How NASA lab, Amazon share security responsibilities in the cloud
- By Rutrell Yasin
- Oct 19, 2011
When it comes to security in the cloud, Amazon Web Services takes a shared-responsibility approach with government and business users.
“We’re going to be responsible for some things, and you’re going to be responsible for some things,” C.J. Moses, deputy chief information security officer with Amazon Web Services Security, told an audience of government and industry representatives at the Amazon Cloud Summit II in Washington, D.C., Oct 18.
“Everything from the hypervisor down is my problem,” and everything above it is the customer’s responsibility, Moses said.
A hypervisor is the software layer that runs directly on the physical hardware and creates, schedules and isolates the virtual machines above it. It has been described as a “traffic cop” because it arbitrates each guest’s access to the host’s processors, memory, storage and network so that one tenant’s workload cannot interfere with, or read from, another’s. It is the lowest software layer in the stack, sitting immediately above the hardware.
AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.
Agencies or companies using the AWS service assume responsibility for managing the guest operating system, which includes applying updates and security patches. They are also responsible for the application software they run on it and for the configuration of the AWS-provided security group firewall, which decides what traffic may reach each instance.
“When we started talking to Amazon about cloud computing, early on we saw that there was a separation of concerns,” said Khawaja Shams, a senior solutions architect with NASA’s Jet Propulsion Laboratory, which runs software for the Mars Rover program in the Amazon EC2 cloud. “It is important for us to understand the separation of concerns because it helps us focus on what our responsibilities are,” Shams said.
Shams agreed that everything above the hypervisor is his organization’s responsibility, including the operating system, file system and applications. Using hardened Amazon virtual machines, JPL can turn off services, encrypt file systems and track data.
“We are literally virtually extending our data center into Amazon’s data center by using technologies” like Amazon’s VPC Architecture, Shams said.
Amazon Virtual Private Cloud is like having a data center on a stick that can be dynamically scaled, Moses noted. VPC lets users divide their environment into subnets: for example, a public-facing subnet for Web servers that has a route to the Internet, and a private subnet with no route to the Internet for the systems behind them.
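The two customer-side duties described above, keeping the security group firewall tight and keeping the private subnet actually private, are the kind of thing an agency can audit mechanically. The following is an added example, not code from the article, AWS or JPL. It checks a constructed set of security groups and route tables, written here in the shape of the EC2 DescribeSecurityGroups and DescribeRouteTables API responses, for two misconfigurations: an administrative port open to the whole Internet, and a subnet that is supposed to be private but whose route table points at an Internet gateway. The list of administrative ports and the subnet identifiers are assumptions; a real run would fetch the same structures from the API (for instance with boto3), which this example does not call.

```python
"""Audit the customer half of the AWS shared-responsibility split.

Added example; not code from the article, AWS or JPL. The input below is
constructed to mirror the shape of the EC2 DescribeSecurityGroups and
DescribeRouteTables responses; in real use it would come from the API.
"""
from ipaddress import ip_network

# Constructed sample: the "web" group exposes SSH to the world by mistake,
# the "app" group only accepts traffic from private address space.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0001",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-0002",
        "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        ],
    },
]

# Constructed sample: subnet-a is the public subnet (default route to an
# Internet gateway); subnet-b is meant to be private, but its route table
# was copied from the public one and also routes 0.0.0.0/0 to the gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0001",
     "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
    {"RouteTableId": "rtb-0002",
     "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
]

# Assumed policy: these ports must never be reachable from any address.
# 443 is deliberately absent because a public Web tier has to serve it.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def _rule_ports(perm):
    """Port range a permission covers; protocol "-1" means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """All IPv4 and IPv6 source ranges attached to one permission."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def world_open_admin_ports(groups, admin_ports=ADMIN_PORTS):
    """Return (group id, port) pairs where an admin port is open to everyone."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = _rule_ports(perm)
            # A prefix length of 0 (0.0.0.0/0 or ::/0) is the whole Internet.
            if not any(ip_network(c, strict=False).prefixlen == 0
                       for c in _cidrs(perm)):
                continue
            for port in sorted(admin_ports):
                if lo <= port <= hi:
                    findings.append((group["GroupId"], port))
    return findings


def internet_routed_subnets(route_tables):
    """Subnet ids whose route table has any route to an Internet gateway."""
    public = set()
    for table in route_tables:
        if any(r.get("GatewayId", "").startswith("igw-")
               for r in table.get("Routes", [])):
            public.update(a["SubnetId"] for a in table.get("Associations", [])
                          if "SubnetId" in a)
    return public


def private_subnet_violations(route_tables, intended_private):
    """Subnets declared private that nevertheless have an Internet route."""
    return sorted(internet_routed_subnets(route_tables) & set(intended_private))


if __name__ == "__main__":
    for gid, port in world_open_admin_ports(SECURITY_GROUPS):
        print(f"{gid}: port {port} open to the world")
    for sid in private_subnet_violations(ROUTE_TABLES, ["subnet-b"]):
        print(f"{sid}: declared private but routes to an Internet gateway")
```

Run on the constructed input, the audit reports `sg-0001` for port 22 and `subnet-b` for its Internet route; the 443 rule on the Web tier and the SSH rule restricted to 10.0.0.0/8 pass. Note what the script does not and cannot check: the hypervisor, host operating system and facilities below the line are AWS’s side of the split, and nothing in the customer’s API view reaches them.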
Rutrell Yasin is senior editor for GCN covering cloud computing.