Monday, November 16, 2009

Burton Group reports that Amazon Web Services has security issues =>

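The report says that it is suited to things like simple application development within an enterprise, but not to security-sensitive work close to core business operations. It points out that Amazon has a strict rule of not disclosing information about its own data centers, and that this may not fit enterprise requirements.
Amazon itself has made various statements about security, such as that it builds its data centers to Tier 4 specifications and that it complies with SAS 70, but the report points out that the problem is that these claims cannot actually be verified.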

From Network World:

This story appeared on Network World at
http://www.networkworld.com/news/2009/111309-amazon-cloud-security.html

Amazon called out over cloud security, secrecy

Amazon EC2 lacks many enterprise features, Burton Group says
By Jon Brodkin, Network World, 11/13/2009

Amazon's cloud computing service should not be used for applications that require advanced security and availability, the Burton Group analyst firm says in a report accusing Amazon of secrecy regarding its cloud data centers.

Amazon has helped define the cloud computing market with its Elastic Compute Cloud (EC2), a service offering access to virtual server capacity over the Web. There are many things to like about EC2 and related platforms such as Amazon's Simple Storage Service (S3), but there are also numerous unanswered questions about Amazon's cloud infrastructure, according to the Burton Group.

Amazon seems to do a good job of network and physical security, but overall Burton Group gives the company "low marks for enterprise availability and security" because of a lack of transparency.

"Amazon maintains a strict 'will not discuss' policy regarding specific data center details. In Burton Group's opinion, this position is unacceptable because it prevents organizations from assessing the risk posed by placing enterprise applications in EC2," states a report titled "Amazon EC2: Is it ready for the enterprise?" written by Burton Group analyst Drue Reeves.

Amazon says its data centers meet Tier 4 specifications, with fully redundant power, backup power, networking and HVAC systems.

"However, no outside firm has inspected or audited Amazon's data centers to verify these claims," Reeves writes. "Due to lack of available information and audited inspection regarding Amazon's data centers, Burton Group cannot verify Amazon's availability claims."

Specifically, Burton Group says Amazon customers have no way of determining the "physical redundancy level and data protection" of physical components such as servers, storage devices, network and power infrastructure. Burton Group also faulted Amazon for replication rates in its Simple Storage Service and a lack of failover between data center regions.

Amazon spokeswoman Kay Kinton said the Burton Group report contains inaccurate statements. For example, the report says Amazon lacks SAS 70 security certification, when in fact Amazon does have that certification, Kinton writes in an e-mail to Network World.

"In terms of reliability, we often hear from our customers that AWS [Amazon Web Services] can achieve higher degrees of performance than they've been able to achieve on their own," Kinton writes. "Additionally, AWS gives users a great deal of control and visibility into a user's environment. Users can choose where to place their data, they can run their applications and back up to multiple availability zones and in the event of any service interruptions, they have access to a service health dashboard that gives regular updates on the service health. We also have features that provide monitoring, Auto Scaling and Elastic Load Balancing for even greater resilience in building applications. One of the main reasons customers use our services is the reliability that we're able to provide."