Top Takeaways From AWS Security Chief Stephen Schmidt At re:Inforce 2019

Schmidt’s keynote address touched on the current state of cloud security, building a security culture, tactical security tips and a road map of where the industry and technology are headed.


The vast majority of cloud security issues stem from a lack of understanding and failure by security professionals to “dive deeply,” Amazon Web Services security chief Stephen Schmidt said Tuesday.

“If you dive a bit deeper into our security portfolio, the gates will be consistent and considerable across the organization,” Schmidt, AWS’ chief information security officer, said in a keynote address that kicked off the No. 1 cloud provider’s inaugural re:Inforce conference on security, identity and compliance in Boston.

“When you dive more deeply into things, you find that there are opportunities for you to build in security into your development pipeline, and I think that's an area where many people should focus if they don't already,” Schmidt said. “Integrated security testing and security-centric release control is really critical to any organization that has to get things right every single time. And adding feedback loops help you correct common vulnerabilities more rapidly. But, more importantly, teach your SDEs [software development engineers] where they've made errors ... and help them prevent those errors in the future, since no tool will ever be perfect.”

Sponsored post

Schmidt’s keynote address spanned topics including the current state of cloud security, building a security culture, tactical security tips and a road map of where the industry and technology are headed.

“One of the most important things we can do as a security industry is build in the right behavior profiles for our staff,” Schmidt said. “That means building behavior in both the security engineering teams, but also in the development teams that we support, to help them understand that security is an integral part of everything we do, every single day.”

The cloud computing industry is in a position of strength, Schmidt said.

“Customers regularly tell us that they are better off operating in the cloud than they are in their own data centers on-premises,” he said. “And that is not only from an availability perspective, but often from a security perspective as well. We've got more than 2 million customers doing billions and billions of transactions every single day. Are we perfect? Of course not. But I really object to the ‘sky is falling mantra’ that some security vendors put out there. That is just simply not the case. It is not true. It's not good for us as an industry.”

Encryption ‘Not A Silver Bullet’

AWS has put a heavy emphasis on encryption in the past five years, according to Schmidt, who noted Amazon Chief Technology Officer Werner Vogels often wears an “encrypt everything” T-shirt during his keynote speeches.

“I think that's a great mantra to have,” Schmidt said. “It's something that all of us should be thinking about in the design and development process. However, encryption is, of course, no silver bullet. It is one of the ways to build layered security that helps you recover from failures because all software is written by humans, more or less, and all software therefore has bugs in it. So building layered defenses is super important.”

And security is everyone's job within an organization, according to Schmidt.

“It is not just the job of the security professionals who are in this room today, but every developer who's out there,” he said. “We want to make sure that you've got the right way to do business, but we also want to help you build the muscle memory within your organizations ... to build properly, to build securely.”

New AWS Stat And The Importance Of Partners

No discussion about security would be complete without AWS partners that sell their solutions in the AWS Marketplace, Schmidt said.

AWS has about 230,000 active customers using software in 39 categories across 4,800 listings from 1,400 independent software vendors.

“We're really delighted to announce a new public stat we're externalizing for the first time today—that we have over 100,000 subscriptions for security products in AWS Marketplace,” Schmidt said. “Ten percent of all of the subscriptions are in the security category, which I think is really cool. It's a testament to the fact that the process works.”

Automation Is ‘Most Critical Piece Of The Puzzle’

A lot of security software is traditionally focused on alerting organizations that something is wrong, when remediation is what all organizations want, Schmidt said.

“We want an action to take place when the alert is brought up to us,” Schmidt said. “Automation is the most critical piece of this whole puzzle. I've said this again and again and again. If you're waiting for human beings to notice something, to respond to a security incident, you are too late, which means you must use automation in order to succeed in this space. It's important because of speed. That's also important because of talent management. There are not enough security engineers in the world right now, and we're falling further and further behind, so automation is an area where you must put some effort,” he said.

“Using a bunch of our services together or alerting from a partner, for example, or AWS Config, you can use things like AWS Lambda to cause remediation actions to occur,” Schmidt said.

