AWS CISO On Why Its Security Strategy Tops Microsoft, Google
‘We’re not playing checkers, we’re playing chess. And we’re playing chess at 150 miles per hour, on the internet, with everybody watching,’ says CJ Moses, a cloud cybersecurity pioneer and CISO at AWS.
Talk about AWS’ security-first IT culture and how you created it.
Steve Schmidt (pictured), myself and a handful of others were at the FBI with a need for a capability. That capability had to be highly secure and dynamically scalable.
The mission was that we had to take every piece of digital media the U.S. government got for counterterrorism purposes, cross-correlate it against everything else we knew in history. And basically, find the needle in the haystack that was going to keep bad things from happening to good people.
You can imagine back in those days, it was big data before there was big data. Our mission was to figure out how to—when the digital truck showed up at Friday at 4:30pm—how to go ahead and find that piece of data that was going to keep bad things from happening to good people.
We didn’t have the technology we needed in order to make it happen quicker. No matter what we did, it couldn’t scale enough.
We launched EC2 as the very first iteration. We’re like, ‘That’s exactly what we need: Elastic Compute Cloud. 1,000 computers for an hour is much better than the inverse of that.’
From that time, the discussions flipped, because they weren’t ready to provide it for us. Andy Jassy said, ‘The only way we’re ever going to get there as we bring people like you on board in order to build that capability from scratch.’
Steve Schmidt and I came on board with our history of chasing hackers around the wild west of the internet, doing all the things we did around with nation-state actors, counterterrorism work, and we were given the opportunity to build the technical infrastructure to be able provide the most secure cloud in the world.
The reason why I can say that is we built it from scratch. We built the culture. We took the security culture that we had from our paranoid life of FBI and OSI and all these things, and integrated with the ownership model that is part of the core Amazon environment and culture.
Single threaded leaders own success and failure, profit and loss—security is part of that. That’s not just a saying. The reality is you’re in a meeting, that single threaded owner owns the security of each and every service. They’re not saying, ‘It’s CJ’s job. Why isn’t CJ here getting yelled at?’ It’s their job to make sure their services are secure. That’s part of the culture that we helped create and carry forward over the years.
The same thing applies to everything that’s been built from day one.