Data Center Security and Reliability

0
Jason Danner of CloudCandle interviews Simon Elisha from Amazon Web Services on Data Center Security and Reliability. Learn how your cloud services are housed and delivered, and how to get started hosting your own web applications in the cloud.

Captions available

Jason Danner on LinkedIn
Simon Elisha on LinkedIn
Amazon Web Services website

 

Transcript

Jason – 00:01 Hi, I’m Jason here with Cloud Candle, and today we have Simon Alicia who’s the principal solutions architect at AWS. How are you doing today, Simon?
Simon – 00:10 Great, thanks for having me here today.
Jason – 00:11 Oh. We’re very glad to have you. So just a quick question so that people can understand a little bit. So what exactly is AWS?
Simon – 00:20 So Amazon Web Services is a part of Amazon that many people may know and hopefully love. We provide Infrastructure Web services to hundreds of thousands of customers in over 190 countries around the world. So this lets them deploy their applications and their software in a global location to service their customers and service their needs. So we’ve been in business since about 2006, and are really excited to be part of a revolution the way IT is produced and consumed in the world.
Jason – 00:51 You guys are the data center people, among other things, and that’s the backbone of this whole Cloud revolution but before we get into that, maybe we need to get just a couple of basic definitions out of the way. So what do you guys consider to be the Cloud?
Simon – 01:06 We like to categorize what the Cloud is by the benefits that the customers get from the Cloud. So there are a few different elements. Firstly, the Cloud is a no-upfront expense model, which means you don’t have to pay to start to use it, you don’t have to buy any physical hardware, you don’t have to keep anything for a long period of time, which is nice when you’re getting started. Also, it’s pay-as-you-use. So you pay for what you use, when you use it. For example, you can purchase compute time by the hour, you can pay for storage in a dollars per gig per month type model. And as soon as you no longer use those resources, you stop paying for them as well. Another element is agility, so the ability to move really quickly. So instead of having long purchasing cycles and massive negotiations etcetera, everything’s on demand. So if you need a new server, you can get one straight away. If you need 10, you can get them straight away as well. If you need a terabyte of storage you can get that. If you ten terabytes of storage you get that. So you get that straight away. And finally it’s flexibility. The ability to really deploy the applications you want, as you want in as elastic way as you need to. So that means they can get bigger and smaller based on whatever you’re doing with them, based on your customer demand as well. So really these outcomes that customers get is what is really appealing about Cloud for them.
Jason – 02:22 So essentially, the customers instead of running their own infrastructure house and sort of having the servers sitting in their office, they’re using the internet to connect to the servers that you’re hosting. Is that correct?
Simon – 02:32 Correct.
Jason – 02:33 Excellent. Excellent. So these are all based in data centers which are the sort of backbone of the Cloud. Can you tell us a little bit about these data centers? What are they?
Simon – 02:42 Yes, data centers are very highly specialized facilities that are designed to host and house the infrastructure required to provide their services. So typically these are servers or computers, network components – so switches and routers and the like, all the cabling, all the power supplies, the storage devices as well – but done at a very large scale. This means that there are potentially thousands of these devices in very neatly, well-organized racks with appropriate air conditioning and multiple power supplies and multiple internet feeds. So it’s real [inaudible], being able to specialize on the care and feeding of this infrastructure, if you like, because there is so much of it there, and we can have those specialized teams doing that.
Jason – 03:24 In a big sense, this is the same sort of thing that they are familiar with at home, right? So it’s the computers that they’ve got in their office, the servers that they’ve got in their office, the networking gear, but you guys just do it at a much, much bigger scale. And because you’re doing it at a much bigger scale, you’ve got the experts who can optimize it and look after it as it’s needed.
Simon – 03:44 Well, certainly, yes. It’s at a far bigger scale using obviously far more robust equipment than maybe people could afford on their own and done at an economy of scale with teams that are very specialized. So, because we’re doing this at a very large scale, we can create this virtuous cycle for our customers. And this is where we can build things at scale, and deliver them at a very low cost, because we’re operating at a high volume. It also means that we can hire experts in their field around engineering, around networking management, around solution design, etcetera, who can apply all their knowledge and know-how into the platform which our customers benefit from in turn. So, as a small business owner you probably can’t afford to buy a security specialist 24/7, or a team of operational experts who can manage the data center 24/7. We have those, and our customers benefit from that.
Jason – 04:31 So these are essentially all the same things that people are familiar with because, to a lot of people, the internet almost seems like this sort of magical thing and so whatever runs it must be absolutely amazing, but, in truth, it’s actually the same sort of computers that we’re used to interacting with everyday. You guys are just running them at a massive scale.
Simon – 04:50 That’s correct, at a high scale with a large level of operation efficiency.
Jason – 04:54 So, another big concern that a lot of people seem to have is around security. So, when your average user looks at a computer and they look at how information is put together on a computer, they look through and they see a file system that is all sorts of different files. And so a lot of people seem to think that information, on say Amazon Web Services or in the Cloud in general, must be stored in a very similar way and they say if it’s very easy to go from one file to another on my computer , what sort of assurance do I have that say, Joe’s file doesn’t get mixed with my file and that you guys can’t see either file.
