
AWS security looks to avoid cloud reboots with s2n

A slimmed-down, Amazon-written implementation of the Transport Layer Security protocol has been open sourced. Will it head off future cloud reboots?

AWS security may get a boost and avoid future cloud reboots with a newly open-sourced Amazon creation called s2n.

Amazon Web Services (AWS) unveiled s2n on its security blog this week. s2n, short for signal to noise, is meant to be a simpler, more easily maintained implementation of Transport Layer Security (TLS), not a new version of the protocol itself.

TLS and its predecessor, Secure Sockets Layer (SSL), are the primary means of securing Web traffic, but recent vulnerabilities in OpenSSL, the most widely used TLS implementation, such as the Heartbleed bug have forced emergency patching and certificate rotation, and cloud computing reboots to apply security fixes have caused downtime and caught customers by surprise.

"In the wake of all the security breaches over the last year, it makes sense that Amazon wants to take some ownership of the open-source security technology that the cloud so heavily relies upon," said Daniel Heacock, a consultant with c3/consulting, an IT consulting and managed services firm based in Nashville, Tenn. "I'm really not sure about adoption, though, and I think it remains to be seen."

Part of the reason for the troubles with TLS implementations, according to Amazon's blog post, is bloated, overly complex code: OpenSSL, which Amazon calls the de facto reference implementation of TLS, runs to some 500,000 lines. By contrast, s2n has about 6,000 lines of code, which Amazon argues leaves less room for bugs and makes the code far easier for the companies that use it to audit.

Amazon will integrate s2n with its other cloud services, though neither a time frame nor the specific services were disclosed. TLS is used with every AWS API and is also available with AWS services including Elastic Load Balancing (ELB), Elastic Beanstalk, CloudFront, the Simple Storage Service (S3), the Relational Database Service (RDS) and the Simple Email Service (SES).

IT pros say the prospect of fewer emergency certificate and key rotations the next time a TLS implementation vulnerability is discovered is appealing, and some hope s2n will improve specific services.

"I am hoping…that it will accelerate the time frame for the ELB support of Server Name Indication [SNI], which was expected to be released in 2014," said Alexi Papaleonardos, senior security operations engineer for Sony Network Entertainment based in Los Angeles.

Without SNI, AWS security pros have to tell people the Common Names (CNs) of the services running behind ELBs, Papaleonardos said. With SNI, the client names the host it wants in the first message of the TLS handshake, so the server can pick the matching certificate and ignore connections that name nothing it serves.

"You can filter out a lot of noisy attacks if the bad guys don’t know what CN your services are on," he said.
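To make the SNI point concrete, the following is an added example written for this article; it is not code from AWS, from s2n or from the people quoted. It builds a minimal TLS 1.2 ClientHello (constructed test input, not a capture), pulls the host name out of the server_name extension, and applies a hypothetical front-door policy that drops any connection that names a host the endpoint does not serve or that sends no SNI at all. The served-name set and host names are assumptions for illustration.

```python
"""Extract TLS Server Name Indication (SNI) from a ClientHello and filter on it."""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input).
    If server_name is given it is carried in a server_name (type 0) extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(entry)) + entry
        # Extension header: type 0 (server_name), 2-byte payload length
        extensions += struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + b"\x11" * 32                          # random (fixed, constructed)
        + b"\x00"                               # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None
    when the record is not a ClientHello or carries no SNI. Truncated or
    malformed input raises ValueError rather than being guessed at."""
    if len(record) < 5 or record[0] != 0x16:
        return None                              # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len:
        raise ValueError("truncated TLS record")
    if len(hs) < 4 or hs[0] != 0x01:
        return None                              # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                 # skip client_version and random

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                             # session_id
    take(struct.unpack("!H", take(2))[0])        # cipher_suites
    take(take(1)[0])                             # compression_methods
    if pos == len(body):
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", take(2))[0]
    ext_end = pos + ext_total
    if ext_end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        data = take(ext_len)
        if ext_type != 0 or len(data) < 2:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name)*
        q = 2
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            if len(name) < name_len:
                raise ValueError("truncated server_name")
            if name_type == 0:
                return name.decode("ascii", errors="replace")
            q += 3 + name_len
    return None


def accept_connection(record: bytes, served_names) -> bool:
    """Hypothetical front-door policy: only ClientHellos naming a host this
    endpoint actually serves get a certificate; no SNI, an unknown name or a
    malformed hello is dropped before any handshake state is spent on it."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return False
    return sni is not None and sni.lower() in {n.lower() for n in served_names}


if __name__ == "__main__":
    SERVED = {"api.example.com"}   # assumption: the one name this endpoint serves
    for probe in ("api.example.com", "admin.example.com", None):
        hello = build_client_hello(probe)
        print(probe, "->", extract_sni(hello), "accepted:", accept_connection(hello, SERVED))
```

The SNI travels in cleartext in the first handshake message, so a front door can act on it before choosing a certificate, which is what makes the "noisy attack" filtering described above possible; for the same reason it is a way to shed scanners that do not know the name, not a secret that keeps the name from anyone watching the wire.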

AWS will need rock-solid security to attract more enterprise applications to its cloud, according to Edward Haletky, CEO and principal analyst with The Virtualization Practice, LLC, in Austin, Texas.

"Amazon has to lead the way -- if they want to dominate, they have to lead the field," Haletky said.

In order for s2n to see widespread use beyond AWS, it will have to be pulled into one of the major open source Web servers such as Apache or Nginx, Haletky said.

Beth Pariseau is senior news writer for SearchAWS. Follow her at @PariseauTT on Twitter.
