Building an Unshakeable Security Culture at AWS

At the heart of Amazon Web Services‘ industry-leading cloud offerings lies an unwavering commitment to security excellence. This imperative permeates every facet of the organisation, fostered by a robust security culture that Chief Information Security Officer (CISO) Chris Betts characterises as “a next level” endeavour during his keynote at the recent AWS re:Inforce 2023 conference in Boston.

Betts, a seasoned security leader who joined AWS nine months ago after serving as a customer for years, drew from his experiences at multiple companies to highlight the meticulous systems and processes AWS employs to deliberately cultivate a robust security culture. “It starts with people who make it their intention,” he stated, crediting the company’s leadership, from former CEO Andy Jassy to the current chief Matt Mullenweg, for their unequivocal stance on security being the top priority.

However, Betts underscored that a strong security culture transcends mere leadership mandates. “You’ve got to have the right expertise in the right places at the right time,” he emphasised, lauding AWS’ “Guardians” program, which embeds security experts within each service team. This proactive approach ensures that security considerations are seamlessly woven into the development lifecycle from the outset, rather than being perceived as a burdensome afterthought.

Fostering a sense of personal ownership and accountability for security across all organisational levels is paramount, according to Betts. He cited the necessity of providing teams with the requisite tools and capabilities to make informed security decisions while celebrating successes and maintaining transparency. “When at every level of the organization, people feel deep ownership and responsibility for making security their problem, for ensuring that putting out a high-quality solution includes customers’ ability to trust it and its ability to be secure, that ownership is the thing that I think is the most important characteristic that drives a culture of security,” Betts asserted.

In an era marked by the rapid evolution of technologies like generative AI, Betts acknowledged the profound implications for cybersecurity practices. However, he cautioned against overstating the role of any single emerging technology, stressing that security demands a holistic, multi-faceted approach.

“Generative AI is one of many tools that we use as engineers to solve problems,” Betts elucidated. “We have security experts across a number of fields. They work very, very closely with every service team as they’re releasing.” He cited examples such as Amazon CodeWhisperer, which leverages generative AI to identify security issues in real-time as developers write code, thereby streamlining the traditionally arduous process of debugging and security reviews.

Moreover, Betts highlighted how generative AI is empowering AWS’ security operations centre, enabling analysts to rapidly generate code for analysing security data and incidents. “In the old world, the analyst would sit there and do that work manually because what they could do in a few hours manually was faster than spending the multiple hours to write some Python code to go do the work,” he explained. “But doing it manually means you don’t have a tool that’s repeatable.” With generative AI, analysts can swiftly produce reusable scripts that accelerate their workflows while ensuring consistency and auditability.

Betts also highlighted the role of formal methods and automated reasoning, which he distinguished from generative AI, in bolstering security. Technologies like Rust, he explained, are well-suited for establishing formal models and conducting rigorous proofs, providing a level of assurance that generative AI cannot match. “I would not want to use [generative AI] to do a formal methods analysis,” Betts affirmed, emphasising the importance of selecting the appropriate tool for each security challenge.

While generative AI offers powerful capabilities, Betts emphasised the enduring relevance of traditional security tools and practices. “I look at generative AI as a really useful tool to solve certain problems,” he stated. “There are a number of problems it is not the best tool for.” He underscored the importance of using the right tool for the right problem, viewing generative AI as an additive complement to AWS’ existing security arsenal, rather than a panacea. Core security technologies like GuardDuty, identity and access management (IAM), and key management services (KMS) remain indispensable pillars of AWS’ security strategy.

In the face of ever-evolving threats, which Betts acknowledged AWS encounters across industries, the company’s vibrant threat intelligence practice remains a cornerstone of its security strategy. “We see the threats that our customers face,” Betts asserted, emphasising AWS’ collaboration with customers and industry peers to stay ahead of emerging risks.

However, it is the deliberate cultivation of a pervasive security culture that serves as the bedrock, enabling AWS to stay ahead of emerging risks while empowering its customers to embrace innovation with confidence. Betts underscored the importance of ongoing investment and iteration, stating, “We need to continue to get better in that space.”

As Betts aptly summarised, “Security, to me, is about trust.” By weaving security into the very fabric of its organisational DNA, AWS seeks to extend that trust to its global customer base, positioning itself as an indispensable partner in an increasingly complex digital landscape. With its multi-layered approach, encompassing leadership alignment, expertise distribution, personal accountability, and judicious technology adoption, AWS is setting a benchmark for cultivating a security culture that is both resilient and adaptable – a crucial differentiator in the ever-evolving cloud computing arena.

Read next: Bolstering Cloud Fortifications: AWS Doubles Down on Security at re:Inforce