With 'Snowball,' AWS Brings Security Layer to the Edge

NEW YORK -- When Amazon Web Services hosts conferences, the company overwhelms customers with updates to existing products and new features for its public cloud platform.

The AWS Summit this week was no exception.

One of the main updates presented by AWS CTO Werner Vogels at the July 17 show was an update to "Snowball," the company's edge device that allows customers to transfer data from their on-premises data center to the company's cloud. To bolster this service, Amazon added support for full instances of its EC2 compute engine. (See Unknown Document 744775.)

However, there's a bit more to Snowball, specifically in the security realm.

In an interview, Mark Ryland, director of the Office of the CISO for AWS, explained how the company added a layer of security to a device that could travel across the country or around the world, taking with it critical company data on its way to the cloud.

AWS CTO Werner Vogels introducing the upgraded Snowball device in New York City\r\n(Source: Security Now)

"We put a lot of thought into the security of those devices," Ryland told Security Now. "So, there's a whole elaborate kind of cryptographic element to the Snowball device, which involves a combination of tamper resistant and tamper evident physical devices [and] cases."

The whole notion of security, whether it's within the cloud infrastructure itself or out on the edge where Snowball is deployed, formed part of Vogels address at the AWS Summit. He noted that security is now the job of everyone and it's too crucial to be siloed any longer. (See AWS' Werner Vogels: 'Security Is Everyone's Job'.)

To a certain extent, the rules of cloud security still apply: The service provider takes responsibility for the integrity of the infrastructure, while the customer ultimately is responsible for the data sent to the cloud. However, Ryland noted that AWS is trying to put as many security tools in the hands of clients as possible, with reminders along the way that security is part of the equation.

"We gave the customers a lot of tools and a lot of capabilities, but we did hear that feedback, which is, 'This is great, but come across that shared security boundary and help me out here,'" Ryland said. "And there is much we can do. There's always going to be some final judgment that customers apply, and there's no way that we can say with certainty that certain configurations are inherently insecure. They might be exactly right for that situation, right? So, we do warn people -- we've got a bunch of tools that warn people about open S3 buckets. We send out emails to customers periodically and say, 'Hey, you can respond and turn off this email, but until you do, we're going to email and tell you that you have open S3 buckets.' "

It's that same attention to detail that AWS offers for Snowball, both en route to the customer and on the return trip.

At the heart is cryptography, which helps secure the Snowball devices, and comes in handy for AWS customers, which include the US Defense Department, oil and gas firms, shipping companies, as well as businesses using it on the manufacturing floor.

Boost your understanding of new cybersecurity approaches at Light Reading's Automating Seamless Security event on October 17 in Chicago! Service providers and enterprise receive FREE passes. All others can save 20% off passes using the code LR20 today!

AWS Snowball devices contain a number of different compute modules, including ones for storage of customer data, one for the virtual machine running inside, as well as one that supports the Trusted Platform Modules (TPMs). In turn, TPMs have their own private key.

As Ryland explains:

"They're able to scan before the device leaves the cloud, [and] all of the information is double encrypted on the device, using a combination of the keys that are embedded in the TPMs and a key that's stored in our [Key Management Service] KMS system in the cloud. So now, in order to decrypt that device, those two keys have to come together again somehow."

When the device is in transit, even if someone could hack the TPM -- not an easy task on its own -- the crucial key to de-encrypt the data remains in the cloud. It's not until the device is delivered and verified by AWS that the customer manifest file is sent.

"So literally, if that device is compromised along the way, and even assuming they could somehow access the customer's AWS account, the manifest file you need to decrypt the device isn't present in their cloud account until UPS or FedEx or someone tells us that the device has been delivered," Ryland explained.

That's only to open and ship Snowball. It also has encryption embedded at the storage layer for additional protection.

As with anything related to cloud, AWS provides the secure infrastructure, whether in the cloud itself or out on the edge, but it's the customer who must ultimately protect the data. However, the Snowball security setup shows how companies are prodding customers along when it comes to security.

"It's our obligation to deliver secure infrastructure for your use," Ryland added. "And it's our obligation to advise and help and guide you to use it in a secure way. But, there's not, I don't think, any situation with absolute certainty that, 'this use is valid, this one's invalid -- no you can never do x, y and z.'"

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.