Amazon Web Services is attempting to coax businesses into the cloud by touting the security credentials of its Virtual Private Cloud (VPC).
Despite the potential cost savings associated with cloud computing, many organisations are still put off by security concerns. In a survey of 300 end user organisations by the Cloud Industry Forum in 2011, 62 percent cited data security as one of their most significant concerns about cloud adoption.
While the public cloud is widely considered to be unsuitable for business-critical applications, some organisations are starting to make greater use of private clouds, which are often on-premise data centres that use cloud-style technology.
In the case of Amazon VPC, however, the computing infrastructure is housed within Amazon's own EC2 public cloud. Users can carve off an isolated portion of the cloud and link it up to their own data centre via an Internet gateway, a virtual private network (VPN) or a dedicated network using AWS Direct Connect.
Unlike instances in EC2, which are randomly assigned a public IP address when launched, instances in VPC have private addresses.
“Any resources that you place in your Virtual Private Cloud can only communicate back to your own data centre,” explained Amazon CTO Werner Vogels at an event in London yesterday. “This allows your on-premise environment to grow and shrink.”
Amazon general manager and CISO Steve Schmidt, who used to work for the FBI, said that the company's VPC offering has generated a significant amount of interest from enterprises since its launch in 2009.
One of the biggest attractions, according to Schmidt, is the ability for organisations to use the same control structure for their VPC as they use for their on-premise infrastructure. This includes network-layer firewalls, IP address configurations and management infrastructure.
“Many customers ask how the firewalls work in VPC and how they are different from EC2,” said Schmidt. “EC2 offers mandatory inbound firewalls for all instances, and those firewalls are stateless. VPC requires mandatory inbound firewalls and they're stateful – and it also has outbound firewalls. So you can establish rules for what can exit your machine just as much as what can enter.”
Amazon's VPC offers network-level access control lists (ACLs) that control interactions between web servers, application servers and databases. AWS also offers dedicated instances as an option for customers who want to be the only tenant on a physical piece of hardware.
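The stateless-versus-stateful distinction Schmidt draws above is easy to get wrong when writing rules, so here is a small simulator that makes the difference concrete. It is an added example and not code from the article or from AWS: it models a stateless rule list (every packet judged on its own, the way a network ACL works) beside a stateful filter (allowed connections are remembered, the way a security group works) for an application-tier host that accepts HTTP from a web tier and opens database connections to a third tier. The class names, the `10.0.x.0/24` tier addresses, the ports and the rule set are all constructed for the example.

```python
"""Stateless vs stateful packet filtering, modelled in plain Python.

Constructed example: rules are evaluated for one protected host (the
application tier). A stateless filter needs an explicit inbound rule for
the ephemeral port range before the database's replies can come back; a
stateful filter tracks the connection it allowed out and admits the reply.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    peer: str             # remote address: source if inbound, destination if outbound
    port: int             # destination port of the packet
    reply_port: int       # source port of the packet (where a reply would go)
    new_conn: bool = True  # True for the first packet of a connection (TCP SYN)


@dataclass(frozen=True)
class Rule:
    direction: str
    peer_prefix: str      # "10.0.1." stands in for 10.0.1.0/24; "" matches anything
    port_lo: int
    port_hi: int
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.peer.startswith(self.peer_prefix)
                and self.port_lo <= p.port <= self.port_hi)


class StatelessFilter:
    """Each packet is judged alone against the rule list: first match wins,
    default deny. Return traffic for a connection this host opened is just
    another inbound packet and needs its own rule."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """New connections are checked against the rules; once allowed, the flow is
    remembered and packets travelling the other way on that flow pass without
    needing a matching rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()  # (direction, peer, port, reply_port) of allowed connections

    def decide(self, p: Packet) -> str:
        other = "out" if p.direction == "in" else "in"
        # Reverse of a tracked flow: the ports swap roles on the way back.
        if not p.new_conn and (other, p.peer, p.reply_port, p.port) in self.flows:
            return "allow"
        verdict = super().decide(p)
        if verdict == "allow" and p.new_conn:
            self.flows.add((p.direction, p.peer, p.port, p.reply_port))
        return verdict


# Constructed rule set for the application tier: HTTP in from the web tier,
# MySQL out to the database tier, nothing else.
APP_TIER_RULES = [
    Rule("in", "10.0.1.", 8080, 8080, "allow"),   # web -> app
    Rule("out", "10.0.3.", 3306, 3306, "allow"),  # app -> db
]
# The extra rule a stateless ACL needs so the database's replies get back in.
EPHEMERAL_RETURN_RULE = Rule("in", "10.0.3.", 1024, 65535, "allow")


def db_round_trip(fw) -> tuple:
    """Open a connection to the database; return (verdict for our SYN,
    verdict for the database's SYN/ACK coming back)."""
    syn = Packet("out", "10.0.3.5", 3306, 49152, new_conn=True)
    syn_ack = Packet("in", "10.0.3.5", 49152, 3306, new_conn=False)
    return fw.decide(syn), fw.decide(syn_ack)


def web_to_app_request(fw) -> str:
    return fw.decide(Packet("in", "10.0.1.20", 8080, 51000))


def unsolicited_from_db(fw) -> str:
    """A *new* connection from the database subnet to a high port on this host.
    The cost of a stateless return rule is that this is let in as well."""
    return fw.decide(Packet("in", "10.0.3.5", 40000, 3306, new_conn=True))


if __name__ == "__main__":
    for label, fw in [
        ("stateless, no return rule", StatelessFilter(APP_TIER_RULES)),
        ("stateless + return rule", StatelessFilter(APP_TIER_RULES + [EPHEMERAL_RETURN_RULE])),
        ("stateful", StatefulFilter(APP_TIER_RULES)),
    ]:
        print(label, "| db round trip:", db_round_trip(fw),
              "| unsolicited from db subnet:", unsolicited_from_db(fw))
```

Run as a script, the three lines show the trade-off: without a return rule the stateless filter drops the database's reply; adding the ephemeral-range rule fixes that but also admits brand-new connections from the database subnet to any high port; the stateful filter allows the reply and still refuses the unsolicited connection. That is why stateless ACLs are usually kept coarse (subnet-to-subnet) and the per-instance, stateful rules carry the precise intent.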
“If the CSO says everything must be dedicated on a particular set of machines, we will enforce that for you so that you're able to bring up and bring down machines to your heart's content, and they're only going to live on that hardware,” said Schmidt.
However, Schmidt added that Amazon was very clear about the dividing line of responsibility between AWS and the customer. While Amazon takes responsibility for “the hypervisor down to concrete,” it is up to the customer to decide how much exposure of their information they will tolerate, and consequently which security tools they choose to implement.
“We'll give them a suite of tools that they can use to secure their information and systems appropriately; we give them a set of best practices that establish how we suggest you configure and use the tools that are available; but then it's up to you to decide how you implement them in your own environment,” he said.
At Amazon's Cloud Computing for the Enterprise event, Vogels also said that startups and small companies are stealing a march on their larger enterprise counterparts by employing analytics at the heart of their businesses, thereby making better use of Big Data.