Last week, the CSA announced that AWS joined the Security, Trust & Assurance Registry (STAR). A customer of ours mentioned this and asked the obvious question: what does it mean?
Well, on a purely practical level, it means that we now have the IaaS leader staking out its position on a large number of security and compliance issues. For example, the submission commits AWS to maintaining that its customers retain full control and complete ownership of their data, to keeping customer data within the customer-specified regions, and to ensuring that no customer or third party has access to AWS's physical facilities. While all of these (and most of the other 30 pages of AWS commitments) were already assumed, the fact that the commitment is now formal and public is important. AWS's unparalleled strength makes these commitments the new de facto IaaS standard. We at CCI expect the entire IaaS space to transition toward these standards.
The AWS submission also shows the continuing development and maturation of the IaaS public cloud space. Just as we saw a large competitor enter the IaaS realm in June (see Google, AWS, and IaaS), we now see another sign of the space's increasing importance. AWS's submission shows that an increasing number of enterprises are interested in public cloud usage. It also shows that a lack of clarity is inhibiting adoption. Without these factors – increasing demand coupled with a trepidation caused by a lack of transparency – it seems likely that AWS would have continued to maintain its privacy. Instead, AWS recognized that the market was large enough and the reward great enough for it to release its information.
Finally, and critically important for both our customers and ourselves, the AWS submission again makes it explicitly clear that compliance and security are a partnership between the IaaS provider and the user. As AWS succinctly puts it, IaaS is a “shared responsibility environment.”
In other words, IaaS customers must endeavor to maintain security and compliance within their environments. They should not rely solely on AWS (or another provider) to do it for them.
We here at CCI have recognized this reality and premised CloudCheckr upon it. Our customers can be assured that we have tailored our offering to pick up where the provider leaves off.

