It really does take a village to keep you secure in the cloud


AWS re:Inforce sign outside Boston Convention Center. July 26, 2022
Image Credits: Amazon

As I walked the halls of the massive Boston Convention Center this week for AWS re:Inforce, the division’s annual security event, I spoke to a number of vendors, and one theme was clear: Cloud security really is a shared responsibility.

That idea has been around for some time, but it particularly hit home this week as I listened to various AWS security executives talk about it at the event keynote and through the ensuing conversations I had during the week.

At a very high level, the cloud vendor has the first level of responsibility for security. It has to make sure that the data centers it runs are secure to the extent that it is within its control. Yet at some point, there is a gray area between the company and the customer. Sure, the vendor can secure the data center, but it can’t save the customer from leaving an S3 bucket exposed, whatever the reason.

Security is such a complex undertaking that no one entity can be responsible for keeping a system safe, especially when user error at any level can leave a system vulnerable to clever hackers. There have to be communication channels across every level of the organization, with customers and with concerned third parties.

When an external event like the Log4j vulnerability or the SolarWinds exploit impacts the entire community, it’s not one single vendor’s problem. It’s everyone’s problem.

The idea is that everyone has to communicate when problems pop up, share the best practices and pull together as a community to the extent possible to prevent or mitigate security events.

So many events

As Steve Schmidt, AWS’ chief security officer, explained in the event keynote, AWS is a target. It has to deal with millions of events every month, most of which we never hear about. That’s why, he said, customers need to deal with the little things, and Amazon will take care of the bigger things for them.

“Work out your short-term security needs first because the outlier cases are the ones that we’re far more likely to see in our everyday monitoring and build into our services so that you don’t have to do that work. With millions of customers, AWS handles billions of distinct customer activities from APIs to logging, etc. Given the scale, we see things that an individual business would not see in generations of operations,” Schmidt explained.

AWS’ sheer scale helps it understand security at a level that other organizations simply don’t have the firepower to relate to. “Given the number of tickets and feature requests that we get every day, it’s entirely likely that we’ve handled 50 things for you this month that just happened. And you had no idea that we were protecting you behind the scenes. At our scale, every outlier scenario that can happen does, and I’m talking about those disproportionately hard-to-predict and rare events that are beyond the realm of normal expectations in history, science, finance or technology. We see events such as those routinely in AWS,” he said.

To give you a sense of that scale, he said the company tracks quadrillions of events — that’s a number that has 15 zeros — every month.

Schmidt said that at AWS, security is baked into every service, and they have security guardians — software engineers embedded in each service development team — whose job is to make sure that the service is as secure as possible.

“[These guardians] are in that process for the entire lifecycle of service conception through service delivery. You must not bolt on security after you build something; it has to be in from the very beginning of when we build things. This is a best practice that we recommend to customers as well to weave security into your development lifecycle and your operations,” he said.

Keeping communication channels open

Mark Ryland, director of the office of the CISO at AWS, said his team’s job is to communicate directly with customers about security concerns. That could involve fielding calls from a concerned customer CISO when a large event like Log4j happens, or reaching out directly to CISOs to communicate about such an event and how to mitigate it to the extent possible.

He said part of that is bringing the voice of the CISO to internal AWS development teams to help them understand what concerns this group is having so they can address them. “We’re constantly talking to our most security-conscious customers. We actually make sure that the service teams are getting the feedback that we’re hearing … to make sure that the voice of the CISO is reaching them,” Ryland said.

In addition, he said, when it comes to new customers, especially larger ones, his office becomes the security voice of AWS. The idea is to give customer CISOs access to a group with the knowledge to answer questions about the inner workings of AWS security operations and give them a point of contact for related concerns.

He added that it’s important to build a community with these people, so his team does a lot of outreach and information sharing. “We have a CISO Council, which my team runs, where we meet periodically with some of our top customers. We have something called a CISO Roundtable, which kind of scales that globally,” he said.

“It has a broader audience. So we’re able to do outreach in terms of education, community building, best practices sharing across the community, and the customers often are the ones presenting, not just us. They share with each other. So we’re able to build a stronger community that way,” he said.

Jenny Brinkley, director of AWS Security, helps run the Guardian program, which is charged with keeping AWS services secure. She said that AWS is always talking to other companies, even competitors. Ultimately, it’s in the best interest of everyone working together to keep the cloud secure.

“It’s not in this siloed space, and a lot of the individuals that work inside of AWS and collectively within the industry, we all have long-term relationships with each other. So if there’s a mutual benefit for the industry, there’s a lot of conversations that happen around how we operate and how we work. … And if it’s something that’s going to benefit the community, we will absolutely engage and partner and work with one another,” Brinkley said.

Partners helping out

There are also partners — vendors who look at security from a broader perspective, spanning private data centers to multicloud environments. Lacework, a startup that landed $1.3 billion last fall at an $8.3 billion valuation, has designed its product with integration across all clouds in mind, according to co-CEO David Hatfield.

“We’ve announced seven or eight products over the last year and a half supporting all clouds, and in AWS specifically working with Graviton and Fargate, integrating into the Command Center. We are doing all of this to make it really easy for customers to operate and leverage the other services to build out their environments, versus security being kind of a blocker to innovation,” Hatfield told me.

Peter McKay, CEO at Boston-based security startup Snyk, agreed that the ability to integrate with public clouds is a critical component of innovation and digital transformation. “With the addition of Snyk Cloud, Snyk now secures the end-to-end software development lifecycle so that developers and their organizations can securely deploy applications to the cloud,” he said. That includes integration with AWS as well as Microsoft, Google and IBM clouds.

CrowdStrike also integrates with AWS and other clouds. Param Singh, CrowdStrike VP of the Falcon OverWatch product, gave the example of inspecting containers running on AWS Fargate to see what software is inside them and whether it is in compliance.

“Basically, if somebody is using containers provided by AWS Fargate, we can look into those containers. The best part is when we look into containers, we can also see what software they have installed, what libraries they have installed and create a small software bill of materials,” he said. And if one of those libraries is out of compliance, the developer will get a message to update it, as one example of how it works with a cloud vendor’s products.

Even with all that communication and vendor crossover, security is a tough road. Vulnerabilities will pop up, individual companies and governments will have to deal with ransomware attacks, major breaches will happen and unforeseen events like Log4j will send the entire industry scrambling.

It’s a constant battle, but cloud industry companies — including Amazon — see this as a community effort, meaning it really does take a village to stay safe in the face of this enormous threat landscape.
