Amazon called out over cloud security, secrecy
- — 14 November, 2009 09:16
Amazon's cloud computing service should not be used for applications that require advanced security and availability, the Burton Group analyst firm says in a report accusing Amazon of secrecy regarding its cloud data centers.
Amazon has helped define the cloud computing market with its Elastic Compute Cloud (EC2), a service offering access to virtual server capacity over the Web. There are many things to like about EC2 and related platforms such as Amazon's Simple Storage Service (S3), but there are also numerous unanswered questions about Amazon's cloud infrastructure, according to the Burton Group.
Amazon seems to do a good job of network and physical security, but overall Burton Group gives the company "low marks for enterprise availability and security" because of a lack of transparency.
"Amazon maintains a strict 'will not discuss' policy regarding specific data center details. In Burton Group's opinion, this position is unacceptable because it prevents organizations from assessing the risk posed by placing enterprise applications in EC2," states a report titled "Amazon EC2: Is it ready for the enterprise?" written by Burton Group analyst Drue Reeves.
Amazon says its data centers meet Tier 4 specifications, with fully redundant power, backup power, networking and HVAC systems.
"However, no outside firm has inspected or audited Amazon's data centers to verify these claims," Reeves writes. "Due to lack of available information and audited inspection regarding Amazon's data centers, Burton Group cannot verify Amazon's availability claims."
Specifically, Burton Group says Amazon customers have no way of determining the "physical redundancy level and data protection" of physical components such as servers, storage devices, network and power infrastructure. Burton Group also faulted Amazon for replication rates in its Simple Storage Service and a lack of failover between data center regions.
Amazon spokeswoman Kay Kinton said the Burton Group report contains inaccurate statements. For example, the report says Amazon lacks SAS 70 security certification, when in fact Amazon does have that certification, Kinton writes in an e-mail to Network World.
"In terms of reliability, we often hear from our customers that AWS [Amazon Web Services] can achieve higher degrees of performance than they've been able to achieve on their own," Kinton writes. "Additionally, AWS gives users a great deal of control and visibility into a user's environment. Users can choose where to place their data, they can run their applications and back up to multiple availability zones and in the event of any service interruptions, they have access to a service health dashboard that gives regular updates on the service health. We also have features that provide monitoring, Auto Scaling and Elastic Load Balancing for even greater resilience in building applications. One of the main reasons customers use our services is the reliability that we're able to provide."
Kinton also noted that Amazon recently launched the Amazon Virtual Private Cloud (VPC), which connects a customer's existing infrastructure to a set of isolated cloud computing resources with a VPN connection.
"Amazon VPC enables enterprises to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources," Kinton writes.
The Burton Group did give Amazon high marks for scalability and said it offers adequate performance. EC2's core strength is the ability to easily provision and load-balance virtual machine images, and compute-intensive applications that have small data sets and are built for parallelism will work well in the service, the analyst firm says.
However, Burton Group also says Amazon's management tools do not integrate adequately with the management tools used by enterprises today. EC2 is often a good fit when organizations need to defer large capital expenses, but Burton Group says the service is still not suitable for applications that store sensitive information, require identity management, high degrees of availability and high rates of I/O transactions.
In the Burton Group's opinion, the bottom line is that "Today, EC2 is a good fit for stateless, parallel, transient, scale-out applications. But gaps in EC2's security and availability, poor enterprise management integration, vendor lock-in potential, and input/output (I/O) costs prevent organizations from using EC2 for applications that process vast numbers of transactions, house highly sensitive data, have low recovery point objectives, and require system failover to save application state."
Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin