Over the past several months there have been two key announcements from Amazon. The first was that AWS achieved ISO 27001 certification. The second was that it had undergone PCI DSS validation. Almost a month later these announcements continue to drive additional press, including recent articles from InformationWeek and Redmond Magazine.
The FAQs on the Amazon site reference the ISO 27001 certification for Amazon's security program, while the PCI validation specifically cites four services: Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), and Amazon Virtual Private Cloud (VPC).
Late last year Amazon was criticized for announcing that it had undergone a SAS 70 Type 2 audit without specifying what the underlying control objectives were. To an auditor this is normal, since SAS 70 reports are auditor-to-auditor communication, but the security community wanted more specifics. While it has not gone so far as to disclose all of its security controls to the public, Amazon has taken steps that leapfrog many of its competitors with respect to independent audits and certifications.
Key points when considering Amazon’s recent announcements:
- Like all audits and certifications, the PCI DSS validation and the ISO 27001 certification each have a defined scope.
- In the case of PCI, the Report on Compliance (ROC) should include an explicit scope statement that defines which controls AWS is responsible for and which remain the responsibility of its customers.
- The ISO 27001 certification is not as prescriptive as some may expect. The certification focuses on the process of managing Amazon's Information Security Management System (ISMS) and on showing that the organization has considered the 133 controls listed in Annex A of the ISO 27001 standard.
- These 133 controls are aligned with the best practices laid out in ISO 27002. Many do not understand that ISO 27002 is a code of practice (a guideline), not a standard an organization can be certified against.
Still, this is a very significant milestone for Amazon. If you look at the marketplace today, SAS 70 audits have become the price of entry: most cloud providers that handle data affecting their customers' financial statements undergo a SAS 70 audit. PCI was the next phase of adoption for providers wishing to serve companies that handle cardholder data. AWS has achieved both of these as well as ISO 27001 certification, a distinction held by very few organizations within the US. In addition, AWS was an early adopter of the PCI DSS 2.0 standard, which includes requirements to scope and assess any underlying virtualization technology in use.