AWS re:Inforce 2019 - Keynote with Steve Schmidt

Please welcome Amazon Web Services vice president and chief information security officer, Steve Schmidt.

Good morning everyone, and welcome to AWS re:Inforce. This is our first inaugural conference, and since I said first, you probably get a hint that there'll be another one. We'll talk a little bit later about when that's gonna be and where. We're gonna talk today about a broad overview about security in AWS: security of the cloud, security in the cloud, how we can help you build securely, the kinds of things that you should expect to see from us in the future. We're gonna take a look at our culture of security. I think one of the most important things we can do as a security industry is build in the right behavior profiles for our staff, and that means building behavior in both the security engineering teams but also in the development teams that we support, to help them understand that security is an integral part of everything we do every single day. We'll of course talk about some new tools, some new features that we have to offer, the new things that are coming out this year. We're gonna have a couple customers join us on stage; they're gonna give us some insights into their migration paths as well as some of the lessons that they learned as they move from an on-premise environment into the cloud. We're gonna go deep on a few technical things that I think are important for people to know, things they should be focusing on, some tips that may help you move yourself forward more rapidly. And then we're gonna finish up with a roadmap and some hints and predictions of where we think our industry is going and where the technology is going as well.

So, the state of security. We'd love to be able to say, hey, everything is awesome and strong, thanks very much, have a nice conference, but that really isn't where reality is in the world. Here we are in a position of strength as an industry. Customers regularly tell us that they are better off operating in the cloud than they are in their own data centers
on-premises, and that is not only from the availability perspective but often from a security perspective as well. We've got more than 2 million customers doing billions and billions of transactions every single day. Are we perfect? Of course not. But I really object to the "sky is falling" mantra that some security vendors put out there. That is just simply not the case, it is not true, and it's not good for us as an industry. We want this conference, re:Inforce, to be about taking you from that ninety-five percent point to a hundred percent of where you want to be in security. This is about learning about how to do things, how to succeed, and it's an area that I think we'll be able to give you practical materials that help you build the security environment that you want for your business or your industry. I want you, every single one of you, to walk away with at least three, maybe five things that help you make yourself more secure every single day that you operate, and more secure than you were yesterday. Interesting thing is, most of the services and features that we'll talk about from AWS aren't even revenue drivers. These are just trust and success factors that we think are important to helping you succeed in your business.

So was Thoreau the original cloud evangelist? In this case, maybe, maybe not. We'll talk about some foundational aspects of security in the cloud, along with the current state and some philosophical discussions about where we think the AWS cloud can be a business differentiator for you and your organization. There is always a tension between data sovereignty and resiliency. You need resiliency, but you have to balance your activities with rules that are imposed on your industry. Are you subject to GDPR, for example, or do you need data residency in a particular country, and that sort of thing. By the way, that is particularly relevant to this conference: when we were looking at the registration materials, we found that there are more than 50 countries represented in the conference
here today, which I think is awesome. It really gives you an idea of how global this business really is. The Delaware North quote that's on the screen there indicates that we have a really good story about resiliency, and that's super important to the thousands of regulated customers we have who cannot tolerate downtime of any kind. What I think is also really important, though, is your resiliency plans must include the ability to be resilient within a particular country or within a particular region. No discussion about security is complete without a discussion about availability, and I think they're really, really intertwined. People often try and separate them and look at them as two problems, but they are often the same thing.

So how does the physical world that we live in and we operate in affect cloud services and cloud security? Well, I'll be happy to tell you, of course. I present you with the concept of a building. You know, they've been around for a very long time, we're all familiar with how they're constructed, we live in one. But in my world a data center is a building, and it's something that I think we do a very good job with. We are good at constructing our facilities, we know how to operate them well, etc. But herein lies a problem: buildings can fail. It happens all the time. Lightning strikes, tornadoes happen, earthquakes, blizzards and so on, and one point of presence in the physical world is a statistic waiting to occur. So what do you wanna do instead? What you want is many buildings composed into a campus, a campus spread across an entire region. The point here is statistical diversity, physical diversity, and the ability to build applications which meet your particular requirements for availability.

Now, we don't like it when anybody has a bad day in the cloud, including our competitors. However, this quote illustrates a point of differentiation: availability zones, a building versus a campus. Here's a case where a single building, which a provider, who's unnamed, might call a
region, was not robust enough. A lightning strike happened, the building went offline, and in this particular scenario the way it played out was that provider lost all of their services in that region. Compare that to our concept of availability zones. We don't set up a single building and call it a region. We want maximum robustness in our designs. To that end, our infrastructure is composed of 64 availability zones within 21 geographic regions around the world right now. We've also announced plans for 12 more availability zones and four more AWS regions: Bahrain, Cape Town, Jakarta and Milan. Our AZs provide you with the data center redundancy and availability that you need to run your business, and they're all interconnected with over 2.6 million miles of network that we operate. Unlike other cloud infrastructure providers, for us a region always has multiple availability zones, and availability zones have multiple physical data centers associated with them. By comparison, some cloud providers claim to have over 50 regions, but when you really look into it, each region has no AZs at all, just one single data center. So it's really not comparable to call what they call a region anything near what AWS understands the region to be and our customers expect.

So in one of our regions we should drill down further. Each AZ is isolated, both by distance, by power systems, by separate networking paths, etc., and that gives the customers the ability to operate production applications or databases in a fault-tolerant and scalable fashion that's not possible using a single AZ. All of the AZs, by the way, are interconnected with the network that we operate. It's a high-bandwidth, low-latency interconnect over dedicated metro fiber. If you ever had a chance to look at some of the talks that Peter DeSantis gives at re:Invent, there's a really fascinating day against the way we build the network between these facilities and how some of them have and thousands of fiber cables interconnecting them rather than depending on
dense wave division multiplexing, because of the failure modes that are associated with it.

Okay, we're gonna do something now that's gonna make the guys who run the networking infrastructure in here really upset at me, because they weren't expecting this. We're gonna do a thought experiment, group participation. There are about 5,000 people in this room here; there's another five or seven thousand people watching on a live stream right now. Take out your phone and search "how many availability zones does" a provider of your choice "have". Choose whatever provider you want and look at the results. You'll probably be directed to a discussion about regions instead of AZs, or what an AZ is, as opposed to how many a certain CSP has. Ask yourself: why don't they answer transparently? Maybe it's because the answer could actually be seven, or four; it's really hard to tell. And this is reflected in service availability. Service downtime is a big deal, a big component of security; it's a part of availability. And interestingly, even though we have many, many more AZs and more regions than the number two provider does, they have had five point seven times the downtime we have over the last 24 months. Our customers are very clear about what they want and what they need: always on, always available, always secure. And that is our value proposition for our customers.

