Stephen Schmidt's deep dive into the culture and inner workings of how AWS Security keeps customers safe every day, including what practices customers can adopt to improve their own position.
6. constantly improving
[Diagram: the AWS side of the shared responsibility model. AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Availability Zones, Regions, Edge Locations), with compliance programs listed alongside: GxP, ISO 13485, AS9100, ISO/TS 16949. Caption: AWS is responsible for the security OF the Cloud.]
7. [Diagram: the full shared responsibility model.]
Customer layer (security IN the Cloud): customer applications & content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection. Customers have their choice of security configurations IN the Cloud.
AWS layer (security OF the Cloud): AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Availability Zones, Regions, Edge Locations). AWS is responsible for the security OF the Cloud.
11. The practice of security at AWS is
different, but the outcome is familiar:
Focus on your business, not the undifferentiated
heavy lifting
This applies within AWS, just as it does for our customers
12. The practice of security at AWS is
different, but the outcome is familiar:
Focus on your business, not the undifferentiated
heavy lifting
Make it easier for our customers (internal & external) to do
the “right” thing
13. The practice of security at AWS is
different, but the outcome is familiar:
Apply more effort to the “why” rather than the “how”
Why is what really matters
When something goes wrong, ask the “five whys”
14. The practice of security at AWS is
different, but the outcome is familiar:
Decentralize - don’t be a bottleneck
It’s human nature to go around a bottleneck
15. The practice of security at AWS is
different, but the outcome is familiar:
So what does your security team look like?
16. The practice of security at AWS is
different, but the outcome is familiar:
Everyone’s an owner
When the problem is “mine” rather than
“hers” there’s a much higher likelihood I’ll do
the right thing
17. The practice of security at AWS is
different, but the outcome is familiar:
Measure constantly, report regularly, &
hold senior executives accountable for
security – have them drive the right
culture
20. Our Tenets (unless you know better):
• We lead AWS in helping prevent
unauthorized access to AWS resources: our
customers’ or ours. We continuously assess
our systems, identify exposures, evaluate
risks, and relentlessly drive mitigations.
21. Our Tenets (unless you know better):
• We are the one-stop shop for all security
questions within AWS. In cases where we
don’t own the answer, we own getting the
question answered.
22. Our Tenets (unless you know better):
• We build systems and provide
recommendations that make it easier to build
secure systems than it is to build insecure
ones.
29. Our Culture:
• Proactive monitoring rules the day
• What’s “normal” in your environment?
• Depending on signatures == waiting to
find out WHEN you’ve been had
30. Our Culture:
• Collect, digest, disseminate & use
intelligence
31. Our Culture:
• Make your compliance team a part of your
security operations