The future of security means focusing on people
AWS re:Inforce was back in person in Boston for the 2022 edition. For two days, the cloud security community gathered to learn from each other and hear the latest from AWS.
Before the show, I had written down what I hoped to see from the keynote and after taking a few days to process the content from the show, it’s fair to say that I got more than I bargained for!
The one critical takeaway
The conference features a couple of announcements from AWS—mainly Amazon GuardDuty’s support for scanning EBS volumes for malware and Amazon Detective’s support for Amazon EKS workload investigation. That’s a far cry from the avalanche of features and functionality from a show like AWS re:Invent.
I’m actually happy about that. The lack of new functionality let the breakout sessions focus on the already extensive set of features and services that help you fulfill you part in the Shared Responsibility Model.
The lack of news also made it easier for a new theme to shine through; it’s time to focus on the people side of security.
Before we dive in, I think a little context is necessary. Here are two clips from Stephen Schmidt, the CSO of Amazon during the keynote;
He goes one to describe the sheer volume of interactions and events that the AWS Global Infrastructure –– billions of use cases every day.
Volume at that level provides a unique perspective. Most of us know that AWS operates at enormous scale either explicitly or intuitively. That’s why I find it so interesting that there was such a focus on the people associated with security throughout the event.
It started with Stephen a couple of minutes later…
AWS calls their program, “Security Guardians.” Some organizations call it “Security Champions.” The name doesn’t matter (except when you’re researching it ????). What is important is the core concept, security expertise embedded within the teams that are building your solutions.
The security community has long used the almost cliché, “built-in, not bolt-on.” Making that a reality is a completely different story.
The scale that AWS operates provides insights into unique events but also a lot of different organizational structures. It’s telling that they are using this structure and advocating for all of us to adopt it as well.
So, what exactly is that approach? Here’s Lena Smart, the CISO of MongoDB, explaining how they’ve implemented this type of program;
Lena Smart, the CISO of MongoDB, explains their approach to the same idea. The tl:dr is that instead of putting all of the security expertise into one, central security team, there are security specialists on each product or development team.
Centralized security levels up
The central security team still exists but their roles shift.
In this model, the embedded security talent provides advice and guidance on a lot of the day-to-day security work. They are part of the development team.
This provides much needed context for security decisions but it’s also provides balance. Because they are part of the development team, their goal is the same. They aren’t just aiming at a set of security goals.
This means the central security team can focus on organization-wide issues, incident response, and setting clear standards. Instead of constantly switching context to try and understand specific builds, they can up level their work and really improve the overall security posture of your organization.
This leadership session, “Proactive security: Considerations and approaches”, featuring Eric Docktor (VP of Software Builder Experience, Amazon) and Kristen Haught (Principal Technical Program Manager, Amazon) gets into some of the specifics on how this can work.
How you can get started
It’s hard to recruit cybersecurity talent right now because security expertise is in high demand. While this is great news for cybersecurity practitioners, it poses a challenge for organizations looking to hire and retain talent.
That’s why it’s critical to make sure that you’re optimizing the work of the talent you do have on board. The Security Guardians model is a strong step forward to make that a reality.
Developers and builders don’t want to build insecure systems. There’s an innate desire there to build better. Your security program should encourage that through training and education initiatives.
Those efforts should highlight the developers and engineers that could be, with further encouragement and support, Security Guardians. You can supplement this with direct security hires but that can be tricky at scale.
Getting a program like this off the ground is challenging. You need buy-in at multiple levels but the rewards are clear. Embedded security talent will deliver better security outcomes for each solution you’re developing.
Combined with a more effective centralized team, this two pronged effort is the most efficient approach to security at any scale.
With the focus on people at AWS re:Inforce 2022, I expect AWS to talk about this model more frequently in public. That’ll help drive adoption and create a community of practice where we can help each other meet our collective security goals.