A CIO Perspective on Security in the Cloud

“Too many people are thinking of security instead of opportunity. They seem to be more afraid of life than death.” – James F. Byrnes

Security is a broad topic, and applies in some way to everything that happens in IT. In all of my time working in technology, I’ve found it to be the one word that has the power to weaken any initiative. In the early days of cloud computing, it was common for those who did not understand the cloud to question how secure it could be. Rather than help their organizations understand how they could benefit from the cloud, they created a barrier to their evolution. As recently as 2012, when I began to use AWS for meaningful enterprise initiatives, there was enough skepticism in my peer group and organization that only experience could address. Our results gave even our most cautious skeptics confidence that AWS gave us a better chance of securing our systems than having to do it alone.

As a former CIO and AWS customer, here are a few points that shaped the way I thought about security in the cloud:

I knew that security is and will always be AWS’s top priority. It has to be in order to serve such a broad and diverse customer base across so many industries and governments. We had PCI systems, PII data, SOX requirements, and intellectual property to protect. Seeing how other enterprises were able to develop solutions that satisfied the requirements of these control frameworks in the cloud was both informative and confidence boosting.

I was sure that AWS was devoting more resources to securing their platform than I had available to support the entire business, let alone security. Like many enterprises that run their own data centers, we were constantly making trade-offs between cost, time to market, quality, and security. These decisions are never easy, and it’s not always clear that you’ve made the right one. Not carefully evaluating a firewall change, a cable misconfiguration, or a rushed OS provisioning process could impact our security posture. If you’ve been around enterprise IT long enough, I’m sure you can relate. It was scary to think about how much vulnerability we may have introduced ourselves. If security is your number one priority, you can’t take those shortcuts.

I knew that reducing our surface area would allow us to focus our efforts on our differentiators. Leveraging the security employed in the AWS facilities allowed us to transition some of our resources devoted to securing our bare metal to securing our applications. The increasing number of known exploits and growing black hat community meant that we would have to increase our efforts on application security regardless of where we hosted our infrastructure. Being able to add resources to this effort without having to take them all from elsewhere gave me additional peace of mind. This shared responsibility model doesn’t imply less responsibility, but it provides help. I wanted all the help I could get.

I knew that AWS had a greater amount of visibility across the global security landscape than we would have from our operations alone. I was eager to take advantage of these economies of scale. We would benefit from improvements made for each customer that AWS serves.

I knew that automation reduces the likelihood of human error. This applies to security in the same way it applies to application development. We were determined to automate an increasing amount of our repeated technology tasks. I knew that AWS relied heavily on automation to scale and reduce the room for human error, thereby improving their security model. Having a partner that would encourage and teach us how to automate better proved to be an added benefit.

CIO&LEADER recently interviewed Stephen Schmidt, AWS’s CISO, on a variety of security-related topics. In the interview, Stephen talks about scale, investment, and automation and how they apply to security at AWS. I felt that this interview reinforced my views and was worth sharing for those using, or considering, AWS. The interview article was published in the December 2014 issue of the print magazine of CIO&LEADER. The full transcription below is reprinted with permission from CIO&LEADER.

CIO&LEADER: Most enterprise information security leaders are at a loss when it comes to next generation threats such as DDoS and APT. How big a threat are these for you and how do you mitigate them?

Stephen Schmidt: We see just about everything that happens on the Internet. I would like to share some interesting statistics to help quantify that. About 1 in 500 IP addresses that are routed on the Internet route to Amazon and about 1 in 700 are actively mapped to an EC2 instance. You can think of us as a very large telescope array deployed to find a very small object. It allows us to identify threats that are coming against our customers and build our services to help them protect against these threats. For instance, a lot of the APT actors try to gather legitimate usernames and passwords. This is one of the reasons we don’t allow usernames and passwords on the networks that contain customer data. We have given out smart cards because a smart card is a physical device which you must have in your possession and is really hard for those actors to steal.

CIO&LEADER: Third party risks are also a cause of concern for security practitioners. How do you as a CISO overcome these risks?

Schmidt: To minimize such risks, it is important to ensure that the third party that we work with meets the same security standards as we do. We have to be able to pass on a common set of security standards to our customers. We make sure that we follow this strictly. The way we do this is through audits. For instance, if we have a CloudFront location that is in a co-location facility in some country, we require the co-location provider to give the exact same security requirements that we do. This is part of our agreement with them and we test them regularly.

So, I have a team whose job it is to physically visit every single location we have around the world multiple times a year. We do unannounced inspections where we just show up and make sure they are doing exactly what they should be doing. Our requirements are so stringent that we bring them down to the level of the building. For example, are they using approved fasteners, screws and bolts or not, so that you cannot unscrew anything from outside. We check the dimensions of holes in the walls to ensure they are not bigger than a certain size, so you cannot stick a hand through them and do something. We check to ensure the cabling that comes out of our facilities is inside tamper-resistant conduits. So, there is a whole list of criteria that we go through to check to make sure that our vendors are meeting our particular requirements.

CIO&LEADER: You sure have a robust third party risk mitigation strategy. But how do you counter insider threats?

Schmidt: The best way to counter insider threat is to limit human access to data. So, one of the things that we do internally is to actively reduce the number of people who can access information.

Even though our business is growing like crazy, we actively reduce the number of humans every single week who have access to information that belongs to our customers. We are able to achieve this through automation. For example, if a human needs to do something repeatedly more than one or two times, we decide to fix it. We look at building a tool that can do it automatically. This approach has two benefits. Firstly, tools rarely go wrong. They do the right thing, the same thing every single time. Humans, on the other hand, may make a typographical error and cause a problem. Secondly, it enhances availability. Automation, therefore, improves security and availability.

CIO&LEADER: So, where does AWS plan to spend in 2015? Which technologies and solutions will the company focus on?

Schmidt: For AWS, the one area that we will focus strongly on is encryption. It will be ubiquitous encryption, that is, encryption everywhere. The other area where we will direct our energies would be in providing more customer control over that encryption so that they could control the keys. The third would be to ensure that we give our customers tools to help them make good security decisions.

Customers are used to being told by vendors that if a problem arises, they will come and fix it. At AWS, we take a different approach. Instead what AWS tends to do is: here is the situation where you can improve, and here is the button that says improve or fix it. The point here is, we give customers the tools that they need, very inexpensively or free, so that they can do that themselves.

CIO&LEADER: And as a CISO where do you plan to invest?

Schmidt: We invest a lot in automation, so one of the things that we build is tools. And we do enormous amounts of automation on common security practices, common security testing, penetration testing and configuration management testing, among many others, to ensure that things are doing what they need to be doing. Those are areas where we do a lot of investment every single year.

The reason for doing so is twofold: one, it has a definite security benefit; the other is that there is simply no way to operate at the scale we do unless we automate it. There is no way I can hire security engineers of sufficient volume and quality to cover the AWS services, as large as they are, if I didn’t automate quickly. We invest a lot of effort in automation.

Creating secure systems for your company is a core tenet of any IT executive’s job. Why not use the best tools available to do so? Most professional athletes will tell you that their equipment matters. It’s not a substitute for talent, practice, and hard work, but if using better equipment will potentially improve their performance, they’ll use it. The cloud is not a substitute for having the right talent, discipline and governance on your systems, but it does improve your chances.