
The AWS Philosophy of Security - SID322 - re:Invent 2017

AWS distinguished engineer Eric Brandwine speaks with hundreds of customers each year, and noticed one question coming up more than any other, "How does AWS operationalize its own security?" In this session, Eric details both strategic and tactical considerations, along with an insider's look at AWS tooling and processes.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. November 30, 2017. The AWS Philosophy of Security, SID322. Eric Brandwine, AWS VP and Distinguished Engineer
  2. Some Context
  3. How Do You Do Security? 'Cause I want to security, too!
  4. Is This System Secure? ?
  5. Security Is Easy…
  6. Usable Security Though…
  7. It is the goal of every security organization to build a system that, over time, maximizes the delivered customer value while minimizing the cost of that delivery.
  8. (image only)
  9. (image only)
  10. (image only)
  11. (image only)
  12. (image only)
  13. (image only)
  14. (image only)
  15. (image only)
  16. (image only)
  17. Rejected Takeoff 6
  18. (image only)
  19. A List
      • No pre-flight checklist
      • No abort when they spot the lock warning light
      • No abort when they can't throttle up
      • Use of the auto throttle to attempt to throttle up
      • FPSOV pulled despite not being on any procedure
  20. The boss will be angry because we have to abort takeoff. That means we will be late, and might even miss our clearance window and be even later. Maybe we will all die. or
  21. A review of data from the airplane's quick access recorder revealed that the pilots had neglected to perform complete flight control checks before 98% of their previous 175 takeoffs in the airplane, indicating that this oversight was habitual and not an anomaly.
  22. "The gradual process through which unacceptable practice or standards become acceptable. As the deviant behavior is repeated without catastrophic results, it becomes the social norm for the organization."
  23. (image only)
  24. http://science.ksc.nasa.gov/shuttle/missions/51-l/docs/rogers-commission/Appendix-F.txt
  25. That's how we've always done it. Nothing bad has ever happened. I don't think that's how {humanity/society/the internet} works.
  26. (image only)
  27. Democracy is the worst form of government, except for all the others. —Winston Churchill
  28. Humans are the worst way to put together a security team, except for all the others. —not Winston Churchill
  29. What's a Security Guy to Do?
      • Calibrate objectively
      • Invite (appropriate) outside scrutiny
      • Account for the humans in your system
        • Service teams
        • The Security team
        • Customers
        • Adversaries
        • You
  30. (chart; labels: Some, Lots, Many)
  31. "Security and operational excellence are job zero."
  32. Escalate!
  33. Ownership. Leaders are owners. They think long term and don't sacrifice long-term value for short-term results. They act on behalf of the entire company, beyond just their own team. They never say, "that's not my job."
  34. Earn Trust. Leaders listen attentively, speak candidly, and treat others respectfully. They are vocally self-critical, even when doing so is awkward or embarrassing. Leaders do not believe their or their team's body odor smells of perfume. They benchmark themselves and their teams against the best.
  35. Customer Obsession. Leaders start with the customer and work backwards. They work vigorously to earn and keep customer trust. Although leaders pay attention to competitors, they obsess over customers.
  36. Measure Everything and Report On It
  37. The primary virtue of the programmer is laziness. —not quite Larry Wall. "Good intentions never work, you need good mechanisms to make anything happen." —Jeff Bezos
  38. (bar chart: AppSec Review Staleness; x-axis "Days Stale" with buckets 0-30, 30-60, 60-90, 90+; y-axis "Number of Reviews", 0 to 60)
  39. (image only)
  40. Insist On the Highest Standards. Leaders have relentlessly high standards—many people may think these standards are unreasonably high. Leaders are continually raising the bar and driving their teams to deliver high quality products, services, and processes. Leaders ensure that defects do not get sent down the line and that problems are fixed so they stay fixed.
  41. Measure Everything and Report On It and Take an SLA
  42. (image only)
  43. It is the goal of every security organization to build a system that, over time, maximizes the delivered customer value while minimizing the cost of that delivery.
  44. (chart; axes: Security, Time; label: Lots)
  45. Least Privilege = Maximum Effort
  46. Prevention, Analysis, Response, Detection
  47. … even well-meaning gatekeepers slow innovation. When a platform is self-service, even the improbable ideas can get tried, because there's no expert gatekeeper ready to say "that will never work!" And guess what—many of those improbable ideas do work, and society is the beneficiary of that diversity.
  48. Prevention, Analysis, Response, Detection
  49. What Should I Automate? ?
  50. Is Your System Real-Time? Maybe?
  51. Prevention, Analysis, Response, Detection
  52. "The gradual process through which unacceptable practice or standards become acceptable. As the deviant behavior is repeated without catastrophic results, it becomes the social norm for the organization."
  53. Action Items. Do the thing you signed up to do. Due: 12/31/2017
  54. Action Items. Do the thing you signed up to do. Due: 12/31/2017
  55. Action Items. Do the thing you signed up to do. Due: 1/5/2018
  56. Action Items. Do the thing you signed up to do. Dates shown: 1/5/2018, 1/3/2018
  57. Action Items. Do the thing you signed up to do. Dates shown: 1/5/2018, 12/5/2017, 11/5/2017, 10/5/2017, 9/5/2017
  58. Action Items. Do the thing you signed up to do. Dates shown: 1/5/2018, 7/5/2017
  59. The Short Version
      • Humans are weird
      • Account for them, you can't patch them
      • Security is everyone's job
      • Saying it doesn't make it true
      • Measure objectively
      • Security is all about efficiency
      • Guard your resources, especially your humans
  60. Thank you!
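The staleness chart on slide 38 ("Measure Everything and Report On It") and the repeatedly pushed due dates on slides 53 to 58 describe one mechanism: put a number on how long security work has been sitting, report it in buckets, and notice when a deadline slides instead of being met. The script below is an added example, not AWS tooling and not from the talk; the item records, the bucket boundaries, the "today" date (the session date) and the slip rule (any extension or any overdue item is reported) are all constructed assumptions for illustration.

```python
"""Staleness buckets and due-date slip tracking for security work items.

Added example; not AWS tooling. All data below is constructed.
"""
from datetime import date

# Bucket boundaries as shown on the slide's x-axis: [lo, hi) in days,
# with the last bucket open-ended. Assumption: the slide's buckets.
BUCKETS = ((0, 30, "0-30"), (30, 60, "30-60"), (60, 90, "60-90"), (90, None, "90+"))

# Constructed "today": the session date, so the numbers below are stable.
TODAY = date(2017, 11, 30)

# Constructed sample: each item has the date it was last touched and the
# full history of due dates it has been given (first entry = original).
SAMPLE_ITEMS = [
    {"id": "ITEM-1", "last_updated": date(2017, 11, 20),
     "due_dates": [date(2017, 12, 31)]},
    {"id": "ITEM-2", "last_updated": date(2017, 10, 1),
     "due_dates": [date(2017, 12, 31), date(2018, 1, 5)]},
    {"id": "ITEM-3", "last_updated": date(2017, 7, 1),
     "due_dates": [date(2017, 7, 5), date(2017, 9, 5), date(2017, 10, 5),
                   date(2017, 11, 5), date(2017, 12, 5), date(2018, 1, 5)]},
    {"id": "ITEM-4", "last_updated": date(2017, 10, 20),
     "due_dates": [date(2017, 11, 1)]},
]


def bucket_for(days_stale):
    """Map a staleness in days onto the slide's bucket label."""
    for lo, hi, label in BUCKETS:
        if hi is None or days_stale < hi:
            return label
    raise ValueError(days_stale)  # unreachable: last bucket is open-ended


def staleness_histogram(items, today=TODAY):
    """Count items per staleness bucket; every bucket is present, even at 0,
    so an empty bucket is reported rather than silently missing."""
    counts = dict.fromkeys((label for _, _, label in BUCKETS), 0)
    for item in items:
        days = (today - item["last_updated"]).days
        counts[bucket_for(days)] += 1
    return counts


def slipped_items(items, today=TODAY):
    """Report items whose due date was ever extended, or which are overdue.

    'extensions' counts how many times the deadline moved; 'slip_days' is the
    distance between the original and the current deadline. A growing
    extension count on one item is the normalization of deviance the deck
    warns about: each individual push looked harmless.
    """
    report = []
    for item in items:
        history = item["due_dates"]
        extensions = len(history) - 1
        overdue = history[-1] < today
        if extensions > 0 or overdue:
            report.append({
                "id": item["id"],
                "extensions": extensions,
                "slip_days": (history[-1] - history[0]).days,
                "overdue": overdue,
            })
    return report


if __name__ == "__main__":
    for label, n in staleness_histogram(SAMPLE_ITEMS).items():
        print(f"{label:>6} days stale: {'#' * n} ({n})")
    for row in slipped_items(SAMPLE_ITEMS):
        print(row)
```

Run against the constructed data, the histogram puts one item in each bucket, and the slip report lists ITEM-2 (one extension), ITEM-3 (five extensions, 184 days of slip, still "on track" by its latest date) and ITEM-4 (never extended, but overdue). The point of keeping the whole due-date history rather than only the current deadline is that ITEM-3 looks fine on any single day; it only looks wrong when you report the count of pushes.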
