AWS CISO On Cybersecurity ‘Baked Into’ Chips, Security Services And Marketplace
Amazon Web Services Chief Information Security Officer Chris Betz takes a deep dive with CRN about AWS’ overall security strategy, new products, channel partner opportunities and why the $110 billion cloud giant doesn’t publicly break out security sales.
Amazon Web Services is one of the most important cybersecurity organizations on the planet, yet the cloud giant never breaks out security sales figures.
With a current annual run rate of $110 billion, AWS is arguably one of the largest security vendors in the world with a red-hot innovation engine consistently releasing new products, tools and features.
Chris Betz, AWS’ chief information security officer (CISO), said his Seattle-based company doesn’t break out its cybersecurity revenue figures because that’s not how AWS strategizes its security portfolio and market approach.
“My team partners with EC2 as they’re releasing each new product. We’re diving deep into the Trainium2 and the Trainium3 chip sets and deeply looking at the security features that should be there and how are they designed,” said Chris Betz, AWS chief information security officer (CISO). “Security is built-in across AWS services. It’s important to realize that security is baked into everything that you’re touching.”
From Intel- and AMD-based chips to its Nitro System and EC2, AWS is constantly building security features across its portfolio.
Additionally, AWS is counting on channel partners to drive security solutions via the AWS Marketplace as well as independent software vendors (ISVs) who AWS will both partner and compete with.
“We recognize there’s no one magic solution to security. So leveraging that giant Marketplace of those partners is incredibly powerful,” said Betz.
In an interview with CRN, AWS’ CISO talks about his company’s cybersecurity philosophy and overall strategy, new AWS security products and the “massive” AWS partner opportunity.
“It’s my job and our job to make sure that the AWS cloud, as a whole, is secure. So we need to make sure that we are providing everybody a foundation with the highest level of security we can make happen,” said Betz. “But my care-abouts don’t stop there. Because I desperately want to make sure that customers operating on AWS are the most secure.”
AWS doesn’t break out its cybersecurity sales so it’s hard to compare AWS against others like Palo Alto Networks, Fortinet, etc. So how big is AWS’ security business and scope?
The way we think about security is multi-tiered. So my job and my organization’s primary job is about making sure that AWS is secure, and we’re doing things in all of our services, including the security services that help make our customers more secure.
My team partners with EC2 as they’re releasing each new product. We’re diving deep into the Trainium2 and the Trainium3 chip sets, and deeply looking at the security features that should be there and how are they designed.
So our Graviton4 chips have a ton of security features that were built into that chip that made it so that when you’re using a Graviton4 chip as part of your workload, you’ve got a slew of defenses and defenses against different ways to exploit vulnerabilities and defenses against different suites of attacks. That’s one of the things that my team’s working on consistently.
So when you start to draw a line and you say security services, certainly we have things like the new GuardDuty capabilities that are specifically designed to help customers be secure on top of their platforms. But the piece that that misses is all of the other security pieces that we’ve just built into the tools.
With our identity IAM, with our chipsets, our Nitro platform and S3—each service has security capabilities intentionally built-in. Most of our capabilities already exist [in the solution]. Security is built-in across AWS services. It’s important to realize that security is baked into everything that you’re touching.
What else are big pieces of AWS’ security posture and overall strategy?
Another piece is that, yes, where it makes sense for us, we offer very specific security protections: distributed denial of service, our WAFs technologies, GuardDuty—there’s a whole slew of technologies we provide.
Another piece, for customers who take advantage of the AWS platform, is that we have a large number of partners who offer their security services through the AWS Marketplace.
Because we recognize that no one security solution provides everything a customer needs. There’s no magic pill for security. It’s got to be built into everything.
We have to offer things that leverage the power of the cloud, our threat intelligence and our capabilities, that we can do with greater fidelity and a greater capability than anybody else.
We recognize there’s no one magic solution to security. So leveraging that giant Marketplace of those partners is incredibly powerful. So it’s all of those pieces together.
Can you double down on how AWS security features are built into both AWS and non-AWS chips? Where else are some unique security highlights?
We offer chips from Intel. We offer chips from AMD. We’ve got Apple M series chips as part of our MacOS products. We offer multiple generations of Graviton ARM-based chips.
When we can, we take advantage of that opportunity to go build those security features into those chips. But it doesn’t just stop there at the Graviton chip level. Let’s go up a level.
Nitro is the hypervisor system that we use in EC2. The Nitro System is designed so that the hypervisor, the part that’s running all the virtual machines, doesn’t have to use any of the processing power of the CPU. It’s a set of separate systems that runs the hypervisor and everything else off the CPU, so that the customer can get full advantage of the power of the CPU.
But the team that builds Nitro didn’t stop there. They said, ‘We have this really awesome opportunity. We can make it so that AWS is in a position where we cannot access any customer data inside of EC2 running on Nitro.’
What we did is we built systems that encrypt the data between the CPU and storage, CPU and memory, CPU and network—all those capabilities. It’s designed and validated in such a way that operators do not have access to go into that environment.
We use Nitro for our Intel, for our AMD, for our Graviton—so regardless of the CPU that you’re using there, when you’re using one of the Nitro-based platforms, you know that your workload is only accessible by you. It is never accessible by AWS. These are things that AWS is best positioned to offer for our customers.
Talk about some of AWS’ latest and greatest security launches? What makes them so unique in the cybersecurity landscape?
Our VPC [virtual private cloud] Block Public Access.
You can run a lot of different things in an AWS VPC. It’s your network boundary. You’re running a lot of different services. There’s nuanced work that used to be required to make sure that none of those things were advertised on the internet. Because each service, you can go in and configure it, and sometimes you want to configure it to get on the internet, sometimes you don’t—but being absolutely confident it doesn’t get on the internet requires a set of rules. So customers said, ‘Boy, I’d like this to be easier.’ So VPC block public access is one of those cases where we took something that was nuanced for our customers to do security, and we made it literally a one-click solution. So now you’re a developer on AWS and you want nothing in an application to be directly internet accessible. You don’t have to think about it anymore. You don’t have to go think about, ‘How do we do that for EC2 or on RDS or anything else.’ All you have to do is hit one button. Behind the scenes, we’ve taken care of that security at scale.
Another example is our new feature called centralized management of root accounts.
There are very few things that require root level access to an account, but there are some operations that only root can make those changes to the account. It’s the most powerful credential that exists. So for people with tens or hundreds of accounts, making sure that you have those for when you need them, but you’re also protecting them, takes real work. Each one of those is security risk. If somebody puts the wrong credentials in the wrong place, that could have a really big impact to that account.
How do you make that simpler and easier for folks to do that security? We made it so accounts no longer need to have root credentials. Instead, a new feature called centralized management of root accounts [allows] an organization owner to give a temporary credential with specific capabilities for that account for the rare times that you need that access. So there’s no root credentials for that account. That’s very, very powerful, because it took one whole area of risk—these root credentials that you had to maintain but that you couldn’t let out—and it completely eliminated them for customers altogether.
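The two controls Betz describes above (VPC Block Public Access and centralized root access management) are things a partner will want to verify across many accounts, not just enable once. The following posture check is an added example written for this page, not AWS code: it evaluates constructed sample responses shaped like the `ec2:DescribeVpcBlockPublicAccessOptions`, `ec2:DescribeVpcBlockPublicAccessExclusions` and `iam:ListOrganizationsFeatures` API outputs (field names as I understand those APIs; treat them as assumptions and confirm against the current API reference), and flags the states in which the control is requested but not actually protective.

```python
"""Posture check for VPC Block Public Access and centralized root access.
The three SAMPLE_* dicts are constructed stand-ins for live API responses."""
from typing import Dict, List

# Constructed sample of ec2:DescribeVpcBlockPublicAccessOptions output.
SAMPLE_BPA: Dict = {"VpcBlockPublicAccessOptions": {
    "InternetGatewayBlockMode": "block-bidirectional",  # off | block-ingress | block-bidirectional
    "State": "update-complete"}}
# Constructed sample of ec2:DescribeVpcBlockPublicAccessExclusions output:
# one VPC has been carved out of the account-wide block.
SAMPLE_EXCLUSIONS: Dict = {"VpcBlockPublicAccessExclusions": [
    {"ResourceArn": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0example",
     "InternetGatewayExclusionMode": "allow-bidirectional"}]}
# Constructed sample of iam:ListOrganizationsFeatures output: root credential
# management is on, but privileged root sessions are not yet enabled.
SAMPLE_ORG_FEATURES: Dict = {"OrganizationId": "o-exampleorgid",
                             "EnabledFeatures": ["RootCredentialsManagement"]}

def check_vpc_block_public_access(options: Dict, exclusions: Dict) -> List[str]:
    """Return findings; an empty list means the VPC BPA control is fully enforced."""
    findings: List[str] = []
    opts = options.get("VpcBlockPublicAccessOptions", {})
    mode = opts.get("InternetGatewayBlockMode", "off")
    state = opts.get("State", "")
    if mode == "off":
        findings.append("BPA: internet gateway traffic is not blocked for this account/Region")
    elif mode == "block-ingress":
        findings.append("BPA: only inbound IGW traffic is blocked; outbound is still allowed")
    if mode != "off" and state != "update-complete":
        # The setting has been requested but the block is not yet in force.
        findings.append(f"BPA: mode {mode} requested but state is '{state}'")
    for ex in exclusions.get("VpcBlockPublicAccessExclusions", []):
        # Every exclusion is a VPC the one-click block does NOT cover; each needs review.
        findings.append(f"BPA: exclusion {ex['ResourceArn']} ({ex['InternetGatewayExclusionMode']})")
    return findings

def check_root_management(features: Dict) -> List[str]:
    """Return findings; an empty list means member accounts need no long-lived root credentials."""
    enabled = set(features.get("EnabledFeatures", []))
    findings: List[str] = []
    if "RootCredentialsManagement" not in enabled:
        findings.append("Root: centralized root credential management is not enabled")
    if "RootSessions" not in enabled:
        # Without root sessions, break-glass root tasks still require per-account root credentials.
        findings.append("Root: privileged root sessions are not enabled")
    return findings

if __name__ == "__main__":
    for line in check_vpc_block_public_access(SAMPLE_BPA, SAMPLE_EXCLUSIONS) + \
            check_root_management(SAMPLE_ORG_FEATURES):
        print(line)
```

In production the same two functions would be fed the real responses for every account and Region in the organization, and any non-empty result becomes a ticket rather than a console click.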
How should partners go to market with those two new AWS security products and features?
When we’re able to simplify security, it makes it easy for our partners to just go through and make sure that all of our customers, even the smallest customers, have the best security out of the box.
Our whole partner ecosystem is absolutely essential to helping so many people be able to take advantage of the cloud. What I want to do is help make it easier for partners to keep their customers secure.
For the VPC Block Public Access: if you know that this set of infrastructure never should talk to the internet, simply being able to click one button in the console, make one command and know that no matter what happens, the customer’s resources in that VPC will not be exposed to the internet is a win for partners. That makes the partner’s job significantly easier, and helps them have greater confidence that customers’ security is already in place.
Organizations in root accounts is a great example of, when the root account credentials are stored someplace—that’s risk. And we all know how busy our SMBs are. We all know how complicated it is for partners to maintain this for all of their customers. We’ve simplified it and decreased risk at the same time. That’s a win-win. That’s really powerful.
What’s your message to partners regarding the AWS Marketplace?
We believe in choice. People need different tools to solve different problems. That’s where our advantage of our Marketplace is.
Partners get massive advantages to sell to the Marketplace because they make their products accessible to all of our customers. It makes it easy for them to select that partner, and often easier for them to integrate. Because you don’t want friction on integration. That’s a massive lever.
Similarly, for our customers who get to take advantage of those partner networks, the ability to choose a slew of different solutions that are designed to work out of the box within AWS, where our partners have put that extra effort into creating that seamless experience. So that’s why I don’t want to talk about security only in terms of what we do. We should also talk about security in terms of our partners.