AWS CISO On Why Its Security Strategy Tops Microsoft, Google

‘We’re not playing checkers, we’re playing chess. And we’re playing chess at 150 miles per hour, on the internet, with everybody watching,’ says CJ Moses, a cloud cybersecurity pioneer and CISO at AWS.

What’s one security philosophy that helps AWS stand out from your cloud rivals?

We actually have security-trained ambassadors for the service teams called ‘Security Guardians,’ so those teams don’t have to come to our security team; they’re going to have their own security engineers in many cases.

We take those engineers and make sure that they are as closely aligned with us as they can be, so that if there are questions, normally they’ll ask their Guardians within their own environment.

It also means that when it comes time that they’re creating a new service, or have something that’s going to get retrospective review from a security perspective, we’ll go ahead and work with the Guardian, the ambassador if you will, to make sure everything is good.

What we found is that by doing so, there’s a greatly increased percentage of them going through the review without any real findings. So it’s a big reduction, because they’re actually even that much more focused. We created that. You’re starting to see that now in a lot of places.

The previous model used to be that you’d have security people from a security team that we hire, and then we embed. The problem is that they’re always seen as outsiders.

So rather than do that, how about taking people who are insiders, training them on the security stuff that they should be looking for, and continuing to maintain that relationship and that flow of information. Then grow and foster that to make sure that they’re part of the embedded teams.
