More on Amazon's SAS70 Type II
Amazon hasn’t been forthcoming since my last post on their controls and control objectives, which is disappointing, but expected. I still believe that transparency here is more important than security through obscurity. Hiding the controls and control objectives doesn’t provide much in the way of particular security benefits, although I’m certain some will argue that it does. Consider, however, that while the SAS70 controls would tell you what is being audited, that list doesn’t necessarily cover all of the controls in place.
Regardless, a bit more light has been shed on Amazon’s controls and measures in their recent security webinar. You can access it here.
At a high level, CJ Moses, who presents the webinar, talks through the core areas covered by the control objectives, which are:

- Security organization
- Amazon employee lifecycle
- Logical security
- Physical security
- Environmental safeguards
- Change management
- Data integrity, availability, and redundancy
- Incident handling
This looks pretty reasonable at a high level. Of course, it would be nice to see the actual controls and objectives, but at least they are covering the appropriate areas of security. I do notice that there isn’t much around perimeter or related security. I’m guessing they are trying to gloss over the AWS distributed firewall. It would be nice if someone besides Amazon was vetting the way this was built. They appear to consider it a piece of core intellectual property, despite the fact that it would be trivial to reproduce. I’m not exactly certain why.