For us it continues to be about customer focus. Amazonians have learned from the day that they got into the company that we really value the customer input process, but more importantly, we always look for ways to improve the way our customers are using our services and the way they're experiencing our customer service. We've reduced prices 73 times since AWS launched in 2006. An example of a recent price reduction that's relevant to the security community, for example, is a service like AWS Config rules, where we provide 84 managed rules that customers can use to write custom Lambda functions to take actions when there's an event that
they're concerned about. As of August first, Config rule prices have changed to a pay-per-use model. Our customers are charged by the number of evaluations that they run each month, and when this goes live we expect customers to nearly have 50% cut the cost that they have associated with Config rules.

Innovation is a wonderful part of the business. It's one of the reasons I love working here. I'm a builder at heart, and it's something that I really, really enjoy, and we continue to iterate at a faster clip than anybody else out there. We don't often talk about the many, many capabilities that we're adding to our services or features. It's kind of ridiculous, because it's about five a day at this point. Interesting thing for my team is that we have to do an application security review for every single service that's launched and every single feature, so it is this marathon of sprints, if that's a possibility, that we have to put together to keep up with our service teams.

So let's talk a lot about how cloud provider X (you can fill in the X there with some other folks' names) define compliance programs. How do they define it? Is it something to comply with in particular, some recommendations, some casual advice, that kind of thing? What's happening in reality is there are a lot of providers out there who take everything they can think of, throw it in a pile, and call it a compliance program. Does that really help you stay secure? Maybe, maybe not. We have a little bit of a different view. We've got about 210 security, compliance and governance features and services that we've launched, which is about 44 0 times the number that the number 2 CSP has. More importantly, though, we've driven encryption into a hundred and seventeen different AWS services, which is three times as many as any other cloud provider out there. We're always adding new capabilities, for example new components and infrastructure security, new encryption capabilities, better and more fine-grained IAM controls, or standalone security
services like GuardDuty, which is built by my own team. The important thing here is the bad guys are always improving the way they're doing their business. We have to be constantly improving as a security industry as well, so we'll always be adding new features and new capabilities to help us keep up, and in fact get better than the bad guys in many circumstances.

As we always bring you new building blocks, we also focus on where we think we need to be in the future. If you look at stats on the screen here, it's kind of an interesting slash scary point when you think about IoT. It's an area that we really need to focus as an industry there. IoT traffic's increased 150 times recently, and an interesting comparison is, if you look at the Internet traffic as a whole, around 94 percent of what we see on the Internet is encrypted with TLS. Nice job, people, that's awesome, we love seeing it. The difficulty is that about 99 zero percent of the traffic coming from IoT devices is plain text HTTP, which is a giant fail as far as I'm concerned, across the industry. It's one of the reasons that we built AWS IoT Defender. I think every IoT solution should start and end with security. Here, IoT Defender of course helps you identify your devices, authorize them on to your infrastructure and your services, add encryption, access control, etc. But most importantly, IoT Defender also gives you a way to patch and update your devices, and that's something that many developers never thought about when they deployed these small low-power devices out into the field. You must be able to update them with new software, with new firmware, in a reliable fashion, because there are bugs in code that have to be fixed.

IoT is not only in the ground, it's also in the sky. So we built AWS Ground Station to help people manage and control satellite systems, downlink and process their data, and scale their operations across the Internet as well. Ground Station of course was built with our security and identity infrastructure in place, so
that the customers who've never had an access control policy process like AWS IAM before can apply that to satellite operations as well. It's a real differentiator for them.

So we continue to look into security. Of course we've got additional services that my team vends, like GuardDuty, which helps you secure your infrastructure; Security Hub, which helps you understand how you're using your infrastructure, to prioritize your alerts and your compliance status; Inspector, which helps you look at your applications and your operating systems on all of your machines; and Macie, which helps you discover and categorize the data that you have, but more importantly understand how your humans are accessing that data.

There are a few sessions I want to point out about foundational security, and the tracks are broken out, and I'll talk a little bit more about them later. The leadership session today at 3:15 is being led by senior principal engineer Don "Beetle" Bailey and Corey Quinn from Last Week in AWS. They're going to talk about some best practices, some features and security updates that you may have missed, and it's an awesome opportunity to get brought up to date. So now that we've taken a quick look at our services, I'd like to bring on stage principal technologist Abby Fuller to give you some insights into our security culture.

Hi everyone, my name is Abby Fuller, and I am a principal technologist here with AWS, and I'm here today to talk a little bit about how we build a culture of security here. So I have a quote here from Lemony Snicket, I think wrote A Series of Unfortunate Events books, and I'm not sure whether that's really a good omen or not here, but it says "nobody wants to fall into a safety net, however it beats the alternative." And I think that for a lot of us, the processes and culture around security, that is the safety net. So day to day, with regard to security, we think about it all the time, right? Internal teams, external teams, we all do this the same way: we work backwards from the
customers, and we have to think about it at every single piece of the day, right? And there's no one, definitely not in this audience, thinking, "I don't need to be secure." So we have a lot of customer meetings, we talk to a lot of folks, we ask questions, and you'll often hear us say, and if you haven't heard it before you'll definitely hear it today, that security is job zero, security is job one. And however you say it, it means the same thing: that we take security extremely seriously throughout AWS, from our dev pipelines to our operations runbook. And at the root of that, teams all follow the same processes. We communicate, we escalate, we sanity check, we build safety nets, and security comes about as an extension of all of that. We will delay products and features to address security. It is sacrosanct.

And one of the first parts of that, one of the foundational aspects of security here, is the principle of least privilege, and that means giving everything, a role, a service, a person, the least amount of access that they need to do their job. And this means getting humans away from the data, because if they don't need it to do their job, the more access that you have, the more it introduces a huge amount of risk into any business if your access levels aren't dialed in. So we have a group internally that monitors critical permissions 24/7. We don't share access between service teams. There is no blanket "here, take a look at everything" permissions level. This is about giving developers and operators the ability to do their job, but not the ability to have access to encryption keys, intellectual property, personally identifiable information, or any of the other sensitive items that are at the core of your systems.

And one of the things that we hold near and dear here are service level agreements, or SLAs, and the goal of these is to hold people accountable when things go wrong, because it is practically impossible, or really not at all possible, to design a system that will never fail. And even if that were
possible, attempting to achieve perfection is not cost or time effective. It is better to define the desired reliability for each system or its components in terms of the percentage of the time that it is working properly, available. So for example, an SLA of 99.99, often called four nines, would mean that the service is only down approximately 4.3 minutes a month.

So you have standards in place. Now what? You get to automate, and you get to template things out, so you want them to be repeatable and portable. And that might mean building directly from repositories, it might mean making it part of your CI/CD process. You want to automate with CloudFormation or with something else that does resource management. But repeatable doesn't mean just installing packages and putting your application in a pipeline and then calling it good. You have to test and observe and debug as well, and that's how you know that your templates and your applications are working. You have to watch them, and you have to understand your system. So we see more and more people not only logging for post-mortems, but to understand: hey, what's happening in my application, and why, and is that okay?

And part of a culture of security is the flexibility to adapt. As our workloads change, as the way that our customers build their applications change, we have to change too. And as more and more of our customers have started to adopt containers and serverless, we've grown along with them, and that means how we think about security too. So if I'm running Fargate or if I'm running Lambda, I don't manage EC2 instances anymore, and those instances themselves, that could have been what led to a security vulnerability. So we all know that we have different levels of users out there with different concepts of security standards. So how do we go about starting them in a secure space right from the jump, in an environment where we can handle the patching and updating for them? So with Fargate or with Lambda, you focus on building
secure applications, and we'll give you the tools to help you build that successfully, but for the instances themselves, we patch them and we update them for you.

But speaking of the instances, we still want to innovate constantly on behalf of our customers, and that starts with Nitro, which is focused on great isolation and security. So the Nitro controller is really in charge of that whole system. The Intel processor mainboard is really an untrusted peripheral that is used to run computer workloads. The Nitro controller first boots from a local, totally private storage device, then orchestrates the boot of other Nitro computers as well as the mainboard. It first validates all the firmware on the mainboards to ensure nothing has been modified for a previously installed golden image. Then, in the hypervisor case, it injects a fully validated hypervisor directly from the Nitro controller, or in the bare metal case, allows the mainboard to be booted from an emulated local NVMe device, emulated by another Nitro computer, that is actually a remote EBS volume. And once that system is operational, Nitro computers offload and accelerate all I/O: VPC access, EBS volumes and instance storage volumes. Encryption keys for I/O are provisioned by and cached on the Nitro computers and are inaccessible from the system mainboard. The mainboard has no direct access to the trusted EC2 network. All network access is a hundred percent mediated by the Nitro system. It is impossible for software in the mainboard to reach any network other than the VPCs that have been associated with that host. And finally, with no domain 0, or dom0, needed or present on either the system mainboard or any of the Nitro computers, that means there's no interactive mode of access like SSH, and thus zero human access to these hosts while operational. All interaction with the system is via authenticated, authorized and logged API calls.

And we want to keep innovating with Nitro as well, so there's Nitro with Firecracker. And as we shift
towards these containers and serverless workloads, we saw an opportunity to build virtualization technology that will be able to support these workloads efficiently. And that means that we need to have both the security and agility our customers have come to expect from VMs on EC2 and the flexibility and performance of things like containers. So you have to balance both of those, both security and performance. Until Firecracker, you had to choose between containers, with fast startup times and high density, or VMs, with strong hardware virtualization based security and workload isolation. In other words, you have to choose between security and performance. We will all in this room always choose security, and with Firecracker you don't have to. So Firecracker allows you to deploy workloads in lightweight virtual machines called microVMs, which provide enhanced security and workload isolation while enabling the speed and resource efficiency of containers. So, a really minimalist design: it excludes unnecessary devices and guest functionality to reduce the memory footprint and attack surface in each microVM. But the bottom line here is that no matter how you're running your workloads, we want to put security first.

And that leads me to where I think this space is going, and I think where it gets interesting: something like AWS App Mesh. So I can have many different kinds of compute inside a mesh, right? I can have an application running on EC2, I can have a container running with ECS or EKS, I can have Kubernetes on EC2. In the fullness of time I'd love to see something like Lambda functions inside of App Mesh. And where that gets interesting is, because I can mix and match, I can drain traffic off from one type to the other. It lets me experiment a little bit more. But what's really interesting is that security-wise, I can enforce policies and configuration at the mesh level. I can pass App Mesh a config, and I can have that enforced throughout the mesh. Plus, something that I
think is really important to us here at AWS is security by default. So with App Mesh, I opt in to things talking to each other, I opt in to different resources and applications talking to each other. And I think you see that throughout AWS, right? With a security group, with a role, I'm always opting in to access, I'm never opting out. So it doesn't start off being able to talk to everything; I have to tell it explicitly what to do. And I think that that's kind of what the AWS way of security is all about: so how can we help customers build whatever they want, but to help them be secure, reliable and scalable.

But I don't want you to have to do this all yourself. So ultimately, like every other AWS event, re:Inforce is a learning conference. We want you to walk away having found out about a tool or a feature or a service that helps you be more secure. And you can lean on tools to both check your infrastructure and applications or container images for vulnerabilities, but also to help you store data securely. We've placed a heavy emphasis on encryption over the past five years, so you've probably seen Werner say at one of the re:Invent keynotes, "encrypt like everyone's watching." And this is about having multiple fail-safes for security. There's no silver bullet, but there is a way to architect that one problem doesn't sink you, and if you have an overly permissive environment, it could be encryption that really saves you in the end. And I think that's more appropriate for today, maybe: there's another phrase that comes up really often in these keynotes from us. It says security is everyone's job, and that's you. And hopefully over the next two days, not only will security still be your job, but we'll find a way to make it just a little bit easier for you. Thanks everyone.

Thank you, Abby. This is a learning conference, like all AWS events, and we want you to walk away having found a tool or a feature or a service that makes you more secure, and you shouldn't have to manage all that learning and work yourself.
We've had a really heavy emphasis on encryption over the last five years. In fact, if you've ever watched Werner Vogels in his keynotes, he'll often wear a t-shirt that says "encrypt everything." I think that's a great mantra to have, and it's something that all of us should be thinking about in the design and development process. However, encryption is of course no silver bullet. It is one of the ways to build layered security that helps you recover from failures, because all software is written by humans, more or less, and all software therefore has bugs in it. So building layered defenses is super important. The other thing I think is really important that we focus on is security is everyone's job. It is not just the job of the security professionals who are in this room today, but every developer who's out there. We want to make sure that you've got the right way to do business, but we also want to help you build the muscle memory within your organizations and your companies to build properly, to build securely, etc. Because really, being safe and secure in the cloud would be really easy if you didn't have to do anything with your business. If you didn't have to have any customer data or credit cards, if you never had any employees interacting with systems or networks, it would be so easy to get this right. But that's not the reality, and that's realistically not what ships are for, especially not the ships that we operate.

No discussion about security would be complete without our partners, and our partners are present in our marketplace. We've got about 230,000 active customers using software in 39 categories across 4800 listings from 1400 ISVs. We're really delighted to announce a new public stat we're externalizing for the first time today: that we have over a hundred thousand subscriptions for security products in the AWS Marketplace, and that's 10% of all of the subscriptions are in the security category, which I think is really cool. It's a testament of the fact that the process works
and you folks are interested in as well. Some of the top vendors in that category were kind enough to help us sponsor our conference today. We'd like to appreciate the work done by McAfee, Palo Alto and Rapid7 for helping us bring the conference to you today.

So how does Marketplace work? It's actually really, really simple. A customer finds the vendors and the products that they're interested in, that they're approved for if they've got guardrails in place in their company. They choose the contract and the pricing terms for a particular project, and then you launch resources and the deployment model and the vendor specific deployments, whether it's a machine image, for example, or a container or a software-as-a-service. It really couldn't be easier, but most importantly it makes it super simple to try out new things without going through a heavyweight sales process. Today we're happy to announce the procurement system integration, which is a new feature in Marketplace that allows you to integrate with leading procurement system and authors using cXML, which is quite a mouthful. We're pleased to announce the first integration is with Coupa, a leader in business spend management. So if you're using Coupa, it integrates with Marketplace today. Support for additional vendors will be coming out soon as well. The reason we're doing this is because we want to make it super easy for builders to find, buy and deploy software that they need from over 4,800 listings across the Marketplace.

So a lot of security software is traditionally focused on alerting you to something, saying, oh goodness, something is wrong. But what we all really want is remediation. We want an action to take place when the alert is brought up to us. Automation is the most critical piece of this whole puzzle. I've said this again and again and again: if you're waiting for a human being to notice something to respond to a security incident, you are too late, which means you must use automation in order to succeed in this space. It's
important because of speed; it's also important because of talent management. There are not enough security engineers in the world right now, and we're falling further and further behind, so automation is an area where you must put some effort. Using a bunch of our services together, or alerting from a partner, for example, or AWS Config, you can use things like AWS Lambda to cause remediation actions to occur. We're happy to announce that AWS Config now includes remediation capabilities. With Config rules, you can associate a particular rule and a remediation, put them together, and an action will occur automatically when the rule fires. For an example, you could say you want to check that all S3 buckets do not allow public read access, and if they do, Lambda will automatically execute a remediation to close that particular issue for you.

