Evaluator Group Take on AWS Storage Day Data Protection Announcements
AWS and the Shared Responsibility Model
AWS Storage Day 2022 highlighted data protection, and in particular the differences and simultaneous need for both application and data resiliency. This topic is important for two key reasons. The first reason is because ransomware has elevated cyber-resiliency to a board-level concern. The second reason is because, in the cloud, the line separating what the cloud provider is responsible for and what the customer is for, in terms of availability and protection of applications and their data, is blurry. Simply put, cloud providers are responsible for maintaining the uptime of cloud services, including infrastructure-as-a-service (IaaS), but customers are still responsible for the protection of their data and the security of their applications, just as they are on-premises. On more than one occasion, AWS emphasized – and ultimately went into detail, breaking down – this “shared responsibility model” between cloud providers and customers:
AWS Shared Responsibility Model
AWS not only detailed where ownership and responsibility lies, it also detailed what it is doing to uphold its end, and what tools it is providing to help customers uphold their end. In addition to providing customers with in-depth discussion of key checklist items for both application and data resiliency per the AWS Well-Architected Framework. Given today’s cyber-resiliency concerns, the prominent and commonly accepted National Institute of Standards and Technology (NIST) Cybersecurity Framework for identifying, protecting against, detecting, responding to and recovering from a cyber-attack, was often used to frame discussion.
Elastic Block Storage (EBS) Snapshot Capabilities
In addition to walking through “checkbox,” table stakes data protection capabilities that exist in AWS storage services, including S3 Object Lock for immutability and data encryption, AWS provided a deep dive into enhanced snapshot capabilities for its Elastic Block Storage (EBS) cloud storage service. AWS has added the ability to create crash consistent snapshots for subsets of EBS volumes that are tied to a single Amazon Elastic Compute Cloud (EC2) instance. Previously, users could create a snapshot of a single volume or of all volumes tied to the EC2 instance, but not a subset of multiple volumes. The multi-volume snapshots can be created through an API call, through the EC2 console, or through AWS Data Lifecycle Manager policies.
AWS Backup and Elastic Disaster Recovery
Complementing storage-level features, AWS also offers data protection services including AWS Backup and AWS Elastic Disaster Recovery (DR). AWS highlighted how these core backup and recovery services can be used in conjunction with services such as AWS Backup Audit Manager and AWS Fault Injection Simulator, to validate recoverability (for example, through DR testing). This is a very important conversation, because IT teams are pressured to validate and demonstrate that application and data resiliency can withstand ransomware and other malicious attacks.
Evaluator Group Comments
In-line with the NIST framework, Evaluator Group sees the role of data protection evolving beyond strictly backing up and recovering data – extending to preventing and detecting attacks. During its Storage Day, AWS walked through its GuardDuty threat detection, Security Hub security posture management, and Detective security analytics services can help customers to uncover attacks. For customers seeking additional support in boosting their cyber-resiliency, AWS also offers managed services, for instance for system patching, which is one of the top ways that attackers gain entry into their victims’ IT environments.
AWS Storage Day 2022 underscored the ongoing confusion in the industry regarding ownership over data protection. The content was valuable for IT professionals and cloud architects looking for perspective on the resiliency features that AWS is building into its services, as well as the services that AWS is providing to help them mitigate data loss and repercussions from cyber-attacks. This includes reference material in terms of how AWS recommends architecting networking, the cloud implementation, and data protection policies for security. AWS has added new badges for Data Protection/DR and for Data Migration to further support user training. Although still limited in its scope (most enterprises need to protect and have resiliency for a variety of resources, beyond AWS services), AWS is adapting to and working to help customers navigate data protection requirements that are evolving and becoming more critical in tandem with the imminence and impact of cyber-attacks such as ransomware.
Evaluator Group offers free and premium research on public cloud storage solutions as well as data protection software and systems. To learn more about AWS Backup-as-a-Service, download the free “Enterprise BUaaS Product and Vendor Landscape” Technical Insight report.