In 
Most enterprise information security leaders are at a loss when it comes to next generation threats such as DDoS and APT. How big a threat are these for you and how do you mitigate them?
We see just about everything that happens on the Internet. I would like to share some interesting statistics to help quantify that. About 1 in 500 IP addresses that are routed on the Internet route to Amazon and about 1 in 700 are actively mapped to an EC2 instance. You can think of us as a very large telescope array deployed to find a very small object. It allows us to identify threats that are coming against our customers and build our services to help them protect against these threats. For instance, a lot of the APT actors try to gather legitimate usernames and passwords. This is one of the reasons we don’t allow usernames and passwords on the networks that contain customer data. We have given smart cards because that is a physical device which you must have in your possession and is really hard for those actors to steal.
Third party risks are also a cause of concern for security practitioners. How do you as a CISO overcome these risks?
To minimize such risks, it is important to ensure that the third party that we work with meets the same security standards as we do. We have to be able to pass on a common set of security standards to our customers. We make sure that we follow this strictly. The way we do this is through audits. For instance, if we have a CloudFront location that is in a co-location facility in some country, we require the co-location provider to give the exact same security requirements that we do. This is part of our agreement with them and we test them regularly. So, I have a team whose job is it to physically visit every single location we have around the world multiple times a year. We do unannounced inspection where we just show up and make sure they are doing exactly what they should be doing. Our requirements are so stringent that we bring them down to the level of building. For example, are they using approved fasteners, screws and bolts or not so that you cannot unscrew anything from outside. We check the dimensions of holes in the walls to ensure they are not bigger than a certain size, so you cannot stick a hand through it and do something. We check to ensure the cabling that comes out of our facilities is inside tamper-resistant conduits. So, there is a whole list of criteria that we go through to check to make sure that our vendors are meeting our particular requirements.
You sure have a robust third party risk mitigation strategy. But how do you counter insider threats?
The best way to counter insider threat is to limit human access to data. So, one of the things that we do internally is to actively reduce the number of people who can access information. Even though our business is growing like crazy, we actively reduce the number of humans every single week who have access to information that belongs to our customers. We are able to achieve this through automation. For example, if a human needs to do something repeatedly more than one or two times, we decide to fix it. We look at building a tool that can do it automatically. This approach has two benefits. Firstly, tools rarely go wrong. They do the right thing, the same thing every single time. Humans, on the other hand, may make a typographical error and cause a problem. Secondly, it enhances availability. Automation, therefore, improves security and availability.
So, where does AWS plan to spend in 2015? Which technologies and solutions will the company focus on?
For AWS, the one area that we will focus strongly on is encryption. It will be ubiquitous encryption, that is, encryption everywhere. The other area where we will direct our energies would be in providing more customer control over that encryption so that they could control the keys. The third would be to ensure that we give our customers tools to help them make good security decisions. Customers are used to being told by vendors that if a problem arises, they will come and fix it. At AWS, we take a different approach. Instead what AWS tends to do is: here is the situation where you can improve, and here is the button that says improve or fix it. The point here is, we give customers the tools that they need, very inexpensively or free, so that they can do that themselves.
And as a CISO where do you plan to invest?
We invest a lot on automation, so one of the things that we build are tools. And we do enormous amounts of automation on common security practices, common security testing, penetration testing and configuration management testing, among many others, to ensure that things are doing what they need to be doing. Those are areas where we do a lot of investment every single year. The reason for doing so is twofold, one it has a definite security benefit. The other is simply no way to operate with the scale we do unless we automate it. There is no way I can hire security engineers of sufficient volume and quality to cover the AWS services, as large as they are, if I didn’t automate quickly. We invest a lot of effort in automation.
Going forward, what will be the top three challenges confronting you as a CISO?
The number one and biggest challenge going ahead would be to ensure that we have quality staff. This is a perpetual problem for anyone who is in the security industry. Security is not a stationary business. It is constantly changing which means we have to spend a lot of time, effort and money in educating our staff and encouraging them to keep up-to-date with the latest trends, techniques, and technology. It means we have to invest in them from a training perspective. If you look at the available time a staff has over a week, we have to carve out a piece of that every single week so that they can go learn new things about services, threats and how to solve problems. The second challenge is to make sure we are making sufficient investment on automation. Automation is, as I said, the only way to cover all the things that we need to do. This is an area that we continue to invest in to make sure we are keeping up with the rapid changes. Amazon is innovating at a fast clip. We have launched over 400 new features this year already and have to cover all of those by penetration testing with security scan and that takes a lot of effort. Automation can be a big help in this area.
Add new comment