How AWS is Shifting Security Left to Protect Businesses in the APJ Region
Think you know cybersecurity? It’s not just about code and algorithms; it’s about the perpetual tug-of-war between the rapid cadence of innovation and the relentless quest for security, where victory belongs to those who master the art of balance.
As the digital storm rages on, creating endless challenges for the warriors of data protection, there are those who stand unshaken, their poise a testament to years of fending off the technological tempest. Kimberly Chow, the Senior Security Architect at Amazon Web Services (AWS), is one such stalwart. During our meeting at re:Inforce 2023, she dove into the swirling vortex of cybersecurity, illuminating the treacherous undercurrents of the Asia Pacific and Japan (APJ) security landscape. The perspective she offered wasn’t a mere exposition; rather, it was akin to lifting the veil off a shadowy enigma, offering insight that blends stark realities with glimmers of hope.
Navigating the Treacherous Terrain of Speed vs Security
Our dialogue begins with a fundamental struggle: the inherent tension between rapid-fire business and IT development, and the non-negotiable need for thorough security. This tug-of-war isn’t played on a muddy field, but rather on a vast, ever-evolving landscape filled with potential landmines and ambushes. To navigate this battleground, a delicate and often precarious balancing act is necessary. However, in this battle, speed is not the enemy of security, nor vice versa. There exists a harmonious state where both can thrive without impeding each other.
Kimberly, in her insightful articulation, captures this essence: “It’s all about shifting security left.” This phrase, though seemingly simple, presents a profound solution: if security measures are integrated early in the development process, every single piece of application code written is already secure. It’s like each developer has their personal security officer coding alongside them. This happens courtesy of Amazon’s AI-powered tool, CodeWhisperer. Kimberly emphasises that “The CodeWhisperer is like an AI pair-programming partner that spots issues in real time.”
This strategy, attacking the problem head-on from the earliest stages of development, empowers businesses to meet their aggressive timelines without compromising on security. Thus, the battlefield transforms into a concert, where the rhythm of development and the melody of security create a harmonious symphony, and the discord is silenced.
Evolving in the Face of Shapeshifting Threats
The digital landscape is a wild, living organism. It shifts, evolves, and frequently throws up new challenges in the form of emergent threats. Navigating this terrain is like trying to plot a course through shifting sand dunes – as soon as you take a step, the landscape has already changed.
So how does AWS, the Leviathan of the digital world, keep up with this ever-morphing landscape? It leverages a potent mix of experience, AI and machine learning. As Kimberly wisely reaffirms, “There’s no compression algorithm for experience.” AWS uses its decades-long experience and diverse user patterns to train AI and machine-learning models, shaping its security services to stay ahead of the curve. Their proactive approach helps them quickly patch vulnerabilities, even those as daunting as the infamous Log4j Zero-Day incident.
The AWS ecosystem is further fortified by partner services like Proofpoint and CrowdStrike, providing a robust line of defence. Kimberly outlines this collaborative approach, saying, “AWS focuses on a multi-layered security strategy, working with a wide ecosystem of security partners.”
The goal is not merely to react to threats but to anticipate and nullify them. The ability to evolve in the face of shapeshifting threats is what sets AWS apart, ensuring its customers can operate with peace of mind, even in the most turbulent digital storms.
The Power and Scrutiny Conundrum
When one holds power, the spotlight of scrutiny is inevitable. AWS, as a global tech titan, finds itself at the heart of this scrutiny, especially in terms of its security strategy. It’s like standing at the centre of a coliseum, with spectators all around, watching and weighing every move.
But far from buckling under the pressure, AWS has demonstrated a remarkable willingness to listen, adapt and improve. Kimberly candidly acknowledges this aspect, saying, “Our customers are our best compass.” This customer-centric approach, she tells us, has led to innovations such as encryption-by-default and improved public access management. Not only does AWS hear customer feedback, but they also implement it, transforming it into features that further enhance their services’ security.
The power of AWS doesn’t stop at its own growth; it also seeks to democratise access to technology. This strategy ensures that top-tier security isn’t just a luxury for the largest corporations but a standard feature available to customers of all sizes. “We believe security should be the highest priority, regardless of the size of the business or the sector it belongs to,” asserts Kimberly.
Balancing Act: Support and Autonomy
Walking the tightrope between providing support and respecting autonomy is an intricate dance, particularly when working with a diverse range of companies, each with its own unique understanding of security. AWS’s solution to this delicate problem is eloquently simple: a shared responsibility model.
As Kimberly elaborates, “The AWS side of the Shared Responsibility Model includes protecting the infrastructure that runs all of the services offered in the AWS Cloud.” AWS provides a secure platform and a wealth of resources like white papers and training to guide users. Customers, in turn, manage their security in the cloud, controlling configurations, managing data, and enforcing their security measures.
This approach strikes an essential balance between support and autonomy. AWS provides the foundation and the tools, but it’s up to the customers to build their secure digital fortress. The guiding philosophy is that security, like a well-orchestrated symphony, is a collaborative effort. Each player, AWS and the customer alike, has its part to play and its melody to contribute.
‘Chaos Kitty’
As Kimberly walks us down the winding lanes of the digital age, charting a path forward in a landscape continually reshaped by innovation and threats alike, we encounter a delightful surprise at this year’s re:Inforce expo: the ‘Chaos Kitty’ exhibit.
Developed by the AWS ASEAN team under Kimberly’s leadership, Chaos Kitty is a gamified security chaos engineering experience. As a playful nod to the unpredictability of the cyber world, the game challenges participants to solve synthetic chaos against the clock, making security not just a priority, but a thrilling adventure.
Imagine the scene: a bustling expo filled with the luminaries of the tech world, the air charged with anticipation. And at the heart of it all, people gather around an exhibit where a colourful lit board seemingly holds sway. Don’t be fooled by its playful exterior; this is where theory meets practice, where learning takes the shape of a game, and where security becomes a challenge to be conquered with glee.
“Chaos Kitty is a symbol of our approach to cybersecurity at AWS,” Kimberly shared with a twinkle in her eye. “It’s a testament to the fact that learning about security doesn’t have to be daunting. It can be fun, engaging, and immensely powerful.”
As we glance back at our journey through the cyber landscape of AWS APJ, we’re left with a sense of awe and reassurance. Whether it’s navigating the intricate dance between speed and security, evolving to tackle shapeshifting threats, maintaining the delicate balance of power and scrutiny, or supporting customers while fostering their autonomy, AWS has proved its mettle. And with the Chaos Kitty exhibit, we see a glimpse of the future – a future where security isn’t just understood, but embraced, practised, and even celebrated, from the schoolyard to the university, to the tech giants of the world.