Using automation and simplification to enhance your cloud security

Security is changing the cloud, said the Amazon Web Services CISO at the AWS Enterprise Summit in London yesterday.

“Security is changing the cloud itself. Change is something that we think is good and it’s something that drives benefit in business.” Those are the words of Stephen Schmidt, Vice President of Security Engineering and Chief Information Security Officer at Amazon Web Services, talking about “democratised security” at the AWS Enterprise Summit in London yesterday.

“Businesses are being forced to change,” he continued. “This is not something people want to do in many cases, but because the demographics of the world are changing, because the interests of our customer base are changing, we as organisations must change in order to survive.”

Schmidt also identified several “mega trends” that he’s seeing in the world of cloud security, centring around the importance of automation and simplification.

Automation in security, he said, is “one of the most effective controls that you can put in place.” And the reasoning behind it holds true in all areas of security: “People make mistakes. People’s credentials get compromised, people make errors and this is one of those wonderful intersections between security and operational availability. If you automate actions that humans usually undertake you reduce the risk of error.” By using infrastructure to deal with problems rather than having to rely on security personnel, organisations can not only save themselves time and money, but also scale efficiently with the business.

Schmidt was equally passionate about the merits of simplification in cloud security: “Simplification in the security world is something that, I believe, is the most important thing we can do.” This is especially relevant to data protection and, more specifically, to controlling employees’ access rights. “If you think about access to customer data, it’s something that we are incredibly paranoid about,” he said, explaining that very simple yet specific rules about who has access to what data are the “easiest to understand for our staff, easiest to enforce and the easiest to audit against.”

For example, an employee might only have access to a certain data set between the hours of 9-5, Monday to Friday, and only from his desktop computer in the office. While this might seem overly cautious, “people are the number one cause of mistakes”, so having the ability to push down controls to very small boundaries could save businesses a lot of headaches in the long run.

AWS is on something of a hot streak at the moment, currently boasting 1 million active customers a month in 190 countries and, according to a recent report, controlling more of the public cloud market than Google, Microsoft and IBM combined.
