Amazon Web Services and Data Security – Why This Tech-Giant Recommends Encryption
This article has been updated in August 2021.
It is not really news that Werner Vogels, CTO of Amazon, recommends encryption. In 2015, in an interview with the German newspaper “Die Zeit”, he asked everybody using the cloud to encrypt their data, or at the very least their sensitive data. In 2016, he repeated this demand to Business Insider: “We really want to be in the position where only the customer has access to the data […]. Not us and not anybody else.” What is the motivation behind this request? It turns out that encrypted data reduces risk not only for the owner of the data, but also for the cloud provider that stores it.
Market Leader in Cloud Services: Amazon Web Services
Amazon is the uncontested market leader in cloud services at the moment, with nearly two thirds of the market; Microsoft (19%) and Google (7%) come in second and third (last checked July 2021, source: Statista). Amazon Web Services (AWS) started its services back in July 2002. AWS is not only about cloud storage: it also offers compute capacity, networking, databases, and administration tools. We have explained in detail in another blog post what falls under the term cloud.
Extensive cloud platforms such as AWS are especially relevant for large companies and enterprises. The streaming provider Netflix, for example, stores all its data (an estimated more than 1 petabyte, i.e. 1000 terabytes, of video files) in Amazon S3, the object storage service within AWS. Other platforms such as Airbnb, Pinterest, and Expedia use Amazon’s cloud as well. However, Amazon also has a lot to offer small and medium-sized businesses.
Encryption and International Compliance
At the 2016 Mobile World Congress in Barcelona, Vogels stated that
You cannot have a connected business, or an Internet-connected business and not make security and protection of your customers your number one priority.
By now, the vast majority of businesses are Internet-connected, so neglecting security is very risky. However, the security of their customers is not the only reason for Amazon to push encryption. Amazon, like any other international company, faces a huge dilemma in terms of privacy: it has to comply with the privacy laws of every country in which it operates. It is an American enterprise with server locations spread worldwide. When Amazon works with a European company, it has to honor the GDPR; at the same time, it must abide by American law. This can lead to conflicts, for example when American authorities demand the data of a European company for an ongoing investigation.
Encryption is the key to this dilemma: if the provider has no access to the customer’s data, it cannot hand readable information over to authorities. It is in Amazon’s interest not to attract negative press through such conflicts. Complying with different national privacy laws is easier if the data is encrypted before it is uploaded and the users manage the keys. Note that this only holds for client-side encryption with keys the provider never sees. Server-side encryption where AWS holds or manages the key (for example SSE-S3 or SSE-KMS) protects the storage media, but AWS still controls the key material and can therefore decrypt the data, for instance when legally compelled.
Amazon for SMEs and Private Use
For small and medium-sized companies as well as private users, the storage service S3 (Amazon Simple Storage Service) and Amazon Cloud Drive are the most relevant. With S3 you only pay for the storage you actually use. The offer is very flexible in this respect and can of course be combined with other AWS services. The customer also chooses the region, and thus the country, in which a bucket’s data is stored; S3 keeps the data in that region unless you explicitly replicate it elsewhere. This is especially relevant for companies whose compliance regulations require storage in certain countries. AWS offers a global infrastructure, listing 60 availability zones in 20 geographical regions to choose from.
Being able to choose the storage location is very convenient for compliance reasons, which is why Box, for example, also offers storage zones.
S3 is designed as a cost-efficient storage solution that is accessed through an API, not for working with your data directly in the cloud. This is the main difference to providers such as Dropbox, Google Drive, or OneDrive, which use a sync client so you can share, edit, and sync your data in the cloud comfortably.
Amazon Cloud Drive, by comparison, is tied to your Amazon account and is designed mainly for storing and using music, images, and videos. 5 GB are free, enough for about 1000 songs. Amazon Prime customers can store all their pictures in Amazon Cloud Drive at no additional cost.
AWS and Cloud Encryption
Amazon promotes encryption, and of course it offers encryption itself, too. But an independent client-side encryption solution adds another layer of security with a “zero knowledge” standard: the data is encrypted on your device before upload and the keys stay with you, so neither Amazon nor the encryption vendor can read it. You can use Amazon S3 and Amazon Cloud Drive with additional encryption by Boxcryptor.
The Amazon.com chief technology officer said he supported “zero knowledge” hosting in which encryption allows the cloud provider to have no knowledge of what the customer uses the services for. “It's something we've been pushing our customers for years now,” he said.
In general, AWS makes a basic distinction between security “of” the cloud (the underlying infrastructure, which AWS is responsible for) and security “in” the cloud (the data customers put there and how they configure and protect it, which is the customer’s responsibility), the so-called shared responsibility model. With the following graphic, the company makes it clear where it expects its customers to be proactive:
A reliable and user-friendly solution for encrypting cloud data is Boxcryptor, which also carries the quality mark “Made in Germany”. With Boxcryptor, you alone manage the keys. Your data is encrypted before you upload it to the cloud. We never have access to your password or encryption key: only a secure hash of your password, from which the password cannot be recovered, reaches our servers, and the keys are generated directly in your browser. You retain full control, as neither we nor AWS can ever see your data or keys in plain text.
Encryption uses a combination of AES-256 and RSA-4096. AES-256 is a symmetric cipher and one of the most widely used and most thoroughly analysed encryption algorithms; it encrypts the file contents. RSA-4096 is asymmetric and is what makes secure collaboration possible: in such a hybrid scheme, each file is encrypted with its own random AES-256 key, and that key is in turn encrypted with the RSA-4096 public key of every user who may access the file. A file can thus be shared with a colleague without re-encrypting its contents, and no private key ever leaves its owner’s device. Together, the two algorithms protect your data to a very high standard.
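The following Go program, added here as an illustration and not Boxcryptor’s or AWS’s own code, shows the hybrid client-side scheme described above and the compliance argument made earlier in this article: the file contents are encrypted with a random AES-256 key (in GCM mode, so tampering is detected), that file key is wrapped with RSA-OAEP for every user who may access the file, and only the ciphertext plus the wrapped keys would ever be uploaded to the provider. The function names, the two users “alice” and “bob”, and the sample document are assumptions made for the example; the key size is a parameter so that tests can use smaller keys than the 4096 bits mentioned above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Identity is one user's RSA key pair. Only the public half is shared;
// the private half stays on the user's own device.
type Identity struct{ Private *rsa.PrivateKey }

func (id *Identity) Public() *rsa.PublicKey { return &id.Private.PublicKey }

// GenerateIdentity creates a fresh RSA key pair of the given size
// (4096 bits as in the article; smaller sizes only to keep tests fast).
func GenerateIdentity(bits int) (*Identity, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Identity{Private: k}, nil
}

// EncryptedFile is everything that reaches the cloud provider: the
// AES-GCM ciphertext, its nonce, and one RSA-wrapped copy of the file key
// per authorised user. No plaintext and no unwrapped key is stored.
type EncryptedFile struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, auth tag appended
	WrappedKeys map[string][]byte // user name -> RSA-OAEP(fileKey)
}

// Encrypt runs entirely on the client: a random 256-bit file key encrypts
// the content with AES-GCM, and that key is wrapped with RSA-OAEP
// (SHA-256) for each recipient's public key.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh nonce per file key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[name] = wrapped
	}
	return ef, nil
}

// Decrypt is the recipient side: unwrap the file key with the user's
// private key, then open the AES-GCM ciphertext. A user the file was not
// shared with has no wrapped key, and any modification of the stored
// bytes makes the GCM tag check fail.
func Decrypt(ef *EncryptedFile, name string, id *Identity) ([]byte, error) {
	wrapped, ok := ef.WrappedKeys[name]
	if !ok {
		return nil, errors.New("file was not shared with " + name)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, id.Private, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	alice, _ := GenerateIdentity(4096)
	bob, _ := GenerateIdentity(4096)
	doc := []byte("Q3 forecast (constructed sample text, not real data)")

	// Alice encrypts and shares with Bob; the provider only ever sees ef.
	ef, err := Encrypt(doc, map[string]*rsa.PublicKey{"alice": alice.Public(), "bob": bob.Public()})
	if err != nil {
		panic(err)
	}
	out, err := Decrypt(ef, "bob", bob)
	fmt.Printf("bob reads: %q (err=%v)\n", out, err)

	// One flipped ciphertext byte in storage is caught by the GCM tag.
	ef.Ciphertext[0] ^= 0x01
	_, err = Decrypt(ef, "bob", bob)
	fmt.Println("tampered file:", err)
}
```

Sharing a file with an additional user only requires wrapping the existing file key for that user’s public key; revoking access, by contrast, means generating a new file key and re-encrypting, because the old wrapped key may already have been unwrapped.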