It wasn’t that long ago when the prevailing attitude towards security was that while it was important, it slowed down the processes of launching an application or bringing a product to market. Too often security was tacked on at the end of a product launch, which created roadblocks for developers. Today, security is too important to be an afterthought, and people working in security are promoting this message at events like the recent AWS security conference.
Liberty Mutual senior director of global cyber risk management Brian Riley recalled seven or eight years ago when he would give presentations to the C-suite, and his audience's eyes would glaze over at the mention of security.
“As soon as security would come up, out came the BlackBerrys,” he said in an interview at AWS re:Inforce in Boston, the inaugural AWS security conference. “The last couple of years there's been a drumbeat in the press of security issues that have affected various organizations, and there’s much greater focus [on security] at the executive management level and at a board level.”
That increased focus in the C-level was evident at last month’s re:Inforce conference. While many sessions provided deep dives into specific security features and tools from AWS, there were just as many focused on broader security trends, breaking down silos between security professionals and developers.
“Historically, as a software developer back on Wall Street, I would produce a software package, put it onto a tape together with printed out installation instructions and hand it to someone who would take it to a room I wasn't allowed to go into to install it,” Riley said. Now, “we can actually implement those security controls more effectively if we partner with the teams that are building those pipelines and build those controls through automation, so that we can execute them at a scale that we're simply not going to be able to [with] staff in a security organization.”
Bill Shinn, senior principal engineer in the office of the CISO for Amazon Web Services (AWS), said that as the consumption of security has changed from companies sinking millions of dollars into CapEx investments to pay-as-you-go models, the industry has been able to embrace a faster pace of handling security threats.
“I think security teams have to go faster. And they have to be the fastest thing in the organization,” Shinn said in an interview at re:Inforce. Holding onto a data center mindset when it comes to architecting security in the cloud will hold organizations back from embracing its full potential, he said.
At AWS, “every service has to go through a rigorous app sec review at launch,” Shinn said, a process that includes threat modeling, static and dynamic analysis, and putting canaries in place for services, i.e. releasing a new feature to just a subset of the users or systems.
AWS has used canaries for years now, Shinn said. “Once you state the security intent of how something should or shouldn’t exist in production, we have a set of canaries around making sure that state doesn’t change.”
Teams come up with their own threat models, or if they don’t know how to threat model, Shinn’s team helps them. But generally speaking, teams that are building a service are closer to the architecture and the threats that face they may face, as well as have an idea of potential ways to mitigate them.
“That helps us and there’s a deep culture of ownership in Amazon, it starts at the very top. And the service teams just know culturally that it’s their job. And we’re there to help them do it faster.”
One of the ways Amazon is able to achieve this level of speed is through an affinity program that makes sure when teams come back for significant feature changes to their service they are working with the same security engineers. This means that teams don’t have to re-explain everything to a new engineer every time, though new engineers can be brought in for a fresh perspective.
The entire process is aimed at making security as frictionless as possible within the organization, and getting feedback from teams about their experience with AWS security is an important aspect of quality assurance. Shinn says through CSAT scores his team is able to better understand whether an engagement was friction-free, if it lowered the cost, and if AWS security helped the team ship secure code.
“We've been talking about it for years, and pretty much as I started here ... we've been kind of screaming from the rooftops to get security engineers at the table with professional developers,” he said.
Multi-Cloud Environments, Talent Gap Present Challenges
Scalability and automation are necessary in today’s modern IT environments, which typically bring together multiple clouds and other types of infrastructure such as containers.
“Being in a multi-cloud environment makes some security processes more challenging because Amazon has made very different architectural decisions than Microsoft made, for extremely good reasons that make great sense with their platforms,” Riley said. “But that means from an enterprise perspective that we really need to take each cloud provider on their own terms.”
“There are some vendors that say they can offer consistency across cloud providers. But that really means that you can’t take advantage of some of the capabilities that differentiate AWS and their very rich feature set from what makes Microsoft a really good environment for Windows back-end infrastructure. And so, the challenge then is how do you make the right decisions about where you invest as an enterprise? How do you make sure that you've got the right people deployed in areas where they can really understand the environment?”
Making sure that an organization has the right people in place is by far one of the biggest challenges facing the security industry today, Riley said.
“There's demand for talent in this space that far outstrips supply,” he said. “And we've got a great recruiting process at Liberty and a really wonderful recruiting team. And I think it's an advantage for us that our global scale means that we will take talent, I will take talent, wherever I can find it. But the demand for that talent really is substantial.”
New AWS Security Tools
The first AWS security conference saw the launch of two new services to help customers manage security and compliance across AWS cloud environments.
AWS Control Tower gives customers access to a pre-configured environment and a pre-packaged set of guardrails to ensure ongoing governance.
“Control Tower is an answer to what customers are really asking for in terms of governance and guardrails out of the box,” Shinn said. “Control Tower is launching with very prescriptive guardrails. And we also still have the Landing Zone solution available for customers that want a higher degree of configuration or customization in there.”
AWS Security Hub gives customers a central place to manage security and compliance across an AWS environment by aggregating findings from AWS services and partner solutions.
“Security Hub is really about meeting customers where they're at in terms of integrations and event flows. So taking findings and high signal findings and making them actionable is something that Security Hub has done well within the public preview,” Shinn said.
Security Hub ingests data from different sources, and can be integrated with services like Amazon CloudWatch and Lambda so customers can execute automated remediation actions based on specific findings.
“I particularly like the CloudWatch series of services and visibility that gives when you have a large multi-cloud environment, getting consistent visibility into what's going on across that can be challenging,” Riley said.