This content is part of the Essential Guide: AWS re:Invent 2015: A guide to Amazon's sold-out event

Mitigating AWS compliance and security risks

Public cloud providers can suffer server failures like any other business. Startups need to be aware of their own risk tolerance while maintaining security standards.

Public cloud generally carries a degree of business risk because cloud use depends on systems and services that the business does not control. Businesses must understand their own vulnerabilities and work to improve upon them. In addition, companies need to provide extra security measures to meet compliance requirements.

Amazon Web Services (AWS) offers many helpful security tools and configurations, but it's important to know where to draw the line on particularly sensitive workloads.

Know your tolerance to risk. Cloud and WAN connectivity outages are real and unavoidable, and disruptions could render your cloud workloads and data inaccessible until a disruption is resolved. Resolution might take just a few minutes, but it can also take hours or days, depending on the extent of the underlying problem. In this case, a business can only wait for the service provider(s) to do their jobs; losing productivity and perhaps even some customers in the process.

Cloud computing does not absolve a business from its regulatory obligations, so it's critical that each workload slated for the cloud still meets every applicable regulatory requirement.

Every CIO or business leader needs to understand the importance of each application and data set that the business uses. Some applications and data can reside in a public cloud and the business can continue for hours or even days without access. But it's even more important to recognize the applications and data that are just too important to trust in the cloud -- as some tools and data can cost the company real money every minute while unavailable. Those are the instances that should probably remain on local servers and storage -- at least for now -- in order to mitigate and manage risk.

Recognize that one size does not fit all. Prudent IT leaders must match workloads to the platform that best ensures adequate performance, availability and cost-effectiveness. And it's completely acceptable to move workloads back and forth between on-premises and cloud resources as needs, budgets and risk tolerance evolve over time.

Know your AWS compliance risks and security obligations. Virtually all corporations are subject to some form of regulatory oversight implemented through the government or industry bodies. This may involve compliance obligations in financial reporting, protecting personally-identifiable information through encryption and monitoring and auditing the IT infrastructure using strong authentication and logging. Cloud computing does not absolve a business from its regulatory obligations, so it's critical that each workload slated for the cloud still meets every applicable regulatory requirements.

For example, customer records stored in AWS S3 would almost certainly need to be encrypted -- both at rest and in flight -- and coupled with audit-quality user access logging. Simultaneously, the same records or other sensitive workloads might not be allowed to run in certain geographic regions, so AWS needs to guarantee geofencing or implement other location-specific limits supported by a service-level agreement. Otherwise, your business bears the full responsibility -- with financial and legal penalties -- for security breaches and other serious compliance violations.

If the public cloud provider cannot promise the encryption and logging to meet compliance requirements, it's probably best to relegate sensitive workloads and data to local hardware.

Next Steps

Elevate to the cloud with AWS startup program

Manage AWS resources for an efficient cloud

Mitigating the risks of cloud service outages

Dig Deeper on AWS case studies and startups