How 'the feds' rebuilt AWS security

Owned, not pwned

If Amazon EC2 has a security issue, it’s the AWS leader in charge of the service that’s ultimately responsible, according to AWS CISO CJ Moses.

That’s because AWS’s internal security modelis based on parent company Amazon’s single-threaded ownership culture – leaders have end-to-end responsibility for their team’s products, and that includes those products’ security.

• “If EC2 has a security issue, the owner of EC2 knows it's their responsibility,” Moses told Protocol in a recent interview.
• “It's also my responsibility to enable them and make sure it doesn't happen … but straight up, they know that is theirs to own, and they're going to be the ones … answering to that.”
• AWS works to prevent such issues from arising by baking security into the design of its products and services from the start, according to Moses.
• “Finding an issue after something's gone into production and is public, and you have a CVE and all of that process, it's very expensive to then mitigate that and to patch,” Moses said. “We've moved as far to the left as we can and mechanized things.”

Moses became AWS’s CISO in January, succeeding Stephen Schmidt, who’s now Amazon’s CISO. He initially joined AWS in 2007 after leading the technical analysis of computer and network intrusion efforts for the FBI’s cyber division and serving as a computer crime investigator for the Air Force Office of Special Investigations.

• Moses, Schmidt, Andrew Doane and Eric Brandwine started at AWS around the same time. “Our job was the dedicated utility computing team — the DUC team, also known as the feds, [because] you had a bunch of us coming from the FBI,” Moses said.
• AWS’s security story was “very weak” from day one, according to Moses.
• “We thought about the mission that we had previously and how we could build from scratch the environment that we needed to have in order to be able to do the highly secure work that we were doing,” he said.
• “There was no other cloud provider that's ever had that kind of capability built from day one by the paranoid group that we have, with the expertise, that have been chasing hackers around the world,” Moses said.

Read Protocol’s full interview with Moses here.

SPONSORED CONTENT FROM MICRON

Chip shortage could undermine national security: The global shortage of semiconductors has impeded the production of everything from pickup trucks to PlayStations. But there are graver implications than a scarcity of consumer goods. If the U.S. does not ensure continued domestic access to leading-edge semiconductor manufacturing, experts say our national security could suffer.

Read more from Micron

The FTC signals AI rules and wants companies to comment

Think the Federal Trade Commission’s proposed rules on commercial surveillance and data security are only for advertisers or social media companies? Think again.

Any company using algorithmic or automated systems to make decisions that affect people — tech often categorized loosely as AI — could come under the potential rules, particularly if they harm or discriminate against protected groups in housing, employment or health care decisions.

But there are no new rules yet. For now, the agency wants businesses and other stakeholders to comment on possible restrictions on data use for automated systems. So, it’s seeking public comment on nearly 100 questions.

What might FTC rules related to AI look like? Here are some clues:

• Proving AI accuracy – The FTC asks multiple questions about the prevalence of algorithmic errors, whether and how companies might mitigate them, and if they should be allowed to use automated systems even when they make mistakes “in critical areas, such as housing, credit, and employment.”
• Banning or limiting AI that discriminates – For the last few years companies have touted their commitments to preventing unfair and biased AI-based decisions, and some have adjusted algorithmic models to ensure that they do not use certain types of data that could lead to those problems. Now the FTC wonders if that’s good enough and asks whether it should bar or limit use of automated systems that discriminate.
• Requiring AI audits and reports – Some federal bills have called for audits or assessments of algorithmic systems, and New York City’s law requiring “bias audits” will go into effect in January. But the FTC wonders if it should step in. Question number 92 in the FTC’s inquiry list asks whether the commission should require self-reported or third-party audits of commercial surveillance practices, and if so, how frequently.

Want to comment? A link to submit comments to the Federal Register will be posted here “as soon as it is available.” Meanwhile, the FTC will hold a public forum about the proposed rules on Sept. 8. There’s more information on how to file comments here.

— Kate Kaye (email| twitter)

Network effects

Steve Mullaney describes himself as an “old-time networking guy from 37 years ago,” with stints at Cisco, Force10 Networks and Palo Alto Networks, among other companies. He was the CEO of Nicira, a network virtualization and software-defined networking company, when VMware acquired it for $1.26 billion in 2012.

“I stayed at VMware for a few years and then said, ‘That's it, I'm done, had a great career, and I'm just going to retire and travel around the world and be on boards and have a great life,’” Mullaney told Protocol. “And then this thing called cloud happened.”

Mullaney was on the board of Aviatrix — then a networking tool company helping to plug holes in networking for AWS — and had been retired for five years when he became its CEO in 2019.

“If you had asked an enterprise eight years ago or more, ‘Are you going to move to the cloud,’ they would say, ‘No, it's too expensive, it’s not secure enough,’” Mullaney said. “It was just DevOps people swiping a credit card and spinning up workloads, and it wasn't enterprise IT that was part of it. All of a sudden, the conversation changed overnight.”

Mullaney knew immediately that enterprises would opt for multicloud strategies, and he saw room for a company to become the equivalent of what Cisco Systems was for on-premises networking. It wasn’t going to be Cisco, Arista Networks or Juniper Networks, he said, “because when you have a transformation that happens where, on Monday, nobody's doing something and then Tuesday, everybody is, incumbents can't handle that.”

“I said why not Aviatrix?” Mullaney said. “At that time, we had about 100 customers. We were completely born in the cloud.”

Today Aviatrix is a cloud networking and networking security company expecting to hit $100 million in ARR this fiscal year, up from $3.5 million when Mullaney became its leader. It landed another $200 million in funding last September, which put its valuation at $2 billion, and expects an IPO within 18 months.

“It's a whole other level of intelligence that we integrate into the network,” Mullaney said. “People are going to get rid of their MPLS [multi-protocol label switching]. They're going to leverage the backbones of AWS and Azure and Google, and they need a control plane to basically be the overall route control plane on top of that. That's going to be us.”

Around the enterprise

South Korea’s SK Hynix is looking for a site in the U.S. for a proposed chipmaking factory, and construction could start as early as next year, according to Reuters.

SPONSORED CONTENT FROM MICRON

Chip shortage could undermine national security: To ensure American security, prosperity and technological leadership, industry leaders say the U.S. must encourage domestic manufacturing of chips in order to reduce our reliance on East Asia producers for crucial electronics components.

Read more from Micron