All posts by Becca Crockett

AWS Security profiles: Michael South, Principal Business Development Manager for Security Acceleration

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-michael-south-principal-business-development-manager-for-security-acceleration/


In the weeks leading up to the Solution Days event in Tokyo, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS since August 2017. I’m part of a team called SeCBAT — the Security and Compliance Business Acceleration Team. I lead customer-focused executive security and compliance efforts for the public sector in the Americas, from Canada down to Chile, and spanning federal government, defense, state and local government, education, and non-profit verticals. The team was established in 2017 to address a need we saw in supporting our customers. While we have fantastic solution architects who connect easily with our customers’ architects and engineers, we didn’t have a readily available team in our World Wide Public Sector organization to engage customers interested in security at the executive level. When we worked with people like CISOs — Chief Information Security Officers — there was a communication gap. CISOs have a broader scope than engineers, and are oftentimes not as technically deep. Technology is only one piece of the puzzle that they’re trying to solve. Other challenging pieces include policy, strategy, culture shift, staffing and training, and the politics of their entire organization. SeCBAT is comprised of prior government CISOs (or similar roles), allowing us to establish trust quickly. We’ve been in their shoes, so we understand the scope of their concerns, we can walk them through how they can meet their security and compliance objectives in AWS, and we can help remove barriers to cloud adoption for the overall customer.

These customer engagements are one of my primary functions. The team also spends a lot of time on strategic communications: presenting at conferences and tradeshows, writing whitepapers and blogs, and generally providing thought leadership for cloud security. Lastly, we work closely with Amazon Public Policy as subject matter experts to assist in reviewing and commenting on draft legislation and government policies, and in meetings with legislators, regulators, and policy-makers to educate them on how security in the cloud works so they can make informed decisions.

What’s the most challenging part of your job?

Customers who are new to the cloud often grapple with feelings of fear and uncertainty (just like I did). For me, figuring out how to address that feeling is a challenge that varies from person to person. It isn’t necessarily based on facts or data — it’s a general human reaction to something new. “The cloud” is very mysterious to people who are just coming into it, and oftentimes their sources of information are inaccurate or sensationalized news articles, combined with a general overuse of the word “cloud” in marketing materials from traditional vendors who are trying to cash in on this industry shift. Once you learn what the cloud really is and how it works, what’s the same and what’s different than what you’re used to on-prem, you can figure out how to manage it, secure it, and incorporate it into your overall strategy. But trying to get past that initial fear of the unknown is challenging. Part of what I do is educate people and then challenge some of the assumptions they might have made prior to our meeting. I want people to be able to look at the data so that they can make an informed decision and not lose an opportunity over a baseless emotion. If they choose not to go to the cloud, then that is absolutely fine, but at least that decision is made on facts and what’s best for the organization.

What’s the most common misperception you encounter about cloud security and compliance?

Visibility. There’s a big misperception that customers will lose visibility into their data and their systems in the cloud, and this becomes a root cause of many other misconceptions. It’s usually the very first point that I focus on in my briefs and discussions. I walk customers through my cloud journey, including my background in traditional security in an on-prem environment. As the Deputy CISO for the city of Washington, DC, I was initially very nervous about transitioning to the cloud, but I tasked my team and myself to dive deep and learn. It didn’t take long for us to determine that not only could we be just as secure and compliant in the cloud as on-prem, but that we could achieve a greater level of security and compliance through resiliency, continuous monitoring, and automated security operations. During our research, we also had to deal with a few on-prem issues, and that’s when it dawned on me that the cloud gave me something that I’d been lacking for my entire IT career — essentially 100% visibility! It didn’t matter if a server was on or off, what network segment it was on, whether the endpoint agent was installed or reporting up, or any other state — I had absolute visibility into every asset we had in the cloud. From here, we could secure and automate with much greater confidence, which resulted in fewer “fires” to put out. Security ended up being a driving force behind the city’s cloud adoption strategy. The security and governance journey can take a while at first, but these factors will enable everyone else to move fast, safely. The very first step is understanding the visibility that the cloud allows.

You’ll be giving a keynote at AWS Solution Days, in Tokyo. Is this the first time you’ve been to Japan?

No, my family and I were very fortunate to have lived in Yokosuka, Japan for a few years. I served in the U.S. Navy for 25 years prior to joining AWS, where I enjoyed two tours in Japan. The first was as the Seventh Fleet Information Assurance Manager, the lead for cybersecurity for all U.S. Naval forces in Asia. The second was as the Navy Chief Information Officer (CIO) for all U.S. Naval forces in Japan. Those experiences were some of the best of my career and family life. We would move back to Japan in a heartbeat!

The keynote is called “U.S. government and U.S. defense-related security.” What implications do U.S. government and defense policies have for AWS customers in Japan?

The U.S. and Japan are very strong political and military allies. Their governments and militaries share common interests and defense strategies, and collaborate on a myriad of socio-economic topics. This all requires the sharing of sensitive information, which is where having a common lexicon, standards, and processes for security benefits both parties. I plan to discuss the U.S. environment and highlight things that are working well in the U.S. that Japan might want to consider adopting, plus some things that might not be a good fit—coupled with recommendations on what might be better opportunities. I also plan to demonstrate that AWS is able to meet the high standards of the U.S. government and military with very strict, regulated security. I hope that this will give Japanese customers confidence in our ability to meet the similarly rigorous requirements they might have.

In your experience, how does the cloud security landscape differ between US and Japanese markets?

From my understanding, the Japanese government is in the very early stages of cloud adoption. Many ministries are assessing how they might use the cloud and secure their sensitive data in it. In addition to speaking at the summit, one of my reasons for visiting Japan is to meet with Japanese government customers to learn about their efforts. They’re very much interested in what the U.S. government is doing with AWS. They would like to leverage lessons learned, technical successes, and processes that are working well, in addition to learning about things that they might want to do differently. It’s a great opportunity to showcase all the work we’re doing with the U.S. government that could also benefit the Japanese government.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

My hope is that we’ll see a better, more holistic method of implementing governance with security engineering and security operations. Right now, globally across the cybersecurity landscape, there are silos: development security, governance, compliance, risk management, engineering, security operations, etc. They should be more mutually supportive and interconnected, and as you implement a plan in one area, it should go into effect seamlessly across the other areas.

Similarly, my hope is that five years from now we’ll start seeing a merge between the technologies and people and processes. Right now, the cybersecurity industry seems to try to tackle every problem with a technological solution. But technology is really the easiest part of every problem. The people and the processes are much more difficult. I think we need to devote a lot more time toward developing a holistic view of cybersecurity based on business risk and objectives.

Why should emerging markets move to the cloud now? Why not wait another five years in the hope that the technology will mature?

I’d like to challenge the assumption that the cloud is not mature. At least with AWS and our near competitors, I’d say the cloud is very mature and provides a level of sophistication that is very difficult and costly to replicate on-prem. If the concern is about technical maturity, you’re already late.

In addition, the waiting approach poses two problems: First, if you’re not engaged now in learning how the cloud works, you’ll just be further behind the curve in five years. Second, I see (and believe I’ll continue to see) that the vast majority of new technologies, services, and concepts are being born in the cloud. Everything is hyper-converging on the cloud as the foundational platform for all other emerging technologies. If you want to be successful with the next big idea in five years, it’s better to get into the cloud now and become an expert at what it can do—so that you’re ready for that next big idea. Because in some way, shape, or form, it’s going to be in or enabled by the cloud.

What are your favorite things to do when you’re visiting Japan?

The history and tradition of Kyoto make it my favorite city in Japan. But since we’ll be in Tokyo, there are a few things there that I’d recommend. First, the 100-Yen sushi-go-rounds. To Americans, I’d explain it as paying one US dollar for a small plate (2 pieces of nigiri or 4 roll slices) of fantastic sushi. You can eat thirty plates for thirty bucks! Places in Tokyo to visit are Harajuku for people-watching, with all the costumes and fashion, Shibuya for shopping, and of course Tokyo Tower. I also recommend Ueno Park, somewhat close to where our event will be held, which has a pond and zoo.

Japan is one of the safest and politest countries I’ve been to — and I’ve visited about 40 at this point. The people I’ve met there have all been extraordinarily nice and are what really makes Japan so special. I’d highly recommend visiting.

What’s your favorite thing to do in your hometown?

I’m originally from Denver, Colorado. If you’re in Denver, you’ve got to go up to the mountains. If you’re there in the summer, you can hike, camp, go white-water rafting, or horseback riding. If you’re there in the winter, you can go skiing or snowboarding, or just sit by the fire with a hot toddy. It really doesn’t matter. Just go up to the mountains and enjoy the beautiful scenery and wildlife.

Michael South

Michael joined AWS in 2017 as the Americas Regional Leader for public sector security and compliance business development. He supports customers who want to achieve business objectives and improve their security and compliance in the cloud. His customers span across the public sector, including: federal governments, militaries, state/provincial governments, academic institutions, and non-profits from North to South America. Prior to AWS, Michael was the Deputy Chief Information Security Officer for the city of Washington, DC and the U.S. Navy’s Chief Information Officer for Japan.

AWS Security Profile (and re:Invent 2018 wrap-up): Eric Docktor, VP of AWS Cryptography

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profile-and-reinvent-2018-wrap-up-eric-docktor-vp-of-aws-cryptography/


We sat down with Eric Docktor to learn more about his 19-year career at Amazon, what’s new with cryptography, and to get his take on this year’s re:Invent conference. (Need a re:Invent recap? Check out this post by AWS CISO Steve Schmidt.)


How long have you been at AWS, and what do you do in your current role?

I’ve been at Amazon for over nineteen years, but I joined AWS in April 2015. I’m the VP of AWS Cryptography, and I lead a set of teams that develops services related to encryption and cryptography. We own three services and a tool kit: AWS Key Management Service (AWS KMS), AWS CloudHSM, AWS Certificate Manager, plus the AWS Encryption SDK that we produce for our customers.

Our mission is to help people get encryption right. Encryption algorithms themselves are open source, and generally pretty well understood. But just implementing encryption isn’t enough to meet security standards. For instance, it’s great to encrypt data before you write it to disk, but where are you going to store the encryption key? In the real world, developers join and leave teams all the time, and new applications will need access to your data—so how do you make a key available to those who really need it, without worrying about someone walking away with it?

We build tools that help our customers navigate this process, whether we’re helping them secure the encryption keys that they use in the algorithms or the certificates that they use in asymmetric cryptography.

What did AWS Cryptography launch at re:Invent?

We’re really excited about the launch of KMS custom key store. We’ve received very positive feedback about how KMS makes it easy for people to control access to encryption keys. KMS lets you set up IAM policies that give developers or applications the ability to use a key to encrypt or decrypt, and you can also write policies which specify that a particular application—like an Amazon EMR job running in a given account—is allowed to use the encryption key to decrypt data. This makes it really easy to encrypt data without worrying about writing massive decrypt jobs if you want to perform analytics later.

But, some customers have told us that for regulatory or compliance reasons, they need encryption keys stored in single-tenant hardware security modules (HSMs) that they manage. This is where the new KMS custom key store feature comes in. Custom key store combines the ease of using KMS with the ability to run your own CloudHSM cluster to store your keys. You can create a CloudHSM cluster and link it to KMS. After setting that up, any time you want to generate a new master key, you can choose to have it generated and stored in your CloudHSM cluster instead of using a KMS multi-tenant HSM. The keys are stored in an HSM under your control, and they never leave that HSM. You can reference the key by its Amazon Resource Name (ARN), which allows it to be shared with users and applications, but KMS will handle the integration with your CloudHSM cluster so that all crypto operations stay in your single-tenant HSM.

You can read our blog post about custom key store for more details.

If both AWS KMS and AWS CloudHSM allow customers to store encryption keys, what’s the difference between the services?

Well, at a high level, sure, both services offer customers a high level of security when it comes to storing encryption keys in FIPS 140-2 validated hardware security modules. But there are some important differences, so we offer both services to allow customers to select the right tool for their workloads.

AWS KMS is a multi-tenant, managed service that allows you to use and manage encryption keys. It is integrated with over 50 AWS services, so you can use familiar APIs and IAM policies to manage your encryption keys, and you can allow them to be used in applications and by members of your organization. AWS CloudHSM provides a dedicated, FIPS 140-2 Level 3 HSM under your exclusive control, directly in your Amazon Virtual Private Cloud (VPC). You control the HSM, but it’s up to you to build the availability and durability you get out of the box with KMS. You also have to manage permissions for users and applications.

Other than helping customers store encryption keys, what else does the AWS Cryptography team do?

You can use CloudHSM for all sorts of cryptographic operations, not just key management. But we definitely do more than KMS and CloudHSM!

AWS Certificate Manager (ACM) is another offering from the cryptography team that’s popular with customers, who use it to generate and renew TLS certificates. Once you’ve got your certificate and you’ve told us where you want it deployed, we take care of renewing it and binding the new certificate for you. Earlier this year, we extended ACM to support private certificates as well, with the launch of ACM Private Certificate Authority.

We also helped the AWS IoT team launch support for cryptographically signing software updates sent to IoT devices. For IoT devices, and for software installation in general, it’s a best practice to only accept software updates from known publishers, and to validate that the new software has been correctly signed by the publisher before installing. We think all IoT devices should require software updates to be signed, so we’ve made this really easy for AWS IoT customers to implement.

What’s the most challenging part of your job?

We’ve built a suite of tools to help customers manage encryption, and we’re thrilled to see so many customers using services like AWS KMS to secure their data. But when I sit down with customers, especially large customers looking seriously at moving from on-premises systems to AWS, I often learn that they have years and years of investment into their on-prem security systems. Migrating to the cloud isn’t easy. It forces them to think differently about their security models. Helping customers think this through and map a strategy can be challenging, but it leads to innovation—for our customers, and for us. For instance, the idea for KMS custom key store actually came out of a conversation with a customer!

What’s your favorite part of your job?

Ironically, I think it’s the same thing! Working with customers on how they can securely migrate and manage their data in AWS can be challenging, but it’s really rewarding once the customer starts building momentum. One of my favorite moments of my AWS career was when Goldman Sachs went on stage at re:Invent last year and talked about how they use KMS to secure their data.

Five years from now, what changes do you think we’ll see within the field of encryption?

The cryptography community is in the early stages of developing a new cryptographic algorithm that will underpin encryption for data moving across the internet. The current standard is RSA, and it’s widely used. That little padlock you see in your web browser telling you that your connection is secure uses the RSA algorithm to set up an encrypted connection between the website and your browser. But, like all good things, RSA’s time may be coming to an end—the quantum computer could be its undoing. It’s not yet certain that quantum computers will ever achieve the scale and performance necessary for practical applications, but if one did, it could be used to attack the RSA algorithm. So cryptographers are preparing for this. Last year, the National Institute of Standards and Technology (NIST) put out a call for algorithms that might be able to replace RSA, and got 68 responses. NIST is working through those ideas now and will likely select a smaller number of algorithms for further study. AWS participated in two of those submissions and we’re keeping a close eye on NIST’s process. New cryptographic algorithms take years of testing and vetting before they make it into any standards, but we want to be ready, and we want to be on the forefront. Internally, we’re already considering what it would look like to make this change. We believe it’s our job to look around corners and prepare for changes like this, so our customers don’t have to.

What’s the most common misconception you encounter about encryption?

Encryption technology itself is decades-old and fairly well understood. That’s both the beauty and the curse of encryption standards: By the time anything becomes a standard, there are years and years of research and proof points into the stability and the security of the algorithm. But just because you have a really good encryption algorithm that takes an encryption key and a piece of data you want to secure and spits out an impenetrable cipher text, it doesn’t mean that you’re done. What did you do with the encryption key? Did you check it into source code? Did you write it on a piece of paper and leave it in the conference room? It’s these practices around the encryption that can be difficult to navigate.

Security-conscious customers know they need to encrypt sensitive data before writing it to disk. But, if you want your application to run smoothly, sometimes you need that data in clear text. Maybe you need the data in a cache. But who has access to the cache? And what logging might have accidentally leaked that information while the application was running and interacting with the cache?

Or take TLS certificates. Each TLS certificate has a public piece—the certificate—and a private piece—a private key. If an adversary got ahold of the private key, they could use it to impersonate your website or your API. So, how do you secure that key after you’ve procured the certificate?

It’s practices like this that some customers still struggle with. You have to think about all the places that your sensitive data is moving, and about real-world realities, like the fact that the data has to be unencrypted somewhere. That’s where AWS can help with the tooling.

Which re:Invent session videos would you recommend for someone interested in learning more about encryption?

Ken Beer’s encryption talk is a very popular session that I recommend to people year after year. If you want to learn more about KMS custom key store, you should also check out the video from the LaunchPad event, where we talked with Box about how they’re using custom key store.

People do a lot of networking during re:Invent. Any tips for maintaining those connections after everyone’s gone home?

Some of the people that I meet at re:Invent I get to see again every year. With these customers, I tend to stay in touch through email, and through Executive Briefing Center sessions. That contact is important since it lets us bounce ideas off each other and we use that feedback to refine AWS offerings. One conference I went to also created a Slack channel for attendees—and all the attendees are still on it. It’s quiet most of the time, but people have a way to re-engage with each other and ask a question, and it’ll be just like we’re all together again.

If you had to pick any other job, what would you want to do with your life?

If I could do anything, I’d be a backcountry ski guide. Now, I’m not a good enough skier to actually have this job! But I like being outside, in the mountains. If there was a way to make a living out of that, I would!


Eric Docktor

Eric joined Amazon in 1999 and has worked in a variety of Amazon’s businesses, including being part of the teams that launched Amazon Marketplace, Amazon Prime, the first Kindle, and Fire Phone. Eric has also worked in Supply Chain planning systems and in Ordering. Since 2015, Eric has led the AWS Cryptography team that builds tools to make it easy for AWS customers to encrypt their data in AWS. Prior to Amazon, Eric was a journalist and worked for newspapers including the Oakland Tribune and the Doylestown (PA) Intelligencer.

AWS Security Profiles: Quint Van Deman, Principal Business Development Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-quint-van-deman-principal-business-development-manager/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I joined AWS in August 2014. I spent my first two and a half years in the Professional Services group, where I ran around the world to help some of our largest customers sort through their security and identity implementations. For the last two years, I’ve parlayed that experience into my current role of Business Development Manager for the Identity and Directory Services group. I help the product development team build services and features that address the needs I’ve seen in our customer base. We’re working on a next generation of features that we think will radically simplify the way customers implement and manage identities and permissions within the cloud environment. The other key element of my job is to find and disseminate the most innovative solutions I’m seeing today across the broadest possible set of AWS customers to help them be more successful faster.

How do you explain your job to non-tech friends?

I keep one foot in the AWS service team organizations, where they build features, and one foot in day-to-day customer engagement to understand the real-world experiences of people using AWS. I learn about the similarities and differences between how these two groups operate, and then I help service teams understand these similarities and differences, as well.

You’re a “bar raiser” for the Security Blog. What does that role entail?

The notion of being a bar raiser has a lot of different facets at Amazon. The general concept is that, as we go about certain activities — whether hiring new employees or preparing blog posts — we send things past an outside party with no team biases. As a bar raiser for the Security Blog, I don’t have a lot of incentive to get posts out because of a deadline. My role is to make sure that nothing is published until it successfully addresses a customer need. At Amazon, we put the best customer experience first. As a bar raiser, I work to hold that line, even though it might not be the fastest approach, or the path of least resistance.

What’s the most challenging part of your job?

Ruthless prioritization. One of our leadership principles at Amazon is frugality. Sometimes, that means staying in cheap hotel rooms, but more often it means frugality of resources. In my case, I’ve been given the awesome charter to serve as the Business Development Manager for our suite of Identity and Directory Services. I’m something of a one-man army the world over. But that means a lot of things come past my desk, and I have to prioritize ruthlessly to ensure I’m focusing on the things that will be most impactful for our customers.

What’s your favorite part of your job?

A lot of our customers are doing an awesome job being bar raisers themselves. They’re pushing the envelope in terms of identity-focused solutions in their own AWS environments. One fulfilling part of my work is getting to collaborate with those customers who are on the leading edge: Their AWS field teams will get ahold of me, and then I get to do two really fun things. First, I get to dive in and help these customers succeed at whatever they’re trying to do. Second, I get to learn from them. I get to examine the really amazing ideas they’ve come up with and see if we might be able to generalize their solutions and roll them out to the delight of many more AWS customers that might not have teams mature enough to build them on their own. While my title is Business Development Manager, I’m a technologist through and through. Getting to dive into these thorny technical situations and see them resolve into really great solutions is extremely rewarding.

How did you choose your particular topics for re:Invent 2018?

Over the last year, I’ve talked with lots of customers and AWS field teams. My Mastering Identity at Every Layer of the Cake session was born out of the fact that I noticed a lot of folks doing a lot of work to get identity for AWS right, but other layers of identity that are just as important weren’t getting as much attention. I made it my mission to provide a more holistic understanding of what identity in the cloud means to these customers, and over time I developed ways of articulating the topic which really seemed to resonate. My session is about sharing this understanding more broadly. It’s a 400-level talk, since I want to really dive deep with my audience. I have five embedded demos, all of which are going to show how to combine multiple features, sprinkle in a bit of code, and apply them to near universally applicable customer use cases.

Why use the metaphor of a layer cake?

I’ve found that analogies and metaphors are very effective ways of grounding someone’s mental imagery when you’re trying to relay a complex topic. Last year, my metaphor was bridges. This year, I decided to go with cake: It’s actually very descriptive of the way that our customers need to think about Identity in AWS since there are multiple layers. (Also, who doesn’t like cake? It’s delicious.)

What are you hoping that your audience will take away from the session?

Customers are spending a lot of time getting identity right at the AWS layer. And that’s a ground-level, must-do task. I’m going to put a few new patterns in the audience’s hands to do this more effectively. But as a whole, we aren’t consistently putting as much effort into the infrastructure and application layers. That’s what I’m really hoping to expose people to. We have a wealth of features that really raise the bar in terms of cloud security and identity — from how users authenticate to operating systems or databases, to how they authenticate to the applications and APIs that they put on AWS. I want to expose these capabilities to folks and paint a vivid image for them of the really powerful things that they can do today that they couldn’t have done before.

What do you want your audience to do differently after attending your session?

During the session, I’ll be taking a handful of features that are really interesting in their own right, and combining them in a way that I hope will absolutely delight my audience. For example, I’ll show how you can take AWS CloudFormation macros and AWS Identity and Access Management, layer a little bit of customization on top, and come up with something far more magical than either of the two individually. It’s an advanced use case that, with very little effort, can disproportionately improve your security posture while letting your organization move faster. That’s just one example though, and the session is going to be loaded with them, including a grand finale. I’ve already started the work to open source a lot of what I’m going to show, but even where I can’t open source, I want to paint a very clear, prescriptive blueprint for how to get there. My goal is that my audience goes back to work on Monday and, within a couple of hours, they’ve measurably moved the security bar for their organization.

Any tips for first-time conference attendees?

Be deliberate about going outside of your comfort zone. If you’re not working in Security, come to one of our sessions. If you do work in Security, go to some other tracks, like DevOps or Analytics, to get that cross-pollination of ideas. One of the most amazing things about AWS is how it helps dramatically lower the barrier to entry for unfamiliar technology domains and tools. A developer can ship more secure code faster by being invested in security, and a security expert can disproportionally scale their impact by applying the tools of developers or data scientists. re:Invent is an amazing place to start exploring that diversity, and if you do, I suspect you’ll find ways to immediately make yourself better at your day job.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

Complexity and human understanding have always been at odds. I see initiatives across AWS that have all kinds of awesome innovation and computer science behind them. In the coming years, I think these will mature to the point that they will be able to offload much of the natural complexity that comes with securing large-scale environments with extremely fine-grained permissions. Folks will be able to provide very simple statements or rules of how they want their environment to be, and we should be able to manage the complexity for them, and present them with a nice, clean picture they can easily understand.

What does cloud security mean to you, personally?

I see possibilities today that were herculean tasks before. For example, the process to make sure APIs can properly authenticate and authorize each other used to be an extremely elaborate process at scale. It became such an impossible mess that only the largest of organizations with the best skills, the best technology, and the best automation were really able to achieve it. Everyone else just had to punt or put a band-aid on the problem. But in the world of the cloud, all it takes is attaching an AWS IAM role on one side, and a fairly small resource-based policy to an Amazon API Gateway API on the other. Examples like this show how we’re making security that would once have been extremely difficult for most customers to afford or implement simple to configure, get right, and deploy ubiquitously, and that’s really powerful. It’s what keeps me passionate about my work.

If you had to pick any other job, what would you want to do with your life?

I’ve got all kinds of wacky hobbies. I kiteboard, I surf, work on massive renovation projects at home, hike and camp in the backcountry, and fly small airplanes. It’s an overwhelming set of hobbies that didn’t align with my professional aptitude. But if the world were my oyster and I had to do something else, I would want to combine those hobbies into one single career that’s never before been seen.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Quint Van Deman

Quint is the global business development manager for AWS Identity and Directory services. In this role, he leads the incubation, scaling, and evolution of new and existing identity-based services, as well as field enablement and strategic customer advisement for the same. Before joining the BD team, Quint was an early member of the AWS Professional Services team, where he was a Senior Consultant leading cloud transformation teams at several prominent enterprise customers, and a company-wide subject matter expert on IAM and Identity federation.

AWS Security Profiles: Henrik Johansson, Principal, Office of the CISO

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-henrik-johansson-principal-office-of-the-ciso/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

As a Principal for the Office of the CISO, I not only get to spend time directly with our customers and their executives and operational teams, I also get to work with our own service teams and other parts of our organization. Additionally, a big part of this role involves spending time with the industry as a whole, in both small and large settings, and trying to raise the bar of the overall industry together with a number of other teams within AWS.

How do you explain your job to non-tech friends?

Whether or not someone understands what the cloud is, I try to focus on the core part of the role: I help people and organizations understand AWS Security and what it means to operate securely on the cloud. And I focus on helping the industry achieve these same goals.

What’s your favorite part of your job?

Helping customers and their executive leadership to understand the benefits of cloud security and how they can improve the overall security posture by using cloud features. Getting to show them how we can help drive road maps and new features and functions that they can use to secure their workloads (based on their valuable feedback) is very rewarding.

Tell us about the open source communities you support. Why are they important to AWS?

The open source community is important to me for a couple of reasons. First, it helps enable and inspire innovation by inviting the community at large to expand on the various use cases our services provide. I also really appreciate how customers enable other customers by not only sharing their own innovations but also inviting others to contribute and further improve their solutions. I have a couple of open source repositories that I maintain, where I put various security automation tools that I’ve built to show various innovative ways that customers can use our services to strengthen their security posture. Even if you don’t use open source in your company, you can still look at the vast number of projects out there, both from customers and from AWS, and learn from them.

What does cloud security mean to you, personally?

For me, it represents the possibility of creating efficient, secure solutions. I’ve been working in various security roles for almost twenty-five years, and the ability we have to protect data and our infrastructure has never been stronger. We have an incredible opportunity to solve challenges that would have been insurmountable before, and this leads to one thing: trust. It allows us to earn trust from customers, trust from users, and trust from the industry. It also enables our customers to earn trust from their users.

In your opinion, what’s the biggest challenge facing cloud security right now?

The opportunities far outweigh the challenges, honestly. The different methods that customers and users have to gain visibility into what they’re actually running are mind-blowing. That visibility is a combination of knowing what you have, knowing what you run, and knowing all the ins and outs of it. I still hear people talking about that server in the corner under someone’s desk that no one else knows about. That simply doesn’t exist in the cloud, where everything is an API call away. If anything, the challenge lies in finding people who want to continue driving the innovation and solving the hard cases with all the technology that’s at our fingertips.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

One shift we’re already seeing is that compliance is becoming a natural part of the security and innovation conversation. Previously, “compliance” meant that maybe you had a specific workload that needed to be PCI-compliant, or you were under HIPAA requirements. Nowadays, compliance is a more natural part of what we do. Privacy is everywhere. It has to be everywhere, based on requirements like GDPR, but we’re seeing a lot of these “have to be” requirements turning into “want to be” requirements — we’re not distinguishing between the users that are required to be protected and the “regular” users. More and more, we’re seeing that privacy is always going to have a seat at the table, which is something we’ve always wanted.

At re:Invent 2018, you’re presenting two sessions together with Andrew Krug. How did you choose your topics?

They’re a combination of what I’m passionate about and what I see our customers need. This is the third year I’ve presented my Five New Security Automations Using AWS Security Services & Open Source session. Previously, I’ve also built boot camps and talks around secure automation, DevSecOps, and container security. But we have a big need for open source security talks that demonstrate how people can actually use open source to integrate with our services — not just as a standalone piece, but actually using open source as inspiration for what they can build on their own. That’s not to say that AWS services aren’t extremely important. They’re the driving force here. But the open source piece allows people to adapt solutions to their specific needs, further driving the use cases together with the various AWS security services.

What are you hoping that your audience will take away from your sessions?

I want my audience to walk away feeling that they learned something new, and that they can build something that they didn’t know how to before. They don’t have to take and use the specific open source tools we put out there, but I want them to see our examples as a way to learn how our services work. It doesn’t matter if you just download a sample script or if you run a full project, or a full framework, but it’s important to learn what’s possible with services beyond what you see in the console or in the documentation.

Any tips for first-time conference attendees?

Plan ahead, but be open to ad-hoc changes. And most importantly, wear sneakers or comfortable walking shoes. Your feet will appreciate it.

If you had to pick any other job, what would you want to do with your life?

If I picked another role at Amazon, it would definitely be a position around innovation, thinking big, and building stuff. Even if it was a job somewhere else, I’d still want it to involve building, whether woodshop projects or a robot. Innovation and building are my passions.


Author

Henrik Johansson

Henrik is a Principal in the Office of the CISO at AWS Security. With over 22 years of experience in IT with a focus on security and compliance, he focuses on establishing and driving CISO-level relationships as a trusted cloud security advisor who has a passionate focus on developing services and features for security and compliance at scale.

AWS Security Profiles: Sam Koppes, Senior Product Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-sam-koppes-senior-product-manager/



How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for a year, and I’m a Senior Product Manager for the AWS CloudTrail team. I’m responsible for product roadmap decisions, customer outreach, and for planning our engineering work.

How do you explain your job to non-tech friends?

I work on a technical product, and for any tech product, responsibility is split in half: We have product managers and engineering managers. Product managers are responsible for what the product does. They’re responsible for figuring out how it behaves, what needs it addresses, and why customers would want it. Engineering managers are responsible for figuring out how to make it. When you look to build a product, there’s always the how and the what. I’m responsible for the what.

What are you currently working on that you’re excited about?

The scale challenges that we’re facing today are extremely interesting. We’re allowing customers to build things at an absolutely unheard-of scale, and bringing security into that mix is a challenge. But it’s also one of the great opportunities for AWS — we can bring a lot of value to customers by making security as turnkey as possible so that it just comes with the additional scale and additional service areas. I want people to sleep easy at night knowing that we’ve got their backs.

What’s your favorite part of your job?

When I deliver a product, I love sending out the What’s New announcement. During our launch calls, I love collecting social media feedback to measure the impact of our products. But really, the best part is the post-launch investigation that we do, which allows us to understand whether we hit the mark or not. My team usually does a really good job of making sure that we deliver the kinds of features that our customers need, so seeing the impact we’ve had is very gratifying. It’s a privilege to get to hear about the ways we’re changing people’s lives with the new features we’re building.

How did you choose your particular topic for re:Invent this year?

My session is called Augmenting Security Posture and Improving Operational Health with AWS CloudTrail. As a service, CloudTrail has been around a while. But I’ve found that customers face knowledge gaps in terms of what to do with it. There are a lot of people out there with an impressive depth of experience, but they sometimes lack an additional breadth that would be helpful. We also have a number of new customers who want more guidance. So I’m using the session to do a reboot: I’ll start from the beginning and go through what the service is and all the things it does for you, and then I’ll highlight some of the benefits of CloudTrail that might be a little less obvious. I built the session based on discussions with customers, who frequently tell me they start using the service — and only belatedly realize that they can do much more with it beyond, say, using it as a compliance tool. When you start using CloudTrail, you start amassing a huge pile of information that can be quite valuable. So I’ll spend some time showing customers how they can use this information to enhance their security posture, to increase their operational health, and to simplify their operational troubleshooting.

What are you hoping that your audience will take away from it?

I want people to walk away with two fistfuls of ideas for cool things they can do with CloudTrail. There are some new features we’re going to talk about, so even if you’re a power user, my hope is that you’ll return to work with three or four features you have a burning desire to try out.

What does cloud security mean to you, personally?

I’m very aware of the magnitude of the threats that exist today. It’s an evolving landscape. We have a lot of powerful tools and really smart people who are fighting this battle, but we have to think of it as an ongoing war. To me, the promise you should get from any provider is that of a safe haven — an eye in the storm, if you will — where you have relative calm in the midst of the chaos going on in the industry. Problems will constantly evolve. New penetration techniques will appear. But if we’re really delivering on our promise of security, our customers should feel good about the fact that they have a secure place that allows them to go about their business without spending much mental capacity worrying about it all. People should absolutely remain vigilant and focused, but they don’t have to spend all of their time and energy trying to stay abreast of what’s going on in the security landscape.

What’s the most common misperception you encounter about cloud security and compliance?

Many people think that security is a magic wand: You wave it, and it leads to a binary state of secure or not secure. And that’s just not true. A better way to think of security is as a chain that’s only as strong as its weakest link. You might find yourself in a situation where lots of people have worked very hard to build a very secure environment — but then one person comes in and builds on top of it without thinking about security, and the whole thing blows wide open. All it takes is one little hole somewhere. People need to understand that everyone has to participate in security.

In your opinion, what’s the biggest challenge that people face as they move to the cloud?

At AWS, we follow this thing called the Shared Responsibility Model: AWS is responsible for securing everything from the virtualization layer down, and customers are responsible for building secure applications. One of the biggest challenges that people face lies in understanding what it means to be secure while doing application development. Companies like AWS have invested hugely in understanding different attack vectors and learning how to lock down our systems when it comes to the foundational service we offer. But when customers build on a platform that is fundamentally very secure, we still need to make sure that we’re educating them about the kinds of things that they need to do, or not do, to ensure that they stay within this secure footprint.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think we’ll see a tremendous amount of growth in the application of machine learning and artificial intelligence. Historically, we’ve approached security in a very binary way: rules-based security systems in which things are either okay or not okay. And we’ve built complex systems that define “okay” based on a number of criteria. But we’ve always lacked the ability to apply a pseudo-human level of intelligence to threat detection and remediation, and today, we’re seeing that start to change. I think we’re in the early stages of a world where machine learning and artificial intelligence become a foundational, indispensable part of an effective security perimeter. Right now, we’re in a world where we can build strong defenses against known threats, and we can build effective hedging strategies to intercept things we consider risky. Beyond that, we have no real way of dynamically detecting and adapting to threat vectors as they evolve — but that’s what we’ll start to see as machine learning and artificial intelligence enter the picture.

If you had to pick any other job, what would you want to do with your life?

I have a heavy engineering background, so I could see myself becoming a very vocal and customer-obsessed engineering manager. For a more drastic career change, I’d write novels — an ability that I’ve been developing in my free time.


Author

Sam Koppes

Sam is a Senior Product Manager at Amazon Web Services. He currently works on AWS CloudTrail and has worked on AWS CloudFormation, as well. He has extensive experience in both the product management and engineering disciplines, and is passionate about making complex technical offerings easy to understand for customers.

AWS Security Profiles: Alana Lan, Software Development Engineer; Shane Xu, Technical Program Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-alana-lan-software-development-engineer-shane-xu-technical-program-manager/



How long have you been at AWS, and what do you do in your current role?

Alana: I’m a software development engineer, and I’ve been here for a year and a half. I’m on the Security Assessment and Automation team. My team’s main purpose is to develop tools that help internal teams save time. For example, we build tools to help people find resources for external customers, like information control frameworks. We also build services that aggregate data about AWS resources that other teams can use to identify critical resources.

Shane: I started around the same time as Alana — we’re part of the same team. I’m a Technical Program Manager, and my role is to perform deep-dives into different security domains to investigate the effectiveness of our controls and then propose ways to automate the monitoring and mitigation of those controls. I like to explain my role using a metaphor: If AWS Security is the guardian of the AWS Cloud, then the role of the Security Assurance team is to make sure the guardians have the right superpowers. And the goal of my team is to ensure those superpowers are automated and always monitored so that they’re always available when needed.

How do you explain your job to non-tech friends?

Alana: I tell people that there are many AWS services, and many teams working to make those services available globally. My work is to make the jobs of those teams easier with tools and resources that reduce manual effort and allow them to serve customers better.

Shane: I normally tell people that my role is related to security automation. Those two words tend to make sense to people. If they want more detail, I explain that my role is to automate the compliance managers out of the repetitive aspects of their jobs. Compliance managers cut tickets to request different kinds of evidence to show to auditors. My role is to automate this so that compliance managers don’t need to go through a long, manual process and so they can focus on more important tasks.

What are you currently working on that you’re excited about?

Alana: We’re working on a service that aggregates data about Amazon and AWS resources to provide ways to find relationships between these resources. We’re also experimenting with Amazon Neptune (a graph database) plus some new features of other services to help our teams help customers. Sometimes, SDEs seek us out for help with specific needs, and we try to encourage that: We want to emphasize how important security is. I like getting to work on a team that grapples with abstract concepts like “security” and “compliance.”

Shane: I’m working on an initiative to reduce the manual effort required for data center audits. We’re a cloud company, which means we have data centers all over the world, and they are critical infrastructure for AWS services and customer data. For compliance purposes, we need to do physical audits of all of those sites, and a typical approach would be flying out to dozens of locations each year to examine the security and environmental controls we have in place. I’m working on a project that’s less manual and resource-heavy.

You’re involved with this year’s Security Jam at re:Invent. What’s a Security Jam?

Shane: The Security Jam is basically a hackathon. It’s an all-day event from 8 AM to 4 PM that includes a dozen challenges (one of which Alana and I are hosting). The doors open at 7 AM at the MGM Studio Ballroom, and you can sign up as a group, or we’ll randomly pair you as needed. Your team works through as many of the challenges as possible, with the goal of getting the high score. The challenges are intended to provide hands-on experience with how to use AWS services and configure them to make sure your environment is secure. The Jams are structured to accommodate AWS users of all levels.

What’s your Security Jam challenge about?

Shane: Last year, our challenge focused on ensuring an environment was secure and compliant. This year, we’re taking it one step further by focusing on continuous monitoring. It’s a challenge that’s relevant whether you’re a small company or a large enterprise: You can’t realistically have one person sitting in front of a dashboard 24/7. You need to find a way to continuously monitor your resources so that at any time, when a new resource becomes available and older ones are deprecated, you have an up-to-date snapshot of your compliance environment. For the Security Jam challenge, I provide a proof of concept that lets participants use AWS Config to configure some out-of-the-box rules (or develop new rules) to provide continuous monitoring of their environment. We’ve also added an API around this for people like compliance managers, who might not have a technical background but need to be able to easily get a report if they need it.

Alana: Customers have reported that AWS Config is very useful, so we built the challenge to expose more people to the service. It will give participants a foundation that they can use in the future to protect their data or services. It’s a starting point.
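The continuous-monitoring pattern Shane describes, an AWS Config custom rule that re-evaluates a resource whenever it changes, looks like this in practice. The code below is an added example for this profile, not the Security Jam challenge’s own code: it is a Lambda evaluator that flags security groups exposing watched ports (SSH and RDP by default) to the whole internet. The rule parameter name `watchedPorts` is an assumed name, the sample configuration item and `resultToken` are constructed, and the configuration-item shape is the one AWS Config delivers for `AWS::EC2::SecurityGroup` (an `ipPermissions` list carrying either `ipRanges` strings or `ipv4Ranges`/`ipv6Ranges` dicts).

```python
"""Added example: a custom AWS Config rule evaluator for security groups.

Not the Security Jam's code. Assumes AWS Config's configuration-item shape
for AWS::EC2::SecurityGroup. The evaluation logic is kept free of boto3 so it
can be exercised offline against constructed configuration items.
"""
import json

DEFAULT_PORTS = "22,3389"            # hypothetical default for the watchedPorts rule parameter
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "open to the world" in IPv4 and IPv6


def _cidrs(permission):
    """Collect every CIDR in one ipPermissions entry, across the older and newer formats."""
    cidrs = set(permission.get("ipRanges", []))
    cidrs.update(r.get("cidrIp") for r in permission.get("ipv4Ranges", []))
    cidrs.update(r.get("cidrIpv6") for r in permission.get("ipv6Ranges", []))
    cidrs.discard(None)
    return cidrs


def evaluate_security_group(configuration, watched_ports):
    """Return (compliance_type, annotation) for one security group's configuration."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        low, high = perm.get("fromPort"), perm.get("toPort")
        # An all-traffic rule (ipProtocol "-1") or one without ports covers every port.
        if low is None or high is None or perm.get("ipProtocol") == "-1":
            low, high = 0, 65535
        world = _cidrs(perm) & WORLD_CIDRS
        if not world:
            continue
        hit = sorted(p for p in watched_ports if low <= p <= high)
        if hit:
            findings.append(f"ports {hit} open to {sorted(world)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Annotation is limited to 256 chars
    return "COMPLIANT", "No watched port is open to the world"


def evaluate(event):
    """Turn a Config custom-rule invocation event into one Evaluation dict."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in params.get("watchedPorts", DEFAULT_PORTS).split(",")}
    item = invoking["configurationItem"]
    deleted = item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if deleted or item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, annotation = "NOT_APPLICABLE", "Resource deleted or not a security group"
    else:
        compliance, annotation = evaluate_security_group(item.get("configuration") or {}, ports)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the result back to AWS Config."""
    import boto3  # imported here so the evaluation logic above stays testable offline
    evaluation = evaluate(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


def make_event(configuration, status="OK", watched_ports=DEFAULT_PORTS):
    """Build a constructed invocation event, shaped like what Config sends to the Lambda."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::SecurityGroup",
                "resourceId": "sg-0123456789abcdef0",  # constructed id
                "configurationItemStatus": status,
                "configurationItemCaptureTime": "2018-11-01T12:00:00.000Z",
                "configuration": configuration,
            },
        }),
        "ruleParameters": json.dumps({"watchedPorts": watched_ports}),
        "resultToken": "constructed-token",
    }


# Constructed sample: SSH open to the world, HTTPS restricted to an internal range.
SAMPLE_CONFIGURATION = {
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    ]
}
SAMPLE_EVENT = make_event(SAMPLE_CONFIGURATION)

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENT), indent=2))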

What knowledge or experience do you hope participants will gain by completing your challenge?

Alana: I want people to understand that AWS services are not difficult to use. For example, there are many open source AWS Lambda functions that can help protect your data with a few button clicks. Don’t be afraid to get started.

Shane: People sometimes think compliance is scary. I want the hands-on nature of the challenge to show people that we provide tools that will make your life, and your customers’ lives, easier. I also want people to learn ways of avoiding compliance fatigue. Automation makes it easier for you to focus on more innovative work. It’s the future of compliance.

In your opinion, what’s the biggest challenge facing cloud security and compliance right now?

Shane: The scope for compliance is getting larger and larger, and there will always be new revelations and new types of threats. Developing scalable solutions to help achieve compliance is an ongoing challenge, and one we can’t just throw human power at. That’s why automation is so important. The other challenge is that some people see compliance as a burden, when we want it to be an enabler. I want people to understand that it’s not just a regulation or a security best practice. Compliance is a way to enable growth.

Alana: If I worked on another team, I think it would have taken me several years to figure out how my daily job impacted the security and compliance of AWS as a whole. It’s hard to connect the coding of an individual project back to AWS Security. We’re encouraged to take trainings, and we know that it’s important to protect your data, but people don’t always understand why, exactly. It’s hard for individual contributors to get a sense of the big picture.

If you had to pick any other job, what would you want to do with your life?

Alana: If I wasn’t an SDE, I’d want to be a Data Scientist. I think it would be interesting to analyze data and figure out the trends.

Shane: I would really like to be involved in AI. There are so many unknowns right now, in terms of how to ensure AI that’s secure and ethical. I’d also like to be a teacher, or a university professor. When I was working on my Master’s degree, it was really difficult to get some practical skills, such as how to have a productive one-on-one with my manager, or what career paths are available in a security-related field. I like the idea of being able to use my industry experience to help other students.

What career advice do you have for someone just joining AWS?

Shane: There’s a lot of opportunity at AWS. During my first six months here, I was cautious: Because of my previous consulting background, I felt like I had to have a legit case to talk with leadership and take up their time. It’s certainly important that I value their time, but in general I’ve found people in senior positions to be very willing to engage with me. My advice is to not be afraid to reach out, grow your network, and learn new things.

Alana: I’d echo what Shane said. There are a lot of possibilities at AWS, so don’t be afraid to try something new.


Author

Alana Lan

Alana is a Software Development Engineer at AWS. She’s responsible for building tools and services to help with the operations of AWS security and compliance controls. Currently, she is obsessed with exploring AWS Services.

Author

Shane Xu

Shane is a Technical Program Manager for Security Assessment and Automation at AWS. Shane brings together people, technology, and processes to invent and simplify security and compliance automation solutions. He’s a passionate learner and curious explorer at work and in life.

AWS Security Profiles: Matt Bretan, Principal Manager, AWS Professional Services

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-matt-bretan-principal-manager-aws-professional-services/



How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS Professional Services nearly five years. I run two teams: our Security Assurance and Advisory Practice team, and our Security Experience team. The Security Assurance and Advisory Practice team is responsible for working with our customers’ executive leadership to help them plan their security risk and compliance strategy when they move to AWS. Executives need to understand how to organize their teams and what tools and mechanisms they need in order to meet expected regulatory or policy-based controls. We help with that. It’s a relatively new team that we started up in early 2018.

The Security Experience team is responsible for our Jam platform, which is changing the way we help customers learn about AWS services and partners. Previously, when we went to a customer, we gave slide presentations about how to be secure on AWS and how to migrate to the cloud. At the end of the presentation, people could usually repeat definitions back at us, but when we put them in front of a keyboard and monitor, they were uncertain about what to do. So, we built out the Jam platform, which allows customers to get hands-on experiences across a wide variety of AWS services, plus some partner products as well. It’s a highly gamified way to learn.

What’s the most challenging part of your job?

How to scale our offerings. A lot of what we do is to work one-on-one with our customers. Part of my job is to figure out how to impact more customers. We don’t just want to work with the largest companies of the world, but rather we want to help all companies be more secure. So, I’m constantly asking myself how to create tools and offerings that are scalable enough to impact everyone, and that everyone can benefit from.

What are you currently working on that you’re excited about?

The Jam platform. It allows us to change the way that customers experience AWS, and the way that they learn about moving to the cloud. It’s a different way to think about learning — gamifying the cloud adoption process helps people actually experience the technology. It’s not just definitions on a slide deck anymore. People get to see the capabilities of AWS in action, and they’ll have that Jam experience as a foundation once they start building their own infrastructure.

What can people expect from your teams at re:Invent this year?

The Jam Lounge will be in the Tundra Lounge within the Partner Expo Center at the Venetian. You’ll be able to register for the Jam Lounge there, and from Monday night through Thursday night, you can take part in a number of challenges — everything from security to migration to data analytics. We’ll be showcasing five partner solutions as well. The cool thing about the Jam Lounge is that it’s a completely virtual event. Once you register for the event in the Partner Expo Center, you can take part in the challenges from anywhere at re:Invent. This means that you can gain hands-on experience with AWS and our partner solutions in between the other amazing sessions and activities that go on during re:Invent.

The Security Jam takes place on Thursday, and it’s purely security-focused. We’ll have 13 different challenges. There are 10 specifically around AWS services and three from partners, and they’ll highlight different cloud security scenarios that people might encounter on a day-to-day basis. You’ll get to go into AWS accounts that we provision for you, identify what is wrong, and then fix the accounts to get them into a known good state.

We’re also hosting the Executive Security Simulation as part of the executive track. That one is a tabletop exercise to help attendees experience and think about security from a high level. We simulate the first two years in a company’s life as they adopt the cloud — including some of the decisions they have to make in this process — so that people can think through security adoption from a lens that’s less about technical implementation and more about high-level strategy.

You mentioned that the Security Jam is an example of gamified learning. Can you talk more about what that means?

People love the hands-on application of learning: Rather than reading definitions, you get to use the technology and experience it. And that’s what gamification does: It gives you the actual infrastructure with an actual problem, and you get to go in and fix it. Also, it plays well to people’s competitive side. We set participants up in teams, and you have to work together to solve problems and win. There’s a leaderboard and scoring with points and clues. Anyone can participate, get what they need out of it, have fun doing it, and feel successful at the end of the day. This is the third year we’ve run a Jam at re:Invent, and we’re excited to have everyone try brand-new challenges and learn about new services and ways to do things on AWS.

Any tips for first-time conference attendees?

This conference is a marathon and not a sprint! There are so many great sessions and activities that go on during the week, so spend a little bit of time now reviewing the agenda and figure out what is most important for you to attend. Prioritize those items, and then make sure to leave some time for some surprise announcements! For the Jam sessions, you actually get to interact with AWS and our partner solutions, so bring your laptop. But also, come with an open mind. I think the big thing here is that re:Invent is a learning event. But for our events, at the end, there are prizes!

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I think a lot of the changes will be around the requirements themselves. Today, many of the requirements in the compliance space center around specific technologies, rather than around the risk itself. Often, these programs are also primarily written around a traditional data center model where someone deploys an application onto a server and then doesn’t touch it for years. I think as compliance programs mature, we’ll shift to more of a risk-based process that puts the overall security and protection of customers first while taking into account how technology is constantly changing.

What does cloud security mean to you, personally?

I use technology: I stream videos, I do online banking, I buy things online, and I have an IoT-connected house. So, for me, cloud security is a way to protect my own interests and the interests of my family. I’m using these companies — often customers of ours — on a day-to-day basis. So the more I can do to ensure that they’re being secure with their implementations, the more secure I’ll be in the long run — and the more secure all consumers will be. The more I can do to proactively make it difficult for malicious parties to do harm, the safer and better all of our lives will be.

If you had to pick any other job, what would you want to do with your life?

My passion is building things. If I were to switch careers, I think I’d want to build physical structures, like houses or buildings. I believe there is a strong similarity between the work I do now around helping design security controls and the work that architects do when they design buildings. There are risks around building physical structures. You have to deal with things like lateral loads and entrance and exit controls. Technology involves a different kind of load, but in both cases, you have to go through a process of preparing for it and understanding it. I find that similarity fascinating.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Matt Bretan

Matt travels the world helping customers move their most sensitive workloads onto AWS while trying to find the best airline snack. He won’t stop until he has figured out how to help everyone. When not working with customers, he is at home with his beautiful wife and three wonderful kids.

AWS Security Profiles: Phil Rodrigues, Principal Security Solutions Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-phil-rodrigues-principal-security-solutions-architect/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’m a Principal Security Solutions Architect based in Sydney, Australia. I look after both Australia and New Zealand. I just had my two year anniversary with AWS. As I tell new hires, the first few months at AWS are a blur, after 6-12 months you start to get some ideas, and then after a year or two you start to really own and implement your decisions. That’s the phase I’m in now. I’m working to figure out new ways to help customers with cloud security.

What are you currently working on that you’re excited about?

In Australia, AWS has a mature set of financial services customers who are leading the way in terms of how large, regulated institutions can consume cloud services at scale. Many Aussie banks started this process as soon as we opened the region six years ago. They’re over the first hump, in terms of understanding what’s appropriate to put into the cloud, how they should be controlling it, and how to get regulatory support for it. Now they’re looking to pick up steam and do this at scale. I’m excited to be a part of that process.

What’s the most challenging part of your job?

Among our customers’ senior leadership there’s still a difference of opinion on whether or not the public cloud is the right place to be running, say, critical banking workloads. Based on anecdotal evidence, I think we’re at a tipping point leading to broad adoption of public cloud for the industry’s most critical workloads. It’s challenging to figure out the right messaging that will resonate with the boards of large, multi-national banks to help them understand that the technology control benefits of the cloud are far superior when it comes to security.

What’s your favorite part of your job?

We had a private customer security event in Australia recently, and I realized that we now have the chance to do things that security professionals have always wanted to do. That is, we can automatically apply the most secure configurations at scale, ubiquitously across all workloads, and we can build environments that are quick to respond to security problems and that can automatically fix those problems. For people in the security industry, that’s always been the dream, and it’s a dream that some of our customers are now able to realize. I love getting to hear from customers how AWS helped make that happen.

How did you choose your particular topic for re:Invent this year?

Myles Hosford and I are presenting a session called Top Cloud Security Myths – Dispelled! It’s a very practical session. We’ve talked with hundreds of customers about security over the past two years, and we’ve noticed the types of questions that they ask tend to follow a pattern that’s largely dependent on where they are in their cloud journey. Our talk covers these questions — from the simple to the complex. We want the talk to be accessible for people who are new to cloud security, but still interesting for people who have more experience. We hope we’ll be able to guide everyone through the journey, starting with basics like, “Why is AWS more secure than my data center?”, up through more advanced questions, like “How does AWS protect and prevent administrative access to the customer environment?”

What are you hoping that your audience will take away from it?

There are only a few 200-level talks on the Security track. Our session is for people who don’t have a high level of expertise in cloud security — people who aren’t planning to go to the 300- and 400-level builder talks — but who still have some important, foundational questions about how secure the cloud is and what AWS does to keep it secure. We’re hoping that someone who has questions about cloud security can come to the session and, in less than an hour, get a number of the answers that they need in order to make them more comfortable about migrating their most important workloads to the cloud.

Any tips for first-time conference attendees?

You’ll never see it all, so don’t exhaust yourself by trying to crisscross the entire length of the Strip. Focus on the sessions that will be the most beneficial to you, stay close to the people that you’d like to share the experience with, and enjoy it. This isn’t a scientific measure, but I estimate that last year I saw maybe 1% of re:Invent — so I tried to make it the best 1% that I could. You can catch up on new service announcements and talks later, via video.

What’s the most common misperception you encounter about cloud security?

One common misperception stems from the fact that cloud is a broad term. On one side of the spectrum, you have global hyperscale providers, but on the opposite end, you have small operations with what I’d call “a SaaS platform and a dream” who might sell business ideas to individual parts of a larger organization. The organization might want to process important information on the SaaS platform, but the provider doesn’t always have the experience to put the correct controls into place. Now, AWS does an awesome job of keeping the cloud itself secure, and we give customers a lot of options to create secure workloads, but many times, if an organization asks the SaaS provider if they’re secure, the SaaS provider says, “Of course we’re secure. We use AWS.” They’ll give out AWS audit reports that show what AWS does to keep the cloud secure, but that’s not the full story. The software providers operating on top of AWS also play a role in keeping their customers’ data secure, and not all of these providers are following the same mature, rigorous processes that we follow — for example, undergoing external third-party audits. It’s important for AWS to be secure, but it’s also important for the ecosystem of partners building on top of us to be secure.

In your opinion, what’s the biggest challenge facing cloud security right now?

The number of complex choices that customers must make when deciding which of our services to use and how to configure them. We offer great guidance through best practices, Well-Architected reviews, and a number of other mechanisms that guide the industry, but our overall model is still that of providing building blocks that customers must assemble themselves. We hope customers are making great decisions regarding security configurations while they’re building, and we provide a number of tools to help them do this — as do a number of third-parties. But staying secure in the cloud still requires a lot of choices.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I’m not losing much sleep over quantum computing and its impact on cryptography. I think that’s a while away. For me, the near future is more likely to feature developments like broad adoption of automated assurance. We’ll move away from paper-based, once-a-year audits to determine organizations’ technology risk, and toward taking advantage of persistent automation, near-instant visibility, and being able to react to things that happen in real time. I also think we’ll see a requirement for large organizations who want to move important workloads to the cloud to use security automation. Regulators and the external audit community have started to realize that automated security is possible, and then they’ll push to require it. We’re already seeing a handful of examples in Australia, where regulators who understand the cloud are asking to see evidence of AWS best practices being applied. Some customers are also asking third-party auditors not to bring in a spreadsheet but rather to query the state of their security controls via an API in real time or through a dashboard. I think these trends will continue. The future will be very automated, and much more secure.

What does cloud security mean to you, personally?

My customer base in Australia includes banks, governments, healthcare, energy, telco, and utility. For me, this drives home the realization that the cloud is the critical digital infrastructure of the future. I have a young family who will be using these services for a long time. They rely on the cloud either as the infrastructure underneath another service they’re consuming — including services as important as transportation and education — or else they access the cloud directly themselves. How we keep this infrastructure safe and secure, and how we keep people’s information private but available affects my family.

Professionally, I’ve been interested in security since before it was a big business, and it’s rewarding to see stuff that we toiled on in the corner of a university lab two decades ago gaining attention and becoming best practice. At the same time, I think everyone who works in security thrives on the challenge that it’s not simple, it’s certainly not “done” yet, and there’s always someone on the other side trying to make it harder. What drives me is both that professional sense of competition, and the personal realization that getting it right impacts me and my family.

What’s the one thing a visitor should do on a trip to Sydney?

Australia is a fascinating place, and visitors tend to be struck by how physically beautiful it is. I agree; I think Sydney is one of the most beautiful cities in the world. My advice is to take a walk, whether along the Opera House, at Sydney Harbor, up through the botanical gardens, or along the beaches. Or take a ferry across to the Manly beachfront community to walk down the promenade. It’s easy to see the physical beauty of Sydney when you visit — just take a walk.


Author

Phil Rodrigues

Phil Rodrigues is a Principal Security Solutions Architect for AWS based in Sydney, Australia. He works with AWS’s largest customers to improve their security, risk, and compliance in the cloud. Phil is a frequent speaker at AWS and cloud events across Australia. Prior to AWS, he worked for over 17 years in Information Security in the US, Europe, and Asia-Pacific.

AWS Security Profiles: Ken Beer, General Manager, AWS Key Management Service

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-ken-beer-general-manager-aws-key-management-service/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been here a little over six years. I’m the General Manager of AWS Key Management Service (AWS KMS).

How do you explain your job to non-tech friends?

For any kind of product development, you have the builders and the sellers. I manage all of the builders of the Key Management Service.

What are you currently working on that you’re excited about?

The work that gets me excited isn’t always about new features. There’s also essential work going on to keep AWS KMS up and running, which enables more and more people to use it whenever they want. We have to maintain a high level of availability, low latency, and a good customer experience 24 hours a day. Ensuring a good customer experience and providing operational excellence is a big source of adrenaline for service teams at AWS — you get to determine in real time when things aren’t going well, and then try to address the issue before customers notice.

In addition, we’re always looking for new features to add to enable customers to run new workloads in AWS. At a high level, my teams are responsible for ensuring that customers can easily encrypt all their data, whether it resides in an AWS service or not. To date, that’s primarily been an opt-in exercise for customers. Depending on the service, they might choose to have it encrypted — and, more specifically, they might choose to have it encrypted under keys that they have more control over. In a classic model of encryption, your data is encrypted at storage — think of BitLocker on your laptop — and that’s it. But if you don’t understand how encryption works, then you don’t appreciate the fact that encrypted by default doesn’t necessarily provide the security you think it does if the person or application that has access to your encrypted data can also cause your keys to be used whenever it wants to decrypt your data. AWS KMS was invented to help provide that separation: Customers can control who has access to their keys and enable how AWS services or their own applications make use of those keys in an easy, reliable, and low-cost way.

What’s the most challenging part of your job?

It depends on the project that’s in front of me. Sometimes it’s finding the right people. That’s always a challenge for any manager at AWS, considering that we’re still in a growth phase. In my case, finding people who meet the engineering bar for being great computer scientists is often not enough — I’ve got to find people who appreciate security and have a strong ethos for maintaining the confidentiality of customer data. That makes it tougher to find people who will be a good fit on my teams.

Outside of hiring good people, the biggest challenge is to minimize risk as we constantly improve the service. We’re trying to improve the feature set and the customer experience of our service APIs, which means that we’re always pushing new software — and every deployment introduces risk.

What’s your favorite part of your job?

Working with very smart, committed, passionate people.

How did you choose your particular topic for re:Invent this year?

For the past four years, I’ve given a re:Invent talk that offered an overview of how to encrypt things at AWS. When I started giving this talk, not every service supported encryption, AWS KMS was relatively new, and we were adding a lot of new features. This year, I was worried the presentation wouldn’t include enough new material, so I decided to broaden the scope. The new session is Data Protection: Encryption, Availability, Resiliency, and Durability, which I’ll be co-presenting with Peter O’Donnell, one of our solution architects. This session focuses on how to approach data security and how to think about access control of data in the cloud holistically, where encryption is just a part of the solution. When we talk to our customers directly, we often hear that they’re struggling to figure out which of their well-established on-premises security controls they should take with them to the cloud — and what new things they should be doing once they get there. We’re using the session to give people a sense of what it means to own logical access control, and of all the ways they can control access to AWS resources and their data within those resources. Encryption is another access control mechanism that can provide strong confidentiality if used correctly. If a customer delegates to an AWS managed service to encrypt data at rest, the actual encipherment of data is going to happen on a server that they can’t touch. It’s going to use code that they don’t own. All of the encryption occurs in a black box, so to speak. AWS KMS gives customers the confidence to say, “In order to get access to this piece of data, not only does someone have to have permission to the encrypted data itself in storage, that person also has to have permission to use the right decryption key.” Customers now have two independent access control mechanisms, as a belt-and-suspenders approach for stronger data security.
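The separation described in the two answers above (one permission on the stored ciphertext, a separate permission to use the key that protects it) can be modelled end to end. The Python below is an added example written for this page, not AWS code and not the KMS API: a stand-in `KeyService` plays the part of KMS, an `ObjectStore` plays the part of an S3 bucket, the principals, key ID and object name are constructed for the scenario, and an HMAC-SHA256 keystream with an HMAC tag stands in for the AES-GCM that AWS services use, so everything runs offline with the standard library. Reading an object succeeds only when both layers authorize the caller: a principal with only the object permission gets ciphertext it cannot unwrap, and a principal with only the key permission is refused before any decryption happens.

```python
import hashlib
import hmac
import os


class PermissionDenied(Exception):
    """Raised when either access-control layer refuses the request."""

# Authenticated-encryption stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# example runs offline; AWS services use AES-GCM. The point is the two checks below.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream_xor(enc_key, nonce, data):
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return _keystream_xor(enc, nonce, ct)


class KeyService:
    """Stand-in for KMS. Master keys never leave this object; a per-key policy maps
    principal -> allowed actions, e.g. {"alice": {"GenerateDataKey", "Decrypt"}}."""

    def __init__(self):
        self._master, self._policy = {}, {}

    def create_key(self, key_id, policy):
        self._master[key_id] = os.urandom(32)
        self._policy[key_id] = {p: set(actions) for p, actions in policy.items()}

    def _authorize(self, key_id, principal, action):
        if action not in self._policy[key_id].get(principal, set()):
            raise PermissionDenied(f"kms: {principal} may not {action} with {key_id}")

    def generate_data_key(self, key_id, principal):
        """Return (plaintext data key, data key wrapped under the master key)."""
        self._authorize(key_id, principal, "GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, seal(self._master[key_id], data_key)

    def decrypt(self, key_id, principal, wrapped_key):
        self._authorize(key_id, principal, "Decrypt")
        return open_sealed(self._master[key_id], wrapped_key)


class ObjectStore:
    """Stand-in for an S3 bucket: holds ciphertext plus the wrapped data key and
    enforces its own per-object reader list (the first access-control layer)."""

    def __init__(self):
        self._objects = {}

    def put(self, name, ciphertext, wrapped_key, readers):
        self._objects[name] = (ciphertext, wrapped_key, set(readers))

    def get(self, name, principal):
        ciphertext, wrapped_key, readers = self._objects[name]
        if principal not in readers:
            raise PermissionDenied(f"store: {principal} may not read {name}")
        return ciphertext, wrapped_key


def put_encrypted(store, kms, key_id, principal, name, plaintext, readers):
    # Envelope encryption: a fresh data key protects the object, KMS wraps the data key.
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    store.put(name, seal(data_key, plaintext), wrapped, readers)

def get_decrypted(store, kms, key_id, principal, name):
    ciphertext, wrapped = store.get(name, principal)   # check 1: permission on the object
    data_key = kms.decrypt(key_id, principal, wrapped)  # check 2: permission to use the key
    return open_sealed(data_key, ciphertext)

def demo():
    """Constructed scenario: alice holds both permissions, bob may read the object but
    not use the key, carol may use the key but not read the object."""
    kms, store = KeyService(), ObjectStore()
    kms.create_key("payroll-key", {"alice": {"GenerateDataKey", "Decrypt"}, "carol": {"Decrypt"}})
    put_encrypted(store, kms, "payroll-key", "alice", "payroll.csv", b"salary,100000", {"alice", "bob"})
    outcome = {}
    for who in ("alice", "bob", "carol"):
        try:
            outcome[who] = get_decrypted(store, kms, "payroll-key", who, "payroll.csv")
        except PermissionDenied as denied:
            outcome[who] = str(denied)
    return outcome
```

Calling `demo()` returns the plaintext for alice and a refusal message for the other two; the message names which layer refused, which is the property the answer describes: compromising the storage permission alone (bob) or the key permission alone (carol) does not expose the data.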

What are you hoping that your audience will take away from it?

I want people to think about the classification of their data and which access control mechanisms they should apply to it. In many cases, a given AWS service won’t let you apply a specific classification to an individual piece of data. It’ll be applied to a collection or a container of data — for example, a database. I want people to think about how they’re going to define the containers and resources that hold their data, how they want to organize them, and how they’re going to manage access to create, modify, and delete them. People should focus on the data itself as opposed to the physical connections and physical topology of the network since with most AWS services they can’t control that topology or network security — AWS does it all for them.

Any tips for first-time conference attendees?

Wear comfortable shoes. Because so many different hotels are involved, getting from point A to point B often requires walking at a brisk pace. We hope a renewed investment in shuttle buses will help make transitions easier.

What’s the most common misperception you encounter about encryption in the cloud?

I encounter a lot of people who think, “If I use my cloud provider’s encryption services, then they must have access to my data.” That’s the most common misperception. AWS services that integrate with AWS KMS are designed so that AWS does not have access to your data unless you explicitly give us that access. This can be a hard concept to grasp for some, but we put a lot of effort into the secure design of our encryption features and we hold ourselves accountable to that design with all the compliance schemes we follow. After that, I see a lot of people under the impression that there’s a huge performance penalty for using encryption. This is often based on experiences from years ago: At the time, a lot of CPU cycles were spent on encryption, which meant they weren’t available for interesting things like database searches or vending web pages. Using the latest hardware in the cloud, that’s mostly changed. While there’s a non-zero cost to doing encryption (it’s math and physics, after all), AWS can hide a lot of that and absorb the overhead on behalf of customers. Especially when customers are trying to do full-disk encryption for workloads running on Amazon Elastic Compute Cloud (Amazon EC2) with Amazon Elastic Block Store (Amazon EBS), we actually perform the encryption on dedicated hardware that’s not exposed to the customer’s memory space or compute. We’re minimizing the perceived latency of encryption, and we all but erase the performance cost in terms of CPU cycles for customers.

What are some of the blockers that customers face when it comes to using cryptography?

There are some customers who’ve heard encryption is a good idea — but every time they’ve looked at it, they’ve decided that it’s too hard or too expensive. A lot of times, that’s because they’ve brought in a consultant or vendor who’s influenced them to think that it would be expensive, not just from a licensing standpoint but also in terms of having people on staff who understand how to do it right. We’d like to convince those customers that they can take advantage of encryption, and that it’s incredibly easy in AWS. We make sure it’s done right, and in a way that doesn’t introduce new risks for their data.

There are other customers, like banks and governments, who have been doing encryption for years. They don’t realize that we’ve made encryption better, faster, and cheaper. AWS has hundreds of people tasked with making sure encryption works properly for all of the millions of AWS customers. Most companies don’t have hundreds of people on staff who care about encryption and key management the way we do. These companies should absolutely perform due diligence and force us to prove that our security controls are in place and they do what we claim they do. We’ve found the customers that have done this diligence understand that we’re providing a consistent way to enforce the use of encryption across all of their workloads. We’re also on the cutting edge of trying to protect them against tomorrow’s encryption-related problems, such as quantum-safe cryptography.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think we’ll see a couple of changes. The first is that we’ll see more customers use encryption by default, making encryption a critical part of their operational security. It won’t just be used in regulated industries or by very large companies.

The second change is more fundamental, and has to do with a perceived threat to some of today’s cryptography: There’s some evidence that quantum computing will become affordable and usable at some point in time — although it’s unclear if that time is 5 or 50 years away. But when it comes, it will make certain types of cryptography very weak, including the kind we use for data in transit security protocols like HTTPS and TLS. The industry is currently working on what’s called quantum-safe or post-quantum cryptography, in which you use different algorithms and different key sizes to provide the same level of security that we have today, even in the face of an adversary that has a quantum computer and can capture your communications. As encryption algorithms and protocols evolve to address this potential future risk, we’ll see a shift in the way our devices connect to each other. Our phones, our laptops, and our servers will adopt this new technology to ensure privacy in our communications.


Author

Ken Beer

Ken is the General Manager of the AWS Key Management Service. Ken has worked in identity and access management, encryption, and key management for over 6 years at AWS. Before joining AWS, Ken was in charge of the network security business at Trend Micro. Before Trend Micro, he was at Tumbleweed Communications. Ken has spoken on a variety of security topics at events such as the RSA Conference, the DoD PKI User’s Forum, and AWS re:Invent.

AWS Security Profiles: Nihar Bihani, Senior Manager; Jeff Lyon, Systems Development Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-nihar-bihani-senior-manager-jeff-lyon-systems-development-manager/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

Jeff: I’ve been with AWS for four years. I started as a Product Manager before transitioning into my current role as a Systems Development Manager where I lead the AWS DDoS Response Team. The AWS DDoS Response Team is the group that defends the Amazon infrastructure against denial-of-service attacks, in addition to protecting many of our customers against the impact of those attacks on their own applications.

Nihar: I’ve been with AWS for nearly 10 years. I started as an intern. I’m now a Senior Manager for two customer-facing services. The first is AWS WAF. The other is AWS Firewall Manager. I’m responsible for managing the team that builds those services.

How do you explain your job to non-tech friends?

Jeff: We help AWS defend against outside attacks — external threats that might otherwise cause problems for people.

Nihar: I usually tell people that my job is to make sure the applications that are running on AWS stay secure. My team writes the software that helps keep these sites safe and secure.

What are you currently working on that you’re excited about?

Jeff: I’m excited about some things that are happening behind the scenes. When people hear about the DDoS Response Team, I think the picture that comes to mind is engineers answering tickets and working on individual problems. We do a bit of that, but we’re mostly focused on building automation to solve these problems at scale. What we’re trying to do is to remove the undifferentiated heavy lifting from something that used to be really complicated and difficult for developers to solve, allowing them to focus more on the applications running on our platform.

Nihar: Lots of things! Security is an area that customers take very seriously—and it’s also an area that we take very seriously. My team is working on initiatives in three broad areas. First, we’re going to make our existing services scale more, perform better, and be more available. Second, we’re investing in adding new features for both AWS WAF and AWS Firewall Manager — something that our customers tend to get very excited about because they can use those features right away to help make their applications more secure. The third major project is geographic expansion. We’re working on expanding the AWS WAF presence across more AWS regions.

What’s the most challenging part of your job?

Jeff: Solving problems at scale. If you think about the many different problems in distributed systems, solving them individually tends to be relatively easy. But when you think about them on a large scale, and then think about the number of points of presence within AWS regions that we have, and even the size of some of our customers’ applications, it becomes quite a different story. Being able to think through those problems and figure out how to implement solutions on a much larger scale is a unique challenge.

Nihar: The most challenging part of my job is to deliver everything that our customers need fast enough. It’s not because we don’t want to. We do. And we want to build solutions that are of high-quality. But we have limited resources, and there’s a finite number of things we can do with them. It’s really helpful when customers help us prioritize against their needs, since that allows us to iterate as quickly as we can while knowing that what we’re delivering will have the most impact for customers.

How did you choose your particular topic for re:Invent this year?

Jeff: Our session is about orchestrating perimeter security. Perimeter security is the concept of taking threats and mitigating them far away from the application itself. The session focuses on how to build a layer of defense that people can use to defend against things like external threats, application vulnerabilities, bad bots, and DDoS attacks. Our customers are interested in this topic, and we field a lot of questions like, “What are the best practices? What architectures should I consider?” So the goal of the session is to help people protect their AWS resources so that they can spend more time building their applications and less time worrying about security threats. The “orchestration” component comes into play for large organizations, who need to answer the question, “How do you do that and manage it at scale?” For a large organization with a lot of applications, you have to ensure that if you build out a security policy, any given change will take effect across the entire application. You need a centralized way of doing that. So we’ll also talk about the capabilities that AWS offers via AWS Firewall Manager, which allows customers to orchestrate security policies on behalf of AWS WAF. We’ll discuss ways you can lock down your VPC network access control list, plus other strategies that a centralized security team can use to make sure that there’s a ubiquitous protection layer for the entire application.

Nihar: I also want to emphasize that this approach allows customers to achieve a strong security posture for their applications without the need to re-architect any of the applications or any of the infrastructure that’s already running on AWS. We want to dispel the idea that customers will have to do a ton of work. You won’t, and yet you’ll be able to improve the availability of your applications and benefit from being compliant with many regulatory requirements. Perimeter security is like building a wall around a castle you’ve already built. You don’t have to renovate the castle. You can build the wall, and maybe fill it with security guards, or put cameras on it: you haven’t changed your castle at all, but it’s so much more secure.

What are you hoping that your audience will take away from your session? What should they do differently as a result of it?

Jeff: I hope our customers will realize that there are lots of ways to architect and build things on AWS. And one of those ways is by using the AWS edge network as a tool to mitigate threats. We want them to understand the differentiating capabilities that we provide with that edge network and to be able to up-level their security when they get back to the office.

Nihar: I want people to understand that making their applications more secure doesn’t take a lot of effort. There are tools available, and we’ll show them how to use those tools in their own service architectures. Some customers might not be aware of all the threats they should be protecting their applications from, so the session is also about educating our customers on potential threats and how to mitigate against those threats. Jeff and I live in this world, so we’re very aware.

Does your session require existing knowledge about the topic?

Jeff: There’s a lot of a value in this session for developers at different experience levels and across different applications, but it’ll be especially useful for application developers who’ve built on AWS and who’ve gone through our security best practices — but are looking for opportunities to do more.

Nihar: You don’t need to have an extensive background in security because we’ll cover some of the current threat landscape, in addition to covering some of the ways that you can defend against these threats.

What are the biggest misconceptions that people have about perimeter security?

Jeff: People sometimes think that the on-premises capabilities they’ve built for themselves are going to be lost when they move to the cloud. One of the things we do in our session is demonstrate how our customers actually retain all those capabilities. We’ve just made them easier to consume and understand.

Nihar: People also think sometimes that perimeter security isn’t beneficial, or that it’s too hard, or too expensive. To the first point, I’d say that there are a lot of “bad actors” out there, and consumers have high standards for availability and security when they use any application. As for difficulty and expense, these are exactly the things we have in mind — we’re doing our best to ensure that it’s a simple experience that’s affordable for everyone.

Can you tell us about some of the innovations AWS has made in perimeter security?

Jeff: My favorite is the way we’ve leveraged the AWS global infrastructure to be able to detect and mitigate threats at the point of ingress. If you think about distributed denial-of-service attacks, historically, the network of any given company might have multiple points of presence. But these individual points of presence might not all be prepared to handle a DDoS attack, and so you’d have to shunt the traffic off to much larger locations called “scrubbing centers” and then pull it back to the point of presence in order to serve your customers. That approach can be costly, it can be difficult to build at scale, and it can add a performance penalty—but it was historically the industry standard. One of the things we’ve created at AWS is a way to do this such that every point of presence in every AWS region has a system right there at the point of ingress that will inspect the traffic, decide if it’s valid to be passed to the customer’s application, and pass it without a noticeable performance penalty. That’s difficult to accomplish at scale.

Nihar: AWS WAF offers a flexible rule language with full API access, so many of our customers have built automations with it. For instance, customers see traffic coming to their applications and they evaluate their logs using some of the data processing tools AWS WAF has, and then they immediately turn around and programmatically create a new WAF rule, submit it to AWS WAF, and within minutes AWS WAF is starting to block that bad traffic. All of this can be automated, and that’s powerful. In addition to customers writing their own rules, we offer Managed Rules that are written, curated and managed by AWS Marketplace Sellers and can be easily deployed in front of your web applications.

AWS Firewall Manager is integrated with AWS Organizations and AWS Config with the goal of providing a consistent, reliable security posture for customers that have potentially hundreds or thousands of applications running on AWS. These customers often find it beneficial to use AWS Firewall Manager to programmatically protect all of their applications in a simple way rather than having to do a lot of undifferentiated heavy lifting by building Lambda functions and working with AWS Config and doing a lot of scripting. All that is doable, but AWS Firewall Manager simplifies the experience.
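The log-driven loop Nihar describes (read the WAF logs, spot abusive clients, produce a rule update) as an added example; this is not code from the post or from the AWS WAF team. It assumes the AWS WAF JSON log format (one object per line with an epoch-millisecond `timestamp`, `action`, and `httpRequest.clientIp`/`uri`), the sample records are constructed, and the output is only the CIDR list an IP set accepts; nothing here calls AWS.

```python
"""Turn AWS WAF logs into candidate block-list entries (added example).

Assumptions: AWS WAF JSON log records, one per line, carrying an
epoch-millisecond ``timestamp``, an ``action`` and an ``httpRequest``
object with ``clientIp`` and ``uri``. SAMPLE_WAF_LOG is constructed, not
captured traffic. The result is a list of CIDRs (the form an IP set
accepts); submitting it to AWS is left to the caller.
"""
import json
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: 203.0.113.10 bursts six allowed POSTs to /login in
# 15 s; 198.51.100.7 mixes /login and /static traffic; 2001:db8::1 is mostly
# already blocked; 192.0.2.50 spreads five requests over 400 s; plus two
# malformed records that a robust reader must skip.
SAMPLE_WAF_LOG = """\
{"timestamp":1543000000000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000003000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000006000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000009000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000012000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000015000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000020000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000021000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/static/app.js","httpMethod":"GET"}}
{"timestamp":1543000022000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000023000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/static/app.js","httpMethod":"GET"}}
{"timestamp":1543000024000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000025000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/static/app.js","httpMethod":"GET"}}
{"timestamp":1543000026000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000030000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"example-rate-rule","action":"BLOCK","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000031000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"example-rate-rule","action":"BLOCK","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000032000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"example-rate-rule","action":"BLOCK","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000033000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000034000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000035000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"2001:db8::1","country":"FR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000000000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.50","country":"BR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000100000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.50","country":"BR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000200000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.50","country":"BR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000300000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.50","country":"BR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000400000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.50","country":"BR","uri":"/login","httpMethod":"POST"}}
{"timestamp":1543000040000,"formatVersion":1,"webaclId":"example-acl","terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"not-an-ip","country":"US","uri":"/login","httpMethod":"POST"}}
this line is not JSON at all
"""


def parse_waf_log(text):
    """Yield (timestamp_ms, action, client_ip, uri) for each well-formed record.

    Malformed JSON, missing fields and unparsable client IPs are skipped:
    a log feed must never be able to break the automation that reads it.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            req = rec["httpRequest"]
            ip = ip_address(req["clientIp"])
            yield int(rec["timestamp"]), rec["action"], ip, req.get("uri", "")
        except (ValueError, KeyError, TypeError):
            continue


def candidate_blocks(log_text, threshold=5, window_seconds=60, uri_prefix="/"):
    """Return CIDRs for clients with >= threshold ALLOWed requests to
    uri_prefix inside any window_seconds span (a sliding window, so five
    requests spread over several minutes do not qualify).

    Only ALLOW records count: traffic WAF already blocked needs no new rule.
    """
    hits = defaultdict(list)
    for ts, action, ip, uri in parse_waf_log(log_text):
        if action == "ALLOW" and uri.startswith(uri_prefix):
            hits[ip].append(ts)

    window_ms = window_seconds * 1000
    flagged = []
    for ip, stamps in hits.items():
        stamps.sort()
        # Any run of `threshold` consecutive requests that fits in the window.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window_ms:
                flagged.append(ip)
                break

    # IP sets take CIDR notation: a single host is /32 (IPv4) or /128 (IPv6).
    flagged.sort(key=lambda addr: (addr.version, int(addr)))
    return [f"{addr}/{addr.max_prefixlen}" for addr in flagged]


if __name__ == "__main__":
    # Review the candidates before they become a rule change.
    print(candidate_blocks(SAMPLE_WAF_LOG, uri_prefix="/login"))
```

The returned list is what a reviewer would inspect before an IP-set update is submitted; keeping that step explicit is what stops a misconfigured threshold from blocking legitimate users at scale.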

What does cloud security mean to you, personally?

Jeff: Cloud security to me means two different things, both related to the Shared Responsibility Model. There is security in the cloud and security of the cloud. Security of the cloud is AWS’s responsibility, and security in the cloud is our customer’s responsibility. Our engineers are responsible for building security into AWS services, so that when customers move to the cloud, some aspects of security are taken care of automatically. But there are other aspects that our customers remain responsible for. To me, cloud security means that we will take care of all the things we’re able to take care of for our customers. And for the things we can’t take care of — the things that our customers remain responsible for and will have to manage themselves — we’re going to at least make them easier to think about, easier to configure, and easier to manage at scale.

Nihar: Security is our highest priority. If we’re not secure, we don’t have a business. So in one word, cloud security for me is trust. Our customers have a high bar because their customers, their consumers, demand a very high security posture. And as Jeff said, security is certainly a shared responsibility. But for the pieces for which we’re responsible, we have set a very high bar for ourselves so we continue to earn customer trust.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

Jeff: If you’re developing on AWS, you don’t have to worry about a lot of foundational things, like building a data center, figuring out where the power comes from, or managing the infrastructure. Security is the next frontier, where we can abstract and make it easier for our customers. I think that over the next several years, customers will see things get easier to manage and easier to think about. People won’t have to worry as much about the engineering behind the security. They’ll be able to express intent, which will be translated into security.

Nihar: I think we’re going to continue to add more learning and intelligence to our security services over the next several years, so we can be more proactive when it comes to the security and compliance of our customers’ applications. In practical terms, I think this means that we’ll innovate by building solutions that are really simple to use, targeted to each specific application, evolve with that application, yet work at AWS scale.

If you had to pick any other job, what would you want to do with your life?

Jeff: My dream job growing up was to be a police officer. I went through school and college thinking I’d pursue that dream and actually joined the Navy as a Master at Arms, which is a police officer in the Navy. I did that for nine years and was also an auxiliary Sheriff’s Deputy for two years. So I got a lot of law enforcement experience, which has actually benefited my career. Really, law enforcement is all about problem solving. So coming to AWS, I was able to bring a lot of those skills with me.

Nihar: I like building things. It just resonates with me. Here at Amazon, we like building new things, launching them, and then going back to square one to do it all over again. I’m organized and meticulous, so I like to have the end goal in mind and then build up to that. If I weren’t in software engineering, I’d like to do something involving construction: You start with a vision and a flat piece of land — and how you get from there to the end goal of a finished building is a fascinating process to me.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Jeff Lyon

Jeff leads technical operations for AWS Perimeter Protection, where he manages engineering and response teams who defend AWS against Distributed Denial of Service (DDoS) attacks, and other external threats. His teams’ responsibilities include the defense of the AWS network, the defense of AWS services, and responding to attacks on behalf of many AWS customers who rely on services like AWS Shield, AWS WAF, and AWS Firewall Manager. Prior to joining AWS, Jeff founded a startup that was focused on providing DDoS mitigation capabilities to large, distributed networks.

Author

Nihar Bihani

Nihar leads the teams that built the AWS WAF and AWS Firewall Manager services. He joined Amazon in 2009 and has spent time in AWS Marketing and Amazon CloudFront teams, most recently leading Product Management for CloudFront. Nihar was also an intern with AWS in 2008. Prior to Amazon, Nihar worked at a start-up for a few years. Nihar has earned his BS in Computer Science and an MBA in Marketing and Finance.

AWS Security Profiles: Chad Woolf, VP of AWS Security

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-chad-woolf-vp-of-aws-security/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for over eight years now, and I work in security assurance. The essence of my work is to help customers move critical and regulated workloads to the cloud. We own and manage security process, tech, and functions that customers can’t individually validate themselves. My job, and my team’s job, is to make those functions transparent to our customers, allowing them to rely on our processes, procedures, and controls. We work toward this goal by facilitating extensive independent audits and making those reports available. We also engage with regulators and customers to help them understand how the cloud works, what things they’ll have to do differently here, and what new opportunities are available to them in terms of better ways to govern their IT and protect and secure their data.

How do you explain your job to non-tech friends?

Sometimes I simplify by telling people, “I do information security at Amazon,” or “I do data protection and privacy at Amazon.” Mentioning the word “privacy” usually hits the limit of many people’s interest and they stop asking questions. To my kids or other family I usually say something like, “I work to keep Amazon safe for everybody.”

What are you currently working on that you’re excited about?

The world of traditional security assurance is complex and broad, so it’s full of interesting challenges. While working on that we’re also looking ahead at augmenting traditional security assurance and quality assurance models with more effective and newer models. A traditional approach might involve auditors doing sample testing and evaluating the narrative of how systems work. But this approach isn’t always technically deep and sometimes it doesn’t provide full, comprehensive insight into the environment, or into the presence of threats and vulnerabilities in the environment. From the onset of this program, we’ve worked to take these traditional models and modify the approach that will provide true assurance for our customers.

In addition, recently we’ve kicked off something I’m really excited about — the work our Automated Reasoning Group (ARG) is doing around developing mathematical proofs of certain aspects of a system. For example, a mathematical proof might be used to prove that there’s no instance of a weak key being used anywhere in the entire system. That’s a much higher bar than just having a “reasonable assurance” of no weak keys, which is the objective that auditors traditionally use. Auditors can’t evaluate all the code and they can’t evaluate all of the instances where keys are being used. With automated reasoning, if we’re able to tell them, “this proof can examine the entire system for a certain value,” it’s a much higher bar than even today’s advanced control measures, such as automated controls, preventive controls, or detective controls. It’s a proof. We (and our auditors) are really excited about this possibility, because systems are becoming so immense and so complex that it’s hard for us humans to wrap our minds around the complexity — so we’re using math to do it for us.

What’s the most challenging part of your work?

Most of the challenges I deal with stem from complexity. Each of the new services we release — including all of the things being launched at re:Invent this year — introduces a new, sometimes complex function into our environment and into the environments of the customers who use it. It’s becoming more and more challenging to effectively govern these disparate services, and for people to be certain that they’re applying the right standards across all of them. We have some services to deal with this, and I think we’ll see AWS release more governance-like features to help deal with this challenge more comprehensively in the future.

Another major challenge is that many governments and regulators hold an understanding of the cloud that hasn’t kept pace with the cloud’s incredibly rapid evolution. Years ago, the cloud was defined in fairly simple terms — infrastructure, platform, and software as a service. Many people still understand it in those dated categorizations. But it’s getting much more complex the more we offer and the bigger this space gets.

What’s the most common misperception you encounter about cloud security and compliance?

The misperception I encounter the most is that the cloud is unfit for regulated data and workloads. Regulators and auditors — many of whom haven’t operated an IT infrastructure — often have only a high-level understanding of the cloud, many times learned through colleagues, high-level reports and media reports. They hear things and may not have a way to technically validate whether those things are true. Years ago, it was a pretty common misunderstanding that accessing your data securely using the internet was the same as, “all of your data is openly available on the Internet,” which of course isn’t the case. I’ve had many personal interactions where someone said they absolutely could not have certain data stored in the cloud, because then the whole world would be able to see it. But this basic misperception is pretty much debunked at this stage. Now we spend a lot of time clearing up the misperception that regulated and audited data can’t be moved to the cloud. The reality is that because of the comprehensive control you have, regulated/audited data is actually better suited for the cloud. My team and many other teams at AWS work to help regulators, auditors, security teams and their leadership reach the right technical depth and understanding to give them the confidence to move these kinds of workloads to AWS.

You’re hosting two sessions for re:Invent 2018. How did you choose your particular topics?

I’m co-presenting a session with Byron Cook, the director of ARG, on Automating Compliance Certification with Automated Mathematical Proof. This session stems from what I mentioned before, the trend that traditional assurance methods are becoming less effective as complexity grows. We’ll be talking about new assurance models. But the session isn’t just us saying, “Here’s what we did! Good luck! Go hire your own PhDs to figure this out.” We’re going to give customers the chance to experiment with automated reasoning in their own cloud environments. It’s a chalk talk, so it’ll be a smaller audience, which will let us go quite in-depth with some of our examples. The CEO of one of our assessors will also be there and will talk about what these changes mean for his firm.

I’m also hosting a “peer problem-solving roundtable” at the Executive Summit that will focus on staying ahead of privacy regulation. GDPR, which went into effect in May 2018, made a lot of customers push to reach that date in a compliance state, but many didn’t and are still working on it. It’s a big challenge to sustain the effort around GDPR privacy and data protection. It’s not even like you can reach that state and then say, “Okay, we’re done.” It requires ongoing effort. Additionally, all kinds of laws are starting to be enacted all over the world that either match GDPR’s stringency or exceed it. So the session will be a workshop on how to deal with these challenges, and how companies can sustain their efforts and create frameworks that can handle additional regulation that might be enacted down the road.

What are you hoping that your audience will take away from your sessions?

For the automated reasoning session, I want people to leave with ideas about how they can tinker with automated reasoning and proofs of compliance in their own environments. This approach requires experimentation, so I want to empower people to just go ahead and start tinkering.

For the GDPR session, I want people to leave with some good ideas for how to proactively think about compliance — and with some specific actions they can take to move their companies’ privacy programs into a better state. The exact direction of our conversation will depend on the audience, since it’s an interactive workshop, but I’m hopeful that people will walk away with good ideas.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think that security and compliance will follow a trajectory similar to computing in the mid-2000s. Ten to 15 years ago, we all had PCs that required us to install software, which was all over the place in terms of quality — sometimes it worked on your laptop and sometimes it didn’t. We went from that to mobile devices, where the entirety of an installation is in a single container on an app. There might be some limits on what you can do, in terms of exchanging data with other apps and systems, but everything you need as a user is contained within that app. It’s a kit, rather than a bunch of building blocks. You launch it, set some configurations, and then forget about it. I think more of that is going to happen. The compliance scene is becoming exponentially more complex as we move forward with more services, more IT, and with multiple, diverse environments. We’ll need ways of securing it all in a simple way. IT providers will need to offer more app-like experiences, in which we think of the user and what they need to do rather than just providing a bunch of building blocks.

What does cloud security mean to you, personally?

As a consumer, I care about security a lot. When I use an app that’s on the cloud, or access contacts or photos that are stored in the cloud, I’m concerned about it. I make sure that I use encryption when I can. I have random passwords that I don’t reuse. I follow the best practices that security professionals all know and use. But I’m always shocked by how many people don’t really think about these things, or don’t understand the risks involved with not securing your account or encrypting your data, or in using services that clearly don’t follow best practices. For me personally, cloud security is an essential consideration before I actually use or buy anything.

If you had to pick any other job, what would you do with your life?

I’d move into IT transformation. Moving from one IT environment to another involves a lot of organizational change management, from people and process to technology and projects. It’s super complex, and hardly anyone is truly excellent at it. So that’s what I’d get into. I find the complexity there fascinating. Organizational IT transformation takes all the complexity of tech, and then adds to it with the complexity of people, processes, and culture.

As a personal passion, I’d do search and rescue for people who’ve gotten into trouble hiking or biking or rock climbing. It’s a complex, real-world challenge with life-or-death stakes. If I could use my motorcycles to help achieve that, it would be better. It might help justify further motorcycle purchases and help my wife understand the wisdom in this.


Author

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Master’s of Information Systems Management and a Bachelor’s of Accounting from Brigham Young University, Utah.

AWS Security Profiles: Sam Elmalak, Enterprise Solutions Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-sam-elmalak-enterprise-solutions-architect/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for three and a half years. I’m an Enterprise Solutions Architect, which means that I help enterprise customers think through their cloud strategy. I work with customers on everything from business goals and how to align those goals with their technology strategy to helping individual developers create well-architected cloud solutions. I also have an area of focus around security by helping a broader set of customers with their cloud journey and security practices.

How do you explain your job to non-tech friends?

I help my customers figure out how to use AWS and the cloud in a way that delivers business value.

What are you currently working on that you’re excited about?

From a project perspective, the AWS Landing Zone initiative (which also happens to be my 2018 re:Invent topic) is the most exciting. For the last two to three years, we’ve been providing guidance to help customers decide how to build environments in a way that incorporates best practices. But the AWS Landing Zone has a team that’s building out a solution that makes it easier for customers to implement those best practices. We’re no longer just telling customers, “Here’s how you should do it.” Instead, we’re providing a real implementation. It’s a prescriptive approach that customers can set up in just a few hours. This can help customers accelerate their cloud journey and reduce the work that goes into setting up governance. And the solution can be used by any company — including enterprises, educational institutions, small businesses, and startups.

What’s the most challenging part of your job?

I need to strike a balance between different initiatives, which means being able to focus on the right priorities for the moment. I don’t always get it right, but my hope is that I can always help customers achieve their goals. Another challenge is the sheer number of launches and releases—it can be difficult to stay on top of everything that’s being released while maintaining expert-level knowledge about it all. But that’s just a side effect of how quickly AWS innovates.

What’s your favorite part of your job?

The people I work with. I get to interact with so many smart, talented achievers and builders, and they’re always so humble and willing to help. Being around people like that is an amazing experience. Also, I get to learn nonstop. There are a lot of challenging problems to figure out, but there are also so many opportunities for growth. The job ends up being whatever you make of it.

In your opinion, what’s the biggest challenge facing cloud security right now?

Often, security organizations take the approach of saying “No.” They block things instead of making things happen by partnering with their business and development teams. I think the biggest challenge is trying to change that mindset. Skillset is also a challenge: Sometimes, people need to learn how to “do” security in the cloud in a way that keeps pace with their development team, and that can require additional skills. I believe training your entire organization to develop automation and approach problems and processes in an automated manner will help remove these barriers.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I think we’ll see more automation, more tooling, more partners, and more products — all of which will make it simpler for customers to adopt the cloud and operate there in an efficient, secure manner. As customers adopting the cloud mature, I also think the job of the security practitioner will change slightly — the work will become a matter of how to use all the available tooling and other resources in the most efficient manner. I suspect that artificial intelligence and machine learning, predictive analytics, and anomaly detection will start to play a more prominent role, allowing customers to do more and be more secure. I also think customers will be starting to think more of security in terms of users and devices rather than perimeter security.

How did you choose your session topics for re:Invent 2018?

This is my third year holding sessions on establishing a Landing Zone. Back in 2016, I had a few customers who asked me about how to set up their AWS environment. I spent quite a bit of time researching but couldn’t find a solid, well-rounded answer. So I took it upon myself to figure out what that guidance should include. I spoke with a number of more experienced people in AWS, and then proposed a re:Invent session around it. At the time, I thought it would sound boring and no one would want to attend. But after the session, feedback from customers was overwhelmingly positive and I realized that people were hungry for this kind of foundational AWS info. We put a team together to develop more guidance for our customers. The AWS Landing Zone initiative leverages that guidance by implementing best practices built by a talented team whose vision is to make our customers’ lives easier and more secure. Since then, re:Invent sessions on Landing Zone have expanded. We’re up to at least 18 sessions, workshops, and chalk talks this year, and we’ve even added a tag (awslandingzone) so they’re all searchable in the session catalog and customers can find them. In my presentations at re:Invent, we have a customer who will talk through what their journey looked like and how the AWS Landing Zone Solution has helped them.

What are you hoping that your audience will take away from these sessions?

I want customers to start thinking differently about a few areas. One is how to enable their organizations to innovate, build and release services/products more quickly. To do that, central teams need to think of the rest of their organization as their customers, then think of ways to onboard those customers faster by means of automated, self-service processes. Their idea of an application or a team also needs to be smaller than the traditional definition of an entire business unit. I actually want customers to think smaller — and more agile. I want them to think, “What if I have to accommodate thousands of different projects, and I want them all in different accounts and isolated workspaces, sitting under this Landing Zone umbrella?”

Thinking about that type of design and approach from the beginning will help customers start, innovate, and move forward while avoiding the pitfalls of trying to fit everything into a single AWS account. It’s a cultural mindshift. I want them to start thinking in terms of the people and the groups within their organizations. I want them to think about how to enable those groups and get them to move forward and to spend less time focused on how to control everything that those groups do. I want people to think of the balance between governance/security and control.

Any tips for first-time conference attendees?

Plan to do a lot of walking and have comfortable shoes. If you’ve signed up for sessions, get there early and remember that there are at least five venues this year — it’s important to factor in travel time. Other than that, I’d say visit the partner expo, meet other customers, and learn from each other. And ask us questions; we’ll do everything we can to help. Most importantly, enjoy it and learn!

If you had to pick any other job, what would you want to do with your life?

My current role comes down to helping empower people, which I love, so I’d look for a way to replicate that feeling elsewhere by helping people realize their talents and potential.

As a backup plan, I’d downsize, go live somewhere cheap and enjoy life, nature, music and tango…


Author

Sam Elmalak

Sam is an Enterprise Solutions Architect at AWS and a member of the AWS security community. In addition to helping customers solve their technical issues, he helps customers navigate organizational complexity and address cultural challenges. Sam is passionate about enabling teams to apply technology to address business challenges and unmet needs. He’s largely an optimist and a believer in people’s abilities to thrive and achieve amazing things.

AWS Security Profiles: Adrian Cockcroft, VP of Cloud Architecture Strategy

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-adrian-cockcroft-vp-of-cloud-architecture-strategy/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for two years, based out of the Palo Alto office in California. I tell people that I have three jobs. One is similar to the kind of thing that Werner Vogels does: I present keynotes at AWS summits. I’ve done fourteen keynotes so far, the biggest in New York last year and Tokyo this year. This gives me a calendar that takes me around the world, where I also spend a lot of time visiting customers, meeting with sales teams, gathering input, and talking to people about their architectural challenges, cloud migration challenges, and organizational challenges. I specialize in the architecture of highly available, multi-region, redundant use cases. That’s the second job. The third job is that I’ve recruited and now manage the team that looks after open source engagement from AWS (and to some extent from Amazon as a whole, as we support a few projects that are broader than AWS itself). We hired a bunch of senior, principal-level technologists who are open source specialists in different areas, and one of the most well-known things that has come out of this is AWS joining the Cloud Native Computing Foundation. I’m one of two board members representing AWS. My team has also created an open source web page that describes the work that AWS is doing in open source. We also have an open source blog.

What are you currently working on that you’re excited about?

My current focus is on resilience, particularly as it pertains to financial services. The problem that many financial services companies face is that their current infrastructure consists of data centers full of mainframes. But mainframe experts are retiring, and there aren’t very many millennial mainframe developers and operations people around. The talent pool is disappearing. So people at these institutions are beginning to ask themselves, “We use these mainframes to move trillions of dollars around. How do we run something like that on the cloud securely, and with extreme resilience?” These aren’t rhetorical questions. Financial institutions need to comply with government audits and standards and compliance rules. In fact, there’s a designation for these organizations — Strategically Important Financial Institutions (SIFI) — which means that they’re regulated in a very special way due to events like 9/11 and the 2008 market crash, events that can introduce systemic risk across the industry. AWS has the Well-Architected Guide to describe our current availability architecture, and we are deeply involved with some of these customers to upgrade it for SIFI workloads. The team is working across the sales organization, solutions architecture, and the service teams. We’re currently focused on the availability side of the question, but the security piece is also important: We’ll need the right options, from key management to private endpoints, to make it all viable. It’s a really interesting project, and one I’m deeply involved with.

How did you choose your particular topics for re:Invent this year?

I have one talk in the container track on chaos engineering, which I’m co-presenting with an engineer from one of our partners, Gremlin. Ana Medina is going to do a live demo of trying to break some container orchestration, and I’m going to do the setup, which is how we see chaos engineering playing out. Chaos engineering is a hot topic with a lot of customers. The high-level way of thinking about it is that most large customers have a failover strategy for their backup data centers. But most of them don’t test it very often: Testing is a big pain in the neck, it’s not reliable when you need it, and it’s expensive. However, if you’re failing over between two cloud regions, your APIs are the same, your capabilities are the same, and a lot of the things that make testing hard involve the drift between data centers. AWS just doesn’t have those problems. We’re managing all that out for you. This results in a highly automatable, productized, safe way to do failovers, which means you can test a lot more frequently. Instead of having one annual test, you can run them every quarter, or every month, or every week. And you’re doing low-level, fine-grain testing against individual instances and services. The upshot is that you end up with a much more resilient system, rather than something that once a year you come along and say, “I’m going to see if I can get it through the audit.” There are analogs to that in the security space as well: We’re moving from annual audits of your security architecture to continuous security where you’ve got tamperproof logs of configuration so you can prove that your system has never been in an insecure state, for example, rather than inspecting it every now and again and asking everybody if they’re processing tickets properly.

My second session is about trends in digital transformation. As I meet with customers around the world, I often hear them say, “We’re different than everyone else; we have all of these unique challenges.” And when they start to list their challenges, the list sounds exactly like the lists from twenty other companies. So eventually, I put all these challenges into a presentation that says, “Here are the four things that are blocking you from your technology transition.” This isn’t about adopting any particular set of AWS products. It’s really about the step before that: If you can’t absorb technological change, if you can’t do a cloud migration, if you can’t be agile, then you can’t keep up with the rest of the industry. What’s driving this digital transformation is the connectedness of customers and devices. Pretend you’re a manufacturing company that makes door locks. Traditionally, you’d put them in boxes, ship them off, and hope to never see them again — if products come back, it means they didn’t work. Now pretend you’re manufacturing a connected door lock — if you don’t hear from your door locks every five minutes, it’s a problem. It means your product is either broken, or the customer has stopped using it. Either way, the connected version requires you to continually monitor and understand how people are actually using it—and this shift applies to a huge number of industries. So I’ll be talking about how to navigate the various organizational and cultural blockers that exist within many companies.

What’s the most common problem you see customers running into when it comes to cloud security and compliance?

Over and over again, I see people doing data center security that’s largely enforced by network architecture. They have these complex sets of networks with firewalls, and they think if you’re in this box here, and we have a firewall around you, you’re safe. This segmentation model in data centers is largely based on network structure. Then, when customers start to move to the cloud, their security teams say, “We don’t care what you’re doing in the cloud as long as it follows this structure that we use in the data center.” This means you need to go off and build incredibly complex structures to resemble data center structures, all in order to get sign-off from the security teams. But once these systems are running, you’ll quickly find they’re much too complex — and completely the wrong architecture for cloud and cloud security. But it’s almost like you have to go through this step. It would be nice if we could convince security teams to buy into cloud best practices from the start and to use larger, flatter networks with other mechanisms for segmentation.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

Five or ten years ago, the cloud was a subset of the functionality of the data center. We’ve now flipped this: It’s hard to build a data center that’s even a pale imitation of a subset of an AWS account. We just have so much scalable functionality. I think that five years out, it will be difficult to even pass an audit in a data center. People are going to say, “You’re running that in a data center? I can’t guarantee anything about your configuration!” And you’re going to struggle to keep your data center from being overrun by hackers because you can’t control what’s going on. You’ll eventually hit the point where you can’t know enough about the data center to secure it. So you’ll move to the cloud, where, with the proper hygiene, you’ll be able to know everything. You can log everything that’s ever happened in a tamperproof log, and that ability allows you to make strong assertions.

I also think we’re starting to get governments around the world to support banking in the cloud. We’re still in the early stages, since this also requires teaching auditors how to understand what a banking audit looks like in the cloud: The goals are the same, but the implementation of patterns is different. We’re also seeing people using AWS Managed Services to create a PCI-compliant configuration from scratch via an API call, within a few hours. And then the auditor comes in, says, “You didn’t mess anything up. You’re done!” and walks away. I think these highly audited systems will start to be built in an extremely automated, repeatable way.

What does cloud security mean to you, personally?

I bought a house last year and have been installing all these IoT things, like door locks, lights, blinds, and yard sprinklers. These are all cloud services. I think we’re getting to a point where your personal security is tied up into the cloud. The security of all those items, which used to be physical security, is moving toward a cloud-based security model that’s going to touch people more and more as it all rolls out.


Author

Adrian Cockcroft

Adrian Cockcroft has had a long career working at the leading edge of technology, and is fascinated by what happens next. In his role at AWS, Cockcroft is focused on the needs of cloud native and “all-in” customers, and leads the AWS open source community development team.

AWS Security Profiles: Misty Haddox, AWS Customer Audit Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-misty-haddox-aws-customer-audit-manager/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for about four years. I joined the Compliance team in 2013, where I built processes and established the groundwork for our external global audit programs and built our first AWS controls framework. After that, I left AWS for a year to join a software company, where I worked with some cool folks and was able to educate and help determine their strategy for all things compliance. The opportunity gave me great insight into who I am and reaffirmed my passion for being a builder and delivering! So I came back to AWS and joined the Professional Services team within Security, Risk, and Compliance, working directly with customers who are at varying stages of their AWS cloud journey. I’ve actually just started a new role on the Security Assurance team, where I’ll be managing customer audits and am looking forward to continuing my AWS journey.

What’s the most challenging part of your job?

It’s sometimes challenging to convince customers that they need to get all their teams involved in security and compliance. I’ll be supporting customer EBCs (Executive Briefing Centers) at re:Invent, with my topic focused on “compliance in the cloud,” but the attendees joining the meetings from the customer side are IT specialists and chief technology officers; I don’t see anyone from the compliance teams involved. It’s really hard to get customers to avoid operating in siloed environments. There are always going to be upstream and downstream impacts when decisions are being made without a full understanding of your security and compliance landscape. We have this DevSecOps model at AWS, in which developers, security, and operations teams all work together on initiatives, and when we encourage customers to take a similar approach, we often get a response like, “That sounds great, but how does it really work?” But it does work — it’s what allows AWS to innovate so quickly. It’s so important for teams to talk to each other and work together to build integrated solutions.

What’s your favorite part of your work?

I have an innate ability to find anything wrong with something. It’s a unique skillset. I used to get frustrated with it, because it made me feel like a canary in a coal mine — but there’s actually value in this ability. It gives me the opportunity to dive into things and fix them before they become bigger issues, which I enjoy very much. I like fixing things. And I like having the ability to “look around corners” and understand what needs to be established in order to support or develop new programs, or to help existing programs scale.

What changes have you seen across the cloud security and compliance landscape over the course of your career?

I’ve worked in this field for 20 years, and compliance isn’t seen as a blocker or a bad word any more. People are starting to see it as a business enabler, which is really refreshing. Security in the nineties was IT-focused and very hands-on: You had a tangible thing you could touch, and policies drove the ways in which you hardened your posture. But now, it’s much more about interpretation and establishing your environment based on whatever processing is occurring within it. There’s no single right answer. If you practice security by design, and you understand your environment and your boundaries, and you build controls to support that, then that drives security, and you’re going to be compliant. This approach enables you more. You get the freedom to be more innovative in the cloud security space.

What’s the most common misperception you encounter about cloud security/compliance?

I sometimes work with customers who think that they’ll inherit all the compliance certifications that AWS provides. People assume that, because AWS has these, they don’t need to worry about anything. But that’s not the case. The controls you need to establish in your particular environment are going to be unique, based on how you build, what kind of data you have, and how you want to use it — compliance isn’t one-size-fits-all.

You’re co-presenting two different sessions for re:Invent 2018. How did you choose your topics?

The sessions are How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy, which I’m co-presenting with David McDermitt and Balaji Palanisamy, and Confidently Execute Your Cloud Audit: Expert Advice, which I’m co-presenting with Kristen Haught and Devendra Awasthi (from Deloitte).

Both are topics I’m super passionate about. At AWS, we talk a lot about the Shared Responsibility Model. But as we’ve deployed more services further up the stack, the lines of demarcation around responsibility have changed, and a lot of customers are uncomfortable determining what they’re responsible for. I’m using re:Invent as a chance to dive into that shared responsibility model with customers. It’s already the crux of every conversation we have with any customer at AWS, but we don’t tell them exactly what to do. Customers will ask what their controls should be, without understanding that it doesn’t start like that. The first step is to architect your environment and understand how it’s being engineered — because, depending on how you put the pieces together, the responsibility changes. So I’m using my sessions as a chance to really dive into the shared responsibility model with customers.

What are you hoping that your audience will take away from your sessions?

For the How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy session, I hope that customers walk away understanding that all teams need to be involved in the security and compliance conversation. It’s important not to operate in a silo.

For the Confidently Execute Your Cloud Audit: Expert Advice session, I want people to walk away understanding how to dive into control responsibility, and how to apply that knowledge once they’re back in their work environment, so they can look at their SOC report, if they issue one, or maybe determine if they even need one, and have a methodology that they can apply.

If you had to pick any other job, what would you want to do with your life?

I would love to be a crime scene investigator. I’m very fascinated with true life crime. I think it’s the challenge of putting the pieces of the puzzle together. I’m also fascinated by people, and I find the underlying sociology and psychology fascinating.


Author

Misty Haddox

Misty is a passionate builder who’s learning to not take herself too seriously. She believes in the AWS mission and that we should raise the bar in all we do. She strives to look at any opportunity or experience, no matter what it is, as a way to learn and grow!

AWS Security Profiles: Min Hyun, Global Lead, Growth Strategies

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-min-hyun-global-lead-growth-strategies/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS almost two years, and I lead the Global Affairs team within Growth Strategies. We monitor the intersection between security, privacy, emerging technologies, and practices so that we can catch sight of emerging issues. Then we help both public and commercial sector customers prepare for what’s to come. Our goal is to provide clarity around the positions that AWS holds when it comes to the security and compliance implications of new technologies, whether that’s IoT, AIML, or whatever’s next. We want to earn people’s trust as thought leaders in the space.

How do you explain your job to non-tech friends?

We are like an internal think tank. We do a lot of anticipating, analyzing, advising, and advancing on specific top-of-mind customer concerns when it comes to security and privacy.

What are you currently working on that you’re excited about?

Where to start? Mark Becker, on my team, is actually developing the privacy statement/position for AWS right now. I’m excited about this because it’s the first step toward introducing our voice into some highly important and relevant conversations. AWS has historically been reticent on certain topics, but we’re starting to become more intentional about amplifying our position. We’re in an interconnected world now, and social media is being used across all demographics. How we apply security and privacy protections in this new world, and what AWS has to say about it (particularly from a privacy perspective), is something that I care about deeply as someone representing AWS and as a citizen. It’s a really good feeling to know that AWS is just as concerned about it, and is moving the dial as an organization and being more transparent about what it is that we do and how we protect our customers.

What’s the most challenging part of your job?

Getting folks to understand the value and merit behind what we do. A large part of our jobs comes down to the Amazonian leadership principle: “Are right, a lot.” We’re trusting an internal compass on what we need to chase down, so we can’t always provide empirical data up front. But we need to follow that compass. There’s this point where it starts to feel like we’re a voice crying out in the wilderness, but in every instance in which we’ve dug into something, folks have appreciated our impact and foresight after the fact. Still, it can get lonely being out there sometimes. We’re still convincing everyone to buy in.

What’s your favorite part of your job?

The people! I work with such brilliant, passionate people. I feel like I’m always growing as a professional and growing the depth and breadth of my own knowledge. That’s only possible because of the talent we have here.

In your opinion, what’s the biggest challenge facing cloud security and compliance right now?

I would say there’s a lot of misinformation about security in the cloud. Customers have taken what they know about traditional computing models and applied these concepts to the cloud. Our job is to secure the infrastructure, and we’ve got the highest level of talent working to do so and to make sure that customers are confident in moving to the cloud. But there’s this gap between what AWS is doing and what customers know about what we’re doing. We need to learn how to bridge that gap for our customers. We need to have these conversations in ways that resonate and make sense to them.

What’s the most common misperception you encounter about cloud security and compliance?

On the compliance side, some people think the more, the better. Specifically, they think the more security controls you have, the better. But that’s not the case. We’ve seen accreditation regimes out there that might have a high bar in terms of the sheer number of requirements you need to meet, but that doesn’t necessarily mean your security will be “better.” It just means that you have more items on your list that need to be checked off. The conversation needs to start with the security outcomes that you want to achieve. After that, you can decide what to do in the cloud to meet those outcomes.

When it comes to security, we don’t have a whole lot of control over what’s happening in the political environment, and some of the shakeup that happened with Edward Snowden and the resulting pieces of legislation have led folks — particularly people outside of the US — to mistakenly believe that US law enforcement has access to the cloud in ways that simply aren’t the case. We need to clear up the fear, uncertainty, and doubt associated with that.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

With emerging technology adoption, and what’s almost an arms race in technology, I think we’re going to see governments become much more aggressive when it comes to AI, machine learning, and blockchain as they start to realize how technology can become an enabler for their economies, their defense capabilities, you name it. Governments will start to become more aggressive in their efforts to be first to market. And we’ll see associated policies and requirements that impact the use of these technologies, plus security, privacy and the rest of the gamut.

What does cloud security mean to you, personally?

I really believe that governments need to modernize their technology to better achieve their missions. Think of the US Department of Homeland Security, which has a mission that extends into national security, public safety, and economic security. That’s a really big burden to bear, and technology can actually be an enabler that helps them deliver on their responsibilities faster and more efficiently. I’m eager to see the government modernize technology. One of the top blockers seems to be security, and this is often due to impressions that haven’t even really been confirmed — the blockers are perceived concerns. I’m very eager to help overcome those barriers so that governments will be able to integrate this technology into the mission critical work that they do.

Privacy is also deeply important to me as the mom of relatively young kids. I want to know that when I give my kids a device and they’re on an app, I don’t have to worry about data getting leaked or my kids being tracked by a company or a rogue individual. I want to be able to protect and preserve their safety and security.

How did you choose your particular topic for re:Invent this year?

So I’m co-hosting a chalk talk with Michael South that’s called Aligning to the NIST Cybersecurity Framework in the Cloud, and it’s actually based on the very first white paper that I worked on when I came to AWS. I was given free rein in terms of what to prioritize, so I said I wanted to do a white paper on the NIST cybersecurity framework (CSF). It’s a framework that provides a foundational set of cybersecurity practices that organizations can use, regardless of their sector or size. It helps your organization implement sound risk management and resiliency practices, and it’s been vetted by government, industry, and academic institutions around the world. NIST really does due diligence in terms of distilling its guidance into a subset of activities—a core list of practices that any organization should implement. I believe it’s becoming the de facto industry standard for both public and private sectors, so I think we need to talk to our customers about how we can enable them to align their organizations with the CSF using AWS services. We have so many tools available that can help customers secure their environment. And what I love about the CSF is, it’s not only about security. When correctly applied, it’s intended to support business outcomes. It provides a common taxonomy that allows different stakeholders within the business (from CEOs to security professionals) to talk about the underscoring horizontal function that security plays.

What are you hoping that your audience will take away from your session?

I want them to walk away thinking that cybersecurity risk management doesn’t have to be a complex, obscure, onerous thing. I want them to know that there’s a very sensible, pragmatic approach that they can implement within their organization, regardless of size, that will enable them to secure their assets, their data, and their network. And I want them to know that this CSF paper is actually a tool that will empower them to do that. There’s also a customer workbook portion that provides very tactical advice in terms of the actual AWS services that you can use that meet a particular security outcome. Our goal was to make it very user friendly.

Is there anything else we should know about your session?

The session will be discussing a refreshed version of the original white paper. We first issued it back in 2017, and we’ve refreshed it since then to align with NIST’s version as well as reflect an updated list of AWS services that align to the CSF. We also did our due diligence to ensure that the AWS services that are FedRAMP and ISO 27001 accredited have been validated by a third-party auditor so that customers can have the assurance that those particular services also align to the updated CSF.

If you had to pick any other job, what would you want to do with your life?

I have two very different answers. If I could make a hop inside of Amazon, I would love to go work with Amazon Fashion. And probably more realistically, I’d love to do nonprofit work. I would really love to be a voice for disadvantaged people and to help them be heard, especially the homeless, and disadvantaged children. There’s such a need to represent their needs. In the same way that I amplify topics of interest in my current role, I would love to amplify their voices.


Author

Min Hyun

Min is the Global Lead for Growth Strategies at AWS. Her mission is to set the industry bar in thought leadership for security and data privacy assurance in emerging technology, issues, and leading practices to advance customers’ journeys to AWS.

AWS Security Profiles: Steven Laino, Security Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-steven-laino-security-architect/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for about 18 months, and I’m a Security Architect in the Global Security, Risk and Compliance Practice. My role is to help customers build the confidence and security capabilities they need in order to migrate their most sensitive applications to AWS.

What are you currently working on that you’re excited about?

So many things. I enjoy working on frameworks and methodologies, like the Cloud Adoption Framework. These resources help customers understand security in the cloud and more easily meet their security and compliance requirements. While security and compliance in themselves might not sound exciting, they really are an exciting piece of my work—as a customer, I’ve been through the experience of migrating to the cloud within a financial services company, and I’ve taken that experience with me to AWS. Now, I get to help other customers navigate the same process. Another area I’m focused on is innovating new ways to accelerate invention on behalf of our customers by developing tools and methods that help consultants more easily get their ideas to the proof of concept stage so customers can benefit even faster.

What’s the most challenging part of your job?

Time management is an ongoing challenge. There are so many areas in which we’re helping customers and doing really interesting work, and I want to be involved in as much of that as possible. It’s difficult to prioritize your passions like that. This leads me to one of the things I love most about my job: looking at the customer experiences, figuring out the pain points, and reinventing them.

What does cloud security mean to you, personally?

I care a lot about technology. I’ve been in IT for 30 years, and I’ve founded companies, one of which was an internet service provider. I think a lot of my passion for the cloud comes from the fact that I’ve been a customer and I’ve been on that adoption journey. It’s important to me to help customers understand the attention to detail and the standards we have at AWS. All of this enables them to keep their data secure which, in turn, allows them to pass that confidence to their own customers—more so than they’d be able to do on their own with their own data centers. Technology can help our customers make a better experience for their customers.

What’s the biggest challenge standing in the way of cloud adoption right now?

From a customer perspective, the biggest challenge is just achieving the understanding and education to reach that ah-ha moment where you understand how it really works and just how much due diligence AWS is putting in. AWS is vigilant about our customers’ security and privacy, and one of the great things about the cloud is that all of our customers get the benefit of all the best practices, AWS policies, architecture and processes that we’ve built to satisfy the requirements of our most security-sensitive customers, which is really a big deal once you start to put the pieces together. The other challenge a lot of people face is just knowing where and how to begin the cloud adoption process. And that’s where the Cloud Adoption Framework comes in. It’s an organizational tool that helps people identify the controls that they need, align them with their current compliance regime, and then actually implement them in a methodical way.

What’s the most common misperception you encounter about cloud security and compliance?

A lot of people think cloud security means only technical controls. The truth is that the move to the cloud requires an organizational and process transformation as well. Organizational shifts might include having developers, operations and security teams work very closely together, plus the integration of current processes to the cloud — for example, integrating the new cloud constructs into your current incident response workflows. Speaking from my own past experience, and from working with customers over the past 18 months, it’s common to encounter this misperception. But once you dive into the details and start to realize that security means people, platform and process, that perception shifts. And again, part of my job is to build confidence in our customers by helping them understand that and guiding them through the process.

Initially, many people also think that they’re going to have to rewrite all of their security policies and standards for the cloud. But they often don’t really need to do that. That’s because the “what” and “why” behind the security policies does not change, although the implementation of those policies does. So instead of a rewrite, it becomes more of a translation.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think we’ll see more automation, compliance implementation, and related tools, like compliance and audit checks, coupled with automated remediation for things that aren’t compliant. I also think we’ll see more AWS Quick Starts, which are preconfigured reference deployments that customers can use to build complete environments in just a few steps.

Another shift we’re already seeing has to do with security professionals changing their skill sets: traditionally, these folks were more likely to have backgrounds in system administration or networking, and they probably weren’t developers by practice. But that’s led to challenges as organizations shift to the cloud and need employees who know how to do things like write security as code and understand how policies are codified. These skills are starting to develop, so I think we’ll continue to see more security professionals growing their skills in CloudFormation and programming. More and more, it’ll be a true DevSecOps environment.

How did you choose your 2018 re:Invent topic?

I’m really excited to be presenting at re:Invent, and I initially chose a topic that I was passionate about—The AWS Cloud Adoption Framework. After I pitched to the re:Invent team, they asked if I’d be interested in co-presenting with Ben Potter and expanding the session to include both the Cloud Adoption Framework and the Well-Architected Framework. They’re a natural fit. So together, we’re presenting a session called Security Framework Shakedown: Chart Your Journey with AWS Best Practices.

What are you hoping that your audience will take away from it?

I want them to leave saying, “I finally understand how to begin helping my company migrate to the cloud.” My hope is that people will leave feeling like they know where to start and what the journey will look like, and that they’ll return to their jobs, read up on the Cloud Adoption Framework, and then piece together the foundational components that they need in order to begin the adoption process—things like inventorying their security controls and their tools and then mapping them together. Based off my own experience, once you realize that it’s not as difficult as you originally thought, you feel very energized. It tends to be another ah-ha moment.

If you had to pick any other job, what would you want to do with your life?

I would want to continue my previous path in law enforcement, which is interesting because there’s a parallel: If working as a security architect wasn’t an option and AWS didn’t exist, I’d still be doing work that helps ensure a secure environment.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Steven Laino

Steven is a Security Architect with AWS Professional Services. His career in Information Technology spans three decades and includes the founding of a physical security company as well as one of the first internet service providers in the US. For the past ten years, he’s helped financial service companies move sensitive workloads to the cloud. Steven holds CISSP-ISSAP, CCSP & CISM Security certifications and is a contributor to the Center for Internet Security Controls Framework.

AWS Security Profiles: Myles Hosford, Compliance Specialist

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-myles-hosford-compliance-specialist/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for about two and a half years. I’m based in Singapore, and I work within the Financial Services Security and Compliance team as a Compliance Specialist. My responsibilities cover about nine different countries. I spend most of my time working with financial institutions like banks and insurance companies, helping them identify their security and compliance requirements as they move into the cloud. I’ve only been in this particular role for six months — I actually moved internally from a security position. Since I was already spending a lot of time with a couple of financial services accounts, it made sense for me to move into a more focused vertical. My new role gives me the chance to dive deeper into some of the challenges in the financial services space.

How do you explain your job to non-tech friends?

In the simplest terms, I advise customers on their journey to the cloud. The cloud itself is a pretty new technology, especially to more traditional organizations. Between the regulatory landscape and the way that large enterprises traditionally consume IT, this presents some unique challenges. So I help break those challenges down into small, manageable chunks.

What’s the most challenging part of your job?

Because the cloud is such a new model, financial organizations and large enterprises often need to do a lot of rethinking about security. What used to be appropriate for on-premise controls might not be suitable for the cloud — and there might be ways of “doing” security in the cloud that were just never conceived of before. This is especially true around automation and the use of APIs, both of which can provide real-time visibility into your environment that you just couldn’t get before. That’s not the only shift in perspective that needs to happen, though. The shift also involves people and processes. By that, I mean that there’s often a lot of retraining that organizations need to undertake. Say you’re an on-premise database administrator: If your company shifts to the cloud, you’d probably continue to be a database administrator. But the job is going to look a little different, and a lot of organizations haven’t started thinking about how to retrain and reposition their existing staff. This is an especially pressing problem when coupled with the existing global shortage of cybersecurity professionals.

What do you enjoy about your work? What makes you excited to get out of bed in the morning?

From a security perspective, I genuinely believe that being in the cloud is more secure than being on-premise. Before I joined AWS, I worked with some large investment banks and saw how much they struggled with foundational security requirements, like patch management, or configuring firewalls, or enabling least-privilege access for users across their estate. Tasks like this can be very difficult to accomplish with a traditional, on-premise approach. So once an organization really leans into the idea of cloud security — once they realize that everything can be automated — they tend to respond very positively and very quickly. One of my favorite parts of my job is when a customer’s internal security team starts to realize this. At the outset, not everyone is optimistic, so it’s very satisfying to see customers start to trust us and start to dive into services like Amazon GuardDuty. Watching their growing excitement makes it all worthwhile.

Do you have advice on how to handle the increased amount of data that organizations are now receiving as a result of automating their processes in the cloud?

The cloud is great, but it’s definitely possible to go overboard with tools and vendor products, until you suddenly have twenty or thirty different dashboards with data coming in all over the place. What I emphasize to my customers is this: It’s great to have real-time visibility and collect all the data that you can, but you always need to think about connecting that last mile. In other words, you need ways to get the right data in the right format to the right analysts. It’s really nice to be able to turn on a service like Amazon GuardDuty and have a dashboard. But unless someone is constantly monitoring that dashboard — which can be a pretty boring job — you need to think about what kinds of decisions you want to make based off of your data, and then you need to start automating that response. In a traditional security setting, you’d receive an alert, you’d go investigate, and you’d follow up on any issues. Even if you switch to AWS services, you still need to make those decisions, but the decision-making process can typically be compressed down to seconds or minutes, and you can set things up so that the cloud responds and protects itself. Say you’ve got a developer or a malicious actor making changes in your environment. Maybe someone accidentally disables multi-factor authentication or turns off encryption. You can protect against that in near-real time, maybe thirty or forty seconds after the fact. And then, using features like Amazon CloudWatch Events and AWS Lambda functions, you can get your system to stop the threat and self-heal by re-enabling the encryption or the password policy or what-have-you. This type of automation and self-healing — the next generation of cloud security — is what customers get really excited about once they start to understand the possibilities.
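The self-healing pattern described above (a CloudWatch Events rule matching a CloudTrail API call, a Lambda function putting the setting back) can be sketched in a few dozen lines. The following is an added example and not code from the original interview or from AWS; the event shape follows the "AWS API Call via CloudTrail" format that CloudWatch Events delivers, while the baseline values (SSE-S3 default encryption, a 14-character password policy), the sample events and the `RecordingClient` stand-in are constructed for illustration. Real boto3 clients are only created when none are injected, so the example runs offline.

```python
"""Auto-remediation Lambda: re-apply a baseline setting as soon as a CloudTrail
event shows someone removed it. Event layout is the CloudWatch Events
'AWS API Call via CloudTrail' format; baseline values below are assumptions."""
import json

# Assumed baseline for the account password policy (illustrative, not from the page).
PASSWORD_POLICY_BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Assumed baseline: SSE-S3 default encryption on every bucket.
BUCKET_ENCRYPTION_BASELINE = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}


def parse_event(event):
    """Pull out the fields the remediation logic needs from a CloudWatch Events record."""
    detail = event.get("detail") or {}
    return {
        "name": detail.get("eventName", ""),
        "source": detail.get("eventSource", ""),
        "actor": (detail.get("userIdentity") or {}).get("arn", "unknown"),
        "params": detail.get("requestParameters") or {},
    }


def remediate(event, s3_client, iam_client):
    """Dispatch on the API call that fired; return a record of what was done."""
    info = parse_event(event)
    name = info["name"]
    if name == "DeleteBucketEncryption":
        bucket = info["params"].get("bucketName")
        if not bucket:
            return {"action": "ignored", "reason": "no bucketName in event"}
        s3_client.put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=BUCKET_ENCRYPTION_BASELINE,
        )
        return {"action": "restored_bucket_encryption", "bucket": bucket, "actor": info["actor"]}
    if name == "DeleteAccountPasswordPolicy":
        iam_client.update_account_password_policy(**PASSWORD_POLICY_BASELINE)
        return {"action": "restored_password_policy", "actor": info["actor"]}
    return {"action": "ignored", "reason": "no remediation for " + name}


def lambda_handler(event, context, s3_client=None, iam_client=None):
    """Lambda entry point; boto3 clients are built only when none are injected."""
    if s3_client is None or iam_client is None:
        import boto3  # only available (and only needed) inside Lambda
        s3_client = s3_client or boto3.client("s3")
        iam_client = iam_client or boto3.client("iam")
    result = remediate(event, s3_client, iam_client)
    print(json.dumps(result))  # ends up in CloudWatch Logs for the analyst
    return result


class RecordingClient:
    """Stand-in for a boto3 client: records each call instead of hitting AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed sample events (not captured from a real account).
SAMPLE_S3_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketEncryption",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"bucketName": "example-data-bucket"},
    },
}
SAMPLE_IAM_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteAccountPasswordPolicy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
    },
}

if __name__ == "__main__":
    s3, iam = RecordingClient(), RecordingClient()
    lambda_handler(SAMPLE_S3_EVENT, None, s3, iam)
    lambda_handler(SAMPLE_IAM_EVENT, None, s3, iam)
    print(s3.calls, iam.calls)
```

Two practitioner caveats: the function's execution role needs only `s3:PutEncryptionConfiguration` and `iam:UpdateAccountPasswordPolicy`, and nothing else; and the actor ARN in the result should feed an alert, because a principal who can delete the setting once can delete it again, so the loop-closing remediation is a control, not a substitute for investigating who triggered it.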

Speaking of “next generation,” what kinds of changes do you think we’ll see across the security and compliance landscape within the next five years?

Right now, we’re at a point where organizations just need to get the basics down, and I think AWS is doing a very good job of allowing people to start standardizing their infrastructure and applications. But one trend I’ve seen in the last year or so is an uptick in machine learning and AI. Within AWS, those technologies are starting to power some of our other services, like Amazon GuardDuty and Zelkova. I think that this trend will continue, with more and more capabilities like cyberthreat intelligence and cyber-hunting. This will enable organizations to move beyond patch management and basic infrastructure security, and toward more advanced tools that will allow them to track down bad actors within their estates, hopefully both raising their security bar against fresh vulnerabilities and making more efficient use of their security personnel’s time — which, again, I think is very important given the general shortage of skills and headcount within cloud security.

You’re co-presenting a 2018 re:Invent session with Phil Rodrigues about debunking cloud security myths. How did you choose this topic?

When I meet with new security and compliance teams, they typically have lots of questions (and rightfully so). It’s important that I earn their trust since I’m asking them to trust AWS with their assets and data. And in my experience, there’s this journey of questions that many people go through. The re:Invent session is meant to guide people through this journey and to debunk some of the most common cloud security myths that I encounter. The session is tailored to organizations and customers who don’t have much experience with the cloud. I expect them to have some foundational questions, like “Is my actual data stored in an actual data center somewhere?” So I’ll talk about the way that our regions work, and where data is stored across AWS. This lets people get comfortable with the idea that yes, your data is in a data center with strong physical security controls. Then we’ll move to some specific questions around AWS and the support that we can provide to organizations, whether through contractual commitments or regional compliance programs. After that, I’ll pick out a couple of notable services that have gotten a lot of press. Take Amazon Simple Storage Service (Amazon S3): There’s been some discussion of open S3 buckets — but people might not realize that S3 buckets are actually private by default. You have to go out of your way to make them public. We’ll wrap up with some questions from the audience. I want people to walk away from the talk feeling like they have a high-level understanding of cloud security from start to finish.

Do you have any tips for first-time conference attendees?

Obviously, take a look at the agenda ahead of time and try to reserve seats for the sessions that you’re most interested in. Beyond that, network with as many of your peers as possible. Reach out to people that you meet, whether on LinkedIn or social media, and as you see people around the conference, try to interact with them. Everyone’s coming to learn, and everyone’s hopefully friendly and approachable. Find out what other people are working on, share your best practices, take away some new best practices, and just have fun with it all.

You’re based out of Singapore: What’s one thing that a visitor to Singapore should make time for?

If you come to Singapore, make sure that you spend some time trying local food. Singapore has amazing food. If you don’t mind spicy, I’d recommend the national dish, which is Singapore Chili Crab — a big crab poured over with chili oil and served with bread for dipping. It’s amazing.

Do you have anything else that you’d like to touch on?

Using the cloud to protect the cloud is a great idea. And obviously, developments around AI and automation really help out. Once people start to understand that you can move away from a static, point-in-time security posture and toward a self-healing infrastructure that attacks misconfigurations and fixes itself, that’s a pretty cool place to be.


Author

Myles Hosford

Myles is a Compliance Specialist on the AWS Financial Services Security and Compliance team. He’s based out of Singapore, where he helps financial institutions in the APAC region transition to the cloud.

AWS Security Profiles: Brittany Doncaster, Solutions Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-brittany-doncaster-solutions-architect/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS a little over four years. I work as a Solutions Architect in the Atlanta office. I spend most of my time talking to customers about architecture and best practices, whiteboarding solutions, and helping people move their existing IT infrastructure to AWS solutions. Essentially, I’m the technical point of contact for my customers.

If someone wanted to become a solutions architect, what advice would you give them?

I think the most important quality to have is technical breadth, because you’ll deal with a lot of different technologies. But you also need to have a natural curiosity. You’ll always encounter things that you don’t know, so you need to be able to investigate and learn in order to find the answers.

Tell us about your own past work experience: What helped you get here?

I started my career as a software developer, then I became a software architect leading development teams. From there, I began working on enterprise-level architecture and then got into cloud technology before joining Amazon.

What’s the most challenging part of your job?

The pace of technology. You need to know so many things. When I joined AWS, there were roughly 30 services I needed to know about. Now, there are well over 100. But while the pace is challenging, it’s also the best part of my job. I’m always learning. It goes back to that natural curiosity.

What’s the most common misperception you encounter about cloud security?

Security personnel are used to dealing with policy documents and spreadsheets when performing security tasks on-premise. When moving to AWS, many people have to shift their mindset regarding how they view security. It’s no longer documents and spreadsheets, but instead code. The insight you can have into your AWS environment via our services allows for automated remediation and alerting that wouldn’t have been possible previously. By moving to a model where your security policies are enforced by code, securing the environment happens much quicker and in a much more repeatable manner.

You’re co-presenting a session at re:Invent 2018 about using AWS Lambda as a security team. What are you hoping that your audience will take away from your session?

I hope they’ll shift their thinking away from the need to write policy documents and toward using services like AWS Lambda, instead. I want to help attendees get a feel for how easy Lambda is to use, and to see how Lambda can be the glue for the security team, tying together automated monitoring, auditing, and remediation.

Any tips for first-time conference attendees?

Every year is different, so every year is like a first year! Embrace it and jump in.

If you had to pick any other job, what would you want to do?

I’d be a Geologist – I love rocks!


Author

Brittany Doncaster

Brittany is a Solutions Architect based out of Atlanta, GA. She comes from a development background. She now works with enterprise customers in the Southeast to adopt cloud technologies and architect using best practices. She specializes in Security and Serverless technologies.

AWS Security Profiles: Brigid Johnson, Senior Manager of Product Management

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-brigid-johnson-senior-manager-of-product-management/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS a little over four years. I’m currently the Senior Manager of Product Management in AWS Identity. I head a team of product managers that manage AWS Identity and Access Management (IAM) and AWS Secrets Manager.

How do you explain your job to non-tech friends?

I’m the voice of the customer. I work to simplify security for AWS customers.

What are you currently working on that you’re excited about?

A lot of my work is focused on how we can simplify permissions management at scale. Customers are moving an enormous number of workloads to AWS, and a lot of teams are on-boarding to manage those workloads. And often, a lot of applications need access to resources within AWS. Companies rely on granular permissions to manage their resources and data securely. My team is working on the tools and experiences to make this experience easy.

What’s the most challenging part of your job?

AWS IAM and AWS Secrets Manager are services that every AWS customer will use, from small start-ups to really large enterprises. Balancing their needs, use cases, and requirements, and then creating a product vision based on this information is challenging—and also very rewarding.

What’s your favorite part of your job?

Talking with customers. I find it incredibly fascinating to hear what people are building on top of AWS, how they’re using our system, and what they need more of. And while I really love presenting AWS products on stage, it’s usually brainstorming meetings with a central security team or someone who manages permissions at a small startup that I love the most. I love real conversations about day-to-day routines and experiences. It helps me hone in on where we need to innovate.

How did you choose your particular topic for re:Invent this year?

The session, Become an IAM Policy Master in 60 Minutes or Less, has been going on for years. Before I took over, my previous manager ran it. Policies are very, very powerful. You can write granular permission rules, and there are some really cool things I’ve seen customers do with them. The session is a way for me to show people that power, and then show them how to think about permissions and use IAM policies. You can use policies to control access to both applications and users in a very granular way. It’s really rewarding to watch as people start to get it—and then get excited about new possibilities of their security posture.

So, how are you going to make someone an IAM Policy Master in 60 minutes?

There are three parts: First, I’ll go through some policy basics. This section’s fairly short, since this is a more advanced session. Next, I’ll explore how to reason and think about policy evaluation. When I explain this in a certain way with customers, I can often see them get it and the lightbulbs go on. This provides them with the foundation to go back and work with their teams to create better permissions rules. Finally, I go into some specific policy types and where you can use these, so people have a framework for understanding different policy types. This section includes use cases for how and why you might use different types. My favorite part of the session is at the end: I go through some of my favorite complex use cases and show the real power and granularity of the AWS permissions model.

What are you hoping that your audience will take away from your session?

I want them to have a deeper understanding of the power of our policies. And, honestly, I want them to go play and explore. So many times, when we’re setting up permissions, we’re trying to get something done, and so we go through the set-up really quickly—and I should stress that my team is working to make that set-up quicker and easier. But if you’re part of a central security team, and you spend a little time exploring the ninja moves that I’m going to explain in my session, you can more easily scale your permissions management. Spending just a little bit of up-front cost to explore and figure out how things work will make your permissions management much easier.

Any tips for first-time conference attendees?

Two tips: One, be sure to go to sessions that interest you, even if you know nothing about the topic. At the end of the day, the conference is a chance for you to explore. Two, try spending some time outside. Being indoors all day can be more draining than you think. A little outdoor time helps keep your energy level up.

What does cloud security mean to you, personally?

Permissions are critical to running workloads in the cloud. Here’s why I’m passionate about this topic. Permissions enable people to build without getting themselves into trouble accidentally. The easier that AWS makes permissions (and managing permission in the cloud), the easier and faster it is for customers to onboard workloads to AWS—and the easier and faster it is for builders to build on AWS. And that’s what really inspires me. If builders are blocked because they don’t have access to something that they should, it’s a frustrating experience. It also means they’re not building the next cool app I didn’t know I needed, solving healthcare challenges, or innovating as fast as they can. My goal, and what I love about my work, is getting to innovate in ways that make security easier by default. People can operate safely in the cloud, and they can still move fast to build exciting things.

In your opinion, what’s a challenge facing cloud security teams right now?

AWS innovates really quickly. We send out a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author their permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up to date information, and of course the AWS Security Blog.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I think we’ll see more preventative security controls turned on by default, rather than controls that rely on you to go turn them on. If you have a use case where you need to turn things off, you’ll still be able to do so. But I think turned on will become the new default, and that more management tools and services will be able to “do” security for you. This might mean that the job of the central security team will move away from building out systems and toward consuming information that comes from these systems and using it to make judgment calls based on environment and workload.

If you had to pick any other job, what would you want to do with your life?

I’ve always thought it would be fun to build and run my own sleep-away camp for girls. I’m an avid horseback rider, so there would be a lot of horseback riding. If I had to do something else, I’d go buy a plot of land somewhere and make it happen.


Author

Brigid Johnson

Brigid manages the Product Management team for AWS IAM. Prior to her career at Amazon, she received her MBA from the Carnegie Mellon’s Tepper School of Business. Brigid spent her early career as a consultant for Accenture and an engineer for JPMorgan Chase, after receiving an undergraduate degree in Computer Science from University of Illinois. In her spare time, Brigid enjoys riding and training her new horse Pickles.

AWS Security Profiles: Eric Brandwine, VP and Distinguished Engineer

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-eric-brandwine-vp-and-distinguished-engineer/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for 11 years, and I report to Steve Schmidt, who’s our Chief Information Security Officer. I’m his Chief Engineer. I engage across the entire AWS Security Org to help keep the bar high. What we do all day, every day, is help AWS employees and customers figure out how to securely build what they need to build.

What part of your job do you enjoy the most?

It’s a trite answer, but it’s true: delivery. I enjoy impacting the customer experience. Often, the way security impacts the customer experience is by not impacting it, but we’re starting to launch a suite of really exciting security services for customers.

What’s the most challenging part of your job?

It’s a combination of two things. One is Amazon’s culture. I love the culture and would not change it, but it poses particular challenges for the Security team. The second challenge is people: I thought I had a computer job, but it turns out that like pretty much all of the Senior Engineers I know, I have a people job as much as or more than I have a computer job. Amazon has a culture of distributed ownership and empowerment. It’s what allows the company to move fast and deliver as much as it does, and it’s magnificent. I wouldn’t change it. But as the Security team, we’re often in a position where we have to say that X is no longer a best practice. Whatever the X is—there’s been a new research paper, there’s a patch that’s been published—everyone needs to stop doing X and start doing Y. But there’s no central lever we can pull to get every team and every individual to stop doing X and start doing Y. I can’t go to senior leaders and say, “Please inform your generals that Y needs to be done,” and have that message move down through the ranks in an orderly fashion. Instead, we spend a lot of our time trying to establish conditions, whether it’s by building tools, reporting on the right metrics, or offering the right incentives that drive the organization towards our desired state. It’s hacking people and groups of people at enormous scale and trying to influence the organization. It’s a tremendous amount of fun, and it can also be maddening.

Do you have any advice for people early in their careers about how to meet the challenge of influencing people?

I’ve got two lessons. The first is to take a structured approach to professional interactions such as meetings and email strings. Before you start, think through what your objective is. On what can you compromise? Where are you unwilling to compromise? What does success look like? Think through the engagement from the perspective of the other parties involved. This isn’t to say that you shouldn’t treat people like people. Much of my success is due to the amount of coffee and beer that I’ve bought. However, once you’re in the meeting or whatever, keep it on topic, drive towards that outcome, and hopefully end early so there’s time for coffee.

The other is to shift the discussion towards customers. As a security professional, it’s my job to tell you that you’ve done your job poorly. That thing that you sweated over for months? The one that you poured yourself into? Yeah, that one. It’s not good enough, it’s not ready to launch. This is always a hard discussion to have. By shifting the focus from my opinion versus yours to trying to delight customers, it becomes a much easier discussion. What should we do for customers? What is right for customers? How do we protect customers? If you take this approach, then you can have difficult conversations with peers and make tough decisions about product features and releases because the focus is always on the customer and not on social cohesion, peer pressure, or other concerns that aren’t customer-focused.

Tell us about your 2018 re:Invent topic. How did you choose it?

My talk is called 0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Security. I chose the topic because a lot of security issues come down to judgment calls that result in very finely graduated shades of gray. I’ve seen a lot of people struggle with that ambiguity—but that ambiguity is actually central to security. And the ability to deal with the ambiguity is one of the things that enables a security team to be effective. At AWS, we don’t have a checklist that we go down when we engage with a product team. That lack of a checklist makes the teams more likely to talk to us and to bring us their problems, because they know we’re going to dig into the problem with them and come up with a reasoned recommendation based on our experience, not based on the rule book. This approach is excellent and absolutely necessary. But on the flipside, there are times when absolutes apply. There are times when you draw a bright line that none shall pass. One of the biggest things that can enable a security team to scale is knowing where to draw those bright lines and how to keep those lines immaculately clean. So my talk is about that tension: the dichotomy between absolute black and white and the pervading shades of gray.

What are some of the common misperceptions you encounter about cloud security?

I’ve got a couple. The first is that choosing a cloud provider is a long-term relationship. Make sure that your provider has a track record of security improvements and flexibility. The Internet, your applications, and your customers are not static. They’re going to change over time, sometimes quite quickly. Making it perfect now doesn’t mean that it will be perfect forever, or even for very long. At Amazon, we talk about one-way doors versus two-way doors. When going through a one-way door you have to be very sure that you’re making a good decision. We’ve not found a way to reliably and quickly make these decisions at scale, but we have found that you can often avoid the one-way door entirely. Make sure that as you’re moving your applications to the cloud, your provider gives you the flexibility to change your mind about configurations, policies, and other security mechanisms in the future.

The second is that you cannot allow the perfect to be the enemy of the good. Both within Amazon and with our customers, I’ve seen people use the migration to the cloud as an opportunity to fix all of the issues that their application has accreted over years or perhaps even decades. These projects very rarely succeed. The bar is so high, and the project is so complex, that it’s basically impossible to deliver successfully. You have to be realistic about the security and availability that you have now, and you have to make sure both that you get better security when you launch in the cloud and that you have the runway to incrementally improve over time. In 2016, Rob Joyce of the NSA gave a great talk about how the NSA thinks about zero-day vulnerabilities and gaining access to systems. It’s a good, clear articulation of a well-known security lesson: adversaries are going to take the shortest, easiest path to their objective. The news has been full of low-level side-channel attacks like Spectre and Meltdown. While you absolutely have to address these, you also have to adopt MFA, minimize IAM policies, and the like. Customers should absolutely make sure that their cloud provider is someone they can trust, someone who takes security very seriously and with whom they can have a long-term relationship. But they also have to make sure that their own fundamentals are in order.

If you had to pick a different job, what would it be?

I would do something dealing with outer space. I’ve always read a lot of science fiction, so I’ve always had an interest, and it’s getting to the point where space is no longer the domain of large government agencies. There are these private companies that are doing amazing things in space, and the idea of one of my systems in orbit or further out is appealing.

Author

Eric Brandwine

By day, Eric helps teams figure out how to cloud. By night, Eric stalks the streets of Gotham, keeping it safe for customers. He is marginally competent at: AWS, Networking, Distributed Systems, Security, Photography, and Sarcasm. He is also an amateur parent and husband.