facebook noscript

How the AWS Shared Responsibility Model Revolutionized Compliance and Data Security

August 27, 2021
How the AWS Shared Responsibility Model Revolutionized Compliance and Data Security

There’s no doubt about it: Compliance and data security are expensive, time-consuming, and stressful. And there’s a reason for that.

Traditional methods don’t make it easy for companies to become compliant and protect user data. For crypto startups like Gem or leading marketing platforms like Fivestars, securing customer data security is mandatory – but it’s often cost-prohibitive and distracting.

And, no matter how good your in-house system is, you will always be liable in the event of a breach.

VGS is changing that paradigm by building its data protection service in conjunction with the AWS Shared Responsibility Model. This takes away the cumbersome requirement of building data security architecture from scratch and the liability of a cyber threat.

Why In-House Compliance Just Doesn’t Cut It

Traditionally, businesses have had to shoulder the entire weight of compliance by building their own compliant system – a costly and time-consuming journey that varies for different compliance types.

Take PCI DSS compliance, for example. Depending on your required compliance level, the initial cost can range from tens of thousands of dollars to a million. On top of those initial costs, companies encounter yearly maintenance costs and lost time and productivity.

The reason in-house compliance solutions are so labor-intensive is that companies have to build everything from scratch. This can include crafting policies, setting access controls, securing networks, finding encryption solutions, and building physical infrastructure. The entire process of becoming PCI compliant can take up to a year.

PCI requirements apply to all businesses handling card/payments data and are especially burdensome for startups and small businesses that aim to launch new products and grow quickly. Startups and fintech companies need to move fast, and they often don’t have enough capital to commit to compliance. Delays in product launches can kill their business. But, at the same time, many of these companies handle sensitive data.

In other words, they can’t afford not to be compliant.

The Challenge of Data Security for Gem

Gem is a mobile app that allows users to interact with their cryptocurrency assets seamlessly. Due to compliance regulations, Gem requires a substantial amount of personally identifiable information (PII) and other PCI data. Despite having an in-house solution, the Gem team knew they were at risk – and liable in case of a data breac h. Not only can cryptocurrency be stolen and not recovered, but user data could be at risk in case of a breach.

For peace of mind, Gem brought on VGS as a second layer of security.

Data Portability with Fivestars

Fivestars is a leading marketing platform for local businesses with over 14,000 clients nationwide. They needed to achieve PCI compliance when they decided to include payment processing to enhance their customer experience.

The problem is that most solutions would lock Fivestars with a specific vendor, which limits their ability to control and fully tap into the underlying payments data. In addition, they would have had to create expensive in-house data security infrastructure.

Like Gem, Fivestars decided to bring VGS on board as a data security partner.

Both companies were quickly and efficiently able to achieve PCI compliance while saving money and time. In the case of Fivestars, they saved up to $1 million dollars.

Both companies were able to generate such cost savings because of how VGS is built, which makes it easier and more cost-effective to achieve various types of compliance certifications beyond just PCI DSS.

Building on AWS’ Shared Responsibility Model

Fortunately, more and more companies are able to outsource their entire compliance needs successfully. One solution to building a reliable data security posture entails working within the Amazon Web Services (AWS) Shared Responsibility Model.

The Shared Responsibility Model involves AWS providing the high-level cloud security controls while customers are still responsible for securing the actual data that sits in the cloud. Essentially, AWS provides a secure and reliable house while the customer is responsible for securing the belongings inside the house.

VGS is built on AWS infrastructure to enable mutual AWS-VGS customers to achieve data security and compliance via the AWS Shared Responsibility Model.

There are three layers to the AWS Shared Responsibility Model:

  • Core infrastructure services
  • Container services
  • Abstract services

The core infrastructure services include items like foundational services, global infrastructure, IAM, and API endpoints. Container services shift the responsibility of managing your operating system, platforms, and applications to AWS. Finally, AWS’ abstract services also provide some basic data protection services and availability.

If all three services are used, the only remaining thing you need to focus on is collecting and storing your data. You will still need to customize items like network controls, access points, and company policies around data security. You can even use AWS documentation for your external audits, but the overall burden of compliance infrastructure is not entirely lifted.

That’s where VGS comes in.

Adding VGS on top of AWS

VGS is built on the AWS system and provides data aliasing for secure data collection and storage. VGS takes care of what the Shared Responsibility Model doesn’t - customer data protection.

Data aliasing is a type of tokenization that cannot be reverse-engineered or hacked. If a cyber threat happens to get into your system, they will only find useless tokens. This keeps your customer data safe and secure.

Enhancing Data Security for Gem

When customers enter data into the Gem widget, it is collected by VGS first, redacted, and replaced with an alias. These newly generated tokens are stored in a Vault, which then creates a new token for the Gem database.

Access to the Vault is strictly guarded, and only certain services have access to it. These services are only able to get the identifier they need and must communicate with VGS. In addition, only specific systems are allowed to communicate with VGS.

This intricate layer of communication and tokenization creates a second layer of defense for data protection.

“I can sleep at night. Having yet another layer of protection, where that’s all [VGS is] focused on, made me feel much more comfortable with our security posture. It gives us a stamp of security, so customers feel more secure too.” Micah Winkelspecht, CEO and Founder

Saving Time, Money, and Headaches with Fivestars

  1. A customer signs up with Fivestars’ loyalty program with their phone number and payment card.

  2. VGS collects the credit card number and phone number data and replaces them with an alias. The aliased data is then stored in the secure VGS vault, which Fivestars can access with specific controls.

  3. When the customer shops again with the same credit card at any Fivestars merchant, VGS can pull the data based on its alias. The customer immediately receives points and rewards based on their purchase.

Both AWS and VGS do not own the data. This means that Fivestars maintains complete ownership of their customer data without worrying about the liability of collecting and storing it. They can work with any vendor and scale their business accordingly.

“VGS committed to not just providing secure data storage but also providing PCI advisory and compliance support. And that was big for us. None of the other providers could provide an integrated partnership.” - Matt Doka, Co-founder

Turn Compliance into a Business Accelerant

The AWS Shared Responsibility Model enables businesses to streamline their data compliance efforts. Combining AWS’ cloud infrastructure with VGS’ Zero Data offering allows businesses of all sizes to achieve secure data security with minimal effort. And since companies no longer need to spend significant time, effort, or resources on compliance and data security, they can focus on what matters - building their business.

If you’d like to learn more, visit the PCI page or request a demo today.

Stefan Slattery Stefan Slattery

Head of Growth Marketing


You Might also be interested in...

Very Good Security Achieves Amazon Web Services Partner Network Select Technology Partner Status

Very Good Security Achieves Amazon Web Services Partner Network Select Technology Partner Status

Stefan Slattery May 21, 2020


AWS + VGS: Shared Responsibility Model and PCI Compliance


PostgreSQL Deadlock Monitoring in AWS

Max Lobur June 19, 2019