Eric realized they couldn’t scale up the team to the size of AWS, it just wasn’t possible
they had to figure out a way to help the organization build the #security culture itself
@awscloud #reinforce
they had to figure out a way to help the organization build the #security culture itself
@awscloud #reinforce
effectively tenets are rules for a culture. hard to write them down but they are critical
@awscloud #reinforce
@awscloud #reinforce
#security cultural tenets are published internally at AWS. they have to be transparent and open, so people know what the team values
@awscloud #reinforce
@awscloud #reinforce
1st #security tenet of AWS;
“We lead in preventing unauthorized access to AWS resources: our customers’ or ours. We continuously assess our systems, identify exposures, evaluate risks, and relentlessly drive mitigations.”
@awscloud #reinforce
“We lead in preventing unauthorized access to AWS resources: our customers’ or ours. We continuously assess our systems, identify exposures, evaluate risks, and relentlessly drive mitigations.”
@awscloud #reinforce
2nd #security tenet of AWS:
“We constantly provide visibility to senior leadership into the biggest potential risks, backed up with data and carefully prioritized.”
@awscloud #reinforce
“We constantly provide visibility to senior leadership into the biggest potential risks, backed up with data and carefully prioritized.”
@awscloud #reinforce
3rd #security tenet of AWS:
“We escalate appropriately yet aggressively to ensure that security issues are resolved promptly and with high judgement. If in doubt, we will escalate.”
@awscloud #reinforce
“We escalate appropriately yet aggressively to ensure that security issues are resolved promptly and with high judgement. If in doubt, we will escalate.”
@awscloud #reinforce
“Escalation within the AWS security organization is free” << Eric Brandwine points out the need to make it a comfortable action to escalate appropriately
@awscloud #reinforce
@awscloud #reinforce
inappropriate escalations => feedback that training, tooling, and data should be improved
@awscloud #reinforce
@awscloud #reinforce
4th tenet of AWS #security culture:
“We are guardians of customer privacy and trust. We advocate for our customers in all security engagements.”
@awscloud #reinforce
“We are guardians of customer privacy and trust. We advocate for our customers in all security engagements.”
@awscloud #reinforce
“Is now the time to speak up for our customers?", the answer is always “Yes” << you need to build a culture where that is encouraged and widely accepted
@awscloud #reinforce
@awscloud #reinforce
5th tenet of @awscloud #security:
“We own security for all of AWS, including 3rd party & oss. We take nothing as a given & extensively test all of our components, even those built by other parts of the co. If something doesn’t work fo run, we will move off to it”
#reinforce
“We own security for all of AWS, including 3rd party & oss. We take nothing as a given & extensively test all of our components, even those built by other parts of the co. If something doesn’t work fo run, we will move off to it”
#reinforce
btw, here’s another great talk from Eric, Leadership Session: Aspirational Security … from #reinforce 2019
@awscloud #reinforce
@awscloud #reinforce
…and this great interview with @werner, “15 years of Amazon S3 - Security is Job Zero“,
@awscloud #reinforce
@awscloud #reinforce
…and this one from re:Invent 2018, “The Tension Between Absolutes & Ambiguity in Security”,
@awscloud #reinforce
@awscloud #reinforce
…always frustrating when I can’t find someone’s twitter handle. Eric is at @ebrandwine…which let’s admit is pretty obscure and hard to figure out 🤣
@awscloud #reinforce
@awscloud #reinforce
6th tenet of AWS #security:
“We are the one-stop shop for all security questions within AWS. In cases where we don’t own the answer, we own getting the question answered.”
@awscloud #reinforce
“We are the one-stop shop for all security questions within AWS. In cases where we don’t own the answer, we own getting the question answered.”
@awscloud #reinforce
this tenet also demonstrates a choice made for the betterment of the org. it’s not optimal for the security team but is optimal for the organization overall
@awscloud #reinforce
@awscloud #reinforce
7th tenet of @awscloud:
“We drive our work to focus on the most critical security risks for the business. They will be prioritized 1st for the biz & then for the service teams. We will ensure each expectation is well understood, actionable, & supported by appropriate tooling”
“We drive our work to focus on the most critical security risks for the business. They will be prioritized 1st for the biz & then for the service teams. We will ensure each expectation is well understood, actionable, & supported by appropriate tooling”
these tenets (and others) help the team focus. when they are internalized by everyone on the team, they are part of the discussion and help everyone work together to meet their goals...
@awscloud #reinforce
@awscloud #reinforce
also of note to event organizers: speakers should always control their own slides
@awscloud #reinforce
@awscloud #reinforce
another amazing talk by @ebrandwine…definitely check it out on the replay on YouTube…hopefully…soon?
@awscloud #reinforce
@awscloud #reinforce
next up is IAM with Karen Haberkorn…new thread 👇
@awscloud #reinforce
@awscloud #reinforce
https://twitter.com/marknca/status/1430236765948891138
• • •
Missing some Tweet in this thread? You can try to
force a refresh