Simon – 05:38 So it’s an important question and security and operational excellence are our number one priority and we focus on those very carefully. So in terms of storing data, when you store data it resides only in your account. You control who has access to that data within your account  and from outside of your account as well. You control where that data is placed, so you physically, or geographically decide where you’d like it to be. Would you like it to be in Sydney or in Singapore or in Oregon, for example? And you maintain complete control. There’s no control [inaudible] underlying that that anyone can get your data. Certainly other customers can’t see your data, and it’s very carefully segmented and also the devices after they’re finished being used are carefully scrubbed so that data can’t escape in any accidental way as well.
Jason – 06:21 People can’t access my data from necessarily within the AWS infrastructure. But what about these hackers, these nefarious people who are computer geniuses? What sort of security measures do you guys have to keep them from getting in here, because they’re clearly going to access my bank account details. How do you guys protect my business information?
Simon – 06:42 There’s a couple of elements to that. Firstly, when customers use our services, we have what is called a shared responsibility model, and this means that there are components that we look after and there are components that our customers look after. So we look after everything from the virtualization of hypervisor layer down:  so the computers, the [net?], the storage, who has access to those, how they’re managed, where they’re physically located, who can get in and out, etcetera, all those components. We also provide tools to our customers to allow them to control what’s happening from a traffic perspective. So they can control where can requests come from on the internet, where can data go back to, they can control which types of traffic will be accepted. They can lock
down access to particular parts of storage or particular servers as well. And then customers can do, of course, their own standard best practice type security things. They can employ encryption. They can employ access control. They can do all the best practice things that you would do, no matter where your data is located, they can do that equally as well on the cloud. In fact, many customers find that their security posture actually improves when they move to the cloud.
Jason – 07:43 So you guys handle some aspects of security, but you also give your customers the tools to enable a very secure environment from their perspective.
Simon – 07:53 Exactly. Customers can make it as secure as they like and secure as they need to meet their own requirements. That’s really important. We want customers to have the flexibility to do things the way they need to do them, rather than to be dictated to.
Jason – 08:04 I think that that’s a very important point in Cloud services and perhaps computing in general; that really, things are only as secure as you make them. If you go through and you make your password password for all of your accounts, no matter what sort of security that the provider has implementing, it’s not going to be very secure. And so, to a large degree, it’s not only up to you guys but it’s also up to the customers themselves to create these secure environments.
Simon – 08:30 That’s right. That shared responsibility is very important.
Jason – 08:32 I think that we’ve all decided that you guys have great electronic security. What’s to stop someone from walking in to one of these data centers and walking out with a computer or a hard drive or something?
Simon – 08:44 Yes, certainly the physical security of the data centers is exceptionally carefully managed. So, for a start, we don’t publicize where the data centers are. We don’t show photos of them, etcetera. They’re in nondescript facilities, because when you’re considering a cloud service, where the physical data center is, is not relevant so why show where it is? So we don’t want people just dropping by for a visit. Certainly we control very tightly who can access the inside of the data centers, so who can interact and do any management things, etcetera. Staff have to use multi-factor authentication multiple times to get into the equipment. So, they need to be showing swipe cards and special codes and numbers, etcetera, to even gave the facility, all the activity they do is logged and tracked. It’s all tied to particular [inaudible] that you need to take place. Similarly, if there are any contractors that need to replace some equipment, etcetera, that [inaudible] with full escorting at all times; no one is left unattended. So there is a very strong focus on people only entering the data center if they have a specific business need to do so, tracking what they do while they’re there, and then having them leave as soon as they’re finished.
Jason – 09:46 Speaking about security, there are all these different security certifications that are out there. You got ISO 27001, SOC 1, SOC 2 and they sound very impressive but what do they actually mean?
Simon – 10:00 Yes, it’s all a bit of an alphabet soup of certifications there but they’re really important to the customers and they’re important because they provide an independent third party view of what that provider is doing. For example, with many of those certifications that we hold, what this means is that a third party has come in and audited how we manage our environment, how we control access to systems, that the processes and procedures that we put in place to keep data safe are in fact operating, are in fact being executed on appropriately. These are very in-depth and thorough checks. They’re very difficult to get these
certifications. They take a long time and they’re also not a one-time deal. They get reviewed on a very regular basis, so they get inspected on a regular basis, so it’s not just that you met the requirement at this point in time but on an ongoing way you’re displaying capability. So from a customer perspective, it means, hey, I don’t have to go and inspect this data center, because these data center inspection experts have done it on my behalf and they’ve given it the stamp of approval and that’s what I can use to actually feel comfortable.
Jason – 10:59 It’s essentially people who– a third party that comes through and makes sure that you’re actually implementing the security that you say you’re implementing.
Simon – 11:06 Exactly.
