We are seen of the moon delighted that we have Margo proteins from Amazon Web Services. Over to Margo.
Can you hear me? Okay, good stuff. So I’m here today to talk to you about security automation and how security automation will help you innovate. My name is Margo, I’m from Amazon Web Services, based here in Zurich in Switzerland.
My colleague Ralph is here as well, and we’re happy to talk to you throughout the day if you wish to speak to either of us. This is not a session on DevSecOps. Sometimes people use the term DevSecOps. DevOps is something that has enabled us in our industry to innovate. It has enabled us to push our assets faster into production and to recover faster, and of course that’s important because pace here is key in innovation.
But then it’s like somebody came along and said, “Oh gosh, I forgot my security,” and so, like the unpopular kid, the last kid getting on the bus, it is told to squeeze between Dev and Ops. So DevSecOps: this is not a session on DevSecOps. It’s not particularly a term I like.
Before we get into security automation, I want to talk to you a little bit about Amazon Web Services. I’m sure many of you, if not all of you here, know of Amazon Web Services. Okay, in 2006, the founders of cloud, our first services, EC2, SQS and S3, were launched. Now we have 125-plus services. Okay, it’s across the world, across 18 regions and 57 availability zones. Maybe something you don’t know about Amazon is the speed at which we release key features and new services.
These numbers here: what I’m actually showing on this slide is that in 2010 we released 61 new key features and services, as opposed to 2017, which was 1413 new key features and services. So these are services and key features that go all the way from compute, storage and network right the way up to machine learning, AI, IoT servers. Now there are two things that are interesting about these numbers. The first is that all of these features are released globally across our 18 regions and fifty-seven availability zones. The second is that we have hundreds of security standards we have to align to, that these services and features have to align to. So if you go to aws.com/compliance you will see the SOC 1, 2, 3, the ISO 27019, 27017, 27001, the C5, the HIPAA, PCI DSS, the FIPS, and then
it goes on and on. So how do we retain this pace of innovation with the security standards we need to align to? And this is something that, as customers, you have to do as well.
Let’s look at one of our customers. Amazon.com is a customer of Amazon Web Services, no big surprise there. In the length of time that I have been talking to you, there have been hundreds of updates on the live site. These are the metrics for amazon.com: about once every 10 seconds, across 30 thousands of instances, 30,000 potatoes. How do you maintain that rate of release while at the same time respecting the security of your production landscape? Imagine if we had a security incident with Amazon. Can you imagine that you wouldn’t know about it within milliseconds? With Noah badges as quickly as Amazon does, Twitter would be alive, it would be incredibly public. The answer lies in automation. Okay, specifically it’s automation.
And at scale: automation at global scale, automation at cloud scale, security automation. Now, automation is not new, okay? Automation has been a fundamental concept of DevOps since 2009. Okay, but if automation is a superhero of my story, we first of all need to understand who the arch enemy is, right? Because without Voldemort, Harry Potter is just a schoolboy. I’m Superman that Lex Luthor. Charles Xavier is not interesting at all; he’s just an elderly headmaster without Magneto.
So who is my arch enemy when I talk about automation? It’s the human, right? It’s you and me. Now, I like humans; many of my best friends happen to be human. But it has to be said that people make mistakes. Okay, so picture this scenario. You’re working on a team, you’re responsible for a system in production, okay, and some things go wrong. You have no idea what has gone wrong. People are live tweeting Avengers. The people who have given you funding are screaming down the phone and going “What?” and you need to resolve it. Maybe you’re on an incident call, maybe your organization does that, or maybe you’re on a Slack channel. Either way, you’re talking about 40 people, and 38 of them add no value. You’re on cup of coffee number seven. You think you might know the solution, and you need to make a change on this live asset. And you make that change because you want to fix this, you want to get the people to stop tweeting, you want to enable your customers to be successful.
Making a change in that scenario, you have a higher risk of creating an error than you would in the business-as-usual scenario. Or you have a higher risk of creating an error with a higher risk of putting something that fixes something in production for forgetting to or services, so a couple of weeks later with the same problem now.
Code: of course we make mistakes in code, and machines, machines can make a mistake, but it’s a repeatable pattern, right? So it’s easier to find that mistake, as opposed to you and me working at midnight, cup of coffee number seven, we’re making that change.
And people bend rules. This is my favorite thing about people, right? We love to bend rules. It turns a little bit on culture. I’m Irish, so I can tease: we love bending rules. You give an Irish person a rule, immediately our brain is working on how we can bend it.
But interestingly about rules, and in our industry, when it comes to rules, I have noticed the rules can bend the most in an effort to collaborate. It comes from a place of goodness. You’re working on something you truly believe in, what you’re working in, right? You’ve made clear changes so you can work on something that you believe in. You maybe truly believe in your Cu, you truly believe in the teams that you work for, and you have somebody come to you and they say, “Margo, please make this change. We’ll do all the steps in the next sprint, but can you do this now for me?” And you do it, right? You bend the rules. It’s something we do from a place of collaboration.
So let’s talk then about the opposite of collaboration. Let’s talk about malice. People can be jerks. You can tweet that. Okay, when you have people attack your live sites and then attack your products, that’s typically executed by bots, sure, but humans
somewhere have written that bot. Okay, people can act with malice, and we should instilled or at least not yet the armory.
So in my session today, what I’m going to talk about specifically is security automation at scale, at a large scale, so that your humans can focus on innovation and you don’t need to worry about that first job security. These four steps I’m going to talk about through this session are not exhaustive; there are many other steps out there. But no matter what your role is in your organization, you should really look at and examine how you are automating these security tasks in your organization. The first one is so simple.
There’s always beauty in simplicity. The first one is: establish a level of trust. No matter what you do in life, you’re always somewhere on a trust bar, no matter who you are, no matter what you do. And this also applies to security, and it also applies to using cloud services or using AI or using machine learning. So I have many customers, and when it comes to trust, the security, they’re down at this end. These are typically customers and they have dedicated security departments, dedicated security engineering practices, dedicated security tools that they have invested in, infrastructure that they have invested in that they wish to continue using, and typically a very structured organization that reports up into a CISO, and quite a bit of governance around that. As of these guys, they’re kind of down at the zero level of close. They want to use their own tools and they don’t want to hand this over to a cloud service provider. At the other end of the
scale we have customers in their reach 100%. This they know, they say like our that Amazon Web Services is more secure than their data center is, so they’re under 200. And then a lot of customers are somewhere in the middle, where they begin at a certain point and they move to the left or they move to the right according to their needs. The first important point is it doesn’t matter where you are in the trust bar. Amazon Web Services, with 125-plus services, 55 of which are in security: we can compare tools, configure services, where you are in the trust bar, and benefit from the cloud.
But how does this impact automation? So that’s not encryption, right? Dance like no one is watching, but encrypt like everybody is. One of my favorite things. So my customer down at the zero end, okay, they do everything themselves.
This means that they have customer keys, their own encryption algorithms, and they have their own hardware to store these keys in. Okay, but now we have determined that if they don’t have their own hardware to store the keys in, registering at a John’s laptop. And so we move further up the scale. We say, okay, use your own keys, your own encryption manager, own encryption algorithms, but they store the Key Management Service from Amazon, for example, which is FIPS Level 2 compliant, like a hardware security module, and then you.