Policies governing data sovereignty, data residency and data security are evolving rapidly and adding layer upon layer of complexity to customer environments.
Tommie Francis, senior manager: security assurance at AWS, says for the cloud to realise its full potential, it is essential for customers to have control over their data.
This is the core message that AWS will communicate to delegates attending the 2023 ITWeb Security Summit from 6-8 June in Johannesburg and on 15 June in Cape Town.
Francis says empowering customers with this sovereignty has been a part of the company’s DNA since inception.
“At AWS, we’ve always believed that for the cloud to realise its full potential, it would be essential that customers have control over their data. Giving customers this sovereignty has been a priority for AWS since the very beginning, when we were the only major cloud provider to allow customers to control the location and movement of their data. The importance of this foundation has only grown over the last couple of years as cloud has become mainstream, and government and standards bodies continue to develop new security, data protection standards and privacy regulations.”
The company’s approach to data security is to continue to make AWS cloud sovereign by design, adds Francis. “This has been the case since day one… and we will continue to architect and build AWS to deliver features and controls that empower customers to use our services and meet their regulatory requirements.”
He stresses that the company is well-positioned to meet customer demands as cloud investment and adoption increase.
“We have to recognise that organisations of every type, industry and size are using cloud for a variety of use cases, such as data backup, disaster recovery, e-mail, virtual desktops, software development and testing. For example, healthcare companies are using cloud to develop more personalised treatments for patients, whereas financial services companies are using cloud to power real-time fraud detection and prevention,” Francis adds.
“These and other sensitive workloads require customers to apply an approach in line with their regulatory and security requirements, their risk appetite and their business strategy.”
Whatever the use case, AWS places a premium on the security and protection of customer data.
“If you talk about how much control customers have over their data, at AWS specifically, security is our top priority and we are vigilant about our customers’ privacy. Because our customers care deeply about data and data security, we’ve invested in a world-class team of security experts to monitor those systems 24x7,” Francis says.
AWS customers always maintain the control and visibility of their data, he says.
“Our customers know they always own their data – they make the decision of where the data resides, how the data is encrypted, whether it’s encrypted at rest or in transit. We provide them with the capability to monitor, encrypt and move the data and manage its retention.”
Shared responsibility
AWS emphasises that when it comes to the cloud, it is critical for businesses to realise that security and compliance are a shared responsibility between service provider and customer.
“Security at AWS is our top priority… we are responsible for protecting the infrastructure that all AWS services run on. We implement sophisticated technical and physical measures against unauthorised access. Customers can validate those security controls in place within their AWS environment, through their certifications and reports,” Francis adds.
The cloud security environment is heavily regulated and AWS refers to several compliance frameworks and regulations that have been put in place to ensure system and operational control. Healthcare technology pioneer A2D24 is a prime example of a client at the coalface of security and compliance. The purpose-driven firm aims to use technology to save lives in a way that protects sensitive patient data and complies with local and international regulations. A data breach in any one of A2D24’s solutions, such as its M-Health suite of HIV self-testing products, would have major implications for patients’ lives. To reduce the risk of a breach, A2D24 breeds a culture of data security based on principles such as security in depth and the principle of least privilege (POLP), and assigns internal red teams to help stress test and evaluate its applications.
“AWS allows us to focus our energy on areas that need our attention, such as user experience and security, with the assurance that our cloud infrastructure will run like clockwork. Our access to incredible AWS resources, from documentation to skilled practitioners, has helped us overcome and adapt regulatory best practices across geographies,” says Muhammad Simjee, co-founder and CEO of A2D24.
AWS applies a shared responsibility model based on a no-compromise approach to data security and control.
AWS adheres to the SOC1, 2 and 3 reports and to compliance frameworks like the ISO27001, 27107/18 and 9001 certifications.
Francis explains: “These frameworks and certifications help customers satisfy those compliance requirements and understand where we apply the control and how we take care of our part of the shared responsibility model.”
For customers, the responsibility is determined by the cloud services they choose to use.
“This determines the amount of configuration work customers would need to perform as part of their security responsibility in this shared responsibility model. Customers are responsible for their own data, including encryption options, classifying assets and using the identity and access management tools to apply the appropriate access and permissions to those resources.”
Francis says that when customers understand the level of control and ownership they have over the information that resides in the AWS cloud, and how they can apply security controls to maintain ownership and ensure the confidentiality and integrity of that data, it becomes an easier discussion with them around how they can provide assurance for data security, data sovereignty and data protection.
“Customers tell us that what they struggle with from a security perspective is cloud skills – it is something we believe is everyone’s responsibility. Security needs to be everyone’s responsibility within the value chain – be it engineers, developers, IT ops team, business – security must be front of mind. So those cloud skills and the security knowledge around that are really key to enforce or enable a successful cloud migration journey,” he says.