
As I walked the halls of the massive Boston Convention Center this week for AWS re:Inforce, the division's annual security event, I spoke to a number of vendors, and one theme was clear: Cloud security really is a shared responsibility.
That idea has been around for some time, but it particularly hit home this week as I listened to various AWS security executives talk about it at the event keynote and through the ensuing conversations I had during the week.
At a very high level, the cloud vendor has the first level of responsibility for security. It has to make sure that the data centers it runs are secure to the extent that this is within its control. Yet at some point there is a gray area between the vendor and the customer. Sure, the vendor can secure the data center, but it can't save the customer from leaving an S3 bucket exposed, whatever the reason.
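The exposed S3 bucket mentioned above is the textbook customer-side failure in the shared responsibility model: AWS secures the storage service, but whether a bucket policy hands read access to the whole internet is the customer's configuration. As an added illustration that is not code from this article or from AWS, the following Python check reads a bucket's Public Access Block settings (the four real flag names) together with its bucket policy, reports which Allow statements grant access to an anonymous principal, and says whether the account-level guardrails actually neutralize them. The policy document, the bucket name and the two Public Access Block configurations are constructed samples; in practice the inputs come from the S3 GetPublicAccessBlock and GetBucketPolicy API calls.

```python
import json
from typing import Dict, List, Optional

# The four flags of an S3 PublicAccessBlockConfiguration (real AWS key names).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anonymous(principal) -> bool:
    """True when a statement's Principal matches everyone, not a named account or role."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def classify_statements(policy_json: str) -> Dict[str, List[str]]:
    """Split Allow statements with an anonymous principal into those that are
    unconditionally public and those narrowed by a Condition block (which still
    deserve a manual look, but are not open to the whole internet by themselves)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be written bare
        statements = [statements]
    result = {"unconditional": [], "conditional": []}
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        bucket = "conditional" if stmt.get("Condition") else "unconditional"
        result[bucket].append(label)
    return result


def assess_bucket(public_access_block: Dict[str, bool], policy_json: Optional[str]) -> dict:
    """Combine Public Access Block flags with the bucket policy.
    RestrictPublicBuckets makes an existing public policy usable only from inside the
    account; BlockPublicPolicy stops a new public policy from being attached at all."""
    missing = [f for f in PAB_FLAGS if not public_access_block.get(f, False)]
    found = classify_statements(policy_json) if policy_json else {"unconditional": [], "conditional": []}
    exposed = bool(found["unconditional"]) and not public_access_block.get("RestrictPublicBuckets", False)
    return {
        "missing_pab_flags": missing,
        "public_statements": found["unconditional"],
        "conditional_public_statements": found["conditional"],
        "exposed_via_policy": exposed,
    }


# Constructed sample inputs (not from any real account). The org ID is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "OrgOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    ],
})
WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for name, pab in (("weak", WEAK_PAB), ("hardened", HARDENED_PAB)):
        print(name, assess_bucket(pab, SAMPLE_POLICY))
```

With the weak configuration the check reports AllowPublicRead as an unconditional public grant and flags the bucket as exposed; with all four flags enabled the same policy is inert because RestrictPublicBuckets ignores the anonymous grant. The Deny statement is skipped on purpose, since a Deny with Principal "*" is a hardening measure rather than an exposure.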
Security is such a complex undertaking that no one entity can be responsible for keeping a system safe, especially when user error at any level can leave a system vulnerable to clever hackers. There have to be communication channels across every level of the organization, with customers and with concerned third parties.
When an external event like the Log4J vulnerability or the SolarWinds exploit impacts the entire community, it's not one single vendor's problem. It's everyone's problem.
The idea is that everyone has to communicate when problems pop up, share the best practices and pull together as a community to the extent possible to prevent or mitigate security events.
So many events
As Steve Schmidt, AWS’ chief security officer, explained in the event keynote, AWS is a target. It has to deal with millions of events every month, most of which we never hear about. That's why, he said, customers need to deal with the little things, and Amazon will take care of the bigger things for them.
“Work out your short-term security needs first because the outlier cases are the ones that we’re far more likely to see in our everyday monitoring and build into our services so that you don’t have to do that work. With millions of customers, AWS handles billions of distinct customer activities from APIs to logging, etc. Given the scale, we see things that an individual business would not see in generations of operations,” Schmidt explained.
AWS' sheer scale lets it understand security at a level that other organizations simply don't have the visibility to match. “Given the number of tickets and feature requests that we get every day, it’s entirely likely that we’ve handled 50 things for you this month that just happened. And you had no idea that we were protecting you behind the scenes. At our scale, every outlier scenario that can happen does, and I’m talking about those disproportionately hard-to-predict and rare events that are beyond the realm of normal expectations in history, science, finance or technology. We see events such as those routinely in AWS,” he said.
To give you a sense of that scale, he said the company tracks quadrillions of events — that’s a number that has 15 zeros — every month.
Schmidt said that at AWS security is baked into every service, and they have security guardians — software engineers embedded in each service development team — whose job is to make sure that the service is as secure as possible.
“[These guardians] are in that process for the entire lifecycle of service conception through service delivery. You must not bolt on security after you build something; it has to be in from the very beginning of when we build things. This is a best practice that we recommend to customers as well to weave security into your development lifecycle and your operations,” he said.
Keeping communication channels open
Mark Ryland, director of the office of the CISO at AWS, said his team's job is to communicate directly with customers about security concerns. That could involve fielding calls from a concerned customer CISO when a large event like Log4J happens or reaching out directly to CISOs to communicate about such an event and how to mitigate it to the extent possible.
He said part of that is bringing the voice of the CISO to internal AWS development teams to help them understand what concerns this group is having so they can address them. “We’re constantly talking to our most security-conscious customers. We actually make sure that the service teams are getting the feedback that we’re hearing … to make sure that the voice of the CISO is reaching them,” Ryland said.
In addition, he said, when it comes to new customers, especially larger ones, his office becomes the security voice of AWS. The idea is to give customer CISOs access to a group with the knowledge to answer questions about the inner workings of AWS security operations and give them a point of contact for related concerns.
He added that it’s important to build a community with these people, so his team does a lot of outreach and information sharing. “We have a CISO Council, which my team runs, where we meet periodically with some of our top customers. We have something called a CISO Roundtable, which kind of scales that globally,” he said.
“It has a broader audience. So we’re able to do outreach in terms of education, community building, best practices sharing across the community, and the customers often are the ones presenting, not just us. They share with each other. So we’re able to build a stronger community that way,” he said.
Jenny Brinkley, director of AWS Security, helps run the Guardian program, which is charged with keeping AWS services secure. She said that AWS is always talking to other companies, even competitors. Ultimately, it's in everyone's best interest to work together to keep the cloud secure.
“It’s not in this siloed space, and a lot of the individuals that work inside of AWS and collectively within the industry, we all have long-term relationships with each other. So if there's a mutual benefit for the industry, there’s a lot of conversations that happen around how we operate and how we work. … And if it’s something that’s going to benefit the community, we will absolutely engage and partner and work with one another,” Brinkley said.
Partners helping out
There are also partners — vendors who look at security from a broader perspective, from private data centers to multicloud environments. Lacework, a startup that landed $1.3 billion last fall at an $8.3 billion valuation, has designed its product with integration across all clouds in mind, according to co-CEO David Hatfield.
“We’ve announced seven or eight products over the last year and a half supporting all clouds, and in AWS specifically working with Graviton and Fargate, integrating into the Command Center. We are doing all of this to make it really easy for customers to operate and leverage the other services to build out their environments, versus security being kind of a blocker to innovation,” Hatfield told me.
Peter McKay, CEO at Boston-based security startup Snyk, agreed that the ability to integrate with public clouds is a critical component of innovation and digital transformation. “With the addition of Snyk Cloud, Snyk now secures the end-to-end software development lifecycle so that developers and their organizations can securely deploy applications to the cloud,” he said. That includes integration with AWS as well as the Microsoft, Google and IBM clouds.
CrowdStrike also integrates with AWS and other clouds. Param Singh, CrowdStrike VP of the Falcon OverWatch product, gave the example of containers running on AWS Fargate: inspecting what software is in those containers and whether it is in compliance.
“Basically, if somebody is using containers provided by AWS Fargate, we can look into those containers. The best part is when we look into containers, we can also see what software they have installed, what libraries they have installed and create a small software bill of materials,” he said. If one of those libraries is out of compliance, the developer gets a message to update it, one example of how the product works alongside a cloud vendor’s services.
Even with all that communication and vendor crossover, security is a tough road. Vulnerabilities will pop up, individual companies and governments will have to deal with ransomware attacks, major breaches will happen and unforeseen events like Log4J will send the entire industry scrambling.
It's a constant battle, but cloud industry companies — including Amazon — see this as a community effort, meaning it really does take a village to stay safe in the face of this enormous threat landscape.