With Snowball, AWS Brings Security Layer to the Edge

Published: 22/11/2024 | Category: security




With updates to its Snowball device this week, AWS looks to address concerns about how security works at the edge, as well as within the cloud itself.



NEW YORK -- When Amazon Web Services hosts conferences, the company overwhelms customers with updates to existing products and new features for its public cloud platform.
The AWS Summit this week was no exception.
One of the main updates presented by AWS CTO Werner Vogels at the July 17 show was an update to Snowball, the company's edge device that allows customers to transfer data from their on-premises data center to the company's cloud. To bolster this service, Amazon added support for full instances of its EC2 compute engine.
However, there's a bit more to Snowball, specifically in the security realm.
In an interview, Mark Ryland, director of the Office of the CISO for AWS, explained how the company added a layer of security to a device that could travel across the country or around the world, taking with it critical company data on its way to the cloud.
AWS CTO Werner Vogels introducing the upgraded Snowball device in New York City (Source: Security Now)
"We put a lot of thought into the security of those devices," Ryland told Security Now. "So, there's a whole elaborate kind of cryptographic element to the Snowball device, which involves a combination of tamper-resistant and tamper-evident physical devices [and] cases."
The whole notion of security, whether it's within the cloud infrastructure itself or out on the edge where Snowball is deployed, formed part of Vogels' address at the AWS Summit. He noted that security is now the job of everyone and it's too crucial to be siloed any longer. (See AWS' Werner Vogels: Security Is Everyone's Job.)
To a certain extent, the rules of cloud security still apply: The service provider takes responsibility for the integrity of the infrastructure, while the customer ultimately is responsible for the data sent to the cloud. However, Ryland noted that AWS is trying to put as many security tools in the hands of clients as possible, with reminders along the way that security is part of the equation.
"We gave the customers a lot of tools and a lot of capabilities, but we did hear that feedback, which is, 'This is great, but come across that shared security boundary and help me out here,'" Ryland said. "And there is much we can do. There's always going to be some final judgment that customers apply, and there's no way that we can say with certainty that certain configurations are inherently insecure. They might be exactly right for that situation, right? So, we do warn people -- we've got a bunch of tools that warn people about open S3 buckets. We send out emails to customers periodically and say, 'Hey, you can respond and turn off this email, but until you do, we're going to email and tell you that you have open S3 buckets.'"
It's that same attention to detail that AWS offers for Snowball, both en route to the customer and on the return trip.
At the heart is cryptography, which helps secure the Snowball devices, and comes in handy for AWS customers, which include the US Defense Department, oil and gas firms, shipping companies, as well as businesses using it on the manufacturing floor.
AWS Snowball devices contain a number of different compute modules, including ones for storage of customer data, one for the virtual machine running inside, as well as one that supports the Trusted Platform Modules (TPMs). Each TPM, in turn, holds its own private key.
As Ryland explains:

"They're able to scan before the device leaves the cloud, [and] all of the information is double encrypted on the device, using a combination of the keys that are embedded in the TPMs and a key that's stored in our [Key Management Service] KMS system in the cloud. So now, in order to decrypt that device, those two keys have to come together again somehow."

When the device is in transit, even if someone could hack the TPM -- not an easy task on its own -- the crucial key needed to decrypt the data remains in the cloud. It's not until the device is delivered and verified by AWS that the customer manifest file is sent.
"So literally, if that device is compromised along the way, and even assuming they could somehow access the customer's AWS account, the manifest file you need to decrypt the device isn't present in their cloud account until UPS or FedEx or someone tells us that the device has been delivered," Ryland explained.
That covers only opening and shipping the Snowball. The device also has encryption embedded at the storage layer for additional protection.
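The split-key design Ryland describes (data encrypted under a key that is wrapped once by a TPM-resident key and again by a KMS-resident key, with the manifest withheld until delivery is confirmed) is easier to reason about in code. The following is an added illustration, not AWS's implementation: the TPM and KMS are stood in for by two locally generated AES-256 keys, the carrier's delivery notice by a boolean, and the customer data by a constructed byte string. Function and type names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key. In this example it stands in for
// both the TPM-resident device key and the KMS-resident cloud key (assumption).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext under key with AES-256-GCM and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Manifest is the cloud-side half of the unlock material: the data key wrapped
// first under the device (TPM) key and then again under the cloud (KMS) key.
type Manifest struct {
	DoubleWrappedDataKey []byte
	deliveryConfirmed    bool
}

// PrepareDevice encrypts customer data under a random data key. The ciphertext
// travels on the device; the Manifest stays in the customer's cloud account.
func PrepareDevice(tpmKey, cloudKey, data []byte) ([]byte, *Manifest, error) {
	dataKey, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err := seal(dataKey, data)
	if err != nil {
		return nil, nil, err
	}
	wrappedOnce, err := seal(tpmKey, dataKey) // undoing this needs the TPM key
	if err != nil {
		return nil, nil, err
	}
	wrappedTwice, err := seal(cloudKey, wrappedOnce) // undoing this needs the KMS key
	if err != nil {
		return nil, nil, err
	}
	return ciphertext, &Manifest{DoubleWrappedDataKey: wrappedTwice}, nil
}

// ConfirmDelivery models the carrier's delivery notification.
func (m *Manifest) ConfirmDelivery() { m.deliveryConfirmed = true }

// Release hands out the manifest only after delivery has been confirmed.
func (m *Manifest) Release() ([]byte, error) {
	if !m.deliveryConfirmed {
		return nil, errors.New("manifest withheld: device not yet confirmed delivered")
	}
	return m.DoubleWrappedDataKey, nil
}

// UnlockDevice needs both halves: the released manifest plus the cloud key to
// peel the outer wrap, and the device's TPM key to peel the inner wrap.
func UnlockDevice(tpmKey, cloudKey, manifest, ciphertext []byte) ([]byte, error) {
	wrappedOnce, err := open(cloudKey, manifest)
	if err != nil {
		return nil, fmt.Errorf("cloud (KMS) key failed: %w", err)
	}
	dataKey, err := open(tpmKey, wrappedOnce)
	if err != nil {
		return nil, fmt.Errorf("device (TPM) key failed: %w", err)
	}
	return open(dataKey, ciphertext)
}

// RoundTrip runs the whole flow and reports whether the data survived it and
// whether the in-transit release attempt (before delivery) was refused.
func RoundTrip(data []byte) (recovered, transitRefused bool, err error) {
	tpmKey, err := NewKey()
	if err != nil {
		return false, false, err
	}
	cloudKey, err := NewKey()
	if err != nil {
		return false, false, err
	}
	ct, m, err := PrepareDevice(tpmKey, cloudKey, data)
	if err != nil {
		return false, false, err
	}
	if _, err := m.Release(); err != nil { // device in transit: manifest not available
		transitRefused = true
	}
	m.ConfirmDelivery()
	released, err := m.Release()
	if err != nil {
		return false, transitRefused, err
	}
	pt, err := UnlockDevice(tpmKey, cloudKey, released, ct)
	if err != nil {
		return false, transitRefused, err
	}
	return bytes.Equal(pt, data), transitRefused, nil
}

func main() {
	ok, refused, err := RoundTrip([]byte("constructed sample customer data"))
	fmt.Println("recovered:", ok, "refused in transit:", refused, "err:", err)
}
```

The point the example makes is the one Ryland states: compromising the device in transit yields only ciphertext and the TPM-wrapped key, while the outer wrap can only be removed by the cloud key, and the manifest that carries it is not released until delivery is confirmed. Note that a real KMS would perform the outer unwrap server-side rather than exporting the cloud key as this example does.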
As with anything related to cloud, AWS provides the secure infrastructure, whether in the cloud itself or out on the edge, but it's the customer who must ultimately protect the data. However, the Snowball security setup shows how companies are prodding customers along when it comes to security.
"It's our obligation to deliver secure infrastructure for your use," Ryland added. "And it's our obligation to advise and help and guide you to use it in a secure way. But there's not, I don't think, any situation with absolute certainty that, 'this use is valid, this one's invalid -- no, you can never do x, y and z.'"
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.