Merritt Baer is a principal in the Office of the Chief Information Security Officer (CISO) at Amazon Web Services. She spends her days guiding AWS customers on how to best achieve security in the cloud.
At the recent Airside Live conference, Baer shared some of that advice with our audience. Here are some highlights from her session.
Security is Freedom
The vision Baer works to convey to CIOs and CSOs is that strong security brings freedom. She shared, “One of the things that I want them to be thinking about is feeling unconstrained about your use of data. So, just assume you could have any dataset, and then you could reason on top of it. How would you change your business?”
A foundation of security allows your business to safely access and use all of your data to make decisions that can change your operations, solve problems, conquer new markets, and more.
The Foundation of Scalable Cloud Security
When you choose an enterprise-grade cloud infrastructure partner like AWS, you inherit a robust security foundation that gives you the freedom to scale your organization.
These days, we’re abstracted away from much of the physical technology and infrastructure involved in running a business. But the cloud is grounded in data centers, in the “racking and stacking of servers, HVAC, the guards and gates, and all of the actual backbone that is still a reality.”
According to Baer, it’s a heavy lift that AWS does very well, so customers don’t have to. When looking at a move to cloud, she advises security organizations to consider the security posture they’ll inherit from the AWS cloud environment.
For example, you gain access to unparalleled geo-redundancy and high availability. You can replicate workloads into multiple availability zones (they have 81) so that in the event of an outage, AWS can initiate an automatic failover to a backup workload in another data center and automatically redirect traffic to this redundant machine in real-time.
Baer also highlighted four components that get to the core of how AWS cloud helps businesses scale securely:
Infrastructure as Code
With a tool like AWS CloudFormation, you can speed up provisioning and manage resources throughout their life cycles with infrastructure as code. It lets you use templates to create, update, and delete an entire stack as a single unit instead of managing resources individually, and manage and provision stacks across multiple AWS accounts and regions.
Elastic Security Automation
Building off the value of infrastructure-as-code, you also get access to security-as-code services. As you architect your unique cloud-native environments, you can leverage API-driven security services to protect your environment against today’s modern security threats.
Runtime security provides active monitoring and protection for cloud-native workloads. Similar to on-premises services such as IDS/IPS, AWS offers network-based monitoring services to detect, alert and remove potential threats traversing an organization’s AWS-native subnetwork.
In the face of rising cybersecurity threats, immutable infrastructure mimics an air-gapped solution that limits how users can write, change, or delete data residing on a server. Immutability offers excellent value to users looking to prevent malware attacks such as ransomware, as it disallows outside entities to change critical data residing on production infrastructure.
Security is a Shared Responsibility
When you choose a public cloud service provider like AWS, security becomes a shared responsibility. Your provider takes on responsibility for protecting the infrastructure of the services that run in their cloud; you are responsible for your cloud services’ proper configuration and operation.
A cloud computing provider like AWS has all sorts of security solutions to help optimize your security and even set up a foundation for compliance. But in the end, you are responsible for things like your security controls, firewalls, data protection, etc.
Your Mission: Build a Security Machine
A key concept that enables security at scale is automation. The approach AWS takes on a grand scale, Baer noted, is what each organization should strive for as well.
“For security teams, one of the things that I try to energize them with is the idea that you need to build a machine,” she said. It’s important to understand that people are a critical component of your machine, alongside the automation, technologies, and processes.
Baer emphasizes this point by saying that, “Good intentions are not enough, and nothing’s going to happen by accident. So, it’s got to be someone’s job. How are you taking action on things? Do you have runbooks for your findings, and how and when do you escalate?”
Speaking of escalation, AWS has instituted a blameless approach. Because when it comes to security, all that matters is fixing any issues as quickly as you can. Baer shared, “We have blameless escalations that go up every 15 minutes. It doesn’t matter if it was John’s fault or not; it doesn’t matter if John left the company, it doesn’t matter. It gets escalated. The fact of the matter is that your executives need to know that this is part of their business proposition.”
Some of her other suggestions for building your machine include:
- Scope down the universe of possible actions using automation and other tools; leave the gray area of human decision-making for truly novel or high-stakes scenarios.
- Build a low-latency, fully API-driven ticketing system for better metrics and better analytics
- Never close a trouble ticket until you’ve scripted a remediation.
- Hire devs who love to automate and write code, then augment and train them on the security side; “democratize security down.”
- Use security tools like Inspector, CloudWatch Events, and Config Rules for automated remediation and full visibility into your environment.
Cloud Security North Stars
Toward the end of her session, Baer outlines seven North Stars for cloud security. We’ll let you watch the session for all of them, but a sneak peek:
North Star Number 2 – Automate all the Things
Two things AWS CTO Werner Vogel says all the time: “Everything fails all the time” and “Get the humans away from the machines.” In other words, if you can automate a process, you should. An organization can minimize the risk of failure by removing the human element and allowing computers to execute well-defined hard-coded tasks.
To encapsulate this idea perfectly, Baer shares, “The point is, computers do some things better. Humans are here to think spatially, creatively, and innovatively. Whereas computers are better at doing a lot of operational stuff. If a computer can do it, we should let them do it.”
Rather than taking away jobs, computers, as Baer points out, allow humans to do more higher-order tasks. This provides an incredible opportunity for organizations to enable advanced computing platforms to help drive innovation rather than stifle it.
To hear all of Baer’s North Stars and learn about areas we didn’t cover in this blog like:
- Automated reasoning
- Ubiquitous encryption
- Zero trust