A frequent ask we've run into time and time again is, please help us encrypt our Elastic Block Store volumes. That is done and done. All newly created volumes can be encrypted, either using a default key or your own key. You can set up an IAM policy which enforces the use of encryption, and a security team, for example, can enable encryption on all new EBS volumes without any action or code changes by the development teams. This is free, by the way, people. It's something that we just need to do. I'm happiest when the disks that are in our data centers, all they contain is cipher text, so please take advantage of these opportunities. Previously, by the way, one of the biggest objections that people had to using encryption on storage platforms was it was too hard to implement and it degrades performance. EBS encryption delivers the specified throughput that you select in terms of number of IOPS, and the performance and latency is exactly the same as an unencrypted volume, and again, this is at no extra charge. One specific implementation note that you should be careful of, by the way, is that because keys for crypto and EC2 settings are regional, be sure to opt in on a
region by region basis to make sure you get coverage across your infrastructure next up I want to highlight the fact that AWS Config has added support for API Gateway in all AWS regions and GovCloud you can now track changes to the configuration of an API Gateway stage such as cache cluster settings or throttle settings or access log settings you can also track changes to the configuration of the API itself such as endpoint configurations versions protocols that sort of thing and Config maintains a history of this over time which is really important to proving to auditors and proving to your security team how your infrastructure has been designed and implemented over time since we launched this we've recorded about 800,000 configuration changes for API Gateway resources from about 31,000 accounts on average we see about 20,000 configuration changes per day related to API Gateway resources across all regions as of this week you can now use AWS Organizations to centrally manage multiple accounts to scale your AWS workloads with Organizations security admins can use service control policies to establish permission guardrails that all IAM users and roles in the accounts must adhere to so whether you're just getting started with service control policies or have existing ones you can now use AWS Identity and Access Management access advisor to figure out where you should be limiting access because it's unnecessary or not needed and remember one of the most fundamental components of all access control is limitation of blast radius finding ways to shrink that and ensure you're not exposing more surface area than you absolutely must do we've talked quite a bit about crypto crypto is the thing that's near and dear to me here but it's really important to keep emphasizing and hear crypto should be at every layer of your design and your stack because it gives you layers of defense should something else fail we offer solutions at every layer most of them are free
take advantage of them for example at the application layer you can use our cryptographic SDK at the transport layer there are a lot of TLS options available whether it's through CloudFront or Application Load Balancer we even have our own TLS implementation in s2n if you're tired of using OpenSSL at the network layer we offer VPC encryption cross region peering and of course our VPN services at the data link layer most people don't realize that we use MACsec or by the way that's 802.1AE to encrypt all of the connectivity between our data centers so whenever anything leaves our physical control our walls we encrypt it on the data link layer and the physical layer as well so you don't even have to think about that finally today I'd like to announce the general availability of AWS Control Tower Control Tower is meant to assist you in setting up and governing multi account AWS environments in addition to multi account setup by the way Control Tower provides prescriptive guidance for customers on how to establish a landing zone how to create workflows to provision compliant accounts it integrates with IAM our identity and access management platform and offers pre-configured architectures for network design cross-account logging and audit control most importantly workloads which are deployed in landing zones are continuously governed by guard rails which are prepackaged governance rules that you can select and apply enterprise wide or just to a few accounts this has been a feature request that a lot of customers have been asking for for a long time we're really happy that we've gotten it available to you today speaking of governance it's always top of mind for folks a few highlights from our governance risk and compliance track this is a great place for everyone in the regulated spaces to get more knowledge about the space in the way we can help you meet and often exceed some really complicated compliance controls around the security or systems and to talk
more about operating in a very regulated industry please welcome Brian Riley senior director of global cyber risk management at Liberty Mutual thank you Steve and it is an honor to represent Liberty Mutual here in this rather terrifying room at Liberty we believe progress happens when people feel secure that goes to the core of who we are as an insurance company and underscores the promise we make to our customers to deliver protection from the unexpected delivered with care this same belief motivates our global cyber security community we know our company needs to innovate and we know that cloud environments like AWS are the laboratory in which that innovation will occur this morning I'd like to share with you a personal story about what I've learned as a security professional as we've migrated to AWS at scale to help us provide our business the confidence that yes we can make progress but first I want to take a moment and welcome all of you to Liberty Mutual's hometown we started a few blocks from here in 1912 and in the hundred and seven years that have followed we've grown into a global enterprise with 50,000 employees spread across 30 countries that includes a global team of over 5,000 technology professionals managing a diverse set of technologies from legacy systems to modern cutting-edge architectures we also have a large and growing presence in AWS among other cloud environments mirroring our global footprint we've deployed thousands of instances in over a dozen regions around the world today that makes up 25% of our technology footprint and we have plans to grow that presence substantially in Liberty Mutual grew to this scale in AWS while our IT organization itself was undergoing a transition adopting agile development practices and a DevOps mindset today 90% of our teams work using agile processes including our security teams and optimizing developer experience is among our principal objectives now with this pace of change it can be a challenge to
adapt our security practices to support this classically as a security professional I might have approached this challenge by writing policies and standards and mandating handoffs though internally I've often joked that those security requirements and standards many of which I wrote myself over the years can seem to be Word documents no one reads on a SharePoint site no one can find I think I might have touched a nerve there of course I don't need to tell a roomful of security professionals that that's a joke setting clear expectations of how we manage risk and clear guidance for what our developers need to do is the lifeblood of a security organization and we will always continue to produce that we've learned though that that's not enough we need to do better as a security team the transition to automated deployments removed some of the handoffs that would make those processes successful in the past and the transition to infrastructure as code is a challenge but also a huge opportunity for security teams offering repeatable builds and actual consistency between environments but if security is code and if infrastructure is code security needs to be code too it became clear to us that we needed to adapt and have our security team get closer to developers and this is something we had to learn the hard way through repeated tough conversations with teams across the organization and I'm sure many of you have had those same discussions yourself and it goes without saying any policy any written policy is going to struggle to keep pace with the rate at which AWS releases new services there's no decision we can make today that a year from now we'll still be the right decision because the cloud is changing so fast all of us need to keep an open mind and an eagerness to learn so we formed a close partnership with our DevOps there's our secure DevOps team giving us a trusted partner with close connections to our application developers and set out to use the cloud to secure the
cloud and one result of that is a product that we call radar radar is a framework for enforcing cloud security standards at a global scale routing CloudWatch events through this framework we can review changes across our global environment for consistency with our policies leveraging CloudWatch rules I'll give a deliberately simple example of this to help illustrate the concept and then go a bit deeper in a moment assume for the sake of argument someone tries to deploy an infrastructure that is not consistent with our requirements that everything is encrypted in AWS in transit and at rest the CloudWatch event generated when that S3 bucket is created is routed through the rules engine radar will detect the inconsistency and through automation turn encryption on if someone attempts to remove encryption from existing storage the same thing follows we'll turn it right back on and in all cases the logs generated by that are recorded so we can provide guidance to our developers on why their deployment failed the result of this is leveraging the cloud to secure the cloud building a flexible set of guardrails that allow agile teams to experiment while enforcing that our standards are met to give a couple of examples of classes of practices that we can enforce with this framework we can govern encryption across our global footprint ensuring that all types of storage are encrypted we can even enforce that RDS master secrets are stored in our secrets management solution we can govern external access across our environment controlling which classes of instances can receive public IP addresses changes to AWS security groups can be reviewed programmatically for consistency with our architecture we can enforce visibility across our global deployment ensuring that logging is pervasive tagging standards are followed now these are just a couple of examples of the 95 or so we enforce through automation today with an active product team that is building and curating these rules
but more than that this is not just a product this is an example of a way that we as a community of security professionals can approach innovation partner with DevOps teams and transform the way we provide value now if you want to learn more about radar the product team that built it is presenting it tomorrow afternoon in the ballroom upstairs they're going to go into much more detail about the architecture and give additional examples and I'll be there myself if you have questions for me as you go through the conference the next few days I hope you keep this transformation in mind and not just a transformation about our technologies but a transformation about us and our careers as security professionals look for new approaches that you can bring back to your organization it's been a pleasure to share details of our cloud security journey with you today I hope you have a great time here in our hometown and have a wonderful conference thank you thanks Brian that was awesome as a thought leader in that space it's kind of fun to hear from people who are operating in really conservative industries because it's an area where customers have found that they have an opportunity to really both disrupt the status quo but also have to meet an incredible number of requirements from a regulatory perspective to help meet requirements that often helps to have individual little tips or techniques and I'm going to switch to a much more tactical view of things at this point here's some sustenance for the security engineers who are in the crowd here the vast majority of security issues in the cloud really come from a lack of understanding I think a failure to dive deeply and I get it there are so many things to try out there are so many new features and services that we're releasing all the time I have a hard time keeping up with us and I work here it's a lot of fun there are about 20 new services to discover every time we have a re:Invent in November so how are you gonna fit those into your
roadmap but if you dive a bit deeper into our security portfolio the gains can be consistent and considerable across the organization so when you dive more deeply into things you find that there are opportunities for you to build in security into your development pipeline and I think that's an area where many people should focus if they don't already for example you can build something like AWS code pipelines with a container system and build in automated security testing as part of that work integrated security testing and security centric release control is really critical to any organization that has to get things right every single time and adding feedback loops help you correct common vulnerabilities more rapidly but more importantly teach your SDEs where they've made errors your software development engineers and help them prevent those errors in the future since no tool will ever be perfect you can also hear us talk all the time about scale at AWS it's something that we think is really an impressive part of operating the cloud because every customer gets to take advantage of our scale from a protection perspective things like automation and templatizing wouldn't be possible without scale in many circumstances and they're really best practices that most businesses should be taking advantage of but they're particularly important where the risk profile for not implementing the right controls can be profound now scale is something when you compose systems together that you can take advantage of the sort of synergies that they have with each other using for example GuardDuty Macie Inspector and Security Hub to investigate and respond to threats in a rapid fashion and also help you understand what happened after an attack and make sure that your response pipeline is properly built to respond to an issue and not just understand that there is a problem and notice I said response pipeline it is something that should be built on tooling that allows you to say not only here
is a problem but here's the solution to the problem and it can scale with my particular business an example of that by the way was that GE told us that they replaced their entire intrusion detection intrusion prevention infrastructure over a weekend when their incumbent vendor failed and they used GuardDuty to make up the difference in what was going on now of course at the core of security is encryption and identity management and those are all anchored on certificates or identities we heard that it was difficult to operate a root certificate authority so to meet customer needs a new feature allows you to create a certificate authority hierarchy with ACM Private CA you can create secure and highly available CAs which are complicated things to operate by the way without building or maintaining your own on-premises infrastructure this is something that not many people are really good at it takes a lot of very precise decision making and it's something that a lot of our customers had problems with so really wanted some help here this is getting rid of that undifferentiated heavy lifting that makes so many people unhappy now of course root CAs help you manage certificate chains but there are also secrets out there that need management as well secrets like usernames and passwords for databases and things like that and this is an area where a feature like AWS Lambda can help you when mixed with Secrets Manager automate compliance by rotating credentials across your applications as well as the infrastructure on which they operate now we of course want you to have building blocks that help you secure the foundation of all of your services but it's also important not to leave the front door open when you're doing this APIs provide an awesome opportunity for enterprises to develop and integrate your applications together however it can be a challenge to build security measures into APIs in order to protect data and meet your compliance requirements there are so
many ways to get at this particular problem we've built a lot of services to help you do that effectively so resource policies for example let you create resource based policies to allow or deny access to your APIs there are standard IAM roles and policies that we curate that you can use to control who can get and create and manage your APIs or tags that you can apply in IAM with IAM policies to control access to APIs so there are a lot of different ways that you can look at control and enablement in your API infrastructure where we take on the heavy lifting for you so you don't have to on the subject of APIs Amazon API Gateway handles all of the tasks associated with accepting and processing up to hundreds of thousands of concurrent API calls so that you don't have to build an infrastructure to do that that includes typical functions like traffic management and authorization monitoring version management and that kind of thing but you can also now create a CloudFront distribution and help secure your API Gateway with AWS WAF our web applications firewall the nice thing is this is really really easy to do you create a regional API and you create a CloudFront distribution you set up WAF and create a web ACL access control list that's appropriate for your particular workload and you attach the WAF web ACL to the CloudFront distribution done which is really much simpler than doing things the old way on this subject of code one of the things that we've invested in quite a bit is building up formal reasoning about the way infrastructures operate and for those of you who aren't familiar with it the problem we're trying to attack here is in a complex infrastructure the problem becomes this combinatorial explosion where if I want to say can this particular machine talk to the internet or is this policy more or less expressive or permissive than this policy it's very difficult to do so we built a set of tools that help use math to understand whether your
policies are more permissive or less permissive than a previous policy or whether one component of your infrastructure can talk to the Internet and it never should be able to or whether your S3 buckets are locked down consistently with your particular priorities and policies one of the things I'm most proud about though is Amazon GuardDuty GuardDuty is something we launched at re:Invent last year we've seen absolutely crazy progress in this space it has been one of the most rapidly adopted services in AWS history we've also not slowed down at all in building up the capabilities of GuardDuty we've increased detections by 86% since launch while also reducing the effective cost to customers by 28% some of our largest customers have seen their bills for GuardDuty dropped by up to 80% eight zero percent because of our cost reduction optimizations that we've undertaken here some new detections by the way that we've launched recently include crypto mining outbound denial of service attacks which often indicate that your machines have been compromised by a botnet or instances using your credentials to run intrusion tools lastly we have also added detections for use of root credentials that's something by the way that please don't do use IAM credentials that are minimally scoped to the roles that they need to to undertake if you're a security practitioner and you're looking to gain insight around EPIK tools and services the deep dive track is going to be for you as you see on screen a few of the call-outs here are denial of service detection security analytics and permissions management now when we think about operating in a highly regulated industry I think a customer and partner like Capital One comes immediately to mind we first heard about their cloud adoption at re:Invent in 2015 and now to speak to the progress they've made on getting out of their data centers I'd like to welcome to the stage their CISO Michael Johnson thank you Steve I'd also like to thank Andy
and the rest of AWS for inviting Capital One to be part of the first re:Inforce conference given the strategic relationship between Capital One and AWS it's a pleasure to be here let me tell you a little bit about Capital One at Capital One we dare to dream disrupt and deliver a better way our goal is to bring ingenuity simplicity and humanity to the industry that is most ripe for change that is banking Capital One is a 25 year old founder led company the nation's largest direct bank and the third-largest credit card issuer in the United States with more than 70 million customers and importantly Capital One just this year old order opened a Tech Center here in Boston if you think about the bank of the future there's really two parts to it on one side there's the innovation skills of a tech company on the other the risk management skills of a bank enabling proactive personalized customer experiences that transform people's relationship with money to help people live their best lives enabling and safeguarding the bank of the future requires a comprehensive transformation Talent technology infrastructure and how we work and now is an amazing time to be a technology and a cyber professional we're at the height of the digital transformation revolutionizing every aspect of human life with multiple mutually reinforcing paradigm shifts including platforming cyber is evolving from a tradecraft to a science and cyber professionals are defining the future of business when our CIO Rob Alexander addressed re:Invent back in 2015 we were just beginning our cloud journey even then AWS was a key partner of ours but that relationship has only continued to grow allowing us to bring award-winning capabilities to market faster while safeguarding our customers and our businesses we have embraced the public cloud and we are well on our way to migrating all of our applications and all of our data to the cloud we are now considered one of the most cloud forward companies in the world and we
expect to completely exit our data centers by the end of 2020 we're innovating much faster and our engineers are loving it our tech transformation is enabling how we rapidly deliver award-winning and innovative solutions to our customers by not worrying about the underlying infrastructure but importantly given the context of this conference now let's look under the hood and see how we're safeguarding our customers most important to us is the confidentiality the integrity and the availability of our data in the cloud cloud native companies must take a multi-layered approach to security leveraging internally developed tools like the Capital One developed open source Cloud Custodian and leveraging AWS safeguarding tools like GuardDuty Macie and AWS Shield and importantly while Capital One is always fully accountable for our customers data by leveraging AWS expertise to secure the cloud that allows us to focus resources on security of what's in the cloud and the innovation we need to deliver and so as I like to say together this makes us measurably safer in the cloud by reducing the attack surface constant hardware refreshes speed of deployment and automated patching dynamic attack surface with shorter-lived resources and frequent reprovision spread out attack surface with commingled data across multiple data storage arrays seamlessly integrating monitoring across all of our services and applications including real-time visibility into resources configurations and our control structures speed of detection and remediation of issues earlier detection of threats and improved data protection including 11 9s of data durability fine grain access control multi-region availability and forced data encryption and this ensures that the regulatory requirements are met through in-depth service assessments of every service speed in the cloud also allows us to be faster at safeguarding against new and emerging threats and the best example of this that we all had to deal with was in
early 2018 when Spectre and Meltdown were identified we knew that we had to replace our entire infrastructure footprint and patch all of our services both in the cloud and on-premise 'men team worked with OS vendors to receive patches validate and integrate those into gold image standards that we could deploy across our environment and by decentralizing the maintenance we were able to leverage thousands of software engineers across our company to move the applications to those new hosts we were able to do that within our on-prem in our data centers that still exists measured in multiple days we're able to do that in our cloud instances measured in hours we're also innovating heavily in the cloud an example of this is the Capital One developed Critical Stack the secure container orchestration platform for the enterprise Critical Stack allows customers to more easily leverage secure containerization by shifting the security boundary and managing Kubernetes easily providing improved deployment density moving past the one workload per machine model enforcing security controls with simple installation while retaining full management of all resources but it always comes back to talent as our founder and CEO Rich Fairbank says recruit great people and give them the opportunity to be great we've hired thousands of engineers and built an at scale engineering organization we have deeply embedded software engineers designers data scientists and cyber professionals within the business and we have a real presence now here in Boston with 9 Capital One cafes and a new tech center were forming an opening on MIT's campus in 2021 importantly at Capital One we're defining the future of how both cyber enables and safeguards a dynamic mission-critical and highly regulated business and we're doing this with AWS to deliver the bank of the future we invite you to join Capital One where we're working to change banking for good thank you thank you Michael really great stuff it's really
instructive to see how you can take a giant multinational organization like that and actually spin it and go in a whole new direction relatively quickly and effectively it's just a few short years since they started and they've made amazing progress doing it now a quote here from Abraham Lincoln helps us frame up where I think we're headed next and we're all gonna get there by creating it together in a lot of ways we give you the tools but you really drive what those tools are the path forward of course always includes our partners who are helping us create the future make sure that you visit them in the expo hall today three partners have significant launches that I wanted to call out this year first up Symantec has launched Cloud Workload Protection which works closely with Amazon GuardDuty to automatically detect threats and infrastructure misconfigurations in AWS and recommend necessary changes and automate the workflow to remediate those gaps and that last piece I think is really key close the gap with automation next up Palo Alto Networks is announcing the integration of a new security scanning API service with code pipeline integration that integrates security checks early in software development lifecycle these API services are part of their newly announced Prisma public cloud suite of security offerings and lastly of course McAfee's cloud division is announcing a product concept that they call shift left using CloudFormation templates in conjunction with McAfee's MVISION Cloud to identify configuration and compliance issues preemptively protecting companies that use it then from accidental misconfigs they monitor customer environments for configuration changes downstream to help you continuously protect your infrastructure now compliance and security walk hand in hand if you're doing it properly it's an area where in order to support the pace of innovation that we've got we have to support the innovation pace in our audit world as well we'll move away
from the very traditional world of audit by paper you know when the audit was measured by how many pounds of dead trees that you had to determine sufficiency and instead we're gonna be seeing a move towards automation in the audit process we want to move to a world where important workloads are continuously audited where there is no time frame during which a material difference or change can creep forward and we have to do that through automation customers are also asking their third-party auditors don't bring in a spreadsheet when you do an audit of us query our security controls via an API and detect changes using a dashboard we think that's an area that the industry is going right now and we can help move them with better tooling in that space now if we're looking towards the future let's baseline sort of a very traditional application process for a complex issue which is a forensic examination of money laundering or anti money laundering the way it used to work was that people monitored transactions using maybe a rule-based system and then they wrote that material down and they passed it off to a set of investigators who then of course laboriously paged through the paperwork that they got data review etc and if they find something interesting then they maybe go out and look for some interesting data from a third party to help corroborate something and of course then finally at the end of this long long process they might file a suspicious activity report you'll note that this is kind of analogous to what happens with a computer security investigation it's a lot about digging out the data and finding something out of all that mush that's of interest so where does a process like anti money laundering end up in the machine learning world well what we're seeing financial services institutions do now is use data lakes to put that of course pool of data into that you had previously then they're using Amazon SageMaker to quickly build train and deploy machine
learning models at scale and all of that automation removes that whole first series of actions that the anti money laundering staff had to undertake the interesting part about it is because machines do exactly what they're told it not only removes a lot of the delay lag but it also removes a lot of the errors that happen when humans are involved in processes the same thing should be true in your security response processes use the ML engines that are out there to develop models of the behavior of your applications and your services define what normalcy is and identify situations that are abnormal use machines to do it so that your highest value asset your human security professionals can focus on what's important which is human understanding of complex issues this is by the way how GuardDuty takes actions on your behalf we collect statistical norms about how your machines perform who they talk to over what period of time with what volume and periodicity and we identify situations where they don't behave like each other or like they normally do and we'll raise you an alert saying perhaps this particular machine has never talked to a Bitcoin mining hub before and now it is that's probably not a good thing and you might want to take a look at it and do something about it and of course if you add in automations from our partners you can remediate that problem or you can use AWS Lambda to do the same thing people are using ML in real life as well this is a great example to look at by the way so Celgene uses Apache MXNet on Amazon SageMaker to virtually analyze biological impact of potential drugs a model that used to take about two months to train by the way can now be trained in about four hours which is a heck of a differentiator for them if the average commercial drug costs more than two and a half billion to bring to market it takes about ten years getting to market quickly is critical not only to the financial success of organizations but also
realistically the patients who depend on that new medication in the past for when you were looking at this kind of drug development researchers would rely on imperfect image processing algorithms to analyze cancer cells and then they correct them by hand when they found errors with tens of thousands of cells this of course required a huge expenditure of time and effort now using SageMaker and MXNet deep learning frameworks Celgene can do this kind of critical toxicology prediction virtually which means it comes to market more quickly less expensively but also without putting live patients at risk now of course you cannot protect what you don't see and the easier it is to see what happens to your network the easier it is to secure it tools security tools especially typically rely on an agent or being a bump in the wire something that interposes your traffic they maybe then decrypt the traffic that they get they monitor it for compliance detect threats perhaps perform forensics but a lot of our customers have not tens or hundreds but thousands of virtual private clouds most companies that are out there have between 20 and 40 security tools that they're using which require some form of collection process deploying an agent or a collector for each tool is a recipe not only for inefficiency but also for an outage or vulnerability in your infrastructure so we decided to solve that we're happy to announce that we have traffic mirroring available for virtual private cloud today and traffic mirroring forwards traffic natively from your VPCs to tools of your choice without an agent or a bump in the wire and more importantly without performance impact to your infrastructure 19 partners already support traffic mirroring on launch including all the leaders in the security space they're available in the marketplace today if you want to experiment with them and we know that other partners will be adopting quickly speaking of service launches we're very proud to announce that
one of my own team services is generally available today with security hub you now have a single place that aggregates organizes in prioritizes your security alerts your findings from multiple AWS services like guard duty or inspector or Amazon Macy as well as from AWS partner solutions your findings are visually summarized for you on an integrated dashboard with actionable graphs and tables that help you focus your investigative efforts in the right place at the right time of course no security story is complete without our partners we've got 25 different partner integrations with security hub that are available today that's across 23 different partners but the point here is that you get not only alerting but the actionable movements towards a secure environment after the alert occurs if you use a partner integration taking action is always more important the partners listed on the slide here have built the integrations already that allow our customers to take action on their security and their compliance findings such as sending them to tickets or a chat bot an on-call management system or an orchestration platform this of course helps you not only reduce the time to resolve issues but also prevents compliance failures from creeping up in your environment down the road please make sure to attend Eli Cohn session listed on the right hand side of the screen there he'll provide a deeper dive into the various customer use case is associated with security hub switching gears a little bit we've been talking a lot about the virtual world but one of the things I'm responsible for in our organization is our physical data center security as well and we decided that we were going to take on the physical world using AWS tools as you can imagine the physical world is something that we want to understand what's going on and to do that we've got literally many tens of thousands of video cameras across our data centers around the world the old way of doing that was that we would 
collect all that information in NVRs which were local to a data center if we needed to do any kind of analysis on it we had to export the video and move it to a new system and keeping them updated was terrible and took it a lot of effort oh by the way they cost a ton so we got tired of that and we built an application that we use in-house that uses Kinesis video streams for streaming video so all of our cameras stream video directly to Kinesis all the video is stored on the cloud we use s3 for long-term storage of the video the playback is at 4k resolutions at 30 frames a second so it's awesome clarity but more importantly this allows us to scale our security operations with the business without having to build more physical and vr boxes and my team is known responsible for the availability of those physical envy ours we can meet all the compliance requirements we have to with this service and most importantly it allows us to apply new techniques easily to analyze that video like using recognition to understand who's in a particular facility at a particular point in time serverless is another thing that's really on top of people's minds our service technologies with AWS lambda let you run code without provisioning or maintaining or managing servers you can run code for virtually any type of application or back-end service all with its zero administration as Abby mentioned by the way security is one of the key strengths our server lists because customers have a lot less that they have to pay attention to you know unless your passion is maintaining an operating system or a container management platform it's really not where you want to spend your development effort in time so service allows you to depend on us to do all the underpinning heavy work and as Abby said AWS lambda is now running on a fire cracker which not only improves the latency of creating new VM containers but it also strengthens the virtualization barriers between functions if you've been paying 
attention to the security of containers you'll know that our decision to use virtual machines or VMs even Micro VMs as the security boundary for containers was a good one it turns out the container management systems were never really designed for multi-tenant security and as a result there are a lot of opportunities for improvement their momentum with lambda of course continues to grow with only three years in the market we see trillions of executions every single month and have hundreds of thousands of active customers every month using it as lambda for a long time it's not true anymore my security team was the largest consumer of lambda in the world because we use it to react to every alarm that we get on our infrastructure with an infrastructure our size of course you see lots of people poking at you but lambda allows us to scale our security team to the point where we still only have one on-call security engineer who's babysitting the automation and that I think is the power of using serverless architectures effectively we see a tremendous amount of growth in the application of machine learning and artificial intelligence historically security has been a really binary rules-based system which in which things are either okay or they're very not okay and we've built complex systems to define what okay is based on a number of criteria right now I think we're in a world where we can build strong defenses against known threats but we can build effective hedging strategies to intercept we thing intercept things that we think are okay versus risky we've lacked the ability however to apply human level intelligence to threat detection and remediation and today we're just starting to see that change I think we're in the early stages of a world where machine learning and artificial intelligence become a foundational and indispensable part I'm an effective security perimeter all right this is this is me getting up on my high horse here so I'll preface this with that but I 
am NOT a fan of dev sack ops we want security embedded in the dev process I think our industry and your applause indicates this thought this was a catchy turn you know let's throw some security in the middle of this dev thingy the real goal however is that security and development are embedded throughout your operations process they have to be there at every stage of development there is no scenario that I can envision where wouldn't security be nice to put in here should be a mantra that you're okay with in your infrastructure we're always working with things of value here whether its intellectual property your corporate reputation people's personally identifiable information credit card data none of this leads any sane person to think that security should happen eventually dev seccomp just has to be the way ops happen three takeaways I'd like to give you for this discussion things you can take home number one we have to be at the point where security is not scary let's dial down the fear uncertainty and doubt folks we have to focus on solutions because that moves everybody forward makes us all more successful number two there are real tactical things you can do right now to make yourself safer and real strategic decisions you can take to make yourself more secure going forward for the first thing let's look at the docks there is now a security section being built out for every single AWS services not just the security services it gives you best practices things you can implement immediately to help you be more secure on their strategic side as we bring together our makers and our builders emphasize that security is the top priority for everybody across your industry without customer trust it's impossible to operate in the digital space no matter who you are for CIS OS for the VPS in the audience the directors the CTOs make a commitment today that security is critical to the function of your business Andy Jessie says it on stage at every single reinvent security 
is job zero for AWS for anybody who operates a digital business you should be thinking the same way I report every single week to our CEO Andy on the critical security issues that face our customers because he cares deeply about the problem if your management chain is not thinking the same way find a way to encourage them to become interested in it because if you get ahead of the problem it's so much better than having to catch up when something bad goes wrong my team interacts with every portion of our business every single day and this should be the same for you as well Erik Brann Wan will be handling the leadership session for the pioneering and security track today he's got a lot of fun topics to talk about and I'm not gonna spoil it for you but let's just say that yes the Oregon Trail on a Mac se 30 does come up in his talk so keep you entertained but if you'd like more encryption guidance check out SCP 402 it's actually a really cool way to get real direct knowledge about how you should implement encryption practically in an organization but I think the most fun session that's going to be available today at least from my perspective here is the last one that's listed I'm always fascinated with how organizational events like this and reinvent happen behind the scenes now what are all the pieces that go together to make this a seamless event for our customers and make it a safe event for everybody so we actually decided to give you a design the scenes tour and the event engineering it's scale we'll talk about how we build the Wi-Fi infrastructure that you all use today as well as the security systems that help keep you safe so take a look at that if you're international customer we may just be coming to a location near you we're launching a ten-city global security Roadshow in August with the primary objective being educating our customers around the world on security and compliance with very hands-on content delivered by local security experts in AWS these are 
smaller events there's no charge they'll be happening in places like Sydney Tokyo Tel Aviv and more we'll have more of that available by the way on our AWS security blog which I encourage you to take a look at it feels like the right time to tell you this is not a one-time thing we hope to see you next year at AWS reinforced it's going to be in Houston Texas on June 16th and 17th of 2020 and according to all the people that I met in Texas the security event will even be bigger there because everything's bigger in Texas so with that I want to thank you very much for your attention today I hope you enjoy the afternoon thank you for coming
Info
Channel: Amazon Web Services
Views: 23,406
Keywords: AWS, Amazon Web Services, Cloud, cloud computing, AWS Cloud, reinforce, security, boston, reenforce, aws summit, aws security, steve schmidt
Id: FKphJNfpWk8
Length: 81min 18sec (4878 seconds)
Published: Wed Jun 26 2019