Amazon Web Services
Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and dependability. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
Certifications and Accreditations: AWS has achieved ISO 27001 certification and has successfully completed multiple SAS70 Type II audits. They continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of their infrastructure and services.
PCI DSS Level 1
AWS has achieved Level 1 PCI compliance, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Service providers can now run their applications on PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) are included in the PCI compliance validation.
AWS has achieved ISO 27001 certification of their Information Security Management System (ISMS) covering the infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments appropriate to ever-changing threat scenarios. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing transparency into security controls and practices. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification.
SAS 70 Type II
Amazon Web Services has successfully completed a Statement on Auditing Standards No. 70 (SAS70) Type II Audit and has obtained a favorable unbiased opinion from its independent auditors. SAS70 certifies that a service organization has had an in-depth audit of its controls (including control objectives and control activities), which in the case of AWS relates to operational performance and security to safeguard customer data. Their commitment to SAS 70 is on-going and they will continue to our process of periodic audits.
The flexibility and customer control that the AWS platform provides permits the deployment of solutions that meet industry-specific certification requirements, and customers have built healthcare applications compliant with HIPPA’s Security and Privacy Rules on AWS.
Physical Facility & Security: AWS has many years of experience in designing, constructing and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in non-descript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. All physical access is logged and audited routinely.
Network Redundancy & Backup: Data stored in Amazon S3, Amazon SimpleDB is redundantly stored in multiple physical locations as part of normal operation of those services. Amazon S3 and SimpleDB ensure object durability by storing objects multiple times across multiple datacenters on the initial write and then actively doing further replication in the event of device unavailability or detected bit-rot.
Network Security: The AWS network provides significant protection against traditional network security issues and CrownPeak has implemented further protection (see Network Monitoring later). The following are a few examples:
• Distributed Denial Of Service (DDoS) Attacks: AWS Application Programming interface endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used.
• IP Spoofing – Amazon EC2 instances cannot send spoofed network traffic. The AWS controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than it’s own.
• Packet sniffing by other tenants – It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for different virtual instances. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer, located on the same physical host, cannot listen to each other’s traffic. Attacks such as ARP Cache poisoning do not work within Amazon EC2.
Firewall: Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny mode and Amazon EC2 customers must explicitly open all ports needed to allow inbound traffic. The traffic may be restricted by protocol, by service port as well as by source IP Address. As a policy CrownPeak only opens necessary ports for the WCO software.