
AWS CISO On Why Its Security Strategy Tops Microsoft, Google

Mark Haranas

‘We’re not playing checkers, we’re playing chess. And we’re playing chess at 150 miles per hour, on the internet, with everybody watching,’ says CJ Moses, a cloud cybersecurity pioneer and CISO at AWS.

Why will AWS best Azure and GCP in security in the long run?

We believe in least privilege like crazy, to the point where I want to make sure that, as best we can, we create technology such that not even my people nor I can access the data that’s on a server.

Rather than having administrators that secure shell into a box in order to do some sort of work (obviously these things have to be maintained), we have created chipsets or hardware that’s designed along the lines of taking out the management and control planes and separating them.

So your disk controllers and all that kind of stuff are separate from each other.

Now what the people that are running the infrastructure are doing is they’re using APIs that have a very small attack surface and do not have the means by which to pull customer data out of the system.

It used to be, when you’re talking to a customer, ‘What contractual obligations do you have to protect me from insider threat of somebody getting access to my data?’

I’d rather put a technical control mechanism in place that prohibits us from being able to do so. Run your environment on the Nitro architecture—and we’re on multiple generations of that now; we’ve been doing it for years—and you’re limiting our ability to actually ever be able to have access to that.

We’ve invested literally billions of dollars into turning things that previously were contractually based into mechanisms and technical controls that prevent it from happening to begin with.

That’s why we’re more secure than others.

Because others don’t have that level of investment, that commitment, crazy paranoid people like Steve and me, or Andy Jassy and Adam Selipski, who are pushing us to continue down that road.

We’re going to continue to do that to the point where we’ll be in a situation where customers will be able to see everything that’s going on, and be able to audit it, and know all of the actions that are done on their behalf in order to run within the cloud.


Mark Haranas is an assistant news editor and longtime journalist now covering cloud, multicloud, software, SaaS and channel partners at CRN. He speaks with world-renowned CEOs and IT experts, covers breaking news and live events, and manages several CRN reporters. He can be reached at
