
Amazon addresses enterprise security concerns

By admin, August 26, 2009 10:07 am

Perhaps reacting to recent intimations that security, or the inability to adequately quantify security, in cloud environments is a substantial block to enterprise adoption of cloud computing services, Amazon today has announced a limited beta of a new feature of its EC2 computing platform: Virtual Private Clouds.

The VPC product allows customers to define and partition a private sector of EC2 instances, within user-defined subnets, that can then be integrated with the existing customer environment over a VPN. Amazon claims this will allow existing corporate security systems to function seamlessly with the EC2 products, and ease the transition from internal to external infrastructure for processing services.

While the additional concern with security and efforts to implement it are welcome, it's unclear to me whether or not this really does much to address the underlying issues. It's a bit like Amazon has taken a motel room with an exterior door that is already locked, and added a fenced-off path to that door from your parking space. Meanwhile, there may be one of those doors inside that lead from room to room, and you can't tell what sort of lock it has; were you really concerned with the front door, or with the guy in the next room stumbling in drunk at 3AM and opening the connecting door instead of the one to his bathroom? EC2 instances are already supposedly isolated from one another on the processing side; if Amazon is truly dedicating physical resources to specific, private customers for additional security, what does that do to the economic model and how then would it differ from what a company could do itself, or from what other, more conventional hosting companies can provide? And if not, how have they really dealt with that internal door problem that seems to be the underlying security concern that hasn't been addressed yet?

It's also unclear how useful this will be without the availability of a similarly secured version of S3; presumably many of the enterprises which might use EC2 have their own storage systems, but the efficiencies between EC2 and S3 have always been part of the attraction of AWS.

I can't find answers to any of these questions in the details page, or in Werner Vogels' post on the subject (although Vogels does give a good use scenario for the product). I imagine there is something I'm just not seeing so far, but at the moment, I don't think this announcement actually changes the fact that very little is known or can be accounted for with cloud security. Of course, Amazon undoubtedly provides more detail of those matters to potential enterprise customers than to random bloggers, so perhaps the only test we'll ever really see is how many enterprise customers in fact sign up for the service.

