AWS re:Inforce 2021 - Keynote with Stephen Schmidt
Aug 16, 2023
Steve Schmidt, VP and CISO of Amazon Web Services, delivers his AWS re:Inforce 2021 keynote, featuring the latest security news and announcements. Learn more about AWS Security at https://amzn.to/3koT8ve
Content
0.817 -> (exciting music)
14.55 -> - [Announcer] Please welcome
CEO, Amazon Web Services,
17.9 -> Adam Selipsky.
19.654 -> (exciting music)
23.23 -> - Hello and welcome to re:Inforce.
25.72 -> I'm Adam Selipsky, CEO
of Amazon Web Services.
29.31 -> I'd like to personally welcome all of you.
32.02 -> Today is an opportunity
for in-depth learning
34.34 -> designed to help you meet
your security, identity,
37.33 -> and compliance needs, and I'm
really glad you could join us.
41.41 -> We started re:Inforce in 2019
43.85 -> and are thrilled to be
back hosting this year.
46.69 -> Obviously, we wish we could
be together in person,
49.76 -> but it's still great to gather virtually,
51.97 -> and we're still really, really excited,
54.28 -> grateful you could join,
and really looking forward
56.84 -> to a fantastic, interactive time together.
60.83 -> We are passionate about security at AWS,
64.2 -> and it's my hope that you
come away from this experience
67.3 -> having learned something that makes you
69.08 -> and your environment more secure.
72.39 -> At AWS, security is always
our number one priority.
76.73 -> For us really it's
actually called job zero.
79.94 -> Nothing is more important.
82.39 -> If the right security isn't
in place for our customers,
85.48 -> we don't have an experience that works,
87.99 -> we don't have a business.
89.58 -> This work could not be more fundamental
92.58 -> or more mission critical.
95.13 -> With AWS, you can build
96.78 -> on the most secure global infrastructure,
99.45 -> knowing you always own your
data, including the ability
102.83 -> to encrypt it, move it,
and manage retention.
107.11 -> All data flowing across
the AWS global network
110.3 -> that interconnects to our data centers
112.47 -> and our regions is automatically encrypted
115.49 -> before it leaves our secured facilities.
119.16 -> We provide the broadest and
the deepest security features
122.25 -> and capabilities, and security
continues to be a top area
126.33 -> of investment for us because
that's how critical it is
129.54 -> both for our customers and for us.
132.92 -> We work on security solutions
across many industries,
136.2 -> with just an amazing array of
customers, including Edmunds,
139.57 -> Experian, Infor, NASDAQ, Neiman
Marcus, Siemens, Philips,
144.91 -> Autodesk, Maryland
Department of Human Services,
148.17 -> Snap, and Swiss Post.
150.07 -> You are also going to
hear from Brian Lozada,
153.14 -> chief information security
officer for HBO Max,
157.02 -> a very talked about, in-the-news customer
159.9 -> obviously at the moment, on their desire
162.14 -> to create a friction-free user experience
164.8 -> and how their cloud journey with AWS
167.01 -> has led to greater automation
168.9 -> and the ability to scale globally.
172.34 -> During today, you'll have
the opportunity to hear
174.78 -> from AWS leaders across
our security organization,
178.51 -> and they're gonna share the
latest best practices and trends
181.44 -> and provide you with their insight
182.94 -> into tactics and strategies
that will help keep your systems
186.53 -> and your tools protected.
189.01 -> AWS is working as hard as we can
191.29 -> to innovate quickly on security,
193.57 -> but we still have a lot of
invention in front of us,
196.13 -> so please don't hesitate
to tell us what we can do
199.46 -> to help you or your business
and where we need to go next.
204.34 -> I want to thank all of
you for making the time
206.33 -> to be part of re:Inforce this year.
208.56 -> We hope that you learn and
explore what can make you
211.14 -> and your company more secure,
213.31 -> so I hope you enjoy the rest of the day
215.689 -> and thanks again for joining us.
218.3 -> Now, please join me
220 -> in welcoming our chief
information security officer,
223.49 -> Steve Schmidt.
226.19 -> - [Announcer] Please
welcome vice president
227.99 -> and chief information security
officer, Amazon Web Services,
232.21 -> Steve Schmidt.
234.014 -> (bright music)
238.2 -> - Good morning, everyone,
and as Adam said,
240.7 -> welcome to our admittedly
abbreviated virtual version
244.04 -> of re:Inforce 2021.
246.3 -> We're so appreciative that you've chosen
247.74 -> to give us a bit of your time today.
249.61 -> I think investing your
attention on a topic
252.03 -> like cloud security has really
made more sense than it does
254.28 -> in the moment we currently find ourselves.
256.6 -> We're in a place where this
ability to connect virtually,
258.95 -> to work online, and quickly
process and store information
262.63 -> in a safe and secure manner
is of paramount importance.
266.58 -> Many of the systems and tools
that we've taken for granted
268.78 -> in the pandemic might not
have worked out so well
270.91 -> as recently as five years ago,
but the work that's been done
274.09 -> to improve cloud security
has been incredible.
277.32 -> That's why I'm still optimistic
and I think it's day one
279.96 -> for us with AWS Security.
281.75 -> All right, let's get started.
283.47 -> First off, a big thank you
285.21 -> to our diamond level sponsors today,
286.87 -> CrowdStrike, Palo Alto,
Splunk, and Trend Micro.
290.17 -> Our large and diverse group
of partners are what enable us
292.91 -> to reach customers where they
are with their cloud migration
296.1 -> or even all-in strategies.
297.93 -> The AWS Partner Network
299.24 -> and our AWS Managed
Security Services Partners
302.15 -> are doing excellent work
to keep customers secure,
304.73 -> so thanks again to them.
306.23 -> We'll have a bit more news from them
307.43 -> later on in the presentation.
309.67 -> This is our agenda order today.
311.93 -> Each section will have some
updates, some best practices,
315.33 -> some paths to avoid,
and we'll have a guest
317.64 -> drop in virtually as well.
319.43 -> Now we'll start off with threat detection
321.27 -> and incident response.
322.28 -> I know it's a big topic for our customers,
324.53 -> so we'll dive right into it to start.
327.2 -> From there, we'll consider
identity and access management
329.91 -> followed by network and
infrastructure security,
332.34 -> then on to data protection
and privacy, and finally,
335.13 -> we'll end with a look at
governance, risk, and compliance.
338.83 -> Now, you may have come to this broadcast
340.75 -> as a specialist in one of these areas,
342.92 -> in which case I hope we give
you an interesting takeaway
345.34 -> in the other categories
346.8 -> that you may not be as familiar with.
350.29 -> First off, threat detection
and incident response.
355.44 -> Now then, if you've seen
my presentations before,
358.62 -> you'll know that I like
to frame up each section
360.57 -> with a quote of some sort,
361.67 -> and this one I think
is certainly evocative.
363.53 -> The quote comes from Warren Buffett,
365.65 -> and it's a take on his
investment strategies,
368.56 -> but I think it has relevance
to our space as well
371.3 -> because the risk and fear in any activity
373.78 -> comes from an overall lack
of awareness, doesn't it?
377.07 -> I'm gonna continually ask you today
378.65 -> to define what it is
you're trying to protect.
381.54 -> A knowledge gap is what causes anxiety.
384.72 -> For our poor guy falling onscreen here,
386.8 -> maybe not knowing what
the weather conditions are
388.86 -> or heck, not knowing
how to surf well enough
390.55 -> given the wave size are what
caused the real problem.
393.48 -> For you, it could be not knowing
if the underlying details
396.69 -> have changed, or if you've got
the right tools for the job.
400.25 -> Risk is introduced from
failing to define, learn,
404.17 -> and iterate, and that's really
what great threat detection
407.24 -> and incident response
is based on, the ability
409.08 -> to know your normal, good state
411.75 -> and react to anomalies quickly.
414.54 -> Ideally, of course, your
response is happening
416.85 -> well before you're aware of the problem,
419.53 -> which we'll break down here momentarily.
422.47 -> All right, so when we're
considering threat detection
424.99 -> and incident response,
425.93 -> what's changed over the past 18 months?
428.57 -> Clearly this is not a
difficult question to answer
430.51 -> because we've all faced profound changes
432.84 -> in the way that we work and
live during COVID times.
435.67 -> Maybe we're used to getting
together in physical spaces
439.36 -> or sharing a coffee
once a week with a peer,
442.01 -> and now we've gone completely virtual.
444.16 -> Your meetings may all
have been pushed online,
446.14 -> work is pulled more and
more into personal devices
449.59 -> the longer we've seen the
work from home situation
451.71 -> stretch on.
453.01 -> It's also become really difficult
454.86 -> to segment your workday
activities by certain hours
457.6 -> because in a remote world,
458.82 -> schedules shift around more fluidly.
461.48 -> It could be childcare concerns
463.02 -> have shifted work hours around
464.35 -> or maybe it's just the new normal
466 -> when you're handling
most of your daily tasks
468.84 -> in one physical place as
opposed to having a clear line
472.06 -> of demarcation around these are work hours
474.71 -> and now I'm going home, and
by the way, this is one thing
477.38 -> that I think everybody should
very consciously examine.
480.46 -> Do you have the right demarcation
between your work life
483.31 -> and your personal life?
484.7 -> That demarcation is
important to your health
487.15 -> as an individual and your effectiveness
489.52 -> as a security professional.
492.2 -> The numbers bear these trends out.
494.13 -> Published surveys indicate 114% increase
496.99 -> in remote workers coupled
with a 59% increase
499.82 -> in bring your own device policy adoption,
501.91 -> and this has put security
teams into places
503.86 -> they may not be entirely
comfortable operating in.
506.62 -> This is a concern that went
from a sort of a nice-to-have
509.36 -> kind of situation to priority number one
512.01 -> in a matter of weeks.
513.5 -> So as we think about threat
detection and incident response,
516.52 -> and what kind of tooling
becomes more critical
518.75 -> as employees interact across
the disparate user interfaces
521.84 -> on an ever-growing list of
third-party applications,
525.325 -> adversaries have certainly
noticed this paradigm shift
528.12 -> and are attempting to
exploit the vulnerabilities
529.93 -> that go along with it.
531.56 -> As Verizon indicated in one
of their studies recently,
534.71 -> mobile phishing attempts
have increased by 364%
537.85 -> in 2020 year over year.
539.73 -> We are on our phones almost
around the clock these days,
543 -> and it's quickly become apparent
544.32 -> that the quickest way
to a corporate network
546.48 -> might be through a
well-intentioned human being
549.63 -> making a critical mistake
and clicking on a link
551.77 -> that they shouldn't have.
553.26 -> I think it's an important
point to remember,
555.12 -> people often look at security
as a technical problem.
557.88 -> It is not, it is a human problem.
560.71 -> It's one where you have human adversaries
562.67 -> who exploit human weaknesses to get access
565.17 -> to the products of humans in form of data.
569.87 -> Now, in the sort of pseudo funny space,
572.6 -> one of my folks recently
received this text
574.73 -> to his personal device.
575.66 -> We blurred up the URL to
be extra cautious here,
578.32 -> but let's just say the
URL had some clues too
580.6 -> that this wasn't a legit text.
582.56 -> You'll note the overt threat here.
583.93 -> Your Amazon account will be disabled,
586.25 -> and the call to action to
click on the phishing link,
588.66 -> and really, this is posing as
security guidance, isn't it?
592.27 -> Click here, we'll recover
your account for you.
594.59 -> Now, of course, with good
training and hygiene,
596.49 -> none of your employees
should be clicking this link,
599.12 -> but someone out there
is, or else these types
601.9 -> of really low sophistication methods
603.78 -> wouldn't even be attempted.
606.49 -> In the security conscious environment,
608.05 -> your staff should see only red flags here.
610.75 -> Who is cutting off my access?
612.92 -> Is this normal behavior?
614.51 -> Why have we never seen
this phone number before?
617.22 -> Is there someone I should ask about this
618.88 -> before making this decision?
620.45 -> That piece is key.
621.61 -> Do they know who to go to and say,
623.353 -> huh, this doesn't look right?
625.4 -> Have I been trained in
how mobile phishing works?
627.54 -> Because right now, many
of the world's mistakes
629.84 -> are coming from unforced errors.
631.9 -> This is not super villain activity
633.81 -> or ninjas scaling down from rooftops.
636.46 -> This is basic errors.
638.39 -> If we can cut down on
flat-out human mistakes,
641.53 -> we'll be more than halfway
to a more secure world.
644.37 -> I'll be mentioning something
that we call security guardians
647.07 -> or security champions later
on in the presentation
649.27 -> that I think may get at
portions of this issue
651.64 -> because this is really
about training, education,
654.87 -> and security advocacy.
657.8 -> Now, let's look at a few of
the updates that we've released
660.21 -> on threat detection and incident response
662.32 -> that will hopefully provide some easy wins
664.72 -> for your security program.
666.34 -> As Adam mentioned, we're always
looking for ways to iterate
669.66 -> and to improve our services and features.
674.12 -> The first update I
wanted to make mention of
676.35 -> is around a service that I continue
677.81 -> to be really excited
about, Amazon GuardDuty.
681.16 -> For the past few years,
I've come out and told you
683.3 -> you're just one click away from
the type of threat telemetry
686.04 -> that can only be built by a
security provider with access
689.27 -> to billions and billions
of distinct actions.
692.36 -> If your core competency as a business
694.58 -> is mid-century modern furniture design,
697.31 -> why would you be trying
to replicate a service
699.54 -> like this in-house?
701.26 -> This is a tool where we're ingesting
703.94 -> not only our security information,
705.81 -> but our partners' as well.
708.15 -> Names you've definitely heard
of such as IBM, FireEye,
712.15 -> Sophos, Proofpoint, and CrowdStrike.
714.7 -> We've gathered security intelligence
716.66 -> and the partner threat
feeds from around the clock
719.61 -> and around the world,
720.84 -> but we're always looking
to add new partners
722.89 -> into our AWS Partner
Network, and of course,
725.86 -> there are additional partners
726.94 -> that'd be thrilled to
help you operationalize
729.23 -> any part of this workflow as well,
731.33 -> from alerting, to
ticketing, and back again,
734.91 -> and the point I keep making here
736.27 -> is this is really a math equation.
738.92 -> The more data that you have
access to for security,
741.53 -> or maybe, should I say, the more data
743.26 -> that you can reasonably
evaluate and consume
745.78 -> in a timely manner, the better
your detection percentages
749.12 -> are going to be.
750.68 -> The more data you have,
both in terms of raw numbers
753.78 -> and process power, the better
off you're going to be.
756.93 -> The analogy here is if
you're in a ship at sea,
759.43 -> you don't want to be responsible
761.35 -> for predicting the weather as well.
763.93 -> That is a specialty task
765.87 -> that you want to have serious analytics
767.57 -> and number-crunching behind.
769.17 -> You want predictions and forecasts
770.98 -> and best and worst case scenarios.
772.92 -> You don't want to be a
hundred miles out to sea
774.5 -> and squinting at the
horizon and wondering,
775.87 -> is there a storm coming?
776.96 -> You want professionals behind it
778.2 -> doing the work to help you out.
781.53 -> Which brings me to some of the newer
782.97 -> and emerging capabilities
of Amazon GuardDuty
785.15 -> paired with machine learning.
786.33 -> Now of course, machine learning
787.67 -> is one of those marketing terms
789.65 -> that you'll hear thrown out as shorthand
791.42 -> for really techie and
complicated and whizzbang.
794.28 -> It's kind of like, oh yeah,
this is machine learning,
796.03 -> so you should trust us
that it's impressive,
798.16 -> but in the case of GuardDuty,
it's actually pretty simple
800.58 -> to define and understand.
802.36 -> What we're talking about here
803.45 -> is things like domain reputation models
805.68 -> based on behavioral characteristics.
808.16 -> That's one of the elements
809.68 -> that goes into GuardDuty alerting.
811.63 -> This matters in a real-world scenario
813.7 -> when one of your EC2
instances starts communicating
816.83 -> with a domain that's
predicted to be malicious
819.18 -> because you will see an alert.
822.17 -> This is where we can
use the power of scale
824.8 -> to deliver better security results.
826.53 -> Based on all the domains
that we're aware of,
829.08 -> we can build intelligent models
that can very clearly see,
831.58 -> well this domain is not acting
833.81 -> like the rest of our
nice, normal domain crowd,
837 -> and you get an alert, so then
your high-judgment humans
839.97 -> can take a look.
841.21 -> Now, maybe there's a good
reason why this new domain
843.65 -> is interacting with your EC2 instance.
845.86 -> Maybe everything's completely
safe and you'll notice such,
848.5 -> and then our model gets
one more data point
850.25 -> for the next time around.
852.01 -> The model improves with
additional data points,
854.6 -> and the models being leveraged
or looking at the things
856.92 -> that you would logically expect,
858.42 -> domain popularity and history
860.53 -> or association with
known crypto mining IPs
863.29 -> and things like that.
864.52 -> What does this mean in the real world?
866.51 -> It means that because of the ML work
868.26 -> that GuardDuty has in place,
869.98 -> that we, our customers will see
a four to six-week headstart
874.85 -> in protecting themselves
against certain activities
876.97 -> when compared to traditional
threat intelligence platforms.
880.46 -> There's no new action
881.58 -> to turn these additions
on to our threat library,
883.89 -> there's no additional cost.
886.23 -> We report to you an anomalous behavior,
888.45 -> let you make the call from there.
891.1 -> Let me get to AWS Security Hub.
893.27 -> We are regularly looking around corners
895.51 -> to find standards and practices
897.07 -> that we can bake into templates
898.47 -> and control frameworks for you.
900.72 -> To get completely into the
weeds here, there's a control
904 -> for PCI that states
protect audit trail files
907.32 -> from unauthorized
modifications, by the way,
910.12 -> that's PCI DSS control 10.5.2,
913.77 -> if you'd like to check my math here.
916.03 -> This is a requirement that
is reasonable and clear.
919.13 -> You can't have someone editing
your logs after the fact.
921.97 -> This really does make
kind of perfect sense.
924.33 -> Given there's some sort of
issue, you want to be able
926.85 -> to know when and how it happened.
929.02 -> Plus you can integrate Security
Hub with GuardDuty findings
932.17 -> and send them over to Amazon Detective
934.21 -> to get a forensic drill-down
on potential vulnerabilities.
940.18 -> You'll often hear a refrain
941.57 -> from security practitioners around
943.4 -> that sounds something like,
hey, we just want this tool
946.53 -> to work right out of the box.
947.87 -> Give me something that
helps me with security
949.79 -> with just a few clicks.
951.56 -> Well, Security Hub works
across services automatically.
954.59 -> It is a single UI that
aggregates, organizes,
957.59 -> and prioritizes your security alerts
959.78 -> from a bunch of different AWS services,
962.33 -> including Amazon GuardDuty, Amazon EC2,
965.35 -> security groups, Amazon
Macie, AWS Firewall Manager,
969.41 -> Amazon Redshift, AWS Config, IAM Analyzer,
973.111 -> as well as from about 50 different
976.15 -> AWS Partner Network solutions.
978.34 -> Now that is a lot of security benefit
980.22 -> for very minimal effort
because AWS Security Hub
982.75 -> can be started with a single click
985.97 -> in the AWS Management Console,
and then setting Security Hub
989.96 -> to automatically enable new controls
991.9 -> is just one additional click.
994.1 -> Then these controls are enabled
by default going forward.
997.38 -> Right now you can have 159
security controls running
1001.25 -> at this moment automatically
with a couple of clicks.
1004.89 -> That's the sort of reach that you want
1007.23 -> with your threat detection
and incident response systems.
1012.3 -> All right, so my favorite
part of these talks
1014.38 -> is always sort of what are the
things that you can do today?
1017.2 -> What are the things you
can take home and action,
1020.08 -> both tactically and strategically?
1022.61 -> Well, first off, don't
plan your security program
1026.52 -> around competing with
bad actors in real time.
1029.64 -> I urge you, don't do that
because in the time it takes you
1033.21 -> to determine you have an issue,
1035.902 -> figure out who should be involved,
1038.16 -> and begin your process of
figuring out what's broken,
1041.11 -> that's a pretty lengthy period
1042.87 -> where you are not stopping the bad guy,
1045.31 -> you're not stopping exploits.
1047.59 -> You do not want an airbag in
a car to deploy after a crash
1052.15 -> when the car is safe.
1053.94 -> You want the airbag to deploy
during the accident itself,
1057.31 -> and your computer security
processes should be no different,
1061.72 -> which means turning on Amazon GuardDuty
1064.67 -> to start here and now.
1066.28 -> Reduce your remediation and recovery time
1068.51 -> and put yourself on the path
to automated remediation
1072.16 -> by tying in Amazon CloudWatch
Events and AWS Lambda,
1077.16 -> meaning the chain goes
something more like this.
1079.79 -> Something happens, GuardDuty
detects and alerts on it,
1083.68 -> auto-remediation using Lambda occurs.
1086.27 -> Then you start your
what-happened-here meetings.
1090.31 -> All of your AWS user and API
activity, your S3 data events,
1094.61 -> your network traffic data
through Amazon VPC Flow Logs,
1098.94 -> all of this can operate
1100.61 -> under a much more comfortable
blanket of auto-remediation.
1104.751 -> A real life example here would
be an outbound communication
1107.51 -> to a known malicious IP address
that gets noted and logged
1111.6 -> and shut down automatically,
the results delivered to you
1115.62 -> on a silver-plated security platter.
1119.91 -> Next up is to drive to root cause.
1124.63 -> The human attention span
and analysis process
1127.35 -> is really kind of amazing at
noticing small discrepancies.
1130.67 -> The problem is we may not
always act on them the way
1133.82 -> that we need to.
1135.51 -> An easy real life example
1136.96 -> of you're running a small business,
1138.82 -> maybe my favorite Philly
cheesesteak place,
1141.79 -> and you get an alert that a
new admin user has been created
1144.66 -> in one of your accounts.
1145.88 -> You track it down and it turns
out it's a new payroll person
1148.43 -> who's been hired and some of their tools
1150.79 -> require additional accesses
because they have permissions
1153.51 -> to information that's protected,
things like date of birth
1155.95 -> or physical address and so on.
1158 -> The person that onboarded
them just made them an admin
1160.65 -> so they didn't have to
deal with permissions,
1163.62 -> but that is not what we want.
1165.34 -> We don't want an admin permission level
1167.08 -> getting thrown around as
the new way people onboard.
1171.03 -> At some point, that payroll person
1173.3 -> is gonna bring on a new manager,
1175.318 -> and that person's gonna
be made an admin as well.
1178.49 -> That is how security slippage
1180.46 -> and normalization of deviance happens.
1183.1 -> Fast forward to a year later,
you now have a situation
1186.68 -> where you have no idea who is
doing what in your systems.
1191.08 -> What's the solution here?
1192.23 -> More granular permissions.
1194.18 -> Your new payroll person is an admin.
1195.98 -> They have certain tools that
they need, but for instance,
1198.35 -> they can't add new software
to your environment
1201.02 -> or create other new admins.
1204.19 -> To bring the lesson home,
1205.98 -> don't hear something go
bump in the night and shrug.
1208.55 -> That is not the path forward
that we want to be on.
1211.29 -> If your EC2 instances are communicating
1213.07 -> with malicious IPs,
1214.26 -> you shut that traffic down automatically,
1217.2 -> but you go behind afterwards
and figure out the why
1221.05 -> because it may be indicative
of a larger problem
1223.36 -> that you haven't yet solved.
1226.95 -> Where can we find the underlying causes?
1229.76 -> Our old pal Security Hub here.
1231.67 -> For alert management,
1232.58 -> Security Hub already uses two mechanisms
1234.95 -> to help prioritize findings for you,
1237.7 -> insights and security standards.
1240.46 -> Insights are correlated findings
1242.57 -> that help you identify
higher priority items faster.
1246.89 -> Examples of insights are
things like S3 buckets
1249.36 -> with public write or read permissions.
1251.96 -> You can also create and
customize your own insight,
1255.27 -> tailored to your specific
security and compliance needs.
1258.57 -> Blocking suspicious IP addresses
and AWS users and accounts
1262.25 -> are supported right out of the box.
1264.77 -> So when you're starting any
after-action incident report,
1268.01 -> we have many ways to get at that data.
1269.87 -> Start with Security Hub, Amazon Detective,
1272.68 -> and our logging services.
1274.57 -> These are all ways that
you can drive to root cause
1277.35 -> to fix issues once, not multiple times,
1281.38 -> and then trust your alerts
every single time out
1284.3 -> that you see them because
you've tuned them to be accurate
1287.35 -> for your particular scenario.
1290.01 -> Do not be the ironic
use case of the person
1292.39 -> turning off the alert each time,
1293.88 -> who says, oh yeah, it just does that,
1295.27 -> we'll always ignore it.
1296.36 -> I guarantee you you'll miss
something important if you do.
1300.764 -> Ransomware, yeah, this
is a big topic right now.
1304.13 -> It gets headlines routinely,
1305.66 -> it gets at many of the
detection and response themes
1308.18 -> that we've been talking about.
1310.04 -> What's interesting about
this topic is it's not new
1312.79 -> in terms of presenting us
1314.02 -> with some magical new
type of vulnerabilities.
1317.12 -> An exploit in your system
1318.44 -> or a failure in your human
processes is still an issue
1321.56 -> no matter what happens afterwards.
1324.44 -> If you have a malicious insider
1325.78 -> with the wrong access levels,
throughout technology history,
1328.53 -> they could do a lot of damage to you.
1331.38 -> What's new here is the idea
that whomever is infiltrating
1334.04 -> doesn't actually even need to have access
1336.31 -> to the data itself to cause harm.
1339.44 -> Let's say you've got a
great data protection plan,
1342.03 -> super crisp and well thought out,
1343.9 -> encryption everywhere it needs to be,
1345.86 -> segregated key management so one identity
1348.01 -> can't get at the other identities' keys,
1350.2 -> critical intellectual
property is stored in a manner
1352.44 -> that takes multiple users
to access, the works.
1356.2 -> Well the person on the
other end of the line
1358.03 -> holding your system hostage
doesn't care about any of that
1361.62 -> because they've precluded you
from operating your business.
1365.27 -> They aren't necessarily even
threatening your business
1367.38 -> with we'll sell these credit
cards on the dark web.
1369.82 -> What they're saying
is, hey, if you pay us,
1372.59 -> you get your access back
and can operate again,
1375.05 -> until then, you can't, and
businesses are more willing
1378.86 -> to pay this type of ransom
because they're losing money
1381.2 -> for every second they're
down, which makes this new
1384.81 -> in the sense that it leans more heavily
1386.81 -> on business resiliency methods.
1389.29 -> You do have a system that, if hijacked,
1391.7 -> you can get back to known
good rapidly, right?
1396.32 -> And so, our guidance for ransomware,
1398.12 -> which actually dovetails pretty nicely
1400.3 -> with traditional remedies,
is overall prevention
1403.12 -> is far, far better than having
to deal with it in real time.
1406.88 -> If you want to dive really
deeply into prevention ideas
1409.86 -> around this topic, you
can reference something
1412.27 -> like NIST 1800-25, which
is gonna go much deeper
1416.15 -> into asset management
and policies and logging
1419.05 -> and backups and blocklisting and so on,
1421.89 -> but what I want to get into
right now is some easy stuff
1424.92 -> that's on your to-do list for right now,
1427.44 -> the basic stuff like separation of duties.
1430.84 -> If no one user has the
right to lock you out
1433.11 -> of all of your systems,
it's gonna be tougher
1435.4 -> for the ransomware actor
to get to that point.
1438.13 -> Your operational accounts
and backup accounts
1440.53 -> should be owned by different identities.
1443.12 -> That is just security hygiene,
1444.88 -> and please don't save the
authentication credentials
1448.94 -> for those identities in the same place.
1452.633 -> There are publicly available
self-assessment toolkits
1455.53 -> for AWS which will run
you through the checks
1457.96 -> that look for public access enablement
1460.23 -> or IAM roles that haven't
been used in a few months
1462.67 -> or EBS volumes where you
don't have a snapshot saved.
1466.3 -> You can use a tool like S3
Object Lock to make sure
1469.32 -> that someone can't exfiltrate
your data, delete your copy,
1472.28 -> and then charge you to get it back.
1475.33 -> With S3 versioning feature,
you can preserve, retrieve,
1478.57 -> and restore every version
of an object stored
1480.98 -> in your buckets, meaning recovery
1482.84 -> from both unintended user
actions, because let's face it,
1485.81 -> your administrators occasionally say oops
1487.58 -> and make a mistake, and
application failures
1490.69 -> is a smaller lift.
1492.43 -> With just a bit of rigor,
you've got an environment
1494.85 -> where folks can't delete,
1496.52 -> where you can restore from backup easily,
1498.86 -> and where your backup has the ability
1500.53 -> to start your business up again quickly.
1504.94 -> I also want to mention
CloudEndure Disaster Recovery.
1508.76 -> This is a service that
continuously replicates
1511.03 -> your operating system, the
system configuration state,
1514.42 -> your databases, applications, and files
1516.7 -> into a low-cost staging area
in your target AWS account.
1521.72 -> Adds in your preferred
region as well, by the way,
1523.89 -> so you maintain that sort of
data sovereignty perimeter
1526.3 -> that you require.
1527.86 -> Now, of course, we hope it never happens,
1529.84 -> but in a true disaster scenario,
1531.84 -> you can have CloudEndure
automatically launch thousands
1534.59 -> of your machines in their
fully provisioned state
1537.13 -> within minutes.
1538.72 -> That's the type of backup that
allows you to tell your boss
1541.31 -> or the board of directors
that you have to report to,
1543.45 -> you've got it under control
even in stressful situations,
1547.36 -> and speaking of backups,
AWS Backup Audit Manager
1551.68 -> is launching with general
availability today.
1554.27 -> This is a great way to provide yourself
1555.98 -> with additional protections
1557.21 -> against your data being held ransom.
1559.47 -> This is also meant to massively simplify
1561.77 -> data governance management of your backups
1564.32 -> because Audit Manager automatically tracks
1566.51 -> your backup activities
and detects when you drift
1569.41 -> from defined parameters,
1571.22 -> enabling you to take
quick corrective actions,
1573.85 -> and this kind of concept
really rolls up as well
1577.38 -> if the resource is evaluated
by a Backup Audit Manager
1580.22 -> control as compliant, it reports as such.
1583.82 -> Similarly, if all the controls
in a framework are compliant,
1586.98 -> then you're provided with that assurance
1588.81 -> and reporting as well.
1591.49 -> Now, I'd also encourage you,
1593.01 -> once you've got a comprehensive
backup plan, to test it.
1597.3 -> Run a game day, see if you are able
1599.72 -> to restore and validate that backup
1601.82 -> is working precisely how you want it.
1604.18 -> Do not let an incident be the first time
1607.25 -> you are taking a look
at this type of tooling.
1609.4 -> Making backups is a great
first step, but have a runbook
1613.21 -> around regular testing
of recovery as well.
1617.41 -> My guess here is that we
are headed towards a future
1620.06 -> where the validation of the
backup and recovery process
1622.98 -> is implicitly regulated,
1625.61 -> and we could quite well
see cyber insurers require
1628.44 -> this level of rigor shortly thereafter.
1631.93 -> All right, let's talk about
identity and access management.
1635.59 -> IAM is such a critical
aspect of a security strategy
1639.23 -> 'cause it's the basis for everything.
1641.14 -> Our quote here highlights
the critical components
1643.84 -> of good IAM policy and execution.
1646.04 -> It is action.
1648.42 -> In a meeting, everyone is
gonna say, well of course,
1651.23 -> we should have fine-grained
permissions and least privilege.
1653.72 -> That's a nice conversation
topic because the correct way
1656.61 -> is usually so clear and so obvious,
1659.43 -> but then real life is going to intercede.
1662 -> You are going to get busy.
1663.6 -> You're going to think
about cutting a few corners
1665.78 -> and you're gonna end up with
a less effective IAM program
1668.46 -> as a result, and we really,
really don't want that.
1672.01 -> As we consider IAM, know
that it is still a place
1675.76 -> where you can pick up huge
security wins right now.
1678.86 -> Today's action can pay
immediate dividends.
1681.87 -> The reason the potential
wins here are so prevalent
1683.98 -> is the thing we talked
about back at the start
1685.87 -> of this keynote, this muddling
of work and home resources.
1689.35 -> Here are some stats that should
give you enough data points
1691.54 -> to see how important this topic is.
1693.71 -> Four out of every five security incidents
1696.11 -> occurred due to weak credentials.
1699.41 -> A third of employees are
sharing their work materials
1702.98 -> via personal email providers.
1706.05 -> Another third have the exact same password
1708.31 -> across all of their devices,
1709.8 -> allowing for one-stop
shopping for adversaries.