Jason – 11:08 Clearly, it’s important to have that sort of thing, but it seems we’ve also seen a lot of small cloud service providers that perhaps aren’t able to go through that process. Like you were saying, it’s a very rigorous process, you have to have people come in every few months – I’m sure it’s not cheap – and so should people trust cloud services that don’t have security certifications? How should they deal with these providers?
Simon – 11:34 Certainly there are some really good questions they can ask and often people are maybe not in a position of expertise to know quite what questions they should be asking. So I’d point out that there’s an organization called the Cloud Security Alliance – CSA – which is a not-for-profit organization that was put together to help consumers of cloud services understand those types of questions they should be asking. So they’ve put together a questionnaire around security that they encouraged people to ask their particular providers to provide answers to so they can get a good feel for what the service is. We’ve actually gone ahead and answered those questions proactively and we include that as part of our Risk and Compliance White Paper. It is just in the appendix there, it’s a few pages long, and it answers all the key questions that a customer may want to know in terms of how data is handled, policies and procedures, access control. Again, as you mentioned, all those are quite detailed questions, you may think, well, how do I start these? They’re all laid out for you so it’s a good resource to you.
Jason – 12:26 I’m just going to put in a quick pitch there too. Since whoever’s viewing this is already on cloudcandle.com. We also have a bunch of cloud reports that have a lot of this due diligence information on common cloud services. And so if there is something that you’re interested in, you should go and check out those because they have a lot of the information that we’ve already gathered for you, and so you can just check those out. And if there’s something that you’d like to see that’s not out there, just let us know and we’ll sort it for you. But moving on, we’ve sort of determined that a lot of these cloud services – and you guys in particular – are extremely secure, right? So aside from security though, you also need to make sure that whatever you use is very reliable, because if you’re depending on it for your business, you need to make sure that it’s up and running when you need it to be. So what makes the cloud and data centers more reliable than the computer sitting under my desk?
Simon – 13:24 That’s really where the operational efficiency side comes in, is you build that team that is specialized in managing these facilities and keeping them up and operating. That really drives a level and an expectation of availability. And certainly one of the reasons why the services have been so successful is that we do provide that level of availability for our customers, both in terms of the underlying services – for example, on our compute service, we provide a SLI of 99.95% availability – but also we provide additional tools and capabilities so that applications can be deployed to themselves, be very highly available. So this means for example, you can have your application running actively across multiple data centers. And in the event of a data center being affected by some condition – maybe a power outage or a network outage or something – the other data center continues to operate and continues to service your customers.Obviously, it’s a far more complex discussion that you can go into some of the cool things you can do, but what it basically means is that you can have as available a system as you like deliver the outcome you need.
Jason – 14:26 Right, excellent. So essentially, you guys are using– have so many servers and whatnot available to you that even if something goes down, it automatically just transfers over to different resources, is that correct?
Simon – 14:38 Yeah, so because you’ve got so much capacity there available to you, it’s not like you’re sitting there waiting for a replacement server, etcetera. It’s immediately available. And in fact, it can be done proactively so no, adage is seen for the customer at all.
Jason – 14:50 Just some general questions about cloud computing, because you guys are in a very unique– have a very unique perspective and so we’d like to pick your brains on it. So do you think that cloud computing is something that small businesses should consider, or is it just for enterprises or governments? What’s the deal here?
Simon – 15:08 What’s really interesting, we’re seeing dramatic interest and dramatic uptake in really all segments of the market: large enterprise, government . But also the other end of the market, so small business, start-ups have been super popular, internet-based companies, etcetera. Because what they have in common is they all need to do the undifferentiated heavy lifting of IT. They need compute, they need storage, they need network capabilities, they need to be able to deploy applications, they need to be able to service their customers. But once you built that that is really not really a differentiator from a business prospective. So it’s really appealing to be able to off set that and place it somewhere else where they can potentially get a more secure, a more reliable platform at a lower cost far more efficiently without them having to manage it themselves.
Jason – 15:52 Those are very big things especially for the small businesses that tend to be very cost-sensitive. If you are able to take that server that tends to fail every few years, and shift that responsibility onto someone else, like you guys, well, that can be a huge boon to them. Do you have any tips for small businesses that are looking to get into cloud computing, but aren’t quite sure how to start?
Simon – 16:18 Yeah, for sure. So, one of the things we recommend really to all our customers, irrespective of size, is to start small, is to dip your toe in, and experiment a little bit and try [inaudible] that you think may be a good opportunity. For many customers [inaudible] their public website presence, or their e-commerce engine, it may be an internal collaboration tool, it could be sharepoint, for example, it may be the storage of some digitized files that at the moment they’ve got on some kind of hard drives on the side that they think, oh, it’s probably safer and more durable to put it into the cloud. Pick off something nice and small to chew on, give it a go and try it out and get that experience, get that feel for what the service has available to you.
Jason – 16:54 Well, I think that’s about all the questions for you today, Simon. Thanks so much for being here.
Simon – 17:00 My pleasure. Thank you.
Jason – 17:02 This is Jason from Cloud Candle, signing off.