In this Help Net Security interview, Amy Herzog, CISO at AWS, discusses how cloud-native security enables scalable, flexible protection that aligns with how teams build in the cloud. She explains the Shared Responsibility Model and the tools and processes that scale security.
Herzog also explains how AI helps automate threat detection and vulnerability management.
What does “cloud-native security” mean?
Cloud-native security refers to both security controls that work the same way the cloud does and processes that work the same way your builders do. Cloud-native security scales up and down as needed, is API-driven, and is focused on helping you meet your responsibilities under the Shared Responsibility Model. It’s an approach to security that is flexible and helps your builders meet their goals safely.
I mentioned the Shared Responsibility Model there, and it’s an important concept to understand. It’s a high-level framework to understand who is taking care of the day-to-day security work in a cloud environment. At AWS, we are responsible for the security of the cloud. It’s on us to make sure that the services we provide to customers have world-class security and are ready for customers to use in their solutions. That secure foundation, security of the cloud, makes it easier for our customers to secure what they build.
That’s why we continually invest in security, from the security of our datacenters to capabilities like identity access management and ubiquitous encryption. We’ve built the AWS Cloud to be the most secure global cloud infrastructure on which to build, migrate, and manage applications and workloads.
You can see the proof of that through the 143 compliance standards that we meet, including being the first major cloud provider to achieve ISO/IEC 42001:2023 accreditation for AI services, including Amazon Bedrock, Amazon Q Business, and more.
Circling back to the Shared Responsibility Model lens, you, the customer, are responsible for security in the cloud. This covers areas like the configuration of AWS services to meet your requirements, hardening the operating systems of your EC2 instances, or fine-tuning the authorization policies on your data so your teams can use AI services like Amazon Bedrock without worry.
Cloud-native security is the catch-all term for doing security work in a way that matches how your teams are working in the cloud, so that you don’t slow down the business unnecessarily.
Where do security teams start when it comes to the mission of securing the cloud?
Once teams understand the Shared Responsibility Model, the first place to start is understanding what your business goals are. Knowing where your organization wants to go will help shape the security decisions that you need to make.
With that context, I think teams should start at the root of all things in AWS: accounts. Setting up AWS Organizations is an easy way to create and manage your organization’s accounts. That will help you manage access to your accounts and, with the help of a service like AWS Control Tower, make sure that every account in your organization has strong security guardrails right out of the gate (like requiring multi-factor authentication!).
From there, security teams should focus on visibility. Use tools like AWS CloudTrail and CloudWatch for insights into what’s happening in your environment, and AWS Security Hub to help understand and prioritize security issues.
That visibility and understanding of what your builders are doing in the cloud will help security teams shape their strategy and choose the controls that can best help them to meet their security goals. At AWS we have great solutions like Amazon GuardDuty for intelligent threat detection or Amazon Inspector for vulnerability management. We also have a vibrant partner community that offers all sorts of security tools to meet any customer’s needs.
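The two guardrails described in this answer, requiring multi-factor authentication on every account and using CloudTrail for visibility, come together when you check the trail for activity that slipped past the MFA requirement. The following script is an added example and is not code from the interview, from AWS, or from any AWS service. The log records in it are constructed to mimic the CloudTrail record shape (eventName, eventSource, userIdentity, additionalEventData.MFAUsed, sessionContext.attributes.mfaAuthenticated); the set of "sensitive" event sources and the finding format are assumptions made for the example.

```python
"""Flag CloudTrail activity that bypasses an MFA guardrail.

Added example, not code from the interview or from AWS. The records below are
constructed to look like CloudTrail events; they are not real log output.
"""
import json

# Constructed sample trail: one clean console login, one login without MFA,
# one failed login without MFA, one IAM change from a session without MFA,
# and one read-only EC2 call from an MFA-backed role session.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:16:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "PutUserPolicy",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "dave",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/ops",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

# Assumption for the example: changes through these services are treated as
# sensitive enough that they should only happen from MFA-backed sessions.
SENSITIVE_EVENT_SOURCES = {"iam.amazonaws.com", "organizations.amazonaws.com"}


def _principal(identity):
    """Best-effort human-readable name for the caller."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def find_mfa_gaps(records):
    """Return a list of findings for records that violate the MFA guardrail.

    Two rules:
      * a successful ConsoleLogin whose MFAUsed field is not "Yes";
      * a call to a sensitive service whose session is not MFA-authenticated
        (a missing sessionContext, e.g. long-term access keys, also counts).
    """
    findings = []
    for rec in records:
        name = rec.get("eventName")
        identity = rec.get("userIdentity", {})
        base = {"time": rec.get("eventTime"), "principal": _principal(identity), "event": name}

        if name == "ConsoleLogin":
            mfa_used = rec.get("additionalEventData", {}).get("MFAUsed")
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            # Only successful logins matter here; failed ones never got in.
            if outcome == "Success" and mfa_used != "Yes":
                findings.append({**base, "rule": "console-login-without-mfa"})
        elif rec.get("eventSource") in SENSITIVE_EVENT_SOURCES:
            mfa_flag = (identity.get("sessionContext", {})
                        .get("attributes", {})
                        .get("mfaAuthenticated"))
            # CloudTrail stores this flag as the string "true"/"false".
            if mfa_flag != "true":
                findings.append({**base, "rule": "sensitive-api-without-mfa"})
    return findings


def scan_cloudtrail_json(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and scan it."""
    return find_mfa_gaps(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for finding in scan_cloudtrail_json(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

On the constructed sample this reports two findings: bob's successful console login without MFA and dave's IAM policy change from a non-MFA session. The same functions work on the JSON body of a real CloudTrail log file, and the sensitive-source set is the knob to widen once you know which services your builders change most.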
How can these teams effectively scale security in cloud environments?
The answer here ties back to the first question about “cloud-native security”. Cloud-native security tools will scale as needed, matching the demand for their protection. To help scale the rest of your security practice, the processes and the people, it’s critical to help the entire business develop a security mindset.
A lot of security teams struggle to scale because they take on all the work themselves. Security is a team sport and it’s your responsibility as the security expert to help those around you understand why this work is important.
At AWS, we have a program called Security Guardians. It’s our way of helping builders who have raised their hands and said, “I’m interested in security”. We provide these folks with extra security training and opportunities for collaboration, and we create a collaborative partnership with them to help their teams and ours improve.
That investment is paying off. We’re seeing faster security reviews and fewer significant findings in those reviews when Security Guardians are involved. That’s less work for our security team, helping them to scale. More importantly, our business teams are meeting their goals faster as a result.
How can AI help security teams and developers build strong defenses?
Talking to customers and to our own teams, one challenge that keeps coming up is the overwhelming volume of security signals they need to process. This is an area where AI can help, automating the analysis of these security signals to help your security teams focus on the signal, not the noise.
We’re using this technique and others to help deliver high quality findings through our security services (like Security Hub) and to shape managed firewall rules like those now available in the AWS Network Firewall.
We’ve also seen significant success using AI alongside automated reasoning. Automated reasoning uses formal methods to provide assurances about a program or system. Pairing automated reasoning of particularly important trust components with broader AI systems helps us get the benefits of AI and strong assurance of system behavior at the same time. A great example of this is the code scanning feature of Amazon Inspector. This feature examines your code for different types of vulnerabilities and when those issues are detected, it generates the fix automatically for you to review.
It’s features like this that help customers to ensure that what they’ve built does what they intend it to do and only what they intend it to do. AI is most helpful when combined with the other steps we’ve discussed to build a complete security practice, helping you work with the rest of your organization to meet your goals.