AWS Security Profiles: Alana Lan, Software Development Engineer; Shane Xu, Technical Program Manager
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
Alana: I’m a software development engineer, and I’ve been here for a year and a half. I’m on the Security Assessment and Automation team. My team’s main purpose is to develop tools that help internal teams save time. For example, we build tools to help people find resources for external customers, like information control frameworks. We also build services that aggregate data about AWS resources that other teams can use to identify critical resources.
Shane: I started around the same time as Alana — we’re part of the same team. I’m a Technical Program Manager, and my role is to perform deep-dives into different security domains to investigate the effectiveness of our controls and then propose ways to automate the monitoring and mitigation of those controls. I like to explain my role using a metaphor: If AWS Security is the guardian of the AