In an exclusive interview at re:Inforce 2022 Boston (July 26-28), Stephen Schmidt, Amazon’s CISO, told us about the company’s recipe for keeping its employees, customers, facilities and services safe by combining automation and training.
You moved from AWS to Amazon as CSO, can you describe your scope today? How many data centers and people do you manage?
My job now is that I’m the head of security for Amazon. And that means I’m responsible for information security and physical security for all Amazon businesses around the world. This means supporting an employee population of approximately 1.6 million people.
Amazon does not have its own data centers, it uses those of AWS to provide the service to our customers around the world. We’re in 26 regions, by the way, and 84 Availability Zones. So a region is a geographic area, like Paris, for example, that has multiple Availability Zones. And each of these Availability Zones can be made up of multiple buildings. Thus, some of the larger Availability Zones, for example, on the East Coast of the United States, have several tens of buildings that constitute an Availability Zone. So you can’t say that a region is equivalent to a data center.
You are present all over the world, have you noticed any differences in terms of security between the United States and Europe for example?
I don’t think security itself is any different to Europe or the US or anywhere else in the world, really what varies are the multiple regulations we have to comply with in different locations. And sometimes they require separate security implementations.
For cyberattacks, I don’t think there are more in one country, there are certainly individual attack organizations, groups, that focus on different countries or industries. For example, when you look at some of the big national and state players, they have teams that will each focus on a particular industry, one may target the oil industry, another may target nuclear power, another telecommunications, these kinds of attackers are specialized.
We see the attackers continue to be the ones you expect. Nations that have the ability to exploit other countries continue to do so, so I won’t name them, but you’ve been an IT journalist for a long time, you know who they are.
In a multi-cloud world, security is becoming increasingly complex with different platforms to manage. How can you help your customers work with other providers securely?
I think there is no global console for all vendors, and mainly because the features available on each vendor are different. And so you must have something that is designed for the features you are watching. That being said, there are certainly tools you can use that are helpful, whether it’s your on-premises environment or AWS, for example. Splunk works well on premises, and it works well in AWS. CrowdStrike also works the same way. And you’ll see that with a lot of the partners that we have in our marketplace and our partner ecosystem, they’re there specifically because they enable people to move from an on-premises environment to the cloud using tools that they know. And it gives them a unique perspective on their assets, whether they’re in their own data centers or in AWS.
I think there will always be specific differences in functionality between cloud providers. For example, one of the reasons customers come to us is because we have specific feature sets. And what you’ll see in common is the use of certain types of logs, for example, and we’ll talk more about that in the not-too-distant future. We will come back to this subject in a month or two.
Security is an IT problem, but also a physical one. Access and control of sites for example. Have you increased the number of security officers on your sites to deal with risks?
It is necessary to keep people away from data: this applies in the logical world, and also in the physical world. So, for example, if you’re a developer, working for AWS on EC2, you won’t have access to data centers that contain those machines. In fact, very, very few people in the company have access to these data centers, and only because it is necessary for them to do their jobs.
Automation is one of Amazon’s favorite topics. How do you strengthen automation in cybersecurity?
In its own way, as an industry, we need to hire about 300,000 more security engineers than this year. So that’s a lot of people. The only way to ensure that the engineers we can hire are efficient and happy is to automate tasks, which are not necessarily performed by human beings. So if you think about it that way, if you’re a smart person, which you are, and you’re an engineer, and you build systems, do you want to do the same boring thing every day? No, you want automation.
But in the area of security, it’s doubly important, because we have to do it right, every time. Humans are not perfect. So we need to use automation wherever possible to make sure we’re doing exactly what we need to do.
Do you have one or more SOCs to monitor operations and risks?
We have different SOCs, and they are all virtual, there is no room, for example, that has a SOC for different companies. So Amazon Retail, the e-commerce company, has its own SOC. AWS has its SOC. And that’s intentional, because we don’t want anyone in retail to have access to AWS customer information. And the way we use these SOCs follows the cycle of the sun around the world. This means, for example, that people who are on call at any given time could start in Virginia. And six hours later, they hand over to Seattle, which then switches to Sydney, Australia, which then switches to Dublin, Ireland. Yes. We also have specific operations in each country.
How do you protect your customers’ personal data and control human risk?
We work with national authorities in all the countries in which we operate to ensure that we meet regulatory requirements. So whether it’s responding in France, or the NCSC, the UK, or whoever it is, separately on the security side, it’s a job that never stops, that will never be finished. Because our opponents are always changing the way they attack. So we have to constantly change our defense. It’s like a football team that only has one way to counter attackers; it would surely hurt if they found a way around that fast enough. We improve the security of all our services through pentests. We use red teams to scrutinize our services and to test if they work as they should.
Is recruiting still difficult in the United States and the rest of the world? Do you expect business to drop with the coming recession and have you started to slow down recruitment in your security sector?
I think the industry itself does not have enough trained security professionals. If people have technical skills and are interested in security, this is a great job field with lots of openings right now. And if you go to our jobs website, there are probably 2,000 open positions right now for IT security professionals. And we are just one company. And there are a lot of companies hiring people. The problem is that there simply aren’t enough trained security professionals.
Try collaborating with universities?
Yes, we work with universities around the world, we intentionally go to places outside the United States because there are talent pools that we want to access. For example, Cape Town in South Africa has a very good university. And we really like the students we can recruit straight out of college in Cape Town. Similarly, in Europe, there are a number of large institutions in Germany, France and the UK in particular.
Yesterday you talked about your operations in Ukraine. What is the cost of these operations for Amazon?
We did not ask the government to pay. As far as I know, the price for Amazon is insignificant compared to the price the Ukrainian people and country paid because of the Russian invasion. We are here to do whatever we can to help them in this situation.
Do you have activities in Ukraine?
No, no data centers, no offices, no activities. The Ukrainian government has asked us for help. It’s a good thing and we were happy to help them.