Amazon S3’s Enhanced Cloud Storage Security is Nice But Not Good Enough
Amazon announced security improvements for accessing S3 buckets last week, giving customers new ways to share cloud storage pools between accounts and to restrict access to them. We’re happy to see Amazon and our other cloud storage partners evolving and adding new features. Unfortunately they’re overlooking a core business requirement: user-level access control within an S3 account. Without this, there is no practical way to distribute S3 storage to the employees of an organization.
Let’s back up. Cloud storage is all about scale. In one of our Amazon test buckets, for example, we have 70 million objects and growing. For businesses, this can be tremendous – unlimited storage at a fraction of the cost. But businesses also have employees. And since you don’t usually want to allow everyone in the company to have access to all your data, you need to manage who can read, write, or delete which files.
If your data is stored in a cloud like Amazon, this isn’t easy. In their own words: “Amazon S3 access can be granted based on AWS Account ID, DevPay Product ID, or open to everyone.” You can’t give different users of your own organization access to different sections of the same bucket. You either open the door to everything or you set up different storage accounts for every user.
Access to those accounts is based on credentials, and Amazon’s security strategy presumes that no one else will have access to your credentials. This means that you can’t share them, so you have to set up individual accounts. Suddenly you’re looking at a different account for every employee, or at least every department, and managing all of that. Since Amazon has no true tenant/subtenant model, just a lightweight consolidated billing concept, this would rapidly become unmanageable.
But this isn’t the way it has to work. Amazon’s new features are focused on facilitating sharing between accounts. What enterprises need, however, is the ability to share securely within accounts.
Think about this in terms of computers. It used to be that you had one personal computer in the house and everyone had access to all the same files. They could read, write, delete whatever they wanted. Then machines with multiple accounts came along, and Mom, Dad, and the kids all had their own usernames and passwords. They each had access to different data within that one computer.
Instead of going this route, we’re still stuck in the ’80s, and the vendors are essentially suggesting that you buy the cloud storage version of a computer for everyone in the house and then share files between those computers. Sure, it can work, but it’s a hassle. It would be far more efficient, and less expensive, to have a single pool of cloud storage and give your employees different levels of access to the data within that pool.
Amazon S3 is a fantastic product that has stood the test of time and has handled billions of objects. While the vendors have their differences in APIs and implementation, this casual approach to security within an account is not unique to Amazon – they all suffer from this issue.
Even if you only have 20 employees, you don’t want 20 Amazon accounts. You want a single account, with the ability to manage who can read and write what data within that account.
So, how do you make this happen? Active Directory, the industry standard for at least the last decade, easily manages these kinds of end-user authentication needs. Most businesses are familiar with it and already have it deployed. But the clouds don’t support Active Directory authentication, so if you’re considering cloud storage and allowing multiple users to access it, you will be faced with creating unique accounts with the provider or looking for a better solution – one that brings the trusted Active Directory model to cloud storage.
Oh, and by the way, you can only do this sort of authentication natively with a NAS-to-cloud type solution. Take, for example, block-based cloud solutions. In theory they’re more universal, and you can store “anything” with block storage: just format a file system on them and off you go. But you also lose many things, including any real user-level authentication. The workaround is to put a server between the users and the storage to add security, but this adds cost and complexity.
When considering cloud storage we encourage people to think of the whole problem and check if the product they’re looking at is a point solution or if it brings everything they need in a tight package at a reasonable price.
We’ve been writing a lot about security in the cloud storage space these past few weeks to help educate people and dispel the fears, but this isn’t the only issue you need to think about when considering cloud storage. To learn more about cloud storage and its challenges sign up for our newsletter, read our white papers or subscribe to our blog. You’re sure to learn a ton and we’ll try to keep it fun with security challenges, great images, videos, and prizes.