Werner Vogels, in his blog on the subject, says: Amazon Virtual Private Cloud customers will be able to "seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work."
Companies making use of Amazon to establish their external "private cloud" will access resources over their own routers, which will be configured to go only to IP addresses in a particular company-owned address block. Amazon will set up a Virtual Private Cloud that serves that address block, Vogels explained.
"These resources are fully isolated and can only communicate with other resources in the same Virtual Private Cloud…" he continued.
That may be true, in one sense. But I'm wondering if "isolation," as Vogels uses it, means that the physical server resources being used are dedicated to the customer's Virtual Private Cloud, or just that the network access is isolated by the VPN. Amazon might answer that the isolation provided by the VPN is enough. There may be additional Amazon measures that try to ensure that it is enough. But he's going a long way down the "private" descriptive path if these resources are multi-tenant, perhaps even existing EC2 servers that have been co-assigned the task of supplying the Virtual Private Cloud.
Vogels notes in the blog that Amazon has already spent "$2 billion in developing technologies that could deliver security, reliability and performance at tremendous scale and at low cost."
Fair enough. But does that mean that if an intruder somehow succeeded in getting into my Virtual Private Cloud, my data would still be protected, that highly sensitive virtual machine operations would be shielded from less sensitive ones, and that suspicious activity, such as an irregular fund transfer, would stand out as an exception and be reported swiftly by the Virtual Private Cloud's monitoring service?
If the answer is, "If you configure your end right, then no intruder can get in," that's a red flag. To keep my data secure, Virtual Private Cloud security is going to have to amount to more than network isolation. There will need to be intruder protection and virtual firewalls built into each virtual machine that isolate it from traffic with other virtual machines; in some cases, a VM will need to be isolated from other VMs even though they are inside the same Virtual Private Cloud. More detail needs to emerge on this offering. But I think what we have in Amazon's latest service is not a private cloud as I understand it but a "virtual" private cloud: a private cloud, maybe, but one that mostly secures the data and can't do everything the typical chief security officer does inside the data center.
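A concrete version of the intra-VPC point above, added here as an example and not part of the original post or of any Amazon tooling: in present-day VPCs the per-instance virtual firewall is the security group, and the failure mode is a rule whose source is the whole VPC address block (or the internet) rather than a named source security group, which is exactly what lets any VM inside the VPC reach any other. The script below audits output shaped like `aws ec2 describe-security-groups` for that pattern and builds the scoped replacement rule. The sample output, the group IDs (`sg-web`, `sg-app`, `sg-db`), the VPC block `10.0.0.0/16` and the sensitive-port list are all constructed for the example.

```python
"""Audit security group rules that let any instance in a VPC reach any other.

Added example: parses output shaped like `aws ec2 describe-security-groups`
(constructed sample, not real account data) and flags ingress rules whose
source is the whole VPC address block or the internet rather than a named
source security group.
"""
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group IDs, VPC ID, CIDRs and ports are made up for the example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-web", "GroupName": "web", "VpcId": "vpc-example",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-app", "GroupName": "app", "VpcId": "vpc-example",
         "IpPermissions": [
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-db", "GroupName": "db", "VpcId": "vpc-example",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    ]
})

VPC_CIDR = "10.0.0.0/16"                        # assumed: the block the VPC serves
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}  # admin and database ports (assumed list)


def _port_range(perm):
    """Return (low, high) for a rule; IpProtocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def _classify_source(cidr, vpc):
    """Label a CIDR source as 'internet', 'whole-vpc' or 'narrow'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "internet"
    if vpc.subnet_of(net):            # the rule's CIDR covers the entire VPC block
        return "whole-vpc"
    return "narrow"


def find_overbroad_rules(describe_json, vpc_cidr):
    """Flag ingress rules that expose a sensitive port (or all ports) to the
    whole VPC or to the internet instead of to a named source security group."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            low, high = _port_range(perm)
            exposed = [p for p in SENSITIVE_PORTS if low <= p <= high]
            if not exposed:
                continue              # e.g. 443 open to the world on a web tier
            for rng in perm.get("IpRanges", []):
                label = _classify_source(rng["CidrIp"], vpc)
                if label != "narrow":
                    findings.append({
                        "group": sg["GroupId"],
                        "source": rng["CidrIp"],
                        "ports": sorted(exposed),
                        "reason": f"{label} source reaches sensitive ports",
                    })
            # Rules whose source is another security group (UserIdGroupPairs)
            # are the intended pattern and are not flagged.
    return findings


def scoped_ingress_rule(port, source_group_id, protocol="tcp"):
    """Build the replacement rule in the IpPermissions shape accepted by
    `aws ec2 authorize-security-group-ingress --ip-permissions`: the source is
    a security group, so only members of that group can reach the port."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


if __name__ == "__main__":
    for finding in find_overbroad_rules(SAMPLE_DESCRIBE_OUTPUT, VPC_CIDR):
        print(finding)
    # The tightened rule for the database tier: MySQL only from the app tier.
    print(json.dumps([scoped_ingress_rule(3306, "sg-app")]))
```

On the constructed sample the audit flags three rules: SSH on the web group open to the whole VPC, every port on the app group open to the whole VPC, and MySQL on the database group open to `10.0.0.0/8`, which contains the VPC. The web group's 443 from `0.0.0.0/0` and the database group's Postgres rule sourced from `sg-app` are left alone, since the first is not a sensitive port and the second is already scoped to a named group. The point for the question raised above is that the VPN around the VPC says nothing about any of this; the boundary between VMs inside it is drawn entirely by rules like these.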
My questions: Will I remain in full compliance if I mingle use of my most secure, private data between the data center and the Virtual Private Cloud? Where has the security boundary moved to? It used to be at the perimeter of the data center. Is it still there or did it move into the cloud, with the data? Who's now responsible for that boundary, Amazon or me?