This story appeared on Network World at
http://www.networkworld.com/news/2009/111309-amazon-cloud-security.html
Amazon called out over cloud security, secrecy
Amazon's cloud computing service should not be used for applications that require advanced security and availability, the Burton Group analyst firm says in a report accusing Amazon of secrecy regarding its cloud data centers.
10 cloud computing companies to watch
Amazon has helped define the cloud computing market with its Elastic Compute Cloud (EC2), a service offering access to virtual server capacity over the Web. There are many things to like about EC2 and related platforms such as Amazon's Simple Storage Service (S3), but there are also numerous unanswered questions about Amazon's cloud infrastructure, according to the Burton Group.
Amazon seems to do a good job of network and physical security, but overall Burton Group gives the company "low marks for enterprise availability and security" because of a lack of transparency.
"Amazon maintains a strict 'will not discuss' policy regarding specific data center details. In Burton Group's opinion, this position is unacceptable because it prevents organizations from assessing the risk posed by placing enterprise applications in EC2," states a report titled "Amazon EC2: Is it ready for the enterprise?" written by Burton Group analyst Drue Reeves.
Amazon says its data centers meet Tier 4 specifications, with fully redundant power, backup power, networking and HVAC systems.
"However, no outside firm has inspected or audited Amazon's data centers to verify these claims," Reeves writes. "Due to lack of available information and audited inspection regarding Amazon's data centers, Burton Group cannot verify Amazon's availability claims."
Specifically, Burton Group says Amazon customers have no way of determining the "physical redundancy level and data protection" of physical components such as servers, storage devices, network and power infrastructure. Burton Group also faulted Amazon for replication rates in its Simple Storage Service and a lack of failover between data center regions.
Amazon spokeswoman Kay Kinton said the Burton Group report contains inaccurate statements. For example, the report says Amazon lacks SAS 70 security certification, when in fact Amazon does have that certification, Kinton writes in an e-mail to Network World.
"In terms of reliability, we often hear from our customers that AWS [Amazon Web Services] can achieve higher degrees of performance than they've been able to achieve on their own," Kinton writes. "Additionally, AWS gives users a great deal of control and visibility into a user's environment. Users can choose where to place their data, they can run their applications and back up to multiple availability zones and in the event of any service interruptions, they have access to a service health dashboard that gives regular updates on the service health. We also have features that provide monitoring, Auto Scaling and Elastic Load Balancing for even greater resilience in building applications. One of the main reasons customers use our services is the reliability that we're able to provide."