1713.2 -> Now, if a password for, say, I don't know,
1715.24 -> your hotel loyalty card gets leaked,
1717.51 -> but that's also the password you use
1718.95 -> for your corporate resources,
that takes the concern level
1722.38 -> from minimal to massive very quickly.
1725.28 -> Plus almost half of employees
1727.45 -> are using their personal
devices for work purposes,
1730.73 -> whether it's calendaring or chat or email.
1735.95 -> There's an additional
stat that's not on here,
1738.14 -> that 42% of employers haven't secured
1740.84 -> their remote employees' personal devices.
1743.54 -> Broad access to sensitive items,
1745.49 -> that is a recipe for a bad
day, whether it's in the cloud
1748.27 -> or on premises or anywhere else.
1750.43 -> With a permissive identity
and access policy,
1752.81 -> you've created the environment
1754.18 -> a bad actor needs to be successful,
1756.86 -> because they can easily
find a personal password
1758.933 -> that you use for a website
1761.08 -> that may not even be around anymore
1763.2 -> and try that out against
your corporate resources.
1765.76 -> Gain access, use that
access, assume an identity,
1768.77 -> and then look around for
valuable information.
1771.52 -> There are always multiple
failure points in any accident.
1774.9 -> It takes many things falling
over to get to the point
1777.32 -> where you're having tense
meetings with your team.
1779.39 -> Don't let access and identity
be one of those things.
1783.23 -> Now we're gonna give you some quick tips
1784.46 -> that you can do today at
the end of this section.
1788.91 -> These are a few of the key concepts
1790.35 -> that our IAM team regularly mentions.
1792.57 -> First off, this is free.
1794.71 -> Now free is a solid price point, right?
1797.07 -> This goes back to what our
CEO, Adam, said at the opening.
1799.87 -> Nothing is more important
than security to us,
1802.87 -> and that's reflecting the fact
1804.21 -> that we don't want to be confused
1805.74 -> with a revenue generator here.
1807.3 -> This is table stakes, this
is something I tell my people
1809.81 -> every single day, we have to
get this right for customers,
1813.22 -> we have to give them the tools
that are required for them
1816.62 -> to properly secure the things
that are important to them.
1820.4 -> That may be everything in the case
1821.91 -> of a large multinational
bank, or it may just be email
1824.77 -> and mailing addresses
for a small business.
1827.39 -> Either way, making things easier
1829.31 -> is what we have to aim for every day.
1832.36 -> With IAM, right from the start,
1834.76 -> you can do things like setting work hours.
1837.01 -> No one can log in at
2:00 a.m. from Australia
1839.53 -> to your business in Des Moines, Iowa.
1842.04 -> You can restrict services as well.
1844.28 -> You can require
multi-factor authentication,
1846.37 -> meaning I not only need this
password that I've remembered,
1849.54 -> but I need this physical hardware device
1851.69 -> to be able to log into
a particular application
1855.48 -> or a set of infrastructure components.
1857.81 -> And if someone steals one
of my people's laptops,
1860.6 -> I want them to get,
1861.9 -> to have to go past two
different access control systems
1864.76 -> at least in order to get access
1866.83 -> to anything that's interesting.
1868.17 -> That slows down the adversary's progress
1870.69 -> and gives us as defenders
more time to react.
1875.25 -> Credentialing contractors for
a certain period as a feature,
1878.2 -> and doing that work right upfront at hire
1880.83 -> so I'm not scrambling around wondering
1882.49 -> if anyone is left at the
company holds a grudge.
1885.46 -> That kind of thing is where you need
1886.9 -> to build the right muscle
memory by repeatable processes
1890.11 -> and building your identity and
access management frameworks
1892.88 -> to last for the long run.
1894.77 -> By the way, all of this
works within the framework
1896.93 -> of existing identity systems,
1898.8 -> such as Microsoft Active Directory.
1901.17 -> Again, we're looking to do the right thing
1902.73 -> for customers here, to
help you stay secure
1905.15 -> regardless of what
tooling you choose to use.
1909.29 -> Right, a few updates to our
IAM features to consider,
1912.21 -> and, by the way, Karen Haberkorn
1914.01 -> will have a more in-depth IAM review
1916.33 -> during her leadership session,
1918.23 -> Building for the Future
with AWS Identity Services,
1921.08 -> later on today.
1923.68 -> This update allows for policy validation
1926.7 -> through IAM Access Analyzer.
1928.55 -> It's been called a
game-changer by customers.
1931.71 -> A real use case here might
be IAM Access Analyzer
1935.14 -> sending a security alert
when a policy grants access
1938.34 -> for a role for all services,
1940.515 -> plus that security warning
will include a recommendation
1943.56 -> you scope down the permissions.
1946.06 -> Another example might be
the validation of policies
1948.61 -> that specify your tagging conditions.
1951.56 -> This is a place where IAM tooling
1953.23 -> can tie directly into your risk program.
1955.47 -> You're able to show definitively
1957.2 -> that you've taken tangible
steps to drive down risk.
1960.58 -> Now under the hood, of
course, IAM Access Analyzer
1962.8 -> is automatically performing these checks
1964.72 -> as you're authoring your identity policies,
1967.01 -> using the JSON Policy
Editor in the IAM console.
1969.92 -> I'd encourage you to take
a look at this feature
1972.02 -> as part of your larger IAM program.
1975.36 -> Now, what can you do today?
1977.45 -> What are the takeaways from
this particular activity?
1981.02 -> First up, put on your
calendar to review permissions
1984.39 -> on a regular cadence.
1985.69 -> Monthly, quarterly, you
decide, but have a regular idea
1988.42 -> of who needs access to
what and revalidate it
1991.03 -> on a periodic schedule.
1994.28 -> Now, of course, the
better thing to do really
1996.19 -> is to automate this process,
where you prompt your managers
1998.56 -> to say, do these people still need access?
2001.23 -> Yes or no, if not, revoke that access.
2004.64 -> And if you pull a report
that says this user type
2008.15 -> hasn't accessed this system in 60 days,
2010.51 -> remove that set of permissions.
2012.83 -> If an employee doesn't
need access to something,
2014.98 -> why are you expanding your risk profile?
2018.76 -> This is a place to consider
how the work is evolving too.
2021.91 -> Maybe now credit card numbers
2023.11 -> are being accepted by your business,
2024.54 -> and you need an entirely
new permissions group
2026.51 -> to handle that.
2027.85 -> Don't have a security program
2029.32 -> where you are bolting on
permissions as the business grows,
2032.01 -> thinking, well, this is
close enough to what they do.
2034.67 -> No, no, no.
2037.15 -> If your business is changing,
2038.93 -> if you're heading to a new
country or a new vertical,
2041.68 -> that's awesome, you're opening up
2043.91 -> for new streams of revenue.
2047.62 -> With that, though, comes
reevaluating your security needs
2051.67 -> each and every time.
2053.46 -> This should be put on a regular schedule
2055.53 -> so that it becomes a normal behavior.
2058.3 -> This will lead to your employee
base being more curious
2061.02 -> and aware on their own too,
2062.93 -> and next time a new line
of business is opening,
2065.01 -> your partners in operations
are gonna approach you
2067.167 -> and the security team prior
to launching something.
2070.36 -> You're gonna get closer to
the inception of all the areas
2073.08 -> that need foundational
security if you show
2075.45 -> that you're a diligent partner
throughout that process,
2079.19 -> and finally, within
that plan, be granular.
2083.78 -> Don't just take everything
your business does
2085.39 -> and throw it into an ops
bucket and call it good.
2087.41 -> That is the easy way out
2088.8 -> and it is probably the wrong thing to do.
2090.68 -> You never want security
to be a department of no,
2093.76 -> so ideally set this up
correctly from the beginning.
2097.73 -> You as a security practitioner
want to have people
2099.74 -> banging on your door saying,
2100.94 -> hey, I need this access to do my job.
2103.96 -> No, that isn't the best use
case, it's not the best use
2106.61 -> of your time, and it's not
the best user experience,
2109.37 -> but that is a lot better than,
oh, wait, Jenny had access
2112.13 -> to what database and what
credentials were taken?
2115.58 -> So build the framework,
make it easy to use,
2118.3 -> audit it regularly,
confine user access to that
2121.44 -> which is just what's needed.
2125.53 -> Now, speaking about user friction,
2127.33 -> if someone is opening a
ticket or paying security
2129.25 -> that they can't do their
job because of permissions,
2131.53 -> that is a problem you need
to fix, but fix it once.
2136.15 -> You've got a user that
likely should be a part
2137.88 -> of a larger group that does things,
2139.42 -> and now you've remediated
for all of the users
2142.09 -> within that group of permissions as well,
2144.8 -> but we all have activities
that we do all day
2146.82 -> that form that sort of
texture of our work.
2149.1 -> I personally don't want access to things
2151.06 -> that I don't need access to.
2153.367 -> I want to be located as far
away from sensitive information
2157.36 -> that doesn't involve my actual job.
2159.6 -> You've heard me say this before,
keep humans away from data.
2164.8 -> A sub-clause of that could
be, and only give the access
2168.14 -> that each human needs for
only as long as they need it.
2172.3 -> That mantra will go a long way
2174.21 -> towards making you and
your company more secure.
2178.04 -> All right, network and
infrastructure security.
2180.59 -> This is clearly a biggie
where cloud is concerned
2182.49 -> because large portions
of this are controls
2184.47 -> that we can set up for you on our side
2186.13 -> of the shared responsibility model,
2187.8 -> and you don't have to deal
with the heavy lifting
2189.27 -> associated with it.
2190.91 -> Here's Amazon CEO Andy Jassy's quote
2193.01 -> on the beginning of AWS.
2194.9 -> This was the sort of initial crux
2196.36 -> of what we were trying to do
2197.38 -> to cut a bunch of repetitive processes out
2200.06 -> and get right to the part where our people
2201.65 -> could start building safely and quickly.
2205.47 -> A slight historical aside, by
the way, when I joined Amazon,
2208.53 -> it was to help set up a
service that became known
2210.55 -> as Amazon Virtual Private Cloud or VPC,
2213.21 -> and after we delivered VPC, Andy asked me
2215.49 -> to help build a security
team for the company
2217.34 -> precisely because we were service
builders and owners first.
2222.26 -> We wanted to remove the hassles
2224.05 -> for all of our service builders.
2227.12 -> We want to handle the
items that are a hassle
2229.67 -> for your business as well.
2231.5 -> You shouldn't want to build a data center
2233.45 -> if we are doing our job properly,
2235.7 -> and we never want
security to get in the way
2237.56 -> of running your core business.
2239.98 -> The spirit of AWS is one
of customer obsession,
2242.84 -> making security easy for you.
2245.97 -> There are certain aspects of the equation
2247.76 -> we should be better equipped
to handle given our expertise.
2251.13 -> One of them is supply chain.
2253.47 -> We have decades of logistical experience
2256.05 -> in getting things safely and securely
2258.23 -> from one place to the next.
2259.97 -> We have decades of experience
in sourcing from suppliers
2263.14 -> who have been vetted,
audited, and verified.
2266.94 -> You can see onscreen here,
there's a trend of elevated risk
2269.59 -> among certain supply chains and suppliers,
2271.48 -> and truly, there's not
enough human judgment
2273.83 -> to cover the expanding risk
profile across the industry.
2278.1 -> As we've seen in recent headlines,
2279.61 -> if an adversary can get
into your supply chain,
2281.92 -> they can potentially operate in a manner
2283.948 -> that's gonna weaken your overall security.
2285.51 -> Now, clearly, you should still have checks
2287.42 -> that identify the risk to your business
2289.24 -> throughout its particular lifecycle,
2291.35 -> but we're proud of our efforts here,
2292.98 -> we're proud to say we attest to a level
2295.26 -> of supply chain controls
that allow you to operate
2297.3 -> with confidence in the cloud,
knowing that the broad set
2300.42 -> of materials that make up our cloud
2301.94 -> have been thoughtfully
considered and checked
2304.4 -> throughout each step of our boot process.
2308.94 -> Because our goal here is to
make the teeter-totter longer
2312.48 -> to give you leverage,
taking more responsibility
2315.7 -> when we're able, we've made
inroads down the supply chain
2318.87 -> so that we own more of the
process and the results
2321.31 -> are surfaced in the end
products that you see.
2323.89 -> In this particular paradigm,
the heavy lifting in supplies,
2327.01 -> building things, work
that's best left to us.
2329.97 -> You fire up an instance and
know that wherever in the world
2332.69 -> that command is going, it's
residing in a data center
2335.43 -> with security controls that are backed up
2337.11 -> by 24/7/365 audit attestations.
2340.3 -> We handle the physical
security of our data centers,
2342.95 -> who has access to what,
and each machine is built
2346.48 -> and operated to our
exacting specifications.
2350.6 -> This removes a portion of
risk for your portfolio
2353.5 -> because you get access to the
tools without having to go out
2356.77 -> and set up dozens of
trusted relationships.
2359.97 -> In the same manner, we want
to make security easier
2362.92 -> for you, the end user.
2364.73 -> We want you to leverage our
cloud, secure in the knowledge
2367.13 -> that all the components
have been considered
2368.82 -> from a security perspective.
2370.57 -> This type of thinking
2371.46 -> has been called providing a
friction-free user experience,
2375.42 -> and for more on this
concept of friction-free,
2378.134 -> I want to bring a customer
of ours, the CISO of HBO Max,
2382.61 -> Brian Lozada, joining us virtually.
2384.99 -> Brian?
2386.664 -> (exciting music)
2391.62 -> - Thank you, Steve.
2392.61 -> Appreciate the opportunity to come here
2394.09 -> and share the HBO Max story,
a story of who we are,
2397.55 -> what we're doing, and where we're going.
2399.95 -> 18 months ago, I was given
this amazing opportunity
2402.88 -> to come join the HBO Max team
and be part of this journey,
2406.8 -> a journey of building a
new streaming experience,
2409.76 -> one that's not just about
delivering the content
2412.12 -> that we all enjoy, but about redefining
2414.67 -> what streaming experience could be.
2416.83 -> HBO Max is WarnerMedia's
direct-to-consumer platform,
2419.94 -> offering best-in-class
quality entertainment.
2422.5 -> We launched our platform in May of 2020,
2424.82 -> and we recently began our global rollout
2426.85 -> with launching in 39 markets
2428.35 -> across Latin America and the Caribbean.
2430.9 -> Globally, HBO and HBO Max have
over 67 million customers,
2435.5 -> and we haven't even scratched
the surface of our potential.
2438.68 -> The HBO Max Security Team was excited
2441.05 -> to help tell the HBO Max story.
2443 -> We were also eager to build,
not just build an architecture
2446.64 -> that facilitates our global scale,
2448.6 -> but build a security culture
that helps drive innovation.
2452.39 -> The one thing the HBO Max Security Team
2454.56 -> never wanted to be accused
of was lacking imagination.
2458.01 -> Our mission as a team
2459.44 -> was to establish a
customer-driven security culture
2462.06 -> that enables our growing business
2463.61 -> while securing the customer experience.
2465.97 -> Understanding our business partners
2467.74 -> and their challenges was the first step
2469.83 -> in establishing that
customer-driven security culture,
2472.73 -> as our development and
product organizations
2474.86 -> are at the ground level,
solving those customer problems,
2477.93 -> and we recognize that and
welcome the opportunity
2480.45 -> to support them.
2481.62 -> Creativity plays a large
role in problem-solving,
2485.53 -> and at times, fear gets in
the way of that creativity,
2489.39 -> truly impacting what's possible.
2492.28 -> The HBO Max Security Team did
not want to bring controls
2495.65 -> or limitations to the
problem-solving process.
2498.33 -> We want it to help deliver solutions.
2500.94 -> As part of establishing
2502.24 -> that customer-driven security culture,
2504.07 -> the team wanted to help
break down those fears
2506.21 -> that consistently slowed down innovation,
2509.01 -> whether that's fear of a security risk,
2511.27 -> fear of a misconfiguration,
fear of the unknown.
2514.16 -> As security practitioners,
2515.35 -> we wanted to help our
business overcome those fears,
2518.48 -> as fear does not get to dictate
our tempo, our customers do.
2522.55 -> Our development and product organizations
2524.36 -> are our customers as well.
2526.06 -> Their creativity and problem-solving
is what allows HBO Max
2529.76 -> to deliver on a seamless
customer experience.
2532.34 -> Creating a friction-free
experience for security
2535.27 -> to be applied in our
environment was paramount.
2538.4 -> We felt the more we enable our development
2540.76 -> and product organizations,
the more they will be able
2543.35 -> to innovate on behalf of our customers.
2545.687 -> The HBO Max Security Team
embodied extreme ownership
2548.77 -> of securing the customer experience
2550.58 -> by collaborating across the organization
2552.75 -> to understand where we can
help remove security friction
2555.78 -> in the development life
cycle to enable risk-taking.
2560.48 -> Risk-taking is necessary while innovating.
2563.12 -> Those who do not take risks
2564.84 -> will always be chasing those
that do, and at HBO Max,
2568.45 -> we want to be on the
cutting edge of innovation,
2570.85 -> and that requires taking risk.
2573.5 -> Our approach to accomplish
this shift in security culture
2576.38 -> was to build an event-driven architecture,
2578.62 -> with visibility and guardrails,
not controls or limitations.
2583.29 -> The HBO Max Security Team
2584.56 -> leveraged AWS' Cloud Adoption Framework
2587.22 -> to formulate our build
plan, with security epochs
2589.74 -> around identity and access
management, data protection,
2593.13 -> incident response,
resilience, secure CI/CD,
2596.34 -> just to name a few.
2597.8 -> An event-driven architecture
helps us facilitate
2600.75 -> the developer experience,
focus on detection,
2603.95 -> and enable automatic remediation.
2606.91 -> How are we doing this?
2608.74 -> The main components of our architecture
2610.41 -> are broken into two focus areas,
detection and remediation.
2614.8 -> This approach allows us to
create the right guardrails
2617.48 -> for our development and
product organizations,
2619.67 -> while providing necessary
response if necessary,
2623.24 -> thereby building confidence
in the innovative
2625.84 -> and problem-solving process.
2627.59 -> The detection portion of our architecture
2629.5 -> leverages services like CloudTrail
2631.42 -> to source real-time events as resources
2633.75 -> are being built or actioned on.
2635.83 -> That could be anything
2636.663 -> from overly permissive security groups
2638.6 -> to network and port changes.
2640.95 -> We also leverage GuardDuty across our VPCs
2643.45 -> to ingest a variety of logs
such as CloudTrail logs,
2646.55 -> VPC flow logs, and DNS logs
2648.72 -> to detect possible malicious events.
2651.29 -> Those events, in conjunction
with our Amazon Inspector
2654.03 -> and AWS Config events are
fed into Security Hub,
2657.29 -> which we use as our central
dashboard for security findings
2660.75 -> for all of our AWS Security services.
2663.92 -> EventBridge is a core component
2665.35 -> to our event-driven
architecture, as this allows us
2667.92 -> to automatically connect our detection
2670.24 -> and remediation capabilities.
2673.229 -> EventBridge helps us drive remediation
2675.36 -> by delivering a stream of
real-time data from events
2678.38 -> to our custom security Lambdas,
2680.21 -> for both prevention and remediation.
2683.1 -> This offers us a cost-effective
way of automating security
2686.79 -> in a multi-region,
multi-account environment.
2689.84 -> To drive those Lambdas, we
are using Cloud Custodian,
2692.89 -> an open-source tool that helps us improve
2695.32 -> on our security development velocity.
2697.91 -> Our security engineers can
build a simple YAML file
2701.03 -> for detection, remediation,
and notification actions
2704.1 -> via Slack, which Cloud Custodian
then converts into Lambdas.
2708.17 -> This architecture pushes more automation
2710.39 -> across our environment.
2712.03 -> We should not be fixing
the same problem twice.
2715.07 -> It's not effective or
efficient with our resources.
2718.41 -> Everyone here is an automation away
2720.5 -> from updating their resume,
and that's a good thing.
2722.98 -> We need to embrace that.
2724.64 -> We believe that responding
to risk with automation
2726.93 -> is necessary in today's digital world.
2729.34 -> If we are not responding
at the speed of a tweet,
2731.84 -> we're not responding quick
enough for our customers.
2734.61 -> Now that we've enabled this architecture,
2736.45 -> the HBO Max Security Team is focused
2738.28 -> on expanding our security
out-of-the-box adoption
2740.95 -> by making security free to consume
2742.88 -> for our development and
product organizations.
2745.4 -> This helps us scale security
without slowing us down,
2748.67 -> allowing us to maintain our agility.
2750.97 -> It also helps in reducing the blast radius
2753.5 -> by providing boundary
awareness with automation,
2756.78 -> and finally, it helps
us enable our business
2759.36 -> by automatically having security built-in
2761.91 -> to the AWS services
2763.31 -> our development and product
organizations are using
2765.67 -> to solve customer problems.
2767.79 -> This makes security easy to
consume, where anyone can click,
2771.78 -> innovate, and drive change quickly.
2774.62 -> What have we learned?
2776.33 -> Building an ever-changing
event-driven architecture
2779.13 -> is not easy, it's hard,
but anything worth doing
2782.53 -> is on the other side of hard.
2784.6 -> Committing to failing fast is a mentality,
2788.18 -> and if security is willing to fail fast,
2790.11 -> everyone should consider it.
2792.22 -> Many times, failure is
part of the journey.
2795.25 -> We should embrace the growth
that comes with failing fast,
2798.11 -> but more importantly, recognize
that we are failing forward.
2802.52 -> So what's next for HBO Max?
2804.89 -> We are excited to announce
2805.98 -> that we are continuing our
global expansion with launches
2808.7 -> in certain countries
in the EU in the fall,
2810.91 -> and we want your help in doing so.
2812.93 -> We have over a hundred
open roles within HBO Max
2815.63 -> across multiple disciplines.
2817.21 -> If you want to be challenged
and be given the opportunity
2819.54 -> to be creative in problem-solving,
come put your mark
2822.31 -> on building a new streaming
experience and join us.
2825.52 -> With that, I leave you with
this video on what it's like
2828.17 -> to be part of building a
new streaming experience
2830.4 -> at HBO Max.
2832.12 -> Thank you for your time.
2834.204 -> (exciting music)
2838.95 -> - People are starting to notice.
2842.48 -> (exciting music)
2872.996 -> - Whoa.
2873.829 -> (exciting music)
2880.23 -> - Thank you to the Academy for
this incredible recognition.
2883.62 -> - [Man] Thank you so much.
2884.936 -> (people cheering)
2885.769 -> - Wow.
2886.602 -> (exciting music)
2889.82 -> - I told you, man.
2890.72 -> - I'm impressed, Morty.
2892.208 -> (exciting music)
2893.9 -> - Welcome to CNN Special Coverage.
2895.761 -> (exciting music)
2901.556 -> - All right.
2902.389 -> - All right.
2903.222 -> - Okay.
- We should do it.
2904.492 -> (Larry groans)
2905.325 -> (exciting music)
2911.8 -> - This is really happening.
2913.643 -> (exciting music)
2934.6 -> - Great stuff, Brian,
2936.31 -> and I know as a watcher
of Mare of Easttown,
2938.34 -> I'm gonna take his word for it
2939.45 -> that his team is not keeping tabs
2941.64 -> on my recent binge-watching sessions here.
2944.17 -> So we're gonna move on
to some updates now,
2946.49 -> as well as best practices
around your network
2949.3 -> and infrastructure security plan.
2951.62 -> A term that you'll often hear a lot about
2954.55 -> is confidential computing,
2956.77 -> but what we're really talking
about here, let's define it.
2960.09 -> The most basic definition
is isolation technology
2963.94 -> in processing sensitive data.
2966.24 -> Our way of doing this at
AWS is with Nitro Enclaves.
2969.94 -> Nitro Enclaves offer a hardened
2972.92 -> and highly constrained environment
2974.71 -> to isolate security-critical applications.
2977.43 -> Now customers already use Amazon EC2
2979.8 -> to process a wide variety
of highly sensitive data,
2983.18 -> such as personally
identifiable information,
2985.49 -> and they protect this
data with access controls
2988.26 -> and with encryption both
at rest and in transit,
2992.05 -> but when this data needs to
be decrypted for processing,
2994.73 -> customers might be setting
up a wide array of VPCs
2997.15 -> to do that work in.
2998.15 -> This can be a significant effort
3000.05 -> and it leads to a potential
path where shortcuts get taken.
3003.81 -> We wanted to make it easier to set up
3005.3 -> and manage isolated
compute environments in EC2
3007.62 -> that not only protect your information
3009.74 -> against outside adversaries,
but also protect your data
3013.4 -> from your own staff.
3017.21 -> In terms of the what around
confidential computing,
3020.07 -> enclaves are separate virtual machines.
3022.92 -> They have no persistent
storage, no interactive access,
3025.97 -> and no external networking,
so even if you're a root user
3029.74 -> or an admin user on the
instance, you will not be able
3032.9 -> to SSH into the enclave
or otherwise access it,
3036.76 -> which means with Nitro Enclaves,
3038.41 -> you're able to isolate the processing
3039.93 -> of highly sensitive data
within your EC2 instances,
3043.38 -> including from your own people.
3046.23 -> Nitro Enclaves has attestation
that allows you to verify
3049.593 -> that only authorized code
is running in your enclaves
3053.01 -> and includes AWS Key
Management Service integration,
3055.87 -> where KMS is able to read and verify
3058.55 -> these attestation documents
so that only your enclaves
3062.66 -> can access your sensitive material.
3067.77 -> Another update we're excited about
3069.34 -> is the AWS IoT Core integration
with AWS PrivateLink,
3074.17 -> enabling customers to
create private IoT endpoints
3077.7 -> in a virtual private
cloud using VPC endpoints.
3081.27 -> If you're collecting data from machines
3083.24 -> in a connected factory,
3084.8 -> but you don't want to expose
the local factory network
3087.14 -> to the public internet
for security reasons,
3089.01 -> which is probably a good choice,
3090.67 -> then this is the update for you.
3092.96 -> This also allows for the
restriction of access
3095.05 -> to only allow connections
over a VPC endpoint.
3099.73 -> When used with
network-to-VPC connectivity,
3102.5 -> your IoT Core VPC endpoint can function
3105.25 -> as though it were hosted
directly on your private network.
3109.69 -> This is a solid example
of shutting down an angle
3111.94 -> that doesn't seem flashy,
3113.03 -> but we've all seen headlines recently
3115.44 -> where always-on physical devices
3118.08 -> connected to the public internet
3119.68 -> had very little to no
security protections in place,
3123.23 -> and as a result, got abused
by adversaries all over.
3127.45 -> All right, so what makes
sense to look at today
3130.65 -> for your network and
infrastructure security plan?
3133.99 -> First up, launch AWS resources
in defined virtual networks.
3138.5 -> You have complete control
3139.84 -> over your virtual networking environment,
3141.72 -> including the selection of
your own IP address ranges,
3144.45 -> the creation of subnets, the
creation of routing tables
3147.29 -> and network gateways.
3149.01 -> You can use both IPv4 and
IPv6 for most resources
3153.05 -> in your virtual private cloud,
helping to ensure secure
3156.82 -> and easy access to
resources and applications.
3161 -> Next up, the AWS Well-Architected Tool.
3164.55 -> This is another completely
free security tool
3167.73 -> that compares your workloads
3169.66 -> to the latest architectural
best practices.
3172.22 -> The tool was developed
to help cloud architects
3174.46 -> build secure and resilient
application infrastructure,
3177.23 -> and is based on the
Well-Architected Framework.
3180.09 -> This is available right now
in the AWS Management Console.
3182.97 -> Just define your workload and
answer a series of questions
3186.02 -> regarding operational excellence,
security, reliability,
3189.75 -> performance efficiency,
and cost optimization.
3192.94 -> The AWS Well-Architected
Tool then provides you a plan
3196.6 -> on how to architect for the cloud
3198.17 -> using established and
audited best practices,
3201.72 -> which brings us to data
protection and privacy.
3204.54 -> For global companies, there's
definitely been an awakening
3207.4 -> as to how sensitive different
cultures are to data privacy.
3210.83 -> I think that we're gonna
see that looking at this
3213.11 -> in a jurisdictional sense
might really miss the mark.
3215.55 -> You really need to have ways
to protect customer data
3218.35 -> no matter where it resides.
3220.95 -> Customers still have plenty
of valid questions out there.
3223.6 -> How long will my data be retained for?
3226 -> Who will you share it with?
3227.64 -> How will it be protected from someone
3229.38 -> walking out the door with it and so on?
3231.54 -> These are concepts in
areas where it's critical
3233.51 -> to get it right, no matter what
business you're in, but how?
3237.65 -> This can become a very
complicated topic very quickly,
3240.68 -> so it's important once again
3241.98 -> to define some of our terminology.
3245.84 -> Speaking of data protection,
one of the things
3248.09 -> that we've seen recently is a trend
3249.75 -> towards zero trust architecture.
3252.29 -> A recent United States
government executive order
3254.89 -> mentioned zero trust as a security model
3257.36 -> that they want agencies to
develop a plan towards adopting.
3260.96 -> And right here in the EO,
3262.09 -> you can find some of the
definitions which state
3264.1 -> that zero trust architecture
3265.81 -> is a set of system-designed principles
3268.83 -> and a coordinated cybersecurity
3270.65 -> and systems management strategy
3273.21 -> based on an acknowledgement
that threats exist
3275.6 -> both inside and outside
traditional network boundaries.
3281.47 -> And if you keep scanning,
3282.7 -> you'll note a bunch of familiar terms,
3285.23 -> eliminating implicit trust,
continuous verification,
3289.05 -> setting up users in the
manner of least privilege,
3292 -> constantly limiting access
to only what is needed
3294.45 -> to do a particular job for
a particular period of time,
3297.96 -> looking for anomalous
or malicious activity,
3300.56 -> granular risk-based controls
and security automation.
3304.7 -> These are not new topics clearly,
3306.78 -> but they're definitely worth
discussing within the framework
3309.75 -> of data protection
because this type of model
3312.63 -> is all about keeping sensitive data secure
3315.62 -> by using multiple security layers.
3320.48 -> Now because zero trust
can mean different things
3322.57 -> in different contexts,
3323.83 -> I'd like to briefly get
into the guiding principles
3325.86 -> for zero trust and the way
that we think about them
3328.65 -> within AWS.
3330.38 -> The first thing to consider
3331.57 -> is always gonna be your
particular use case.
3334.66 -> Are you looking at adding a
mobile app for your workforce
3337.16 -> to check their appointments or calendars
3339.36 -> or maybe you're building a new portal
3340.83 -> to upload personally
identifiable information.
3343.44 -> These use cases should
have a direct impact
3345.5 -> on how you move forward.
3348.05 -> The next key is to avoid a false choice
3350.69 -> between identity or network controls.
3353.16 -> This is what zero trust is getting at.
3355.1 -> Do not trust one layer
of security controls
3358.44 -> to be the end of the equation.
3359.62 -> We've known for a long time
3361.18 -> that network perimeter-based
security controls
3363.09 -> are really not sufficient for anything.
3365.78 -> The best security does
not come from a choice
3368.14 -> between identity-centric or
network-centric controls.
3371.61 -> Network permissions provide guardrails
3374.71 -> where identity-centric
controls can operate
3377.28 -> within those guardrails.
3379.4 -> They should not only coexist,
3381.11 -> they should augment each other.
3383.21 -> A great example of this is VPC endpoints.
3386.12 -> They provide the ability
to attach a policy
3388.78 -> that allows you to enforce
identity-centric rules
3391.77 -> at a logical network boundary.
3397.3 -> And finally, though zero trust
is an overarching concept,
3401.94 -> it is not a stamp that you can just throw
3403.73 -> on your particular technology,
3405.09 -> no matter how much marketing people try,
3407.07 -> and call it zero trust-certified.
3409.29 -> That's just sort of like cloud washing,
3410.73 -> but for trust enforcement.
3413.16 -> For example, we have millions of customers
3415.31 -> securely calling AWS through a diverse set
3417.65 -> of public and private networks.
3419.02 -> There's nothing about the
security of AWS API infrastructure
3422.34 -> that depends on the
underlying network itself.
3425.27 -> Each one, every one, of those
API requests is authenticated
3429.11 -> and authorized every single
time all around the globe.
3432.54 -> I should note that the
use of cloud-based APIs
3435.19 -> aren't generally mentioned
within zero trust discussions,
3437.82 -> perhaps because AWS led
the way with this approach
3440.56 -> to securing APIs from the very start,
3443.28 -> such that it's now assumed
to be sort of a basic part
3445.48 -> of every cloud security
story, even before zero trust
3448.48 -> was a fashionable term.
