Convincing your company to invest in cloud security is similar to disaster recovery. If you never have a disaster, all the money you spent on it seems a waste. But if you do, the investment was priceless.
During the first keynote at AWS re:Inforce last month, AWS CISO Steve Schmidt emphasized one point in particular: “Security is job zero.”
He wanted everyone to understand that security should always be the most important thing — more important than any number one priority.
Interestingly, AWS doesn’t have a traditional security team. Everyone at AWS is individually responsible for meeting their high standards for security:
“While we have dedicated security professionals whose primary responsibility is in fact security, every AWS employee, regardless of role, is responsible for ensuring that security is an integral component of every facet of the business, and security is referred to early and often.”
Clarke Rodgers, Enterprise Security Strategist with Amazon Web Services
Before AWS considers a new product, service, or feature, they must first examine the security implications. And they continue to extend their internal best practices for security to customers through services like AWS Control Tower.
If you have multiple AWS accounts and teams, managing your cloud can get complicated quickly. AWS Control Tower makes it easy to set up and govern multi-account AWS environments:
AWS has close to 30 security-focused services, plus hundreds of security features across all of their products. Offerings like AWS Control Tower make me think about how much more attainable security in the cloud is these days.
Cloud security is better than it used to be
When I was running IT for organizations and standing up traditional infrastructure, there were many times when I wanted to add security layers, install smart inspection services, and encrypt everything at rest and in transit.
Back then, it was hard to convince the business to spend tens of thousands of dollars, sometimes hundreds of thousands, just to add a layer of protection with no clear value. I was often relegated to putting in OS-level security measures and relying on firewalls instead because that was all that I could get through the budget cycle.
Now, with my workloads running on AWS, I can do all these things at a fraction of the cost:
- Enable encryption everywhere with simple key management via AWS KMS
- Get state-of-the-art threat detection for free via Amazon GuardDuty – and show my business the value of the information that it’s presenting
- Add internal segmentation or security rules in between my instances by playing with security groups or network ACLs at no cost
(This list is just the start. Check out the full list here.)
How to have security like Amazon when you’re not Amazon
Amazon is in the process of introducing a securities best practices section to the base documentation on all their products.
If you’re wondering how to take your first steps towards better security, this new documentation is a great place to start.
Here’s an example from S3 to show you what it looks like:
(P.S. If your situation is a bit more nuanced than following Amazon’s security suggestions, an AWS consulting service can help.)
With AWS, there are so many security features baked in that are available to us by default. That’s the real beauty of running your architecture with an organization that works with you like a partner.