Amazon Web Services (AWS) is a suite of cloud computing services that many organisations, ranging from governmental institutions to Fortune 500 companies, use to store and manage data. In 2012, Amazon established an AWS program in Australia, but people have raised privacy and security concerns over the use of AWS in Australia.
For Australian organisations contemplating using AWS, it is important to differentiate the responsibilities that the client assumes and those that Amazon agrees to assume.
AWS Australia operates under the shared responsibility model. Since customers fully control the content that is transferred to the cloud, they bear responsibility for what content is uploaded and how that content is used. Upon signing AWS's contract, the client assumes responsibility for monitoring content and informing their own customers of any necessary legal disclaimers.
Meanwhile, since Amazon manages the data storage infrastructures, the company bears responsibility for securing the Cloud. As described in an Oct 2015 AWS whitepaper, the AWS client bears responsibility for what happens "in" the Cloud, whereas Amazon is responsible for the security "of" the Cloud.
AWS currently operates 11 physical data storage regions. A client in Australia can choose to store its data in the Australian centre or any of the other the 11 data centres.
Although having multiple data centres provides flexibility, it also complicates data sovereignty issues. Often times, clients question which laws apply to their operations, and raise concerns over data sovereignty.
Most often, both laws pertaining to the location where the data is stored, and those pertaining to where the company is based, need to be considered. In some cases, even if data is stored in a different country, the "home country", in which the company is incorporated, can access stored files. In particular, Australia has pre-existing laws that allow governmental bodies and officials to access information in the Cloud. However, the Australian government must present a valid reason for accessing this information, and historically, access grants have generally been related to law enforcement and counter-terrorism initiatives.
If a company is unsure of which data storage laws it must follow, AWS advises the firm to seek legal support.
In 2014, NJOY SECURITY was commissioned to conduct an Information Security Registered Assessors Program (IRAP) assessment of AWS, in order to examine AWS's privacy standards and its adherence to Australian privacy laws. NJOY conducted a two-part audit, testing whether AWS's system architecture was based on "sound security", and whether AWS had the controls necessary to secure their Cloud centres.
The report found that all the necessary controls and security measures were implemented and have been operating "effectively". All areas that were under scrutiny, which include risk assessment, documentation framework, vulnerability management, communications security, and cryptographic security, have all been deemed to be "effective" by NJOY.