- [Blaine] Let's talk security (tapping helmet). We're using the metaphor of building your house. Well, not many people want outsiders wandering freely through the various rooms in their home; it could lead to some awkward moments. So when it comes to securing your home, who is responsible for making sure your home is secure? Is it A, you, the resident, or B, the contractor building your home? Well, the correct answer is yes, both. The contractor must have a reliable plan to build strong walls and windows, and doors that lock, and the contractor must deliver on that plan. But then once she hands you the keys to the door, it's up to you to lock the door. Now, of course, that's a choice, and sometimes you might want an open house. Well, it could be the time for the neighborhood picnic, or you just like showing strangers your art collection? I'm not judging here. You choosing to leave the front door open is nothing that contractor has, or should ever have, control over. This is your choice entirely. Now, other people will certainly want to lock the front door and not let anyone in, ever, no matter how much they want to be part of your life...Dad. The point is, it takes both parties to make a secure home. When it comes to securing your business on AWS, we asked a similar question. Who is ultimately responsible for this security? Is it A, you, the customer, or B, AWS? And the correct answer, again, is yes, both. Both are ultimately responsible for making sure that you are secure. Now, if there are any IT security experts watching this right now, you're probably shaking your head saying, you can't have two different entities with the same ultimate responsibility over a single object. That's not security, that's wishful thinking. At AWS, we agree completely. Just like the responsibility to secure your home, we don't look at securing your cloud environment as a single task or a single object. Instead, we see it as a collection of parts that build on each other.
AWS is responsible for the security of some of the objects and responsible 100 percent for those, just like your contractor was 100 percent responsible for building the walls in your home. The other parts, like locking the front door, you are responsible 100 percent for that security. This is what's known as the shared responsibility model. So how does the shared responsibility model work for you? Take Amazon EC2, for instance. EC2 is the virtualized compute engine that you'll use to replace your physical servers. The hardware that runs EC2 lives in a physical building, a data center that must be secured. And it has a network and a hypervisor that supports your instances and their individual operating systems. On top of the operating systems, you have your application, and that supports your data. So for EC2 and every service AWS offers, there is a similar stack of parts that build on top of each other. AWS is 100 percent responsible for some, and you are then responsible for all the others. So starting with the physical layer for all AWS services, well, this is the data center itself. This is iron and concrete and fences and security guards. Someone has to own the concrete. Someone has to staff the physical perimeter, 24/7. This is AWS. On top of the physical layer, we have our networks and our hypervisor. Now I'm not going to go into the details on how all of this is secured, but basically we've reinvented those technologies to make them faster, stronger, tamper-proof. But you do not have to take our word for it. Don't just trust Blaine. We have numerous third-party auditors who have gone through the code and the way we build our infrastructure. And they can provide the right documentation you need for your security compliance structures. This is a critical element for those of you managing regulated workloads. AWS Artifact is a one-stop shop for your compliance officers to get all the reports they might need.
For example, if you need ISO or PCI documentation, that can be found in AWS Artifact. SOC reports, CLOUD Act, FedRAMP, IRAP, and many other global and regionally specific compliance artifacts can be found there as well. That is the AWS half of the shared responsibility model. Now on top of that, on EC2, you now get to pick what operating system you want to run on. This becomes the magic dividing line that separates our responsibility, AWS's responsibility, and your responsibility. This is your operating system. You are 100 percent in charge of this. AWS does not have any back door into your system here. You, and you alone, have the only encryption key to log on to the root of this OS, or to create any user accounts there. I mean, no more than your contractor would keep copies of your front door key. AWS cannot enter your operating system. Without that key, no one can enter, and AWS will never ask you for that key. Here's a helpful tip. If someone from AWS calls and asks you for your operating system key, you can be sure that's not actually a call from AWS. Now, on top of that operating system, you can run whatever applications you want. You own them, you maintain them, which takes us to the most important part of the stack: your data. Data, this is always your domain to control. And sometimes you might want to have your data open for everyone to see, like pictures on a retail website. Other times, like banking, healthcare, regulated workloads, yeah, not so much, not so much. AWS provides everyone with the toolset they need for their data: to open it up to some authorized individuals, to everyone, to just a single person under specific conditions, or even lock it down so no one can access it. Plus, the ability to encrypt, encrypt everything. Ubiquitous encryption, end-to-end for the entire process, in transit and at rest.
That way, even if someone on your team accidentally left your front door open to your data storage, all anyone from the outside could see is unreadable encrypted content. The AWS shared responsibility model is about making sure both sides understand exactly which tasks are each side's. Basically, AWS is responsible for the security of the cloud, and you are responsible for the security in the cloud. Together, you have an environment you can trust. So when it comes to procurement, take the time to understand where security is owned by your provider and where you are responsible. Make sure you're asking potential providers where the shared responsibility model will apply, because just like your home builder will provide a solid door as part of the construction, she won't actually lock your front door for you. You need to know that the doors can be locked securely, but then the responsibility is yours to turn the key.