How Amazon Web Services runs security at a global scale

AWS's CISO told ZDNet that security is "job zero" for the cloud behemoth.

Amazon Web Services (AWS) runs a tight ship where security is concerned; the organisation, after all, holds critical business applications and data for some of the world's largest banks, government entities, and streaming services such as Netflix and Spotify, and an outage of its datacentres would leave large parts of the world without services they depend on.


AWS has a vastly higher bar for security than most companies, mainly because its ability to meet the security expectations of its customers is perhaps the company's most important asset: customers have to be willing to trust AWS with their businesses and their data.

Given the security responsibility AWS carries on behalf of its customers, one might assume that its security operations centre (SOC) employs hundreds of staff, but the man in charge of security at the cloud giant told ZDNet it doesn't actually have a SOC.

"I love every time I get a SOC question because we don't have one," said Steven Schmidt, vice president of security engineering and chief information security officer at AWS.

"Literally. There is no room with monitors and people sitting in it, etc. I have exactly one on-call security engineer. Exactly one.

"Now there's a whole team to back up if something blows up, but literally their job is babysitting the automation."

Schmidt told ZDNet during AWS re:Invent in Las Vegas last month that AWS instead builds automation to do the tasks that are normally performed by humans, attributing this to two main reasons.

"One is I can't scale the number of people that I would need to operate a business this big otherwise and two, automation is repeatable and auditable and always does the same thing," he explained.

"Human beings make mistakes; they change the way they behave day-to-day. They're having a bad day because they're sick or they're hungry or whatever, they do things a little differently. I don't like that. I like repeatability and security processes.

"So we've invested enormous amounts in repeatable automation for security. The net result is I don't have to have security engineers doing the grunt work all the time."

Schmidt said the company puts a lot of energy into finding talented security people, and he believes keeping them on "fresh and interesting" work rather than tasks that are "repetitive and dull" is one of the best staff retention plays AWS has.

But not everything in security can be replaced by automation, particularly human judgement.

"Something I think is critically important is teaching our own staff how to make good judgement calls on things ... that's why I don't want the humans in the security operations centre doing the grunt work, I want them using that one thing that they have that the machine doesn't which is their judgement," Schmidt said.

"Often that judgement is very intuition-based ... those are the calls that I want people to be making."


AWS builds all of its security controls in-house. Given AWS's scale, or the scale it projected when the company first started, an off-the-shelf security solution was never going to be sufficient.

"We have to build a lot of things, which in a lot of ways is liberating because we get software that does exactly what we need and no more, that's easier to maintain, easier to develop," he explained.

A few years ago AWS decided to offer externally the security services it had built for internal use. For example, Amazon Inspector grew out of the company's own need to stay up to date on patching and vulnerability management. Amazon Macie, AWS's data discovery and cataloguing tool, and GuardDuty, which is aimed at intrusion detection, were built for similar reasons, Schmidt added.

Schmidt said it is important, however, that customers understand that AWS isn't a "silver unicorn".

"We don't solve all problems. What we do is give you a foundation that you can trust and depend on and that means your staff doesn't have to pay attention to that anymore," he explained. "They can focus their energies on the piece that's above what we do and that dividing line does change based on the individual service."

Managing risk is high on Schmidt's agenda, given AWS's business model and scale.

"We have a different risk tolerance in AWS than the retail organisation does, because if you think about it from the standpoint of the retail organisation, they can ship you a new package with the same thing in it at their expense; they can refund your money on your credit card -- we can't give you your data back if we lose it," he explained.

"So we have to treat risk differently than other people do.

"It is a real advantage for us to have a cloud to work with, from a security perspective."

Disclosure: Asha McLean travelled to AWS re:Invent as a guest of AWS
