All posts by Becca Crockett

AWS Security Profiles: Chad Woolf, VP of AWS Security

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-chad-woolf-vp-of-aws-security/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for over eight years now, and I work in security assurance. The essence of my work is to help customers move critical and regulated workloads to the cloud. We own and manage security process, tech, and functions that customers can’t individually validate themselves. My job, and my team’s job, is to make those functions transparent to our customers, allowing them to rely on our processes, procedures, and controls. We work toward this goal by facilitating extensive independent audits and making those reports available. We also engage with regulators and customers to help them understand how the cloud works, what things they’ll have to do differently here, and what new opportunities are available to them in terms of better ways to govern their IT and protect and secure their data.

How do you explain your job to non-tech friends?

Sometimes I simplify by telling people, “I do information security at Amazon,” or “I do data protection and privacy at Amazon.” Mentioning the word “privacy” usually hits the limit of many people’s interest and they stop asking questions. To my kids or other family I usually say something like, “I work to keep Amazon safe for everybody.”

What are you currently working on that you’re excited about?

The world of traditional security assurance is complex and broad, so it’s full of interesting challenges. While working on that we’re also looking ahead at augmenting traditional security assurance and quality assurance models with more effective and newer models. A traditional approach might involve auditors doing sample testing and evaluating the narrative of how systems work. But this approach isn’t always technically deep and sometimes it doesn’t provide full, comprehensive insight into the environment, or into the presence of threats and vulnerabilities in the environment. From the onset of this program, we’ve worked to take these traditional models and modify the approach that will provide true assurance for our customers.

In addition, recently we’ve kicked off something I’m really excited about — the work our Automated Reasoning Group (ARG) is doing around developing mathematical proofs of certain aspects of a system. For example, a mathematical proof might be used to prove that there’s no instance of a weak key being used anywhere in the entire system. That’s a much higher bar than just having a “reasonable assurance” of no weak keys, which is the objective that auditors traditionally use. Auditors can’t evaluate all the code and they can’t evaluate all of the instances where keys are being used. With automated reasoning, if we’re able to tell them, “this proof can examine the entire system for a certain value,” it’s a much higher bar than even today’s advanced control measures, such as automated controls, preventive controls, or detective controls. It’s a proof. We (and our auditors) are really excited about this possibility, because systems are becoming so immense and so complex that it’s hard for us humans to wrap our minds around the complexity — so we’re using math to do it for us.

What’s the most challenging part of your work?

Most of the challenges I deal with stem from complexity. Each of the new services we release — including all of the things being launched at re:Invent this year — introduces a new, sometimes complex function into our environment and into the environments of the customers who use it. It’s becoming more and more challenging to effectively govern these disparate services, and for people to be certain that they’re applying the right standards across all of them. We have some services to deal with this, and I think we’ll see AWS release more governance-like features to help deal with this challenge more comprehensively in the future.

Another major challenge is that the many governments and regulators hold an understanding of the cloud that hasn’t kept pace with the cloud’s incredibly rapid evolution. Years ago, the cloud was defined in fairly simple terms — infrastructure, platform, and software as a service. Many people still understand it in those dated categorizations. But it’s getting much more complex the more we offer and the bigger this space gets.

What’s the most common misperception you encounter about cloud security and compliance?

The misperception I encounter the most is that the cloud is unfit for regulated data and workloads. Regulators and auditors — many of whom haven’t operated an IT infrastructure — often have only a high-level understanding of the cloud, many times learned through colleagues, high-level reports and media reports. They hear things and may not have a way to technically validate whether those things are true. Years ago, it was a pretty common misunderstanding that accessing your data securely using the internet was the same as, “all of your data is openly available on the Internet,” which of course isn’t the case. I’ve had many personal interactions where someone said they absolutely could not have certain data stored in the cloud, because then the whole world would be able to see it. But this basic misperception is pretty much debunked at this stage. Now we spend a lot of time clearing up the misperception that regulated and audited data can’t be moved to the cloud. The reality is that because of the comprehensive control you have, regulated/audited data is actually better suited for the cloud. My team and many other teams at AWS work to help regulators, auditors, security teams and their leadership reach the right technical depth and understanding to give them the confidence to move these kinds of workloads to AWS.

You’re hosting two sessions for re:Invent 2018. How did you choose your particular topics?

I’m co-presenting a session with Byron Cook, the director of ARG, on Automating Compliance Certification with Automated Mathematical Proof. This session stems from what I mentioned before, the trend that traditional assurance methods are becoming less effective as complexity grows. We’ll be talking about new assurance models. But the session isn’t just us saying, “Here’s what we did! Good luck! Go hire your own PhDs to figure this out.” We’re going to give customers the chance to experiment with automated reasoning in their own cloud environments. It’s a chalk talk, so it’ll be a smaller audience, which will let us go quite in-depth with some of our examples. The CEO of one of our assessors will also be there and will talk about what these changes mean for his firm.

I’m also hosting a “peer problem-solving roundtable” at the Executive Summit that will focus on staying ahead of privacy regulation. GDPR, which went into effect in May 2018, made a lot of customers push to reach that date in a compliance state, but many didn’t and are still working on it. It’s a big challenge to sustain the effort around GDPR privacy and data protection. It’s not even like you can reach that state and then say, “Okay, we’re done.” It requires ongoing effort. Additionally, all kinds of laws are starting to be enacted all over the world that either match GDPR’s stringency or exceed it. So the session will be a workshop on how to deal with these challenges, and how companies can sustain their efforts and create frameworks that can handle additional regulation that might be enacted down the road.

What are you hoping that your audience will take away from your sessions?

For the automated reasoning session, I want people to leave with ideas about how they can tinker with automated reasoning and proofs of compliance in their own environments. This approach requires experimentation, so I want to empower people to just go ahead and start tinkering.

For the GDPR session, I want people to leave with some good ideas for how to proactively think about compliance — and with some specific actions they can take to move their companies’ privacy programs into a better state. The exact direction of our conversation will depend on the audience, since it’s an interactive workshop, but I’m hopeful that people will walk away with good ideas.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think that security and compliance will follow a trajectory similar to computing in the mid-2000s. Ten to 15 years ago, we all had PCs that required us to install software, which was all over the place in terms of quality — sometimes it worked on your laptop and sometimes it didn’t. We went from that to mobile devices, where the entirety of an installation is in a single container on an app. There might be some limits on what you can do, in terms of exchanging data with other apps and systems, but everything you need as a user is contained within that app. It’s a kit, rather than a bunch of building blocks. You launch it, set some configurations, and then forget about it. I think more of that is going to happen. The compliance scene is becoming exponentially more complex as we move forward with more services, more IT, and with multiple, diverse environments. We’ll need ways of securing it all in a simple way. IT providers will need to offer more app-like experiences, in which we think of the user and what they need to do rather than just providing a bunch of building blocks.

What does cloud security mean to you, personally?

As a consumer, I care about security a lot. When I use an app that’s on the cloud, or access contacts or photos that are stored in the cloud, I’m concerned about it. I make sure that I use encryption when I can. I have random passwords that I don’t reuse. I follow the best practices that security professionals all know and use. But I’m always shocked by how many people don’t really think about these things, or don’t understand the risks involved with not securing your account or encrypting your data, or in using services that clearly don’t follow best practices. For me personally, cloud security is an essential consideration before I actually use or buy anything.

If you had to pick any other job, what would you do with your life?

I’d move into IT transformation. Moving from one IT environment to another involves a lot of organizational change management, from people and process to technology and projects. It’s super complex, and hardly anyone is truly excellent at it. So that’s what I’d get into. I find the complexity there fascinating. Organizational IT transformation takes all the complexity of tech, and then adds to it with the complexity of people, processes, and culture.

As a personal passion, I’d do search and rescue for people who’ve gotten into trouble hiking or biking or rock climbing. It’s a complex, real-world challenge with life-or-death stakes. If I could use my motorcycles to help achieve that, it would be better. It might help justify further motorcycle purchases and help my wife understand the wisdom in this.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah.

AWS Security Profiles: Sam Elmalak, Enterprise Solutions Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-sam-elmalak-enterprise-solutions-architect/


In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for three and a half years. I’m an Enterprise Solutions Architect, which means that I help enterprise customers think through their cloud strategy. I work with customers on everything from business goals and how to align those goals with their technology strategy to helping individual developers create well-architected cloud solutions. I also have an area of focus around security by helping a broader set of customers with their cloud journey and security practices.

How do you explain your job to non-tech friends?

I help my customers figure out how to use AWS and the cloud in a way that delivers business value.

What are you currently working on that you’re excited about?

From a project perspective, the AWS Landing Zone initiative (which also happens to be my 2018 re:Invent topic) is the most exciting. For the last two to three years, we’ve been providing guidance to help customers decide how to build environments in a way that incorporates best practices. But the AWS Landing Zone has a team that’s building out a solution that makes it easier for customers to implement those best practices. We’re no longer just telling customers, “Here’s how you should do it.” Instead, we’re providing a real implementation. It’s a prescriptive approach that customers can set up in just a few hours. This can help customers accelerate their cloud journey and reduce the work that goes into setting up governance. And the solution can be used by any company — including enterprises, educational institutions, small businesses, and startups.

What’s the most challenging part of your job?

I need to strike a balance between different initiatives, which means being able to focus on the right priorities for the moment. I don’t always get it right, but my hope is that I can always help customers achieve their goals. Another challenge is the sheer number of launches and releases—it can be difficult to stay on top of everything that’s being released while maintaining expert-level knowledge about it all. But that’s just a side effect of how quickly AWS innovates.

What’s your favorite part of your job?

The people I work with. I get to interact with so many smart, talented achievers and builders, and they’re always so humble and willing to help. Being around people like that is an amazing experience. Also, I get to learn nonstop. There are a lot of challenging problems to figure out, but there are also so many opportunities for growth. The job ends up being whatever you make of it.

In your opinion, what’s the biggest challenge facing cloud security right now?

Often, security organizations take the approach of saying “No.” They block things instead of making things happen by partnering with their business and development teams. I think the biggest challenge is trying to change that mindset. Skillset is also a challenge: Sometimes, people need to learn how to “do” security in the cloud in a way that keeps pace with their development team, and that can require additional skills. I believe training your entire organization to develop automation and approach problems and processes in an automated manner will help remove these barriers.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I think we’ll see more automation, more tooling, more partners, and more products — all of which will make it simpler for customers to adopt the cloud and operate there in an efficient, secure manner. As customers adopting the cloud mature, I also think the job of the security practitioner will change slightly — the work will become a matter of how to use all the available tooling and other resources in the most efficient manner. I suspect that artificial intelligence and machine learning, predictive analytics, and anomaly detection will start to play a more prominent role, allowing customers to do more and be more secure. I also think customers will be starting to think more of security in terms of users and devices rather than perimeter security.

How did you choose your session topics for re:Invent 2018?

This is my third year holding sessions on establishing a Landing Zone. Back in 2016, I had a few customers who asked me about how to set up their AWS environment. I spent quite a bit of time researching but couldn’t find a solid, well-rounded answer. So I took it upon myself to figure out what that guidance should include. I spoke with a number of more experienced people in AWS, and then proposed a re:Invent session around it. At the time, I thought it would sound boring and no one would want to attend. But after the session, feedback from customers was overwhelmingly positive and I realized that people were hungry for this kind of foundational AWS info. We put a team together to develop more guidance for our customers. The AWS Landing Zone initiative leverages that guidance by implementing best practices built by a talented team whose vision is to make our customers’ lives easier and more secure. Since then, re:Invent sessions on Landing Zone have expanded. We’re up to at least 18 sessions, workshops, and chalk talks this year, and we’ve even added a tag (awslandingzone) so they’re all searchable in the session catalog and customers can find them. In my presentations at re:Invent, we have a customer who will talk through what their journey looked like and how the AWS Landing Zone Solution has helped them.

What are you hoping that your audience will take away from these sessions?

I want customers to start thinking differently about a few areas. One is how to enable their organizations to innovate, build and release services/products more quickly. To do that, central teams need to think of the rest of their organization as their customers, then think of ways to onboard those customers faster by means of automated, self-service processes. Their idea of an application or a team also needs to be smaller than the traditional definition of an entire business unit. I actually want customers to think smaller — and more agile. I want them to think, “What if I have to accommodate thousands of different projects, and I want them all in different accounts and isolated workspaces, sitting under this Landing Zone umbrella?”

Thinking about that type of design and approach from the beginning will help customers start, innovate, and move forward while avoiding the pitfalls of trying to fit everything into a single AWS account. It’s a cultural mindshift. I want them to start thinking in terms of the people and the groups within their organizations. I want them to think about how to enable those groups and get them to move forward and to spend less time focused on how to control everything that those groups do. I want people to think of the balance between governance/security and control.

Any tips for first-time conference attendees?

Plan to do a lot of walking and have comfortable shoes. If you’ve signed up for sessions, get there early and remember that there are at least five venues this year — it’s important to factor in travel time. Other than that, I’d say visit the partner expo, meet other customers, and learn from each other. And ask us questions; we’ll do everything we can to help. Most importantly, enjoy it and learn!

If you had to pick any other job, what would you want to do with your life?

My current role comes down to helping empower people, which I love, so I’d look for a way to replicate that feeling elsewhere by helping people realize their talents and potential.

As a backup plan, I’d downsize, go live somewhere cheap and enjoy life, nature, music and tango…


Author

Sam Elmalak

Sam is an Enterprise Solutions Architect at AWS and a member of the AWS security community. In addition to helping customers solve their technical issues, he helps customers navigate organizational complexity and address cultural challenges. Sam is passionate about enabling teams to apply technology to address business challenges and unmet needs. He’s largely an optimist and a believer in people’s abilities to thrive and achieve amazing things.

AWS Security Profiles: Adrian Cockcroft, VP of Cloud Architecture Strategy

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-adrian-cockcroft-vp-of-cloud-architecture-strategy/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.

How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for two years, based out of the Palo Alto office in California. I tell people that I have three jobs. One is similar to the kind of thing that Werner Vogels does: I present keynotes at AWS summits. I’ve done fourteen keynotes so far, the biggest in New York last year and Tokyo this year. This gives me a calendar that takes me around the world, where I also spend a lot of time visiting customers, meeting with sales teams, gathering input, and talking to people about their architectural challenges, cloud migration challenges, and organizational challenges. I specialize in the architecture of highly available, multi-region, redundant use cases. That’s the second job. The third job is that I’ve recruited and now manage the team that looks after open source engagement from AWS (and to some extent from Amazon as a whole, as we support a few projects that are broader than AWS itself). We hired a bunch of senior, principal-level technologists who are open source specialists in different areas, and one of the most well-known things that has come out of this is AWS joining the Cloud Native Computing Foundation. I’m one of two board members representing AWS. My team has also created an open source web page that describes the work that AWS is doing in open source. We also have an open source blog.

What are you currently working on that you’re excited about?

My current focus is on resilience, particularly as it pertains to financial services. The problem that many financial services companies face is that their current infrastructure consists of data centers full of mainframes. But mainframe experts are retiring, and there aren’t very many millennial mainframe developers and operations people around. The talent pool is disappearing. So people at these institutions are beginning to ask themselves, “We use these mainframes to move trillions of dollars around. How do we run something like that on the cloud securely, and with extreme resilience?” These aren’t rhetorical questions. Financial institutions need to comply with government audits and standards and compliance rules. In fact, there’s a designation for these organizations — Strategically Important Financial Institutions (SIFI) — which means that they’re regulated in a very special way due to events like 9/11 and the 2008 market crash, events that can introduce systemic risk across the industry. AWS has the Well-Architected Guide to describe our current availability architecture, and we are deeply involved with some of these customers to upgrade it for SIFI workloads. The team is working across the sales organization, solutions architecture, and the service teams. We’re currently focused on the availability side of the question, but the security piece is also important: We’ll need the right options, from key management to private endpoints, to make it all viable. It’s a really interesting project, and one I’m deeply involved with.

How did you choose your particular topics for re:Invent this year?

I have one talk in the container track on chaos engineering, which I’m co-presenting with an engineer from one of our partners, Gremlin. Ana Medina is going to do a live demo of trying to break some container orchestration, and I’m going to do the setup, which is how we see chaos engineering playing out. Chaos engineering is a hot topic with a lot of customers. The high-level way of thinking about it is that most large customers have a failover strategy for their backup data centers. But most of them don’t test it very often: Testing is a big pain in the neck, it’s not reliable when you need it, and it’s expensive. However, if you’re failing over between two cloud regions, your APIs are the same, your capabilities are the same, and a lot of the things that make testing hard involve the drift between data centers. AWS just doesn’t have those problems. We’re managing all that out for you. This results in a highly automatable, productized, safe way to do failovers, which means you can test a lot more frequently. Instead of having one annual test, you can run them every quarter, or every month, or every week. And you’re doing low-level, fine-grain testing against individual instances and services. The upshot is that you end up with a much more resilient system, rather than something that once a year you come along and say, “I’m going to see if I can get it through the audit.” There are analogs to that in the security space as well: We’re moving from annual audits of your security architecture to continuous security where you’ve got tamperproof logs of configuration so you can prove that your system has never been in an insecure state, for example, rather than inspecting it every now and again and asking everybody if they’re processing tickets properly.

My second session is about trends in digital transformation. As I meet with customers around the world, I often hear them say, “We’re different than everyone else; we have all of these unique challenges.” And when they start to list their challenges, the list sounds exactly like the lists from twenty other companies. So eventually, I put all these challenges into a presentation that says, “Here are the four things that are blocking you from your technology transition.” This isn’t about adopting any particular set of AWS products. It’s really about the step before that: If you can’t absorb technological change, if you can’t do a cloud migration, if you can’t be agile, then you can’t keep up with the rest of the industry. What’s driving this digital transformation is the connectedness of customers and devices. Pretend you’re a manufacturing company that makes door locks. Traditionally, you’d put them in boxes, ship them off, and hope to never see them again — if products come back, it means they didn’t work. Now pretend you’re manufacturing a connected door lock — if you don’t hear from your door locks every five minutes, it’s a problem. It means your product is either broken, or the customer has stopped using it. Either way, the connected version requires you to continually monitor and understand how people are actually using it—and this shift applies to a huge number of industries. So I’ll be talking about how to navigate the various organizational and cultural blockers that exist within many companies.

What’s the most common problem you see customers running into when it comes to cloud security and compliance?

Over and over again, I see people doing data center security that’s largely enforced by network architecture. They have these complex sets of networks with firewalls, and they think if you’re in this box here, and we have a firewall around you, you’re safe. This segmentation model in data centers is largely based on network structure. Then, when customers start to move to the cloud, their security teams say, “We don’t care what you’re doing in the cloud as long as it follows this structure that we use in the data center.” This means you need to go off and build incredibly complex structures to resemble data center structures, all in order to get sign-off from the security teams. But once these systems are running, you’ll quickly find they’re much too complex — and completely the wrong architecture for cloud and cloud security. But it’s almost like you have to go through this step. It would be nice if we could convince security teams to buy into cloud best practices from the start and to use larger, flatter networks with other mechanisms for segmentation.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

Five or ten years ago, the cloud was a subset of the functionality of the data center. We’ve now flipped this: It’s hard to build a data center that’s even a pale imitation of a subset of an AWS account. We just have so much scalable functionality. I think that five years out, it will be difficult to even pass an audit in a data center. People are going to say, “You’re running that in a data center? I can’t guarantee anything about your configuration!” And you’re going to struggle to keep your data center from being overrun by hackers because you can’t control what’s going on. You’ll eventually hit the point where you can’t know enough about the data center to secure it. So you’ll move to the cloud, where, with the proper hygiene, you’ll be able to know everything. You can log everything that’s ever happened in a tamperproof log, and that ability allows you to make strong assertions.

I also think we’re starting to get governments around the world to support banking in the cloud. We’re still in the early stages, since this also requires teaching auditors how to understand what a banking audit looks like in the cloud: The goals are the same, but the implementation of patterns is different. We’re also seeing people using AWS Managed Services to create a PCI-compliant configuration from scratch via an API call, within a few hours. And then the auditor comes in, says, “You didn’t mess anything up. You’re done!” and walks away. I think these highly audited systems will start to be built in an extremely automated, repeatable way.

What does cloud security mean to you, personally?

I bought a house last year and have been installing all these IoT things, like door locks, lights, blinds, and yard sprinklers. These are all cloud services. I think we’re getting to a point where your personal security is tied up into the cloud. The security of all those items, which used to be physical security, is moving toward a cloud-based security model that’s going to touch people more and more as it all rolls out.


Author

Adrian Cockcroft

Adrian Cockcroft has had a long career working at the leading edge of technology, and is fascinated by what happens next. In his role at AWS, Cockcroft is focused on the needs of cloud native and “all-in” customers, and leads the AWS open source community development team.

AWS Security Profiles: Misty Haddox, AWS Customer Audit Manager

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-misty-haddox-aws-customer-audit-manager/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for about four years. I joined the Compliance team in 2013, where I built processes and established the groundwork for our external global audit programs and built our first AWS controls framework. After that, I left AWS for a year to join a software company, where I worked with some cool folks and was able to educate and help determine their strategy for all things compliance. The opportunity gave me great insight into who I am and reaffirmed my passion for being a builder and delivering! So I came back to AWS and joined the Professional Services team within Security, Risk, and Compliance, working directly with customers who are at varying stages of their AWS cloud journey. I’ve actually just started a new role on the Security Assurance team, where I’ll be managing customer audits and am looking forward to continuing my AWS journey.

What’s the most challenging part of your job?

It’s sometimes challenging to convince customers that they need to get all their teams involved in security and compliance. I’ll be supporting customer EBCs (Executive Briefing Centers) at re:Invent, with my topic focused on “compliance in the cloud,” but the attendees joining the meetings from the customer side are IT specialists and chief technology officers, I don’t see anyone from the compliance teams involved. It’s really hard to get customers to avoid operating in siloed environments. There’s always going to be upstream and downstream impacts when decisions are being made without a full understanding of your security and compliance landscape. We have this DevSecOps model at AWS, in which developers, security, and operations teams all work together on initiatives, and when we encourage customers to take a similar approach, we often get a response like, “That sounds great, but how does it really work?” But it does work — it’s what allows AWS to innovate so quickly. It’s so important for teams to talk to each other and work together to build integrated solutions.

What’s your favorite part of your work?

I have an innate ability to find anything wrong with something. It’s a unique skillset. I used to get frustrated with it, because it made me feel like a canary in a coal mine — but there’s actually value in this ability. It gives me the opportunity to dive into things and fix them before they become bigger issues, which I enjoy very much. I like fixing things. And I like having the ability to “look around corners” and understand what needs to be established in order to support or develop new programs, or to help existing programs scale.

What changes have you seen across the cloud security and compliance landscape over the course of your career?

I’ve worked in this field for 20 years, and compliance isn’t seen as a blocker or a bad word any more. People are starting to see it as a business enabler, which is really refreshing. Security in the nineties was IT-focused and very hands-on: You had a tangible thing you could touch, and policies drove the ways in which you hardened your posture. But now, it’s much more about interpretation and establishing your environment based on whatever processing is occurring within it. There’s no single right answer. If you practice security by design, and you understand your environment and your boundaries, and you build controls to support that, then that drives security, and you’re going to be compliant. This approach enables you more. You get the freedom to be more innovative in the cloud security space.

What’s the most common misperception you encounter about cloud security/compliance?

I sometimes work with customers who think that they’ll inherit all the compliance certifications that AWS provides. People assume that, because AWS has these, they don’t need to worry about anything. But that’s not the case. The controls you need to establish in your particular environment are going to be unique, based on how you build, what kind of data you have, and how you want to use it — compliance isn’t one-size-fits-all.

You’re co-presenting two different sessions for re:Invent 2018. How did you choose your topics?

The sessions are How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy, which I’m co-presenting with David McDermitt and Balaji Palanisamy, and Confidently Execute Your Cloud Audit: Expert Advice, which I’m co-presenting with Kristen Haught and Devendra Awasthi (from Deloitte).

Both are topics I’m super passionate about. At AWS, we talk a lot about the Shared Responsibility Model. But as we’ve deployed more services further up the stack, the lines of demarcation around responsibility have changed, and a lot of customers are uncomfortable determining what they’re responsible for. I’m using re:Invent as a chance to dive into that shared responsibility model with customers. It’s already the crux of every conversation we have with any customer at AWS, but we don’t tell them exactly what to do. Customers will ask what their controls should be, without understanding that it doesn’t start like that. The first step is to architect your environment and understand how it’s being engineered — because, depending on how you put the pieces together, the responsibility changes. So I’m using my sessions as a chance to really dive into the shared responsibility model with customers.

What are you hoping that your audience will take away from your sessions?

For the How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy session, I hope that customers walk away understanding that all teams need to be involved in the security and compliance conversation. It’s important not to operate in a silo.

For the Confidently Execute Your Cloud Audit: Expert Advice session, I want people to walk away understanding how to dive into control responsibility, and how to apply that knowledge once they’re back in their work environment, so they can look at their SOC report, if they issue one, or maybe determine if they even need one, and have a methodology that they can apply.

If you had to pick any other job, what would you want to do with your life?

I would love to be a crime scene investigator. I’m very fascinated with true life crime. I think it’s the challenge of putting the pieces of the puzzle together. I’m also fascinated by people, and I find the underlying sociology and psychology fascinating.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Misty Haddox

Misty is a passionate builder who’s learning to not take herself too seriously. She believes in the AWS mission and that we should raise the bar in all we do. She strives to look at any opportunity or experience, no matter what it is, as a way to learn and grow!

AWS Security Profiles: Min Hyun, Global Lead, Growth Strategies

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-min-hyun-global-lead-growth-strategies/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS almost two years, and I lead the Global Affairs team within Growth Strategies. We monitor the intersection between security, privacy, emerging technologies, and practices so that we can catch sight of emerging issues. Then we help both public and commercial sector customers prepare for what’s to come. Our goal is to provide clarity around the positions that AWS holds when it comes to the security and compliance implications of new technologies, whether that’s IoT, AIML, or whatever’s next. We want to earn people’s trust as thought leaders in the space.

How do you explain your job to non-tech friends?

We are like an internal think tank. We do a lot of anticipating, analyzing, advising, and advancing on specific top-of-mind customer concerns when it comes to security and privacy.

What are you currently working on that you’re excited about?

Where to start? Mark Becker, on my team, is actually developing the privacy statement/position for AWS right now. I’m excited about this because it’s the first step toward introducing our voice into some highly important and relevant conversations. AWS has historically been reticent on certain topics, but we’re starting to become more intentional about amplifying our position. We’re in an interconnected world now, and social media is being used across all demographics. How we apply security and privacy protections in this new world, and what AWS has to say about it (particularly from a privacy perspective) is something that I care about deeply as someone representing AWS and as a citizen. It’s a really good feeling to know that AWS is just as concerned about it, and is moving the dial as an organization and being more transparent about what it is that we do and how we protect our customers.

What’s the most challenging part of your job?

Getting folks to understand the value and merit behind what we do. A large part of our jobs comes down to the Amazonian leadership principle: “Are right, a lot.” We’re trusting an internal compass on what we need to chase down, so we can’t always provide empirical data up front. But we need to follow that compass. There’s this point where it starts to feel like we’re a voice crying out in the wilderness, but in every instance in which we’ve dug into something, folks have appreciated our impact and foresight after the fact. Still, it can get lonely being out there sometimes. We’re still convincing everyone to buy in.

What’s your favorite part of your job?

The people! I work with such brilliant, passionate people. I feel like I’m always growing as a professional and growing the depth and breadth of my own knowledge. That’s only possible because of the talent we have here.

In your opinion, what’s the biggest challenge facing cloud security and compliance right now?

I would say there’s a lot of misinformation about security in the cloud. Customers have taken what they know about traditional computing models and applied these concepts to the cloud. Our job is to secure the infrastructure, and we’ve got the highest level of talent working to do so and to make sure that customers are confident in moving to the cloud. But there’s this gap between what AWS is doing and what customers know about what we’re doing. We need to learn how to bridge that gap for our customers. We need to have these conversations in ways that resonate and make sense to them.

What’s the most common misperception you encounter about cloud security and compliance?

On the compliance side, some people think the more, the better. Specifically, they think the more security controls you have, the better. But that’s not the case. We’ve seen accreditation regimes out there that might have a high bar in terms of the sheer number of requirements you need to meet, but that doesn’t necessarily mean your security will be “better.” It just means that you have more items on your list that need to be checked off. The conversation needs to start with the security outcomes that you want to achieve. After that, you can decide what to do in the cloud to meet those outcomes.

When it comes to security, we don’t have a whole lot of control over what’s happening in the political environment, and some of the shakeup that happened with Edward Snowden and the resulting pieces of legislation have led folks — particularly people outside of the US — to mistakenly believe that US law enforcement has access to the cloud in ways that simply aren’t the case. We need to clear up the fear, uncertainty, and doubt associated with that.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

With emerging technology adoption, and what’s almost an arms race in technology, I think we’re going to see governments become much more aggressive when it comes to AI, machine learning, and blockchain as they start to realize how technology can become an enabler for their economies, their defense capabilities, you name it. Governments will start to become more aggressive in their efforts to be first to market. And we’ll see associated policies and requirements that impact the use of these technologies, plus security, privacy and the rest of the gamut.

What does cloud security mean to you, personally?

I really believe that governments need to modernize their technology to better achieve their missions. Think of the US Department of Homeland Security, which has a mission that extends into national security, public safety, and economy security. That’s a really big burden to bear, and technology can actually be an enabler that helps them deliver on their responsibilities faster and more efficiently. I’m eager to see the government modernize technology. One of the top blockers seems to be security, and this is often due to impressions that haven’t even really been confirmed — the blockers are perceived concerns. I’m very eager to help overcome those barriers so that governments will be able to integrate this technology into the mission critical work that they do.

Privacy is also deeply important to me as the mom of relatively young kids. I want to know that when I give my kids a device and they’re on an app, I don’t have to worry about data getting leaked or my kids being tracked by a company or a rogue individual. I want to be able to protect and preserve their safety and security.

How did you choose your particular topic for re:Invent this year?

So I’m co-hosting a chalk talk with Michael South that’s called Aligning to the NIST Cybersecurity Framework in the Cloud, and it’s actually based on the very first white paper that I worked on when I came to AWS. I was given free rein in terms of what to prioritize, so I said I wanted to do a white paper on the NIST cybersecurity framework (CSF). It’s a framework that provides a foundational set of cybersecurity practices that organizations can use, regardless of their sector or size. It helps your organization implement sound risk management and resiliency practices, and it’s been vetted by government, industry, and academic institutions around the world. NIST really does due diligence in terms of distilling its guidance into a subset of activities—a core list of practices that any organization should implement. I believe it’s becoming the de facto industry standard for both public and private sectors, so I think we need to talk to our customers about how we can enable them to align their organizations with the CSF using AWS services. We have so many tools available that can help customers secure their environment. And what I love about the CSF is, it’s not only about security. When correctly applied, it’s intended to support business outcomes. It provides a common taxonomy that allows different stakeholders within the business (from CEOs to security professionals) to talk about the underscoring horizontal function that security plays.

What are you hoping that your audience will take away from your session?

I want them to walk away thinking that cybersecurity risk management doesn’t have to be a complex, obscure, onerous thing. I want them to know that there’s a very sensible, pragmatic approach that they can implement within their organization, regardless of size, that will enable them to secure their assets, their data, and their network. And I want them to know that this CSF paper is actually a tool that will empower them to do that. There’s also a customer workbook portion that provides very tactical advice in terms of the actual AWS services that you can use that meet a particular security outcome. Our goal was to make it very user friendly.

Is there anything else we should know about your session?

The session will be discussing a refreshed version of the original white paper. We first issued it back in 2017, and we’ve refreshed it since then to align with NIST’s version as well as reflect an updated list of AWS services that align to the CSF. We also did our due diligence to ensure that the AWS services that are FedRAMP and ISO 27001 accredited have been validated by a third-party auditor so that customers can have the assurance that those particular services also align to the updated CSF.

If you had to pick any other job, what would you want to do with your life?

I have two very different answers. If I could make a hop inside of Amazon, I would love to go work with Amazon Fashion. And probably more realistically, I’d love to do nonprofit work. I would really love to be a voice for disadvantaged people and to help them be heard, especially the homeless, and disadvantaged children. There’s such a need to represent their needs. In the same way that I amplify topics of interest in my current role, I would love to amplify their voices.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Min Hyun

Min is the Global Lead for Growth Strategies at AWS. Her mission is to set the industry bar in thought leadership for security and data privacy assurance in emerging technology, issues, and leading practices to advance customers’ journeys to AWS.

AWS Security Profiles: Steven Laino, Security Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-steven-laino-security-architect/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for about 18 months, and I’m a Security Architect in the Global Security, Risk and Compliance Practice. My role is to help customers build the confidence and security capabilities they need in order to migrate their most sensitive applications to AWS.

What are you currently working on that you’re excited about?

So many things. I enjoy working on frameworks and methodologies, like the Cloud Adoption Framework. These resources help customers understand security in the cloud and more easily meet their security and compliance requirements. While security and compliance in themselves might not sound exciting, they really are an exciting piece of my work—as a customer, I’ve been through the experience of migrating to the cloud within a financial services company, and I’ve taken that experience with me to AWS. Now, I get to help other customers navigate the same process. Another area I’m focused on is innovating new ways to accelerate invention on behalf of our customers by developing tools and methods that help consultants more easily get their ideas to the proof of concept stage so customers can benefit even faster.

What’s the most challenging part of your job?

Time management is an ongoing challenge. There are so many areas in which we’re helping customers and doing really interesting work, and I want to be involved in as much of that as possible. It’s difficult to prioritize your passions like that. This leads me to one of the things I love most about my job: looking at the customer experiences, figuring out the pain points, and reinventing them.

What does cloud security mean to you, personally?

I care a lot about technology. I’ve been in IT for 30 years, and I’ve founded companies, one of which was an internet service provider. I think a lot of my passion for the cloud comes from the fact that I’ve been a customer and I’ve been on that adoption journey. It’s important to me to help customers understand the attention to detail and the standards we have at AWS. All of this enables them to keep their data secure which, in turn, allows them to pass that confidence to their own customers—more so than they’d be able to do on their own with their own data centers. Technology can help our customers make a better experience for their customers.

What’s the biggest challenge standing in the way of cloud adoption right now?

From a customer perspective, the biggest challenge is just achieving the understanding and education to reach that ah-ha moment where you understand how it really works and just how much due diligence AWS is putting in. AWS is vigilant about our customers’ security and privacy, and one of the great things about the cloud is that all of our customers get the benefit of all the best practices, AWS policies, architecture and processes that we’ve built to satisfy the requirements of our most security-sensitive customers, which is really a big deal once you start to put the pieces together. The other challenge a lot of people face is just knowing where and how to begin the cloud adoption process. And that’s where the Cloud Adoption Framework comes in. It’s an organizational tool that helps people identify the controls that they need, align them with their current compliance regime, and then actually implement them in a methodical way.

What’s the most common misperception you encounter about cloud security and compliance?

A lot of people think cloud security means only technical controls. The truth is that the move to the cloud requires an organizational and process transformation as well. Organizational shifts might include having developers, operations and security teams work very closely together, plus the integration of current processes to the cloud — for example, integrating the new cloud constructs into your current incident response workflows. Speaking from my own past experience, and from working with customers over the past 18 months, it’s common to encounter this misperception. But once you dive into the details and start to realize that security means people, platform and process that perception shifts. And again, part of my job is to build confidence in our customers by helping them understand that and guiding them through the process.

Initially, many people also think that they’re going to have to rewrite all of their security policies and standards for the cloud. But they often don’t really need to do that. That’s because the “what” and “why” behind the security policies does not change, although the implementation of those policies does. So instead of a rewrite, it becomes more of a translation.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think we’ll see more automation, compliance implementation, and related tools, like compliance and audit checks, coupled with automated remediation for things that aren’t compliant. I also think we’ll see more AWS Quick Starts, which are preconfigured reference deployments that customers can use to build complete environments in just a few steps.

Another shift we’re already seeing has to do with security professionals changing their skill sets: traditionally, these folks were more likely to have backgrounds in system administration or networking, and they probably weren’t developers by practice. But that’s led to challenges as organizations shift to the cloud and need employees who know how to do things like write security as code and understand how policies are codified. These skills are starting to develop, so I think we’ll continue to see more security professionals growing their skills in cloud formation and programming. More and more, it’ll be a true DevSecOps environment.

How did you choose your 2018 re:Invent topic?

I’m really excited to be presenting at re:Invent, and I initially chose a topic that I was passionate about—The AWS Cloud Adoption Framework. After I pitched to the re:Invent team, they asked if I’d be interested in co-presenting with Ben Potter and expanding the session to include both the Cloud Adoption Frameworks and the Well-Architected Framework. They’re a natural fit. So together, we’re presenting a session called Security Framework Shakedown: Chart Your Journey with AWS Best Practices.

What are you hoping that your audience will take away from it?

I want them to leave saying, “I finally understand how to begin helping my company migrate to the cloud.” My hope is that people will leave feeling like they know where to start and what the journey will look like, and that they’ll return to their jobs, read up on the Cloud Adoption Framework, and then piece together the foundational components that they need in order to begin the adoption process—things like inventorying their security controls and their tools and then mapping them together. Based off my own experience, once you realize that it’s not as difficult as you originally thought, you feel very energized. It tends to be another ah-ha moment.

If you had to pick any other job, what would you want to do with your life?

I would want to continue my previous path in law enforcement, which is interesting because there’s a parallel: If working as a security architect wasn’t an option and AWS didn’t exist, I’d still be doing work that helps ensure a secure environment.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Steven Laino

Steven is a Security Architect with AWS Professional Services. His career in Information Technology spans three decades and includes the founding of a physical security company as well as one of the first internet service providers in the US. For the past ten years, he’s helped financial service companies move sensitive workloads to the cloud. Steven holds CISSP-ISSAP, CCSP & CISM Security certifications and is a contributor to the Center for Internet Security Controls Framework.

AWS Security Profiles: Myles Hosford, Compliance Specialist

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-myles-hosford-compliance-specialist/

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for about two and a half years. I’m based in Singapore, and I work within the Financial Services Security and Compliance team as a Compliance Specialist. My responsibilities cover about nine different countries. I spend most of my time working with financial institutions like banks and insurance companies, helping them identify their security and compliance requirements as they move into the cloud. I’ve only been in this particular role for six months — I actually moved internally from a security position. Since I was already spending a lot of time with a couple of financial services accounts, it made sense for me to move into a more focused vertical. My new role gives me the chance to dive deeper into some of the challenges in the financial services space.

How do you explain your job to non-tech friends?

In the simplest terms, I advise customers on their journey to the cloud. The cloud itself is a pretty new technology, especially to more traditional organizations. Between the regulatory landscape and the way that large enterprises traditionally consume IT, this presents some unique challenges. So I help break those challenges down into small, manageable chunks.

What’s the most challenging part of your job?

Because the cloud is such a new model, financial organizations and large enterprises often need to do a lot of rethinking about security. What used to be appropriate for on-premise controls might not be suitable for the cloud — and there might be ways of “doing” security in the cloud that were just never conceived of before. This is especially true around automation and the use of APIs, both of which can provide real-time visibility into your environment that you just couldn’t get before. That’s not the only shift in perspective that needs to happen, though. The shift also involves people and processes. By that, I mean that there’s often a lot of retraining that organizations need to undertake. Say you’re an on-premise database administrator: If your company shifts to the cloud, you’d probably continue to be a database administrator. But the job is going to look a little different, and a lot of organizations haven’t started thinking about how to retrain and reposition their existing staff. This is an especially pressing problem when coupled with the existing global shortage of cybersecurity professionals.

What do you enjoy about your work? What makes you excited to get out of bed in the morning?

From a security perspective, I genuinely believe that being in the cloud is more secure than being on-premise. Before I joined AWS, I worked with some large investment banks and saw how much they struggled with foundational security requirements, like patch management, or configuring firewalls, or enabling least-privilege access for users across their estate. Tasks like this can be very difficult to accomplish with a traditional, on-premise approach. So once an organization really leans into the idea of cloud security — once they realize that everything can be automated — they tend to respond very positively and very quickly. One of my favorite parts of my job is when a customer’s internal security team starts to realize this. At the outset, not everyone is optimistic, so it’s very satisfying to see customers start to trust us and start to dive into services like Amazon GuardDuty. Watching their growing excitement makes it all worthwhile.

Do you have advice on how to handle the increased amount of data that organizations are now receiving as a result of automating their processes in the cloud?

The cloud is great, but it’s definitely possible to go overboard with tools and vendor products, until you suddenly have twenty or thirty different dashboards with data coming in all over the place. What I emphasize to my customers is this: It’s great to have real-time visibility and collect all the data that you can, but you always need to think about connecting that last mile. In other words, you need ways to get the right data in the right format to the right analysts. It’s really nice to be able to turn on a service like Amazon GuardDuty and have a dashboard. But unless someone is constantly monitoring that dashboard — which can be a pretty boring job — you need to think about what kinds of decisions you want to make based off of your data, and then you need to start automating that response. In a traditional security setting, you’d receive an alert, you’d go investigate, and you’d follow up on any issues. Even if you switch to AWS services, you still need to make those decisions, but the decision-making process can typically be compressed down to seconds or minutes, and you can set things up so that the cloud responds and protects itself. Say you’ve got a developer or a malicious actor making changes in your environment. Maybe someone accidentally disables multi-factor authentication or turns off encryption. You can protect against that in near-real time, maybe thirty or forty seconds after the fact. And then, using features like Amazon CloudWatch Events and AWS Lambda functions, you can get your system to stop the threat and self-heal by re-enabling the encryption or the password policy or what-have-you. This type of automation and self-healing — the next generation of cloud security — is what customers get really excited about once they start to understand the possibilities.
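The detect-and-heal loop described above, as an added example that is not part of the original post or AWS's own code: a Lambda handler for a CloudWatch Events rule that re-applies default encryption after a DeleteBucketEncryption call. The role ARN, bucket name and sample event are constructed assumptions, and the S3 call is injected so the decision logic runs without AWS credentials.

```python
"""Added example, not code from the original post or from AWS: the
event-driven self-healing step described above.  A CloudWatch Events rule
matching "AWS API Call via CloudTrail" events invokes this Lambda handler;
when the call was DeleteBucketEncryption, the handler puts the bucket's
default server-side encryption back.  The role ARN and sample event are
constructed placeholders."""
from typing import Any, Callable, Dict, Optional

# Baseline re-applied when default encryption is removed (assumption: SSE-S3
# with AES256 is the organisation's minimum; a KMS key could be used instead).
BASELINE_SSE: Dict[str, Any] = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}

# Principal the remediation itself runs as (hypothetical).  Its own calls are
# ignored so a mis-scoped event rule cannot make the function chase itself.
REMEDIATION_ROLE_ARN = (
    "arn:aws:sts::123456789012:assumed-role/RemediateS3Encryption/lambda"
)


def parse_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return {"bucket": ..., "actor": ...} when the event is a successful
    DeleteBucketEncryption call made by someone other than us, else None."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "s3.amazonaws.com":
        return None
    if detail.get("eventName") != "DeleteBucketEncryption":
        return None
    # A call that was denied (errorCode present) changed nothing to heal.
    if detail.get("errorCode"):
        return None
    actor = (detail.get("userIdentity") or {}).get("arn", "unknown")
    if actor == REMEDIATION_ROLE_ARN:
        return None
    bucket = (detail.get("requestParameters") or {}).get("bucketName")
    if not bucket:
        return None
    return {"bucket": bucket, "actor": actor}


def remediate(event: Dict[str, Any],
              put_bucket_encryption: Callable[..., Any]) -> Dict[str, Any]:
    """Decide and apply the fix.  The S3 call is injected so the logic can be
    exercised without AWS credentials; returns a small audit record."""
    target = parse_event(event)
    if target is None:
        return {"action": "ignored"}
    put_bucket_encryption(
        Bucket=target["bucket"],
        ServerSideEncryptionConfiguration=BASELINE_SSE,
    )
    return {"action": "re-encrypted", "bucket": target["bucket"],
            "actor": target["actor"]}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point wired to the CloudWatch Events rule (real boto3 call)."""
    import boto3  # imported here so the decision logic stays testable offline
    s3 = boto3.client("s3")
    record = remediate(event, s3.put_bucket_encryption)
    print(record)  # lands in CloudWatch Logs as the remediation audit trail
    return record


# Constructed sample event in the shape CloudWatch Events delivers for
# CloudTrail API calls (not a real captured event).
SAMPLE_EVENT: Dict[str, Any] = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketEncryption",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {"bucketName": "example-payments-data"},
    },
}

if __name__ == "__main__":
    calls = []
    print(remediate(SAMPLE_EVENT, lambda **kw: calls.append(kw)))
```

The same pattern applies to the other "someone turned it off" cases in the interview (an MFA device deactivated, a password policy weakened) by matching the corresponding CloudTrail eventName and calling the matching re-enable API.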

Speaking of “next generation,” what kinds of changes do you think we’ll see across the security and compliance landscape within the next five years?

Right now, we’re at a point where organizations just need to get the basics down, and I think AWS is doing a very good job of allowing people to start standardizing their infrastructure and applications. But one trend I’ve seen in the last year or so is an uptick in machine learning and AI. Within AWS, those technologies are starting to power some of our other services, like Amazon GuardDuty and Zelkova. I think that this trend will continue, with more and more capabilities like cyberthreat intelligence and cyber-hunting. This will enable organizations to move beyond patch management and basic infrastructure security, and toward more advanced tools that will allow them to track down bad actors within their estates, hopefully both raising their security bar against fresh vulnerabilities and making more efficient use of their security personnel’s time — which, again, I think is very important given the general shortage of skills and headcount within cloud security.

You’re co-presenting a 2018 re:Invent session with Phil Rodrigues about debunking cloud security myths. How did you choose this topic?

When I meet with new security and compliance teams, they typically have lots of questions (and rightfully so). It’s important that I earn their trust since I’m asking them to trust AWS with their assets and data. And in my experience, there’s this journey of questions that many people go through. The re:Invent session is meant to guide people through this journey and to debunk some of the most common cloud security myths that I encounter. The session is tailored to organizations and customers who don’t have much experience with the cloud. I expect them to have some foundational questions, like “Is my actual data stored in an actual data center somewhere?” So I’ll talk about the way that our regions work, and where data is stored across AWS. This lets people get comfortable with the idea that yes, your data is in a data center with strong physical security controls. Then we’ll move to some specific questions around AWS and the support that we can provide to organizations, whether through contractual commitments or regional compliance programs. After that, I’ll pick out a couple of notable services that have gotten a lot of press. Take Amazon Simple Storage Service (Amazon S3): There’s been some discussion of open S3 buckets — but people might not realize that S3 buckets are actually private by default. You have to go out of your way to make them public. We’ll wrap up with some questions from the audience. I want people to walk away from the talk feeling like they have a high-level understanding of cloud security from start to finish.

Do you have any tips for first-time conference attendees?

Obviously, take a look at the agenda ahead of time and try to reserve seats for the sessions that you’re most interested in. Beyond that, network with as many of your peers as possible. Reach out to people that you meet, whether on LinkedIn or social media, and as you see people around the conference, try to interact with them. Everyone’s coming to learn, and everyone’s hopefully friendly and approachable. Find out what other people are working on, share your best practices, take away some new best practices, and just have fun with it all.

You’re based out of Singapore: What’s one thing that a visitor to Singapore should make time for?

If you come to Singapore, make sure that you spend some time trying local food. Singapore has amazing food. If you don’t mind spicy, I’d recommend the national dish, which is Singapore Chili Crab — a big crab poured over with chili oil and served with bread for dipping. It’s amazing.

Do you have anything else that you’d like to touch on?

Using the cloud to protect the cloud is a great idea. And obviously, developments around AI and automation really help out. Once people start to understand that you can move away from a static, point-in-time security posture and toward a self-healing infrastructure that fixes its own misconfigurations, it’s a pretty cool place to be.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Myles Hosford

Myles is a Compliance Specialist on the AWS Financial Services Security and Compliance team. He’s based out of Singapore, where he helps financial institutions in the APAC region transition to the cloud.

AWS Security Profiles: Brittany Doncaster, Solutions Architect

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-brittany-doncaster-solutions-architect/

How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS a little over four years. I work as a Solutions Architect in the Atlanta office. I spend most of my time talking to customers about architecture and best practices, whiteboarding solutions, and helping people move their existing IT infrastructure to AWS solutions. Essentially, I’m the technical point of contact for my customers.

If someone wanted to become a solutions architect, what advice would you give them?

I think the most important quality to have is technical breadth, because you’ll deal with a lot of different technologies. But you also need to have a natural curiosity. You’ll always encounter things that you don’t know, so you need to be able to investigate and learn in order to find the answers.

Tell us about your own past work experience: What helped you get here?

I started my career as a software developer, then I became a software architect leading development teams. From there, I began working on enterprise-level architecture and then got into cloud technology before joining Amazon.

What’s the most challenging part of your job?

The pace of technology. You need to know so many things. When I joined AWS, there were roughly 30 services I needed to know about. Now, there are well over 100. But while the pace is challenging, it’s also the best part of my job. I’m always learning. It goes back to that natural curiosity.

What’s the most common misperception you encounter about cloud security?

Security personnel are used to dealing with policy documents and spreadsheets when performing security tasks on-premise. When moving to AWS, many people have to shift their mindset regarding how they view security. It’s no longer documents and spreadsheets, but instead code. The insight you can have into your AWS environment via our services allows for automated remediation and alerting that wouldn’t have been possible previously. By moving to a model where your security policies are enforced by code, securing the environment happens much quicker and in a much more repeatable manner.

You’re co-presenting a session at re:Invent 2018 about using AWS Lambda as a security team. What are you hoping that your audience will take away from your session?

I hope they’ll shift their thinking away from the need to write policy documents and toward using services like AWS Lambda, instead. I want to help attendees get a feel for how easy Lambda is to use, and to see how Lambda can be the glue for the security team, tying together automated monitoring, auditing, and remediation.

Any tips for first-time conference attendees?

Every year is different, so every year is like a first year! Embrace it and jump in.

If you had to pick any other job, what would you want to do?

I’d be a Geologist – I love rocks!

Author

Brittany Doncaster

Brittany is a Solutions Architect based out of Atlanta, GA. She comes from a development background. She now works with enterprise customers in the Southeast to adopt cloud technologies and architect using best practices. She specializes in Security and Serverless technologies.

AWS Security Profiles: Brigid Johnson, Senior Manager of Product Management

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-brigid-johnson-senior-manager-of-product-management/

How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS a little over four years. I’m currently the Senior Manager of Product Management in AWS Identity. I head a team of product managers that manage AWS Identity and Access Management (IAM) and AWS Secrets Manager.

How do you explain your job to non-tech friends?

I’m the voice of the customer. I work to simplify security for AWS customers.

What are you currently working on that you’re excited about?

A lot of my work is focused on how we can simplify permissions management at scale. Customers are moving an enormous number of workloads to AWS, and a lot of teams are on-boarding to manage those workloads. And often, a lot of applications need access to resources within AWS. Companies rely on granular permissions to manage their resources and data securely. My team is working on the tools and experiences to make this experience easy.

What’s the most challenging part of your job?

AWS IAM and AWS Secrets Manager are services that every AWS customer will use, from small start-ups to really large enterprises. Balancing their needs, use cases, and requirements, and then creating a product vision based on this information is challenging—and also very rewarding.

What’s your favorite part of your job?

Talking with customers. I find it incredibly fascinating to hear what people are building on top of AWS, how they’re using our system, and what they need more of. And while I really love presenting AWS products on stage, it’s usually brainstorming meetings with a central security team or someone who manages permissions at a small startup that I love the most. I love real conversations about day-to-day routines and experiences. It helps me hone in on where we need to innovate.

How did you choose your particular topic for re:Invent this year?

The session, Become an IAM Policy Master in 60 Minutes or Less, has been going on for years. Before I took over, my previous manager ran it. Policies are very, very powerful. You can write granular permission rules, and there are some really cool things I’ve seen customers do with them. The session is a way for me to show people that power, and then show them how to think about permissions and use IAM policies. You can use policies to control access to both applications and users in a very granular way. It’s really rewarding to watch as people start to get it—and then get excited about new possibilities of their security posture.

So, how are you going to make someone an IAM Policy Master in 60 minutes?

There are three parts: First, I’ll go through some policy basics. This section’s fairly short, since this is a more advanced session. Next, I’ll explore how to reason and think about policy evaluation. When I explain this in a certain way with customers, I can often see them get it and the lightbulbs go on. This provides them with the foundation to go back and work with their teams to create better permissions rules. Finally, I go into some specific policy types and where you can use these, so people have a framework for understanding different policy types. This section includes use cases for how and why you might use different types. My favorite part of the sessions is at the end: I go through some of my favorite complex use cases and show the real power and granularity of the AWS permissions model.

What are you hoping that your audience will take away from your session?

I want them to have a deeper understanding of the power of our policies. And, honestly, I want them to go play and explore. So many times, when we’re setting up permissions, we’re trying to get something done, and so we go through the set-up really quickly—and I should stress that my team is working to make that set-up quicker and easier. But if you’re part of a central security team, and you spend a little time exploring the ninja moves that I’m going to explain in my session, you can more easily scale your permissions management. Spending just a little bit of up-front cost to explore and figure out how things work will make your permissions management much easier.

Any tips for first-time conference attendees?

Two tips: One, be sure to go to sessions that interest you, even if you know nothing about the topic. At the end of the day, the conference is a chance for you to explore. Two, try spending some time outside. Being indoors all day can be more draining than you think. A little outdoor time helps keep your energy level up.

What does cloud security mean to you, personally?

Permissions are critical to running workloads in the cloud. Here’s why I’m passionate about this topic. Permissions enable people to build without getting themselves into trouble accidentally. The easier that AWS makes permissions (and managing permission in the cloud), the easier and faster it is for customers to onboard workloads to AWS—and the easier and faster it is for builders to build on AWS. And that’s what really inspires me. If builders are blocked because they don’t have access to something that they should, it’s a frustrating experience. It also means they’re not building the next cool app I didn’t know I needed, solving healthcare challenges, or innovating as fast as they can. My goal, and what I love about my work, is getting to innovate in ways that make security easier by default. People can operate safely in the cloud, and they can still move fast to build exciting things.

In your opinion, what’s a challenge facing cloud security teams right now?

AWS innovates really quickly. We send out a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author their permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up to date information, and of course the AWS Security Blog.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I think we’ll see more preventative security controls turned on by default, rather than controls that rely on you to go turn them on. If you have a use case where you need to turn things off, you’ll still be able to do so. But I think turned on will become the new default, and that more management tools and services will be able to “do” security for you. This might mean that the job of the central security team will move away from building out systems and toward consuming information that comes from these systems and using it to make judgment calls based on environment and workload.

If you had to pick any other job, what would you want to do with your life?

I’ve always thought it would be fun to build and run my own sleep-away camp for girls. I’m an avid horseback rider, so there would be a lot of horseback riding. If I had to do something else, I’d go buy a plot of land somewhere and make it happen.

Author

Brigid Johnson

Brigid manages the Product Management team for AWS IAM. Prior to her career at Amazon, she received her MBA from the Carnegie Mellon’s Tepper School of Business. Brigid spent her early career as a consultant for Accenture and an engineer for JPMorgan Chase, after receiving an undergraduate degree in Computer Science from University of Illinois. In her spare time, Brigid enjoys riding and training her new horse Pickles.

AWS Security Profiles: Eric Brandwine, VP and Distinguished Engineer

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-eric-brandwine-vp-and-distinguished-engineer/

How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for 11 years, and I report to Steve Schmidt, who’s our Chief Information Security Officer. I’m his Chief Engineer. I engage across the entire AWS Security Org to help keep the bar high. What we do all day, every day, is help AWS employees and customers figure out how to securely build what they need to build.

What part of your job do you enjoy the most?

It’s a trite answer, but it’s true: delivery. I enjoy impacting the customer experience. Often, the way security impacts the customer experience is by not impacting it, but we’re starting to launch a suite of really exciting security services for customers.

What’s the most challenging part of your job?

It’s a combination of two things. One is Amazon’s culture. I love the culture and would not change it, but it poses particular challenges for the Security team. The second challenge is people: I thought I had a computer job, but it turns out that like pretty much all of the Senior Engineers I know, I have a people job as much as or more than I have a computer job. Amazon has a culture of distributed ownership and empowerment. It’s what allows the company to move fast and deliver as much as it does, and it’s magnificent. I wouldn’t change it. But as the Security team, we’re often in a position where we have to say that X is no longer a best practice. Whatever the X is—there’s been a new research paper, there’s a patch that’s been published—everyone needs to stop doing X and start doing Y. But there’s no central lever we can pull to get every team and every individual to stop doing X and start doing Y. I can’t go to senior leaders and say, “Please inform your generals that Y needs to be done,” and have that message move down through the ranks in an orderly fashion. Instead, we spend a lot of our time trying to establish conditions, whether it’s by building tools, reporting on the right metrics, or offering the right incentives that drive the organization towards our desired state. It’s hacking people and groups of people at enormous scale and trying to influence the organization. It’s a tremendous amount of fun, and it can also be maddening.

Do you have any advice for people early in their careers about how to meet the challenge of influencing people?

I’ve got two lessons. The first is to take a structured approach to professional interactions such as meetings and email strings. Before you start, think through what your objective is. On what can you compromise? Where are you unwilling to compromise? What does success look like? Think through the engagement from the perspective of the other parties involved. This isn’t to say that you shouldn’t treat people like people. Much of my success is due to the amount of coffee and beer that I’ve bought. However, once you’re in the meeting or whatever, keep it on topic, drive towards that outcome, and hopefully end early so there’s time for coffee.

The other is to shift the discussion towards customers. As a security professional, it’s my job to tell you that you’ve done your job poorly. That thing that you sweated over for months? The one that you poured yourself into? Yeah, that one. It’s not good enough, it’s not ready to launch. This is always a hard discussion to have. By shifting the focus from my opinion versus yours to trying to delight customers, it becomes a much easier discussion. What should we do for customers? What is right for customers? How do we protect customers? If you take this approach, then you can have difficult conversations with peers and make tough decisions about product features and releases because the focus is always on the customer and not on social cohesion, peer pressure, or other concerns that aren’t customer-focused.

Tell us about your 2018 re:Invent topic. How did you choose it?

My talk is called 0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Security. I chose the topic because a lot of security issues come down to judgment calls that result in very finely graduated shades of gray. I’ve seen a lot of people struggle with that ambiguity—but that ambiguity is actually central to security. And the ability to deal with the ambiguity is one of the things that enables a security team to be effective. At AWS, we don’t have a checklist that we go down when we engage with a product team. That lack of a checklist makes the teams more likely to talk to us and to bring us their problems, because they know we’re going to dig into the problem with them and come up with a reasoned recommendation based on our experience, not based on the rule book. This approach is excellent and absolutely necessary. But on the flipside, there are times when absolutes apply. There are times when you draw a bright line that none shall pass. One of the biggest things that can enable a security team to scale is knowing where to draw those bright lines and how to keep those lines immaculately clean. So my talk is about that tension: the dichotomy between absolute black and white and the pervading shades of gray.

What are some of the common misperceptions you encounter about cloud security?

I’ve got a couple. The first is that choosing a cloud provider is a long-term relationship. Make sure that your provider has a track record of security improvements and flexibility. The Internet, your applications, and your customers are not static. They’re going to change over time, sometimes quite quickly. Making it perfect now doesn’t mean that it will be perfect forever, or even for very long. At Amazon, we talk about one-way doors versus two-way doors. When going through a one-way door you have to be very sure that you’re making a good decision. We’ve not found a way to reliably and quickly make these decisions at scale, but we have found that you can often avoid the one-way door entirely. Make sure that as you’re moving your applications to the cloud, your provider gives you the flexibility to change your mind about configurations, policies, and other security mechanisms in the future.

The second is that you cannot allow the perfect to be the enemy of the good. Both within Amazon and with our customers, I’ve seen people use the migration to the cloud as an opportunity to fix all of the issues that their application has accreted over years or perhaps even decades. These projects very rarely succeed. The bar is so high, the project is so complex, that it’s basically impossible to successfully deliver. You have to be realistic about the security and availability that you have now, and you have to make sure that you get both better security when you launch in the cloud, and that you have the runway to incrementally improve over time. In 2016, Rob Joyce of the NSA gave a great talk about how the NSA thinks about zero-day vulnerabilities and gaining access to systems. It’s a good, clear articulation of a well-known security lesson, that adversaries are going to take the shortest easiest path to their objective. The news has been full of low-level side channel attacks like Spectre and Meltdown. While you absolutely have to address these, you also have to adopt MFA, minimize IAM policies, and the like. Customers should absolutely make sure that their cloud provider is someone they can trust, someone who takes security very seriously and with whom they can have a long-term relationship. But they also have to make sure that their own fundamentals are in order.

If you had to pick a different job, what would it be?

I would do something dealing with outer space. I’ve always read a lot of science fiction, so I’ve always had an interest, and it’s getting to the point where space is no longer the domain of large government agencies. There are these private companies that are doing amazing things in space, and the idea of one of my systems in orbit or further out is appealing.

Author

Eric Brandwine

By day, Eric helps teams figure out how to cloud. By night, Eric stalks the streets of Gotham, keeping it safe for customers. He is marginally competent at: AWS, Networking, Distributed Systems, Security, Photography, and Sarcasm. He is also an amateur parent and husband.

AWS Security Profiles: Ben Potter, Security Lead, Well-Architected

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-ben-potter-security-lead-well-architected/

How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for four and a half years. I started as one of the first mid-market territory Solution Architects in Sydney, then I moved to professional services doing security, risk, and compliance. For the last year, I’ve been the security lead for Well-Architected, which is a global role.

What is Well-Architected?

It’s a framework that contains best practices, allowing you to measure your architecture and implement continuous improvements against those measurements. It’s designed to help your architecture evolve in alignment with five pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. The framework is based on customer data that we’ve gathered, and learnings that our customers have shared. We want to share these learnings with everyone else.

How do you explain your job to non-tech friends?

Basically, I listen to customers a lot. I work with specialists and service teams around the world to help create security best practices for AWS that drive the Well-Architected framework. My work helps customers make better cloud security decisions.

What are you currently working on that you’re excited about?

I’ve been developing some in-depth, hands-on training material for Well-Architected, which you can find on GitHub. It’s all open-source, and the community is welcome to contribute. We’re just getting started with this sort of hands-on content, but we’ve run AWS-led sessions around the globe using this particular content, including at our AWS Security Lofts throughout the USA — plus Sydney, London, and Singapore — and we’ve gotten very positive feedback.

What’s the most challenging part of your job?

Everyone has different priorities and opinions on security. What a Singapore financial startup thinks is a priority is completely different from what an established bank in London thinks — which is completely different from the entertainment industry. The priorities of startups often center around short time-to-market and low cost, with less focus on security.

I’m trying to make it easy for everyone to be what we call Well-Architected in security from the start, so that the only way to do something is via automated, repeatable, secure mechanisms. AWS is great at providing building blocks, but if we can combine those building blocks into different solution sets and guidance, then we can help every customer be Well-Architected from the beginning. Most of the time, it doesn’t cost anything additional. People like me just need to spend the time developing examples, solutions, and labs, and getting them out there.

What does cloud security mean to you, personally?

Cloud security is an opportunity to rethink cybersecurity — to rethink the boundaries of what’s possible. It’s not just a security guard in front of a data center, with a big, old-fashioned firewall protecting the network. It’s a lot deeper than that. The cloud lets you influence security at every layer, from developers all the way to end users. Everyone needs to be thinking about it. I had a big presentation earlier this year, and I asked the audience, “Put your hand up if you’re responsible for your organization’s security.” Only about a quarter of the audience put their hands up. But that’s not true — it’s everyone’s responsibility. The cloud provides opportunities for businesses to innovate, improve their agility and ability to drive business value, but security needs to go hand-in-hand with all of that.

What’s the biggest issue that you see customers struggling with when it comes to cloud security?

A lot of customers don’t think about the need for incident response. They think: I don’t want to think about it. It’s never gonna happen to me. No, my access keys will never be lost. It’s fine. We’ve got processes in place, and our developers know what they’re doing. We’re never gonna lose any access keys or credentials. But it happens, people make mistakes. And it’s very important for anyone, regardless of whether or not they’re in the cloud, to be prepared for an incident, by investing in the tools that they need, by actually practicing responding to an incident, and by having run books. If X does happen, then where do I start? What do I need to do? Who do I need to communicate with? AWS can help with that, but it’s all very reactive. Incident response needs to be proactive because your organization’s reputation and business could be on the line.

In your opinion, what’s the biggest challenge facing the cloud security industry right now?

I think the biggest challenge is just staying up to date with what’s happening in the industry. Any company that develops software or tools or services is going to have a predefined plan of work. But often, security is forgotten about in that development process. Say you’re developing a mobile game: you’d probably have daily agile-style stand-ups, and you’d develop the game until you’ve got a minimum viable product. Then you’d put it out there for testing. But what if the underlying software libraries that you used to develop the game had vulnerabilities in them, and you didn’t realize this because you didn’t build in a process for hourly or daily checking of vulnerabilities in the external libraries you pulled in?

Keeping up to date is always a challenge, and this is where the cloud actually has a lot of power, because the cloud can drive the automated infrastructure combined with the actual code. It’s part of the whole DevOps thing — combining infrastructure code with the actual application code. You can take it all and run automated tools across it to verify your security posture and provide more granular control. In the old days, nearly everyone had keys to the data center to go in and reboot stuff. Now, you can isolate different application teams to different portions of their cloud environment. If something bad does happen, it’s much easier to contain the issue through the segmentation and micro-segmentation of services.

Five years from now, what changes do you think we’ll see across the security landscape?

I think we’re going to see a lot of change for the better. If you look at ransomware statistics that McAfee has published, new infection rates have actually gone down. More people are becoming aware of security, including end users and the general public. Cyber criminals go where the money is. This means organizations are under increasing pressure to do the right thing in terms of public safety and security.

For ransomware specifically, there’s also nomoreransom.org, a global project for which I was the “Chief Architect” — I worked with Europol, McAfee, and Kaspersky to create this website. It’s been around for a couple of years now, and I think it’s already helping drive awareness of security and best practices for the public, like, don’t click on this phishing email. I co-presented a re:Invent presentation on this project a few years ago, if you want more info about it.

Tell us about the chalk talk you’re giving at re:Invent this year.

The Well-Architected for Security chalk talk is meant to help customers get started by helping them identify which best practices they should follow. It’s an open Q&A. I’ll start by giving an overview of the Well-Architected framework, some best practices, and some design principles, and then I’ll do a live Q&A with whiteboarding. It’ll be really interactive. I like to question the audience about what they think their challenges are. Last year, I ran a session on advanced web application security that was really awesome because I actually got a lot of feedback, and I had some service team members in the room who were also able to use a lot of feedback from that session. So it’s not just about sharing, it’s also listening to customers’ challenges, which helps drive our content road map on what we need to do for customer enablement in the coming months.

Your second re:Invent session, the Security Framework Shakedown, says it will walk you through a complete security journey. What does that mean?

This session that Steve Laino and I are delivering is about where you should start in terms of design: How to know you’re designing a secure architecture, and how the Cloud Adoption and Well-Architected frameworks can help. As your company evolves, you’re going to have priorities, and you can’t do everything right the first time. So you’ll need to think about what your priorities are and create your own roadmap for an evolving architecture that becomes continually more secure. We’ve got National Australia Bank co-presenting with us. They’ll share their journey, including how they used the Cloud Adoption Framework to get started, and how they use Well-Architected daily to drive improvement across their platform.

Broadly, what are you hoping that your audience will take away from your sessions? What do you want them to do differently?

I want people to start prioritizing security in their day-to-day job roles. That prioritization means asking questions like, “What are some principles that I should include in my day-to-day work life? Are we using tools and automation to make security effective?” And if you’re not using automation and tools, then what’s out there that you can start using?

Any tips for first-time conference attendees?

Get out there and socialize. Talk to your peers, and try to find some mentors in the community. You’ll find that many people in the industry, both in AWS and among our customers and partners, are very willing to help you on a personal basis to develop your career.

Any tips for returning attendees?

Think about your goals, and go after them. You should be willing to give your honest feedback, too, and seek out service team members and individuals that have influenced you in the past.

You’re from Adelaide. If somebody is visiting your hometown, what would you advise them to do?

The “Mad March” festivities should not be missed. If you like red wine, you should visit the wine regions of Barossa Valley or McLaren Vale — or both. My favorite is definitely Barossa Valley.

The AWS Security team is hiring! Want to find out more? Check out our career page.

Want more AWS Security news? Follow us on Twitter.

Author

Ben Potter

Ben is the global security leader for the AWS Well-Architected Framework and is responsible for sharing best practices in security with customers and partners. Ben is also an ambassador for the No More Ransom initiative, helping fight cyber crime with Europol, McAfee, and law enforcement across the globe.

AWS Security Profiles: Don “Beetle” Bailey, Senior Principal Security Engineer; Brian Wagner, FSI Compliance Specialist

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-don-beetle-bailey-senior-principal-security-engineer-brian-wagner-fsi-compliance-specialist/



How long have you been at AWS, and what do you do in your current role?

Beetle: I’ve been at Amazon for eight and a half years, and I’m a Senior Principal Security Engineer. I helped build the AWS Security team from scratch, and for a while I wrangled security operations, threat intelligence, application security, and security engineering for all of AWS, reporting to our CISO Steve Schmidt. I’m still fairly involved with all that, while focused on proactive outreach to independent and academic security research communities. I also represent AWS for the Linux Foundation’s Core Infrastructure Initiative. When I get the time and can put my head down, I geek out on fun things for re:Invent that I think will benefit our customers. Before Amazon, I was a Principal Engineer for the Mitre Corporation for eleven years, and before that, I was in the US Army. I’ve always felt that being a “security geek” is a calling. Whether I’m helping people tackle emergent issues in the moment, or figuring out how new customer experiences can be delivered in a secure manner, it’s all very rewarding.

Brian: I’ve been at AWS just over five years. I joined AWS as a Solutions Architect in Berlin, Germany, in 2013, where I worked in the enterprise space. I wasn’t a security guy by title, but it came up a lot in my day-to-day work — the cloud was pretty new back then and there was a lot of discussion about the security of it. In 2016, I moved to London and joined Professional Services as a full-time Security Consultant, which allowed me to work with customers in-depth and for very long periods of time, primarily in the financial services industry. Recently, I took on a new role as a Compliance Specialist in financial services. I’ve basically taken the in-depth experience I gained from my time in Professional Services and turned it into a position that lets me help multiple customers. I should note that when I was in Professional Services, I owned the incident response messaging activities for Professional Services and Security globally, which is relevant because our session at re:Invent this year is about incident response. My new job title of Compliance Specialist might make attendees wonder, “What’s he doing up there talking about incident response?”

How do you explain your job to non-technical friends?

Brian: I just tell people that I sell dictionaries door-to-door. It’s much simpler than the truth.

Beetle: For the longest time, my kids thought I filled the Amazon boxes that show up on people’s doorsteps. Again, it’s a lot simpler than the truth. But I usually just ask folks if they’ve heard of “the cloud,” then explain that if you do things online like shopping, or storing data, or completing a banking transaction, a lot of those experiences are actually happening on the AWS cloud — and I’m one of the security geeks that helps make sure those activities happen in a secure manner.

Brian: Yes, that’s how I’d also describe it. For my particular role, I’d add that my focus is on helping AWS customers be secure.

What’s your favorite part of your job?

Beetle: My favorite part is interacting with customers. The opportunities that I get to talk to customers during re:Invent, the Summits, and the pop-up Lofts are super important to me. That interaction is absolutely my favorite part of the job.

Brian: What I love the best is getting to watch customers have that “ah-ha” moment. I’ve been living and breathing the cloud every day for over five years, but plenty of people are just getting started and figuring out how to make it all work. It’s very satisfying to see that lightbulb moment, when they go from “trial-and-error” to “this is working out…” and then, “Hey, now it all makes sense!” There’s always that moment with customers and it’s absolutely my favorite.

Beetle: Sometimes we see those lightbulbs go off in the audience when we’re presenting, and it’s great!

Speaking of the crowd, tell us about your re:Invent topic.

Beetle: So the title of our talk is AWS Security in your Sleep, and it builds on a number of talks that we’ve given in the past that demonstrate how to achieve security goals through automation. When you start doing things at scale, or if you want to be able to scale with a certain amount of consistency, you’re going to need automation. But often when we say “security automation” — whether that’s wrangling security events, incident response, or even forensics — customers will shy away, because it sounds intimidating. What we demonstrate is that there’s a lot you can achieve with security automation, and it can actually be fun!

Brian: There will be three demos this year. The first is what we’re calling a “low judgment” incident. This is a “security in your sleep” incident, where no human being has to think about what to do because you’ve automated the response. The second and third demos move on to increasingly complex scenarios based on real-world experiences. In our short hour together, we want to show people that they can automate even these more complex scenarios in a way that elevates their security.

Beetle: That’s right: achieving security goals with automation is not just a necessary thing, but it’s absolutely a possible thing for any of our customers to achieve. There’s this notion that only well-funded enterprises with large security teams and massive developer resources can achieve security goals through automation — particularly in security operations and incident response — and that’s actually not true. We want our demonstrations to show that all of our customers have these capabilities, right now. Our presentation is largely about democratizing security. We’re showing people that everyone can achieve their security goals through automation on AWS. We also throw in a few humorous tidbits to keep it interesting.

What are some of the most common misperceptions about cloud security that you encounter?

Beetle: One of the focal points of our presentation is the transition from traditional on-premises incident response workflows to the cloud. Traditional incident response requires you to put your hands on physical resources, whether you’re connecting and disconnecting cables, or plugging in forensic dongles to clone drives, etc. We want our presentation to dispel the myth that you can’t achieve security incident response goals in the cloud. In fact, you can have some of the most intricate, customized incident response workflows and run books, and you can still translate and map those responses onto capabilities that reside on our platform, with automation to execute at scale and speed. Sometimes, the terminology is different. Sometimes, the timing is different. But generally, you can accomplish more and faster within the cloud than from an on-premises environment.

Brian: Like Beetle said, you really can achieve those same goals, as long as you understand that the cloud might look a little different. But the goals themselves are the same. In fact, I like to think that they can be improved — that you can have more goals from within the cloud, and that you can achieve them with less effort.

If you had to distill your talk down to a single takeaway for your audience, what would it be?

Brian: Demos. Cats. And comedy. You’ll laugh, you’ll cry.

Beetle: Awkward comedy.

Five years from now, what changes do you hope to see across the security landscape?

Beetle: Five years is a long way out in this business! But I think we’ll see even more involvement from partners who flesh out holistic security capabilities that empower our customers to leverage AWS for all sorts of security-related purposes. Most notably, I think we’ll see much more capable solutions in incident response and incident management — decision support and services that help people quickly address concerns and get back to a known good state. I think we’ll continue to see more security-related products and services catering to our customers’ environments, whether it’s microservices, or containers, or whatever the next whiz-bang language or execution environment is.

Brian: When customers do something with AWS in the name of security, they do it because they perceive a risk of something bad happening. The whole point is to reduce risk. And the thing about risk is that it will always exist, whether in five years, or ten years, or fifty years. But if security is done correctly, we can reduce that risk to as close to zero as possible. Reaching zero will always be impossible — we don’t know what we don’t know, and so we can never mitigate all risk. But as time goes on and new threats emerge, AWS is able to offer customers the ability to continue to sleep well at night because we’ve helped them, or we’ve given them tools, or there’s a partner, or we’ve simply taken care of it for them per the Shared Responsibility Model. In five years, I’d like to be up on a re:Invent stage talking about something totally mundane because that’s all that’s left to mitigate — the big risks have been taken care of. I would love for re:Invent five years from now to be the most boring re:Invent ever.

Beetle: It’s interesting — we’re getting to have conversations now about security capabilities that generally reside at the top of Maslow’s hierarchy of InfoSec needs. At the bottom are basics like inventory and patching, and it turns out that the inventory and patching story in an AWS environment is pretty boring these days: There’s an API call to make, and agents you can deploy on instances at boot that inventory any vulnerabilities and ensure they’re reported, and you can have an AWS Lambda function automatically deploy patches. Configuration management isn’t quite there yet, but it’s also becoming a boring story. But as you move further up, toward the top of Maslow’s hierarchy of InfoSec needs, you get to things like anomaly-based intrusion detection, user behavioral analytics, and even deceptive infrastructure like honeypots. These are like the bonus levels of security engineering. You only get the luxury of indulging in these things if you’ve eaten all your vegetables beforehand. Currently, these things are bleeding edge, but in five years, maybe intrusion detection will be boring and incident response will be boring, because that will all just get done by a capability innate to the platform or from a one-click-deployable partner solution, and then we’ll be eyeing some other type of cherry on top of the security sundae.

Do you have any tips for first time conference attendees?

Beetle: Beyond general health tips, like wearing comfortable shoes and drinking enough water, I think the mobile app is super helpful, particularly when you customize it and choose which talks you’re interested in. Also, people may not realize this, but AWS has always made a significant investment in re:Invent’s wireless infrastructure. (It’s been a privilege of mine to help plan and deliver some of that infrastructure in years past.) It’s fast, and likely better than any hot spot or overloaded cell tower. There are Wi-Fi access points every twenty yards or so, nearly everywhere you go at re:Invent.

Brian: If you have questions or need help with something, look for the Security booth signs and the people with AWS shirts — everybody is super-helpful and our approach is basically, “if I don’t know the answer to your question, I’m going to find someone who does!” The other thing I’d recommend is networking: Bring your business cards and try to step outside of your comfort zone. If you don’t know anything about security, come to a security session. If you’ve always wanted to learn about IoT, this is a really great place to do it. Rarely will you see a higher quality bar for presentations, so mix in stuff that might feel tangential to you personally or to your business. Diversify your schedule and take advantage of as many of the opportunities as you can.

Beetle: One final recommendation: there’s a charity fun run that we hold at re:Invent that benefits Girls Who Code. They close off streets in Las Vegas for thousands of runners, and there are different distances to choose from. It’s a fantastic and fun event. Sign up and run!

If you had to pick any other job to do, what would it be?

Beetle: QA for Comixology.

Brian: You had that answer in your back pocket! Wow.

Beetle: Amazon acquired Comixology, I’m a big comic book geek, and I love Comixology — it’s great for reading digital comics. I’m angling to convince them that they need a security engineer dedicated to them full time, making sure their comic books render correctly.

Brian: I cannot top that.


Author

Don “Beetle” Bailey

Beetle made the transition from Army supply guy to security geek in the mid-90s, inspired by dial-up access to a BBS, Trumpet Winsock, and the L0pht. Today, he’s a Senior Principal Security Engineer at AWS and is passionate about his day job: protecting customers, their data, and AWS itself. He founded the “ShmooCon” hacker conference, and he’s presented on wireless security and cloud security at a variety of conferences. Beetle has a BS in Computer Science from James Madison University.

Author

Brian Wagner

Brian worked as a software developer for 15 years, and then as a network engineer, until AWS hired him in 2013 in Berlin where he helped customers get comfortable with the cloud (even before the Frankfurt region was launched). He’s since made security a full-time job and moved to the AWS Professional Services team in London where he’s led efforts such as GDPR, Incident Response, and the AWS Security Workshop. These days, you can find Brian in his natural habitat at the gym or on a rugby pitch.

AWS Security Profiles: Becky Weiss, Senior Principal Engineer

Post Syndicated from Becca Crockett original https://aws.amazon.com/blogs/security/aws-security-profiles-becky-weiss-senior-principal-engineer/



How long have you been at AWS, and what do you do in your current role?

My title is Senior Principal Engineer, and most of my work is with the AWS Identity team. That’s the team that does AWS Identity and Access Management, AWS Organizations, AWS Directory Service, AWS Single Sign-On, and a bunch of other things. We build the infrastructure for security, compliance, and manageability across all of AWS. It’s a large swath of services, and it’s a very interesting place to be. My team is at the crossroads of everything that’s going on, so we get an up-close view of trends and patterns around the controls customers demand as they move workloads to the cloud, as well as what they do to secure those workloads and put guardrails around them once they’re here.

How do you explain your job to non-tech friends?

Most people, even outside of the tech space, have heard about the cloud. And they’ve likely heard about companies in almost every imaginable industry choosing to move their core infrastructure — computing and networking — from their own data centers to the cloud, as well as taking advantage of data services and higher-level application and AI services, of which there are increasingly many options. So to these people, I’d say that my job is to make sure that the security controls these enterprise customers will need are present, and that we’re constantly improving them by making them more comprehensive and simpler to get right.

What’s your favorite part of your job?

My job is very rewarding because, as customers move into the cloud, one of the things that I deeply and truly believe is that they’ll be able to improve their security posture. They’re going to gain visibility into and get control over things they didn’t have visibility into or control over before, and they’ll have it in a way that scales much better than the processing power of human gatekeepers. It’s really rewarding to see those transformations happen and to be able to give customers something that I believe will serve them so well.

Another privilege of this aspect of my job, in which I get to work with customers, is seeing how much these customers value AWS’s institutional experience, not just in security but in building for resilience and scalability. They ask, “How would Amazon architect this? What would you do if you were building our stuff?” It’s an incredible honor to be asked a question like that.

What are you currently working on that you’re excited about?

In the last couple of months, my team has done a lot of deep dives and close listening with some of our customers on what “governance in the cloud” means to them and what their needs are. We have this process at Amazon called “working backwards from the customer,” where we start with the very real challenges, concerns, and problems that customers lay out for us as they describe their own workloads and approaches. We take those insights and we use them to work backward toward what we need to build. That peculiar Amazonian focus on mapping customer needs and using them to drive what we’ll provide is one of the things that keeps me looking forward to coming into work. It’s special.

What’s the most challenging part of your job?

I mentioned before that my team sits at the crossroads of AWS, and the number of new services and new features that show up every re:Invent and throughout the year is mind-boggling. The reason we’re able to maintain this pace as a company is a consequence of the Amazon DNA: Each service is managed as its own business, and its owners engage directly with its own customers. Working from those specific customer needs is what allows us to iterate quickly and address customer needs head-on. But the flip side is that you do have certain features that need to be constant, consistent, and effective across all services, and this is sometimes at loggerheads with what makes us fast. One of our biggest strengths is also one of the things that can pose challenges when you’re sitting in the middle of “downtown AWS” like my team does.

What does cloud security mean to you, personally?

When it comes to security, complexity is the enemy. So you’re looking for security controls and mechanisms that are as simple as possible while still doing the job. When you’re answering the question, “Why is this thing secure?” having a long answer can be a sign that you have the wrong answer. If you can figure out a simple expression of the controls that you want to put on your infrastructure, it means you’re doing something right.

One of your 2018 re:Invent sessions is A Practitioner’s Guide to Securing Your Cloud (Like an Expert). What’s that session about?

One of the reasons why I wanted to give this talk is because you might look at this incredible landscape of AWS services and, especially if you’re new to the cloud, you might think, “Wow, there’s so much stuff here.” If you’re a security- or governance-minded professional and it’s your job to make sure things are secure and properly controlled, you might ask yourself, “How is my job even possible over this kind of surface area?” But the truth of the matter is it’s easier than you might think if you’re new here. We’ve worked hard to make sure that’s the case. In fact, there are just a couple of patterns: You’re securing your infrastructure with IAM permission controls and with VPC network security controls. (There are also encryption controls, which I won’t have time to cover in the session, but that follows simple patterns too.) But really, these two or three patterns repeat everywhere. If you learn them once, it doesn’t matter what new AWS service your team is going to adopt—you’re already going to know how to secure it. That even includes features and services we haven’t yet launched or even dreamed up yet—you’re already going to know how to secure it. The patterns are repeatable and very learnable.

You’re also co-presenting a session with David Yanacek that talks about Failing Successfully in the Cloud. How did you choose that topic?

That one’s a chalk talk—basically an open-ended Q&A with folks in the audience. Here’s where I got the topic idea: One of the tremendous privileges of being an engineer at Amazon is that AWS has been running at such a scale, and for long enough, that we’ve built up this institutional experience that I believe you can’t find anywhere else. There’s no compression algorithm for experience, and people like David and me have been lucky enough to have a front-row seat. The various services we’ve worked on—between us, Amazon Elastic Compute Cloud (Amazon EC2), Amazon DynamoDB, IoT, AWS Lambda, and AWS IAM—have given us a first-class education in resilience. It’s the law of large numbers: Anything can happen and eventually does. So we’ve learned a number of lessons that we’ve now baked into the design of what we do.

One of the things we’re going to talk about is how, when we run a service, we break it down between the data plane (the “day job” of the service, the part that runs at high volume and is critical to the business), and the control plane (the part that’s used to configure the rest of the service). At AWS, we think about these planes very separately because of the resiliency benefits. We’re also going to talk about some approaches to handling high levels of load, and how to think about dependency failures. I’m expecting some really interesting discussion.

And finally, you’ll be co-presenting a session and chalk talk with Alan Halachmi on Securing Your Virtual Data Center in the Cloud. Tell us about those.

These two are an outgrowth of a re:Invent session I used to lead called NET201: Creating Your Virtual Data Center in the Cloud (this was back when I used to work on Amazon Virtual Private Cloud). It continues to be one of our most popular sessions, and it’s now led by my colleague Gina Morris. Based on the feedback I received when I hosted these talks, I realized that our customers were hungry for simple explanations of networking in AWS. And it really is possible to explain this topic simply, which I think is why the talk remains so popular.

But I realized there’s also a security angle on this topic. So we created the breakout session NET202: Securing Your Virtual Data Center in the Cloud as a primer on how to use Amazon VPC to secure your resources and as a way to educate people about the ways in which Amazon VPC intersects with other security controls in AWS. Because the NET201 session always generated incredible Q&A after the talk, we’re also pairing the new session with a chalk talk of the same name, and we’re looking forward to an active discussion. We’re bringing a number of examples to walk through, but based on the past experiences Alan and I have had talking to our customers about networking in AWS, we’re expecting great Q&A.

What are you hoping that your audience will do differently after your session?

For the “Practitioner’s Guide” and “Securing your Virtual Data Center” sessions, I want my customers to go back and look at the workloads their teams are standing up, and the workloads they’re standing up themselves, and recognize the patterns we’ve pointed out—and then apply these patterns and feel confident that they’re securing things correctly because, again, there are only really a couple of things you need to know to get the network right, and to get the access controls right. And I think these things are eminently teachable in a fifty-minute session.

For the “Failing Successfully” chalk talk, I want the folks to go back home, take a look at the workloads they’re running and ask themselves questions that they may not have thought to ask before. For example: “Does this system have a control plane and a data plane?” Most systems do; you just have to know where to apply the analogies. “Have I separated them?” Maybe start thinking about separating those if you want to get more resilient. “Am I taking dependencies on things that are going to fail more than I want my own service to fail, and what could I do about that? If my system is under load, what do I want to have happen?”


Author

Becky Weiss

Becky is a Senior Principal Engineer at Amazon Web Services. She currently works on AWS IAM and has worked on Amazon EC2 and AWS Lambda in the past. In addition to being a proud service owner at AWS, Becky is also an enthusiastic user of AWS services herself.