News/Trends, Tech/Engineering

No, It’s Not Just You: Enterprise Security Really is Hard.

There is a reason why cloud security is always a first concern in enterprise cloud adoption, and it’s not only because companies don’t want to see their names in the news. As Bill Shinn, senior consultant for AWS Professional Services pointed out, cloud security is the first issue to emerge because enterprise security is just plain hard. It requires a huge amount of planning and processes.

When was the last time you heard a security admin say, after a security audit with regulators or internal auditors, “Wow, that was great! I can’t wait for the next one!”

Probably not often. That’s because enterprise security is complex, said Shinn, who spoke at the AWS Summit in San Francisco. As with so many other things: The technology isn’t as much of a barrier as is cultural change. When security is done with traditional processes, safeguarding data can be a bottleneck. And as we know all too well: It’s human nature to go around a bottleneck.

Shinn described AWS’s customers’ expectations: for the company to be more prescriptive, beyond its technical architecture. As he said, AWS customers and partners also want it to adapt to organizational behaviors. Enterprises want AWS to help it evolve security programs, leadership styles, and processes so that they can take advantage of the cloud. His technical session went beyond technology, including also how modern security organizations have evolved their key security processes, using cloud services to become faster-moving and become far more secure.

Enterprise security is a complex undertaking, with big budgets and large departments with a significant commitments to resources. And that is without mention of the threat landscape and the increasing sophistication of attacks. Add to that the ever-changing regulatory environment, particularly as companies expand businesses globally with different security and privacy regulations.

“Security is hard today because enterprises don’t have the ability to detect unwanted change and course-correct in an iterative, low risk way that reduces the impact of failure,” Shinn said.

Shinn went over numerous AWS services (including CloudTrail AWS Config and CloudWatch Logs) that enable users to change and course-correct these changes with minimal risk. Doing so significantly reduces the amount of planning and processes traditionally involved with security changes, he said, thereby making security faster while keeping corporate data safe.

Shinn stressed that security should move fast; it has to. “The attackers move fast and you have to keep up. Security should be the thing that moves the fastest in an organization, so that you can respond and get ahead of risk.”