(spot303) security operations at massive scale
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George Stathakopoulos, VP Amazon.com, Information Security
Stephen Schmidt, VP AWS Security Engineering & CISO
October 2015
SPT303: Security Operations at a Massive Scale
Brothers raised in the same household
With different viewpoints:
• George – responsible for security of Amazon.com
• Steve – responsible for security of AWS
Two guys moving toward the same goal
What we share
• Amazon wants and needs speed and flexibility
• For flexibility, Amazon needs massive capacity
  – Wasted when business is slow
• AWS provides speed, capacity, and flexibility
  – What you need when you need it
Why Move Amazon to AWS?
So Why the Cloud?
AWS makes security more agile: it lets you move fast while staying safe.
AWS Security Team
• Operations
• Application Security
• Engineering
• Compliance
Aligned for agility
Security Ownership as Part of DNA
• Promotes a culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed, embedded
Operating Principles
• Separation of duties
  – Different personnel across service lines
• Least privilege
Technology to Automate Operational Principles
• Visibility through log analytics
• Shrinking the protection boundaries
• Ubiquitous encryption
Pack your bags. We’re moving!
Enterprise Challenges
Fear of losing control
• Logs
• Data centers
• ACLs
• and and and
AWS Advantages
AWS provides more: control, visibility, auditability, agility
• Logging
  – CloudWatch Logs
  – AWS Config
  – VPC Flow Logs
• Data centers
  – AWS Management Console
• ACLs
  – AWS Identity and Access Management (IAM)
Enterprise Challenges
Shared responsibility does not absolve you of your security role, but it lessens the load.
You still need to maintain control of the application layer.
Shared Workload
Hosted services
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkDocs
• No need for a team of people managing a fleet of Exchange servers
• Instead, you need to manage subscriptions to APIs
• You maintain two infrastructures until the tipping point where all new apps are developed and launched in the cloud.
Shared Workload
Iteratively migrate workloads until you reach that tipping point
Looking Back
• Ensure the move is coordinated well
• Move different sections of the business at different times
• Make sure you consider:
  – Identity federation: IAM
  – Access control: AWS Directory Service
  – Logging: CloudWatch
Lessons Learned
• People move applications without considering all options
• “Gold Rush” mentality: snapping up instances that aren't needed
  – Too big
  – Too many
  – Etc.
Look Forward
There is a tipping point where you leave your traditional mentality behind and embrace a new way of thinking.
Benefits of the Cloud
What are the advantages?
• Uptime
• Recoverability
• Lessons learned from others
• Tiny bubbles
  – Small moves into the cloud
  – Small blast radius should something go amiss
Looking Forward
• The future is now!
• Improvements
  – Logging
  – Visibility
  – Instantaneous firewall changes
• Coming challenges
  – Collecting vast amounts of data
  – Analyzing this data
  – Acting on this data
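The slides name VPC Flow Logs as one of the logging sources AWS gives you and list "collecting, analyzing and acting on" that data as the coming challenge. The following is an added example, not part of the talk or of any AWS tooling: it parses records in the default VPC Flow Log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and, as one simple "act on the data" step, lists source addresses whose connections were REJECTed on many distinct destination ports. The sample records, the account and interface ids, and the five-port threshold are constructed for illustration.

```python
"""Summarise VPC Flow Log records and flag noisy sources.

Added example (not from the SPT303 slides): parses the default VPC Flow
Log record format and reports, per source address, how many distinct
destination ports were REJECTed. Sample records, ids and the threshold
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Field order of the default VPC Flow Log record format.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    action: str
    log_status: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one space-separated flow log line. Records whose log-status
    is NODATA or SKIPDATA carry '-' instead of traffic fields, so they
    are returned as None before any numeric conversion is attempted."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]),
        nbytes=int(rec["bytes"]),
        action=rec["action"],
        log_status=rec["log_status"],
    )


def rejected_ports_by_source(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Map each source address to the set of destination ports on which
    a security group or network ACL rejected its traffic."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    return ports


def noisy_sources(lines: Iterable[str], min_ports: int = 5) -> List[str]:
    """Return sources rejected on at least `min_ports` distinct ports,
    a crude signal that is worth a closer look by an analyst."""
    return sorted(
        src for src, p in rejected_ports_by_source(lines).items()
        if len(p) >= min_ports
    )


# Constructed sample records; account id and ENI id are placeholders.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 10.0.1.20 43210 22 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 10.0.1.20 43211 23 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 10.0.1.20 43212 80 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 10.0.1.20 43213 443 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca 203.0.113.12 10.0.1.20 43214 3389 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca 198.51.100.7 10.0.1.20 51000 443 6 12 3400 1444000000 1444000060 ACCEPT OK
2 123456789010 eni-1235b8ca 198.51.100.7 10.0.1.20 51001 8080 6 1 40 1444000000 1444000060 REJECT OK
2 123456789010 eni-1235b8ca - - - - - - - 1444000000 1444000060 - NODATA
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    by_src = rejected_ports_by_source(lines)
    for src in noisy_sources(lines):
        print(f"{src}: rejected on ports {sorted(by_src[src])}")
```

Real deployments would read the records from CloudWatch Logs rather than a string, and the per-source threshold would be tuned against the account's normal traffic; the point of the example is the shape of the pipeline (parse, aggregate, pick out what an analyst should look at), which is what "analyzing this data" and "acting on this data" amount to in practice.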
Structure your staff appropriately
Design & Deploy
• Define sensible defaults
• Inherit compliance controls
• Use available security features
• Manage templates, not instances
Operate & Improve
• Constantly reduce the role of people
• Reduce privileged accounts
• Concentrate on what matters
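"Least privilege" under Operating Principles and "reduce privileged accounts" here both come down to what IAM policies actually grant. As an added example (not from the talk and not an AWS tool), the check below walks the statements of an IAM policy document and reports Allow statements that grant every action, every action in a service, every resource, or use NotAction. The policy and its Sids are constructed; treating a "service:*" action as over-broad is a choice made for this check, not an IAM rule.

```python
"""Flag over-broad IAM policy statements.

Added example (not from the SPT303 slides): reports Allow statements
whose Action or Resource is a wildcard, or which use NotAction, since
each of these is the opposite of least privilege. The sample policy
is constructed for illustration.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> list:
    """IAM accepts either a single string or a list for Action,
    NotAction and Resource; normalise both to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" grants every action; "s3:*" grants every action in a service.
    # Counting the latter as over-broad is this check's own choice.
    return action == "*" or action.endswith(":*")


def find_overbroad_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that is broader than a
    least-privilege grant; Deny statements are left alone because a
    broad Deny restricts rather than extends access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        reasons = []
        if "NotAction" in stmt:
            reasons.append("uses NotAction (allows everything not listed)")
        if any(_is_wildcard_action(a) for a in _as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("wildcard resource")
        if reasons:
            findings.append({"sid": sid, "reasons": reasons})
    return findings


# Constructed sample: one scoped statement, two over-broad ones, one Deny.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "AdminEverything",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Sid": "AllOfS3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}
""")

if __name__ == "__main__":
    for finding in find_overbroad_statements(SAMPLE_POLICY):
        print(finding["sid"], "->", ", ".join(finding["reasons"]))
```

Run against the policies attached to your privileged roles, a check like this gives a concrete list to shrink, which is how "reduce privileged accounts" becomes a measurable task rather than an aspiration.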
Thank you!