Questions and Answers Regarding Amazon Web Services in the Cloud for eDiscovery Use
by Jeffrey Parkhurst, Cavo eD
Cavo eD decided to launch our flagship product as an AWS-enabled Cloud
Product, using their S3 service offering. This decision was made after careful
consideration of the Cost, Security, Infrastructure Security and Ease of Use for
end-users. We have spent extensive time with AWS staff making sure that their
systems meet the stringent security requirements of our clients in
the eDiscovery market. Nothing is more important to us than the security of
your data. (Cavo eD can also be deployed on any Public or Private Cloud
location as well as behind your firewall.)
Since a number of parties have requested information regarding AWS security
and operations, we have decided to create this document to cover the most
important questions that we get asked on a daily basis. It is our hope that this
information will provide you with the comfort level that you require to
understand how safe your data is in the AWS Cloud. Please feel free to contact
us with any further questions about AWS and how Cavo eD can be implemented
to meet your needs.
General AWS Security Information
The AWS cloud infrastructure has been architected as one of the most flexible
and secure cloud computing environments. It provides an extremely scalable,
highly reliable platform that enables customers to deploy applications and data
quickly and securely. The following information has been taken directly from
http://aws.amazon.com/security/.
World-Class Protection
Using the AWS Cloud removes infrastructure headaches and costs, as well
as many of the security issues that come with them. AWS data
centers are highly secure and use state-of-the-art electronic surveillance and
multifactor access control systems. Each center is staffed 24x7 by security
guards, and access is restricted on a least-privilege basis. Data centers are
environmentally designed to minimize any potential operational disruptions.
Additionally, multiple geographic regions allow users to maintain complete
copies of data (designated only by the user) to avoid disruption, even from
natural disasters or system failures.
The AWS virtual infrastructure has been designed to provide optimum
availability while ensuring complete customer privacy and segregation. A
complete list of all the security measures built into the core AWS cloud
infrastructure, platforms, and services, is available at: Overview of Security
Processes.
Built-in Security Features
Applications and data are also protected by extensive network and security
monitoring systems. These systems provide basic but important security
measures such as distributed denial of service (DDoS) protection and password
brute-force detection on AWS Accounts. Additional security measures include:
● Secure access – Customer access points, also called API endpoints, allow
secure HTTP access (HTTPS) so that you can establish secure communication
sessions with your AWS services using SSL.
● Built-in firewalls – You can control how accessible your instances are by
configuring built-in firewall rules – from totally public to completely private, or
somewhere in between. And when your instances reside within a Virtual
Private Cloud (VPC) subnet, you can control egress as well as ingress.
● Unique users – The AWS Identity and Access Management (IAM) tool allows
you to control the level of access your own users have to your AWS
infrastructure services. With AWS IAM, each user can have unique security
credentials, eliminating the need for shared passwords or keys and allowing
the security best practices of role separation and least privilege.
● Multi-factor authentication (MFA) – AWS provides built-in support
for multi-factor authentication (MFA) for use with AWS Accounts as well as
individual IAM user accounts.
● Encrypted data storage – Customers can have the data and objects they store
in Amazon S3, Glacier, Redshift, and Oracle RDS encrypted automatically using
Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption
standard using 256-bit encryption keys.
● Security logs – AWS CloudTrail provides logs of all user activity within your
AWS account. You can see what actions were performed on each of your AWS
resources and by whom.
Q&A
Q. Does Amazon give itself the right to search a customer’s data if it so
chooses?
A. No. “Amazon does not search anyone’s data – ever.” “Amazon will
not otherwise access your data for any purpose outside of the Amazon S3
offering, except when required to do so by law.”
(http://aws.amazon.com/s3/faqs)
Q. Where is my data stored?
A. Amazon S3 offers storage in the US East (Northern Virginia), US West
(Oregon), US West (Northern California), EU (Ireland), Asia Pacific
(Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), South America (Sao
Paulo), and China (Beijing) regions. You specify a region when you create your
Amazon S3 bucket. Within that region, your objects are redundantly
stored on multiple devices across multiple facilities.
Q. If a customer chooses to use servers and store data in a certain country,
can the customer be absolutely assured that the servers and data will reside in
that country?
A. YES. “AWS provides you with the flexibility to place instances and store
data within multiple geographic regions as well as across multiple
availability zones within each region… Data is not replicated between
regions unless proactively done so by the customer, thus allowing
customers with these types of data placement and privacy requirements
the ability to establish compliant environments.”
Data centers are built in clusters in various global regions. All data centers
are online and serving customers; no data center is “cold.” In case of
failure, automated processes move customer data traffic away from the
affected area. Core applications are deployed in an N+1 configuration, so
that in the event of a data center failure, there is sufficient capacity to
enable traffic to be load-balanced to the remaining sites.
Q. When data is delivered to an AWS regional center for loading onto the AWS
servers, what is the protocol for determining what the status is of the load
request?
A. The Billing Console that is under the control of Cavo eD has a log that
provides instant access to the status of any load job request. Cavo will
monitor this on behalf of our clients and will know as soon as data is
available for client use.
Q. How does AWS ensure that the required “Chain of Custody” is followed
when receiving and processing data?
A. AWS uses Amazon employees and 3rd party contractors to securely
process and transport your package. For example, packages shipped to
our specified AWS addresses are transported to our data centers by 3rd
party contractors. Your device is unpackaged only inside an AWS
datacenter and handled by AWS employees who have gone through
extensive background checks.
Q. Does AWS maintain a chain of custody for my package?
A. Yes, once a shipment arrives at the specified AWS address, AWS maintains
a chain of custody for your package up until the package is delivered to
your return address.
Q. How secure is my data in AWS S3?
A. Amazon S3 is secure by default. Only the bucket and object owners
originally have access to Amazon S3 resources they create. Amazon S3
supports user authentication to control access to data. You can use access
control mechanisms such as bucket policies and Access Control Lists
(ACLs) to selectively grant permissions to users and groups of users. You
can securely upload/download your data to Amazon S3 via SSL endpoints
using the HTTPS protocol. If you need extra security, you can use the
Server Side Encryption (SSE) option or the Server Side Encryption with
Customer-Provided Keys (SSE-C) option to encrypt data stored at rest.
Amazon S3 provides the encryption technology for both SSE and SSE-C.
Alternatively, you can use your own encryption libraries to encrypt data
before storing it in Amazon S3.
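The answer above names bucket policies, HTTPS endpoints and SSE as the controls; the following added example (not code from AWS or Cavo eD) audits a bucket policy document to confirm it actually denies plain-HTTP requests and uploads that do not request server-side encryption. The bucket name and sample policy are constructed for illustration; aws:SecureTransport and s3:x-amz-server-side-encryption are standard policy condition keys.

```python
import json
SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed policy for a hypothetical bucket name; not taken from the page.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-ediscovery-bucket",
                  "arn:aws:s3:::example-ediscovery-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-ediscovery-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(stmt, action):
    """True if a Deny statement for all principals applies to the given S3 action."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(a in ("*", "s3:*", action.lower()) for a in actions)

def _cond(stmt, operator, key):
    """Lower-cased values of one condition key (key names are case-insensitive)."""
    block = stmt.get("Condition", {}).get(operator, {})
    return [str(v).lower() for k, vals in block.items()
            if k.lower() == key.lower() for v in _as_list(vals)]

def audit_bucket_policy(policy):
    """Return findings for missing HTTPS-only and encrypt-on-upload enforcement."""
    stmts = _as_list(policy.get("Statement", []))
    findings = []
    if not any(_covers(s, "s3:GetObject") and _covers(s, "s3:PutObject")
               and "false" in _cond(s, "Bool", "aws:SecureTransport") for s in stmts):
        findings.append("plain-HTTP requests are not denied")
    if not any(_covers(s, "s3:PutObject")
               and ("true" in _cond(s, "Null", SSE_KEY)
                    or _cond(s, "StringNotEquals", SSE_KEY)) for s in stmts):
        findings.append("uploads without server-side encryption are not denied")
    return findings

if __name__ == "__main__":
    print(audit_bucket_policy(SAMPLE_POLICY) or "policy enforces HTTPS and SSE")
```

The check only inspects the policy document; ACLs and IAM policies attached to users are evaluated separately by S3 and are outside its scope.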
Q. What is AWS’s data security policy regarding return of devices after
Import/Export jobs? (Material is sent to AWS for loading via hard drives)
A. AWS only ships devices out of AWS facilities if the device is completely
erased or the device only contains data encrypted by AWS. For import
jobs, we erase devices after job completion. For export jobs, we will
always encrypt the data being exported onto the device. We use
TrueCrypt software for encryption.
Q. Will selecting the correct region improve connectivity?
A. YES. By selecting the correct Region and then the Availability Zones within
that Region, you can both protect your data from the failure of a single
location and design the data to be closer to specific customers and
achieve lower latency and higher throughput.