3451.35 -> So then, you know what you're building.
3453.37 -> Don't make either/or security decisions
3455.62 -> and do get very granular
with your security choices.
3459.82 -> That will help you build
a robust data protection
3462.2 -> and privacy program.
3463.97 -> With that in mind,
3465.57 -> what are some of the
more recent developments
3467.38 -> in this category?
3468.84 -> Well, we announced strengthened
contractual commitments
3471.53 -> that go beyond what's required
3472.73 -> to protect the personal data
3473.92 -> that customers entrust AWS to process.
3476.9 -> These new commitments
apply to all customer data,
3479.46 -> subject to GDPR processed by AWS.
3482.72 -> Whether it's transferred outside
the European economic area
3485.59 -> or not, these commitments
are automatically available
3488.59 -> to all customers using AWS to
process their customer data
3492.03 -> with no additional action required
3494.56 -> through a new supplementary addendum
3496.21 -> to the AWS GDPR Data Processing Addendum.
3499.8 -> That's a mouthful.
3500.633 -> Thanks, lawyers, I appreciate it.
3502.59 -> Our strengthened contractual commitments
3504.4 -> include challenging law
enforcement requests
3507.25 -> where they're overly broad,
3508.64 -> and disclosing only the
minimum amount of customer data
3511.28 -> that's necessary to
satisfy a lawful request.
3515.15 -> We're also strengthening data protection
3516.93 -> from a technology perspective.
3519.23 -> Customers are using our latest
generation of EC2 instances,
3522.18 -> automatically getting the protection
3523.93 -> of the AWS Nitro System
I discussed earlier.
3527.03 -> Nitro was designed to operate
3528.56 -> in the most hostile network
environment we could imagine,
3531.67 -> building in encryption, a
secure boot that's validated,
3534.8 -> a hardware-based root of
trust, and restrictions
3537.82 -> on operator access, whether ours or yours.
3541.79 -> Lastly, we continue to
provide additional support
3543.86 -> to customers subject to GDPR.
3546.2 -> We've launched two new online resources
3548.1 -> to help customers complete
data transfer assessments
3550.6 -> that are required by
GDPR, the first of which
3553.28 -> is our privacy features of AWS services,
3556.47 -> as well as our sub-processor page,
3559.12 -> which contain information
on third-party processing,
3562.93 -> customer-initiated support requests,
3565.27 -> and our infrastructure entities worldwide.
3568.33 -> This is information that's
available publicly today.
3572.08 -> With all this in mind,
what should you do next?
3578.07 -> First off, have a plan.
3580.69 -> This seems really simple, but
so many people miss this step.
3584.32 -> Know what you're storing,
where it is stored,
3588.04 -> who has access to it,
and what types of access
3590.86 -> they have for what reason.
3593.67 -> This is the place where being
rigorous is an absolute must.
3597.57 -> You have to know and classify
the levels of customer data
3600.27 -> you're storing, why you're
storing it, for how long
3603.55 -> and so on, and you have
to keep records of this,
3606.22 -> especially if you're in
a regulated industry.
3608.94 -> This could be an entirely easy exercise
3610.85 -> if you're storing limited
customer information.
3613.26 -> The risk clearly rises, though,
3615.05 -> with each rung you go up the PII ladder,
3618.09 -> whether it's health information
or national ID cards.
3621.14 -> These are areas where you
must have definitive steps
3623.75 -> in place to classify
and track information.
3627.9 -> Customer service could access this much,
3629.85 -> but human resources needs
these types of permissions.
3634.03 -> Sales can maybe see phone numbers.
3636.26 -> This is a place you do not wing it,
3638.92 -> as these are business-ending
levels of risk
3640.75 -> at the highest levels.
3642.61 -> Plus, honestly, it's just
the right thing to do
3644.89 -> for all of our customers out there.
3646.77 -> I mentioned access levels
before and this ties in.
3650.1 -> Think about it this way, you
want your own data protected
3653.64 -> when you go to the pharmacy
3654.83 -> or when you're accessing
your bank account,
3657.03 -> so treat your customers the same way
3659.12 -> that you'd want your data to be treated.
3662.19 -> From a moral imperative standpoint,
3663.82 -> this is a really easy call,
3665.93 -> but just make sure this is the one place
3667.91 -> you do get completely down into the weeds,
3670.79 -> no matter where you sit
in the organization.
3673.62 -> One of the Amazon leadership
principles is dive deep,
3676.4 -> and this is an area where it
really, really does matter
3679.72 -> that you understand with precision
3681.35 -> the details of what's
going on in your business.
3683.77 -> You are never going to regret
3685.55 -> having granularly defined
everything sensitive
3688.09 -> that you are storing and processing.
3691.97 -> With that in mind, you can use
tools like what S3 supports
3696.22 -> for free, easy encryption using
AES-256 encryption standard.
3700.81 -> As I'm sure we're all aware,
S3 bucket encryption at rest
3704.047 -> is important to prevent
your data from being exposed
3706.67 -> to anyone who might get physical access.
3709 -> This level of protection
also happens to be required
3711.56 -> for certain compliance
standards, whether it's PCI DSS
3714.61 -> for credit cards, NIST 800,
or encryption has to be set
3718.59 -> on default for any particular bucket.
3721.43 -> This causes all subsequent
items to be saved
3723.93 -> in that S3 bucket to be
encrypted automatically.
3726.87 -> So although this isn't
a set-and-forget tool,
3729.56 -> it's a great way to
streamline your data policies
3731.81 -> with just a few clicks,
and speaking of encryption,
3735.633 -> we're excited to share
that AWS acquired Wickr
3738.58 -> in late June.
3739.7 -> This is a company that developed
3741.14 -> end-to-end encrypted
communication technology.
3744.12 -> With Wickr, customers and partners benefit
3746.37 -> from advanced security
features not available
3748.3 -> with traditional communication services,
3750.1 -> whether it's across messaging
or voice and video calling,
3753.06 -> file sharing or collaboration.
3755.74 -> This gives security-conscious
enterprises the ability
3758.27 -> to implement important security controls
3760.73 -> to help them meet their
compliance requirements.
3763.14 -> Now, some of these use
cases here might be things
3765.73 -> like securely communicating
with office-based employees,
3768.63 -> or to keep communication between employees
3770.45 -> and business partners private
while remaining compliant
3774.45 -> with regulatory record
retention requirements,
3777.02 -> and that's a really big one
3778.11 -> when you consider encrypted
communication tools.
3782.38 -> Right, so we're now arriving
3784.77 -> at the governance, risk,
and compliance portion
3786.75 -> of this talk.
3787.8 -> Now this is a topic that lends itself
3789.55 -> to passionate practitioners
3791.61 -> because no one accidentally
starts learning
3794.07 -> about compliance
regulations, let's face it.
3796.45 -> You either have an active
interest in the security controls
3799.3 -> and frameworks that
comprise the massive amounts
3801.42 -> of standards and certifications
that are out there
3803.14 -> or you don't, but I'm gonna
give you a quick preamble here
3806.23 -> in a moment as to why this
topic should interest you
3809.216 -> if you're involved with cloud security,
3811.62 -> even when it seems like
something you'd prefer to leave
3814.13 -> to your auditors and
regulators to sort out.
3817.4 -> We went with an Anna Kendrick quote here
3818.85 -> to lighten up the subject
matter a little bit
3820.42 -> because it is GRC, but as
she's an Academy Award nominee
3823.78 -> that loves structure, she is
the perfect context-setter.
3829.1 -> This is a very tiny sliver
of compliance programs
3832.29 -> that we regularly update, but
I thought it might be helpful
3834.41 -> to drill down on one in particular.
3837.17 -> The first I want to call out
on GRC is the first line,
3840.51 -> services in scope for HITRUST.
3842.69 -> I want to break this down slightly
3844.03 -> in order to give you some feel
3845.37 -> for why these kinds of
attestations are important.
3848.64 -> The first thing to note is HITRUST itself
3851.03 -> was built as a framework
3852.29 -> for protecting sensitive
healthcare information,
3854.7 -> but it draws from standards
and regulations like GDPR,
3858.98 -> the ISO series of standards,
NIST, PCI, and HIPAA,
3862.7 -> to create a comprehensive set
3865.08 -> of baseline security and privacy controls.
3867.73 -> Now we as practitioners tend
to want to box certifications
3870.41 -> and attestations into whatever region
3873.26 -> or industry vertical they
are most relevant to,
3876.13 -> which makes sense when we look
at our business granularity,
3879.54 -> but in this case, I wanted to
note that HITRUST is derived
3882.33 -> from a bunch of different
standards in its own right.
3885.36 -> GDPR or European data privacy law,
3887.98 -> maybe it's PCI for credit cards,
3889.51 -> HIPAA of course is a healthcare law
3891.3 -> here in the United States.
3892.9 -> International standards
organization, right,
3894.64 -> ISO is itself an international
standards-setting body,
3897.34 -> and so on.
3898.173 -> You get the concept here.
3899.78 -> Many of these standards
have overlapping concepts
3902.76 -> and many of the standards have
overlapping security controls
3906.36 -> attached to them as well.
3910.528 -> And we need to meet over
150 different controls
3913.47 -> to be HITRUST-certified.
3915.06 -> These control sets are arranged
in a manner that many of us
3917.49 -> are actually familiar with,
3918.63 -> we just may not have thought
of it as compliance as such.
3922.17 -> There are seven objectives
around access control,
3924.45 -> with names like define user
roles and responsibilities.
3928.73 -> That sounds pretty familiar, it should,
3930.77 -> because the primary function of IAM
3933.19 -> and having a plan for handling data.
3935.576 -> Then there's a human resources component,
3937.71 -> with detailed security for
the entire employee lifecycle,
3941.34 -> followed by having a risk
management plan, asset management,
3944.89 -> security, and physical security and so on.
3948.89 -> I'm not gonna list them all here
3950.403 -> because that would be a whole
presentation on its own,
3951.84 -> but what I'm getting at is the concepts
3953.58 -> that make up these certifications,
3955.08 -> frameworks, laws, and
attestations, all drill down
3958.43 -> to real security concepts
that you can use.
3962.32 -> You don't need to do business
in the EU to take a look
3964.86 -> at the GDPR concepts and
find something of value
3967.11 -> to your organization.
3968.55 -> You don't need to process
credit cards to understand
3971.32 -> that encryption and
limiting who has access
3973.16 -> to sensitive data is important.
3975 -> I point all this out to
show that all of these terms
3977.97 -> and acronyms can be
distilled down to their core
3980.73 -> by looking at the regulations
or frameworks themselves.
3984.12 -> This is something we do at AWS routinely.
3987.33 -> Our cloud services are validated
3988.92 -> against thousands of security
controls across geographies
3992.12 -> and industries, and it gives
us a very solid insight
3994.86 -> into how security is made
operational and real.
3999.35 -> What that means is you can
trust that a level of rigor
4001.86 -> goes into the building and
operating of each service
4004.53 -> and the auditing of each
service before it appears
4007.7 -> on our services in scope webpage.
4010.07 -> We take that all on so that
you can partner with us
4013.217 -> and not have to do so.
4015.71 -> For certifications such as HITRUST CSF,
4017.9 -> if you're using our in-trust
or in-scope services,
4021.21 -> you inherit our portion of those controls.
4024.22 -> You're responsible for
implementing the controls
4026.09 -> that aren't running in our cloud,
4027.69 -> but you're starting with a
significant structural advantage
4030.55 -> if you're all in on
AWS, and as per normal,
4033.97 -> customers can download the
latest HITRUST CSF certificate
4037.28 -> now through AWS Artifact in
the AWS Management Console.
4043.47 -> I'm gonna take a moment to
go over some of the partners
4045.81 -> that are making the business
of security and compliance
4048.71 -> easier for customers, as well
as a few updates of note here.
4052.91 -> First off, our Level 1 MSSP program.
4056.24 -> This is a program that's
an industry first,
4058.81 -> a baseline standard of quality,
4060.52 -> for managed security
providers in the cloud.
4064.31 -> I asked for them to put together
4065.82 -> a quick little explainer video
with a few of our partners
4068.687 -> and our own Ryan Orsi.
4070.46 -> Ryan, take it away.
4072.41 -> - We created the Level 1
MSSP Competency Program
4075.46 -> to bring the best MSSPs in the world
4078.05 -> to the AWS Partner Network.
4080.24 -> The program annually enables and validates
4082.94 -> MSSPs' technical and
operational capabilities
4086.41 -> meet the Level 1 Managed
Security Service requirements.
4089.42 -> It's a good starting point for customers
4091.53 -> to operationalize their
security responsibilities
4094.63 -> in the cloud.
4095.71 -> It spans 10 specific 24/7
security service areas,
4100.23 -> each with defined technical
and operational requirements
4103.66 -> by AWS Security experts
all around the company.
4106.61 -> - Known as AWS Level 1
MSS bundle of services,
4109.51 -> we're helping to deliver
business value to our customers.
4112.38 -> Combining cloud needs experience
4114.45 -> with the AWS Level 1 MSSP competency
4118.56 -> gives our customers a
long-term security partner
4120.74 -> they can rely on and helps
achieve their business goals.
4123.67 -> - We expect that the mass
security overall growth
4126.6 -> will be 2 1/2 times faster
4128.22 -> than our traditional core offering
4130 -> and even stronger for cloud.
4131.67 -> Combined with our number one
cyber consultancy globally
4134.7 -> will put us in a unique position
4136.47 -> as we serve our clients' cyber needs.
4139.07 -> - The biggest thing that
Sophos wants customers
4141.02 -> to understand is that we
understand that the burden
4143.33 -> of managing security and
that's why we want to do it
4146.41 -> for the customers, and so
together with our partnerships
4150.446 -> with AWS and our partnerships
with our global network
4154.13 -> of channel community, we
can do that for customers.
4157.82 -> - We've long held the belief that security
4160.5 -> can be a tremendous enabler for success
4162.22 -> on the AWS cloud and allow for customers
4164.5 -> to really unleash its full potential.
4166.17 -> The Level 1 MSSP competency
should give you faith
4169.48 -> that there are offerings out there
4170.62 -> that are tried and tested,
that many have experience with,
4172.82 -> and have seen success with,
so you can take the plunge,
4175.87 -> fully embrace getting,
you know, an augmentation
4178.87 -> for your own security operations
4180.6 -> and unleashing the full
potential of AWS cloud.
4185.95 -> - And here are our launch partners
4187.78 -> for the Level 1 Managed Security
Services Partners program,
4190.84 -> both for the Competency
and Category sellers.
4193.71 -> We want this program to
help you free up time
4195.99 -> to invest in your core business.
4198.16 -> Dan said it well at the tail end there.
4200.3 -> These are tried, tested,
and vetted solutions.
4203.9 -> Next up, our AWS Security
Competency Partners.
4207.61 -> We're very deliberate about our community
4209.45 -> of security technology
and consulting partners,
4212.03 -> and they represent every
aspect of cloud management,
4214.73 -> from migration to operations.
4217.18 -> Again, to become a Security
Competency Partner,
4219.7 -> you have to have been vetted
4220.91 -> across multiple security categories.
4223.54 -> So these are partners who
really know their space.
4226.81 -> We've asked a few of those partners,
4228.27 -> including CrowdStrike, Trend
Micro, Palo Alto, and Splunk,
4231.99 -> to give us 90 seconds on this topic.
4234.45 -> We'll hear first from Jessica
Alexander of CrowdStrike.
4238.41 -> - Customers usually express
three main challenges
4241.29 -> when they move or migrate to the cloud,
4243.61 -> skillset, visibility, and
consumption-based billing models.
4248.19 -> Well at CrowdStrike, we learned
4249.51 -> that our AWS Security
Competency builds trust
4252.7 -> not only with our customers,
4254.19 -> because they know we've
been validated by AWS,
4257.25 -> but it also builds trust
with AWS because they know
4260.06 -> that our products align
with their best practices.
4263.55 -> - Cloud platforms like AWS
provide incredibly powerful sets
4267.11 -> of capabilities to application
owners and development teams.
4270.43 -> Yet security teams are
challenged with just the scale
4273.09 -> and velocity at which new
services are being adopted.
4276.59 -> - Many organizations
are moving to the cloud,
4278.75 -> but this increases complexity.
4281.53 -> For most, it isn't a
simple lift and shift,
4284.07 -> and they have to maintain security
4285.86 -> and stay compliant
throughout the migration.
4289.17 -> So across our customer base,
4290.94 -> customers are at different
stages in their cloud journey,
4293.78 -> so Splunk solutions help
customers search, analyze,
4296.87 -> and act on data ingested into Splunk.
4299.007 -> Our security analytics
solutions help customers
4302.21 -> really reduce mean time
to detect new threats
4304.77 -> and streamline investigations.
4307.09 -> - The AWS environment
is incredibly secure,
4310.06 -> but you as a customer are responsible
4312.5 -> for securing what you put in the cloud,
4314.54 -> and that's where we focused
4315.85 -> our Cloud One security services platform,
4318.92 -> providing your builders
with the tools they need
4321.45 -> to get security done quickly
in their environments
4324.75 -> without slowing them down.
4329.92 -> - These are all of our
Security Competency Partners,
4332.37 -> and as you can see, there
are plenty available
4334.78 -> to help you wherever you
are with your own program.
4338.89 -> You can locate, purchase, deploy,
4341.15 -> and manage these cloud-ready
software solutions
4343.62 -> in a matter of minutes
from the AWS Marketplace,
4346.27 -> and finally, our consulting
and technology partners
4349 -> in security engineering,
governance, risk, and compliance,
4352.15 -> security operations, and automation.
4354.62 -> Again, no matter where
you are in your program,
4357.09 -> there's someone out there
who has seen it before
4359.74 -> and can assist you in
getting to the next level.
4363.12 -> So what can you do today to
make your program stronger
4366.8 -> with regards to governance,
risk, and compliance?
4370.12 -> There are so many ways to learn right now.
4373.2 -> How to up-level your security program,
4375.13 -> whether you're running your own business
4376.74 -> as a sole proprietor or leading
a multinational enterprise,
4381.07 -> whether it's in the AWS Security Blog,
4383.79 -> our security and compliance
website, or AWS Artifact
4387 -> that allows you to download
our certifications,
4389.16 -> there are plenty of ways to learn more
4392.17 -> to make your security program even better.
4395.78 -> We have technical documentation,
videos, demos, trainings,
4400.08 -> certifications, and best
practices being published
4403.57 -> and updated regularly, so check back.
4407.44 -> Well, as we near the end
of the presentation today,
4409.68 -> I'd also like to take a quick moment
4411.14 -> to recommend an operational program
4413.01 -> that we are seeing tangible
results from internally.
4416.34 -> We all know that security
can't be the only,
4418.71 -> the job of your security team,
4420.76 -> and that truly maintaining a culture
4422.79 -> of good security hygiene
is gonna take buy-in
4425.26 -> from everyone within your business.
4427.86 -> This brings me to the concept
of security guardians,
4430.41 -> or I've also seen it
called security champions.
4433.44 -> Essentially, this is a group of people
4434.86 -> that sit outside the
security organization,
4437.78 -> but who volunteer to help
maintain certain best practices
4440.97 -> within their individual teams.
4443.9 -> Embedding security champions
within your business
4446.08 -> and giving them a seat at the table
4448.2 -> as to how security and their
group can work better together
4450.73 -> within the framework of the business
4452.45 -> can really provide huge value.
4454.83 -> I'd encourage you to
consider starting this type
4456.62 -> of program internally,
and we'll be sharing more
4458.75 -> about this program at
re:Invent in a few months.
4463.14 -> I'd also like to give a quick plug
4464.52 -> to our Cloud Audit Academy,
4465.97 -> which we've designed
specifically for those
4468.42 -> who are in auditing, risk,
and compliance roles,
4471.12 -> and are involved in
assessing regulated workloads
4473.71 -> in the cloud.
4474.84 -> The training we've put together
4475.88 -> dives into both cloud-specific
audit considerations,
4479.06 -> as well as AWS best practices
4481.11 -> for security auditing generally.
4483.25 -> The curriculum here
starts with a wide scope,
4485.47 -> which is cloud and
industry-agnostic, and then narrows
4489.54 -> as the learner progresses to focus on AWS
4492.24 -> and industry-specific content.
4494.93 -> Of course, eLearning formats are available
4497.42 -> and we have instructor-led
training formats too.
4500.69 -> Attendees can also receive
4502.15 -> continuing professional education credits
4504.94 -> from recognized security
professional associations
4507.25 -> within the industry.
4509.27 -> So if you're an auditor,
regulator, or even just a security,
4512.29 -> privacy, or compliance
practitioner out there
4515.066 -> looking to learn more
about how the concepts
4516.39 -> around confidentiality,
integrity, and availability work
4520 -> within auditing AWS,
4522.06 -> you'll likely find this
really interesting.
4524.15 -> You can learn more at the
URL here on the screen.
4527.12 -> What I'd like you all to do now
4528.53 -> is to join the conversation
around security.
4531.41 -> Security professionals never
function best in isolation
4534.94 -> and a free exchange of
ideas and suggestions
4537.58 -> on how to improve security is something
4539.39 -> that we all can bring value to, so please,
4542.31 -> join the conversation.
4544.64 -> If you're looking to keep
the conversation going,
4546.5 -> we've got a number of Twitter handles
4547.88 -> that you can engage with.
4549.13 -> This is a really easy
way to stay up-to-date.
4553.05 -> That's all for me.
4554.25 -> We have a really great day
of content coming up for you.
4556.88 -> Up next will be how AWS
integrates a culture of privacy
4560.36 -> to protect and enable customers.
4562.26 -> This will be a great session
from our own Jenny Brinkley,
4564.84 -> Ken Beer, and Anne Toth.
4566.75 -> We'll take a short break
while we reset the stage
4568.95 -> and be right back with that session.
4570.32 -> Thanks, everyone, I appreciate your time.
Source: https://www.youtube.com/watch?v=H3LTjVWSQ6g