Security and AWS

The AWS public cloud is already in use by a number of high-profile organisations. Customers who have given AWS permission to be referenced as customers include:

  • Healthcare Providers: HealthDirect Australia
  • Universities: Uni of Melbourne, Uni of Western Australia, Monash University, Open Universities

These organisations all treat security seriously, and in some cases (e.g. banks and government departments) they have conducted security audits of the AWS infrastructure. In building the case for securing their data on AWS, these organisations have relied on independent third-party certifications of the AWS infrastructure, including SOC1, SOC2, ISO27001, PCI-DSS, MPAA and FedRAMP. Further information can be found here:


Options available

In securing research data and compute workloads on the AWS cloud, a range of options is available, including:

  • Sovereignty: AWS operates a data centre within Sydney. As such, the AWS Sydney region is subject to Australian law, including Australian privacy laws. AWS also has a policy of not moving data offshore.
  • Protection of Data in Transit: Data in transit should be encrypted using an SSL connection.
  • Protection of Data at Rest: AWS has recently announced a new encrypted volume feature, which can be used to encrypt all research content held on AWS disks while it is being computed over.
  • Protection of AWS Accounts: AWS offers a service called Identity and Access Management (IAM), which allows individual accounts to be set up for roles such as administrators, developers and managers. Each of these accounts can have two-factor authentication enabled, so that only users holding the correct physical token can access the corresponding account.
  • Protection of Private Keys: If researchers are concerned about private keys being compromised, AWS offers a hardware security module (HSM) option which physically secures private keys. If the HSM is tampered with by data centre staff, it destroys all private keys it holds.
  • Audit: AWS offers a service called CloudTrail, which records a history of access to AWS services made through either the AWS dashboard or an API. This history can be used to determine who accessed which AWS service, and when.
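The two account-protection items above (two-factor authentication on IAM accounts, and the CloudTrail access history) can be checked against each other from the logs themselves. The following is an added example, not code from this page, from QCIF or from AWS: it parses a small set of constructed CloudTrail records (the account ID, user names and IP addresses are made up; the field names follow the CloudTrail record format, which CloudTrail delivers as a JSON object with a "Records" array) and answers the questions the Audit item poses: who accessed which service, when, whether via the dashboard (a "ConsoleLogin" event) or an API call, and which successful console sign-ins were made without a second factor.

```python
"""Summarise CloudTrail records: who accessed which AWS service, when, and
whether console sign-ins actually used multi-factor authentication."""
import json
from collections import Counter, defaultdict

# Constructed sample log in the shape CloudTrail delivers to S3 ({"Records": [...]}).
# Account ID, user names and IP addresses are made up for this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2014-06-02T01:15:30Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.05", "eventTime": "2014-06-02T01:20:05Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333"}},
    {"eventVersion": "1.05", "eventTime": "2014-06-02T03:02:44Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob",
                      "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2014-06-02T03:05:12Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob",
                      "accountId": "111122223333"}},
]})


def load_records(text):
    """Parse one CloudTrail log file (a JSON object holding a "Records" list)."""
    return json.loads(text)["Records"]


def actor(identity):
    """Readable name for the principal in a userIdentity block. IAM users carry
    a userName; the root user has type "Root"; assumed roles and federated
    users are best identified by their ARN."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn") or identity.get("principalId", "unknown")


def access_history(records):
    """Who accessed which service, when: time-ordered (eventTime, actor,
    service, API call) tuples. ISO-8601 UTC timestamps sort correctly as text."""
    rows = [(r["eventTime"], actor(r["userIdentity"]), r["eventSource"], r["eventName"])
            for r in records]
    return sorted(rows)


def service_usage_by_user(records):
    """Count calls per actor and service, so an auditor sees at a glance
    which services each account touched."""
    usage = defaultdict(Counter)
    for r in records:
        usage[actor(r["userIdentity"])][r["eventSource"]] += 1
    return {user: dict(counts) for user, counts in usage.items()}


def console_logins_without_mfa(records):
    """Successful console sign-ins where CloudTrail recorded MFAUsed != "Yes":
    accounts on which the two-factor requirement is not actually enforced."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append((r["eventTime"], actor(r["userIdentity"]), r.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for when, who, service, call in access_history(recs):
        print(f"{when}  {who:<8} {service:<24} {call}")
    print("Console logins without MFA:", console_logins_without_mfa(recs))
```

On a real account the same functions run over the gzipped JSON files CloudTrail writes to the configured S3 bucket; the only difference is the loader. Note that `MFAUsed` is only populated for console sign-ins, so API calls made with long-lived access keys are not covered by the MFA check and should be reviewed separately.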


Getting approval

Security requirements for research projects are often set by ethics committees. If you need support in developing your ethics proposal, we are able to help you. Please contact Andrew Goodchild (email: andrew.goodchild@qcif.edu.au).