Conclusion - Logical Separation on AWS
The AWS approach shows that properly configured, multi-tenant, logically separated environments can provide a level of security superior to dedicated private cloud deployments, while providing significant advantages in availability, scalability, and lower cost. Modern cloud technology from leading providers offers novel solutions that can meet the objective of traditional security based on physical isolation as long as accreditation approaches are flexible enough to accommodate alternative implementations.

Although reviewing security controls can be valuable for demonstrating compliance, experience has shown that organizations that focus primarily (and in some instances exclusively) on traditional controls implementation can inadvertently limit their access to best-in-class security solutions. As public and private sector organizations evaluate whether CSPs meet requirements based on legacy concepts and on-premises architectures, they should step back and first clearly articulate desired security outcomes. Mapping those outcomes to CSP capabilities and understanding how to properly address those needs leads to a deeper understanding of how to most efficiently design a solution as well as clarifies the risk that needs to be accepted while operating in the cloud.

As security assurance programs mature and scale to keep up with the rapid pace of cloud feature and security innovation, traditional control implementation details will become increasingly irrelevant relative to the capabilities CSPs have in place today and are likely to enhance quickly. The desired end state (robust cloud security, based on a framework defined by customer security outcomes and CSP-determined security capabilities that meet those outcomes) can only come about as a result of continuous dialogue across the cloud assurance stakeholder community. AWS believes this approach will continue to provide significant improvements in maintaining assurance of a CSP’s security posture.