Schmidt announced that AWS Config—a service that enables cloud security professionals to assess, audit and evaluate the configurations of their AWS resources—now includes remediation capabilities with Config rules.

“You can associate a particular rule and remediation, put them together, and an action will occur automatically when the rule fires,” he said. “For example, you could say you want to check that all S3 buckets do not allow public read access, and if they do, Lambda will automatically execute a remediation to close that particular issue for you.”

Encrypting AWS Elastic Block Store Volume

Security professionals frequently ask AWS to help encrypt their AWS Elastic Block Store (EBS) volumes, according to Schmidt.

“That is done and done,” he said. “All newly created volumes can be encrypted, either using a default key or your own key. You can set up an IAM [identity and access management] policy which enforces the use of encryption. And a security team, for example, can enable encryption on all new EBS volumes without any action or code changes by the development teams.

Shut The Front Door

“We, of course, want you to have building blocks that help you secure the foundation of all of your services, but it's also important not to leave the front door open when you're doing this,” Schmidt said.

Application programming interfaces (APIs) provide an “awesome” opportunity for enterprises to develop and integrate applications, but it can be a challenge to build security measures into APIs to protect data and meet compliance requirements, he said.

“There are so many ways to get at this particular problem,” Schmidt said. “We've built a lot of services to help you do that effectively. Resource policies, for example, let you create resource-based policies to allow or deny access to your APIs. They're standard IAM rules and policies that we curate that you can use to control who can get and create and manage your APIs, or tags you can apply in IAM with IAM policies to control access to the APIs. So there are a lot of different ways that you can look at control and enablement in our API infrastructure, where we take on the heavy lifting for you.”

‘Crazy Progress’ With Amazon GuardDuty

Launched in November, Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads, has been one of the most rapidly adopted services in AWS history, according to Schmidt.

“We’ve seen absolutely crazy progress in this space,” he said. “We've also not slowed down at all in building up the capabilities of GuardDuty. We've increased detections by 86 percent since launch, while also reducing the effective costs to customers by 28 percent. Some of our largest customers have seen their bills for GuardDuty drop by up to 80 percent because of our cost-reduction optimizations that we've undertaken here.”

AWS Lambda Momentum

Momentum with AWS Lambda, which lets users run code without provisioning or managing servers, continues to grow, according to Schmidt.

“With only three years in the market, we see trillions of executions every single month and have hundreds of thousands of active customers every month using AWS Lambda,” he said. “My security team is the largest consumer of Lambda in the world because we use it to react to every alarm that we get on our infrastructure. With an infrastructure our size, of course you see lots of people poking at you. But Lambda allows us to scale our security team to the point where we still only have one on-call security engineer who's babysitting the automation. And that, I think, is the power of using service architectures.”

AWS Technology Partner Reaction

Ameesh Divatia, co-founder and CEO of Baffle, a Santa Clara, Calif.-based advanced data protection vendor and AWS technology partner, welcomed the opportunity to attend re:Inforce.

“It’s great to actually have a security-focused gathering from AWS because as vendors, it’s really good to see the quality of the attendees on the show floor,” he said, noting AWS’ main re:Invent conference has “just become too big.”

“AWS is starting to provide more and more capabilities around security, and it’s not just the fact that they are providing tools, but also that they are integrating third-party tools,” Divatia said. “They can’t always be best-in-class for everything.”

But, he said, there’s still a lot of ground for AWS to cover for security in the cloud.

“Today, AWS says that is something that falls to a customer, but there is an equal system of vendors that provide that as well and, eventually, AWS will integrate that into their offering … which is what we expect.”

The first day of the re:Inforce conference showed how AWS views security—as a fundamental part of building technology, said Mark Nunnikhoven, vice president of cloud research at Trend Micro, an enterprise data security and cybersecurity company with a U.S. headquarters in Irving, Texas. He took away three repeated themes: Security is a key business concern, automation is key part of modern security, and security must be built into the fabric of everything.

“An undercurrent in the keynote was also the acknowledgment that security is a challenge for most organizations,” Nunnikhoven said. “The pragmatic tone lent itself well to the balance that security teams need to strike within their organizations. While some teams are used to getting their way, truly effective security is a collaboration within the organization.”