Services" - a cloud computing platform that offers users a wide variety of applications. Since cloud computing is one of the new things and security for traditional methods of software delivery are still a work in progress, how does security work in the clouds? If you go to http://aws.amazon.com on the right hand side of the page will be a link to the Security Whitepaper for AWS.

AWS breaks down security concerns for its cloud within this whitepaper. Here are the major areas and my comments for each section:

1. Physical security. AWS's physical security plan involves using non descript data centers with extensive secure access for all employees. Audit logs show who enters and exits the facilities. [Fred: this makes good sense. A company does not have to worry about salaries of security personnel around their server farm. Backups and fire alarms also are controlled by a cloud service. ]
2. Host operating system security. - AWS uses specially designed bastion hosts that log AWS employees access.
3. Guest operating system security - AWS creates virtual OS's that guests have full access control over but AWS employees do not. AWS recommends that guest admins disable the password based access and use token or key based authentication to gain access.
4. Firewalls - AWS configures the firewall to be default deny all and the customer admin has to open ports to allow inbound traffic. Traditional web application configurations can be configured like Port 80 and 443 for http and https traffic for example.
5. API calls - calls to API to AWS services or client created APIs use X.509 certificates for digital signatures. Calls can be encrypted using SSL and customers are advised to make their endpoints SSL protected.
6. Network security - AWS uses the same security infrastructure that has been implemented by their main website so attacks such as DDoS, man in the middle, and IP spoofing are not possible by AWS endpoints.

All in all, pretty interesting stuff.