Amazon Web Services Hit the Concrete Jungle

Reporter's Notebook: Amazon software engineers and their startup customers talk Web services security.

NEW YORK—Web platforms, systems designed to allow programmers to build applications using the Internet as the primary infrastructure, are getting a lot of buzz, with vendors such as Google, Amazon, and Facebook leading the way.

But its clear that security remains one of the top concerns for prospective customers of these platforms, as I learned during a question-and-answer session at an Amazon Web Services event here on Sept. 26.

Amazon Web Services include a number of Web services APIs for developers to build on. The idea behind the Seattle companys offering is to significantly pare the costs associated with multiple hardware servers and storage arrays, essentially delivering the infrastructure on demand across the Internet.

Core services include S3 (Simple Storage Service), EC2 (Elastic Compute Cloud) and SQS (Simple Queue Service). S3 offers unlimited storage through the Web at 15 cents per GB of data consumed; EC2 provides computing power that can be dialed up or down based on need for 10 cents per instance per hour; SQS stores messages that travel between computers.


Click here to read more about Amazon opening up its Web services platform.

New York City-based Animoto, a startup that lets users quickly create high-quality video on the Internet, presented at the event, which was designed to educate companies about the benefits of Amazon Web Services over traditional infrastructure.

During the ensuing Q&A session, a member of the audience asked the presenting vendors whether any of the vendors had security concerns with regard to Amazon Web Services, which has been kicking around since 2002.

"No, not really," said Animoto co-founder and Chief Technology Officer Stevie Clifton, whose company uses Amazons S3, EC2 and SQS. "I mean, obviously, protecting our customer data is very important to us, but we dont really have to do that much besides locking down our instances, making sure our security policies are okay. Outside of that, I have very little concern. If I was a company that wanted to have a consumer back-end to hold personal financial data, Id definitely want to look into it more than I have already."

Cliftons answer nicely summed up the way Amazon Web Services, Web platforms and new Internet technologies are perceived. Distilled, the answer to the question is: "It depends what youre doing." But if we really wanted to make brevity the soul of wit, we could infer that Clifton meant Amazon Web Services security was "good enough" for Animoto.

We hear that so often these days with Internet technologies. The general consensus is that the Internet, overall, is unsafe. So if youve got highly sensitive data that someone with malicious intent may want to steal, such as that customer financial data Clifton alluded to or classified government info, the general Web may not be the place to harbor it.

The folks at Animoto, clearly, are happy enough with their security measures that Amazon Web Services security is a non-issue. But the financial service firm du jour may take a less sanguine view.

Amazon Web Services Evangelist Mike Culver had this to say about the matter: "Ultimately, a lot of folks are asking, Can I be certain that my data is really for my eyes only? Assuming that you dont want to make it publicly available, the most effective way ... to increase security is to encrypt it before you put it on the layer."

For what its worth, this Web platform security is not an Amazon Web Services-centric issue. Google, and Facebook all have to be concerned about this.

Google and Facebook, in particular, must tread lightly because of all of the consumer data they corral. This makes them more susceptible to targeting by hackers, and at the least, raises their profiles to government offices concerned about consumer privacy.


Read more here about Facebooks travails with the New York Attorney General.

Other things I learned from the event: Amazon Web Services is working on making static IP, which means that your site will be assigned a unique and unchanging IP address. This is a departure from the current method, where sites get unique URLs.

Andy Jassy, senior vice president of Amazon Web Services, told the audience that the offering was currently working on static IP technology.

Also, Animotos Clifton said he would love it if the Amazon Web Services team added a database layer. Jassy didnt comment on that.

Asked about whether Amazon Web Services would offer a database service, a spokesperson told eWEEK that, "Amazon Web Services are built to be very flexible, which means there is an opportunity to continue to enhance and provide more features. As you heard, Andy and the team are really attuned to what developers need and we will continue to develop on their behalf."

I take that as a yes.


Check out eWEEK.coms for the latest news, reviews and analysis in programming environments and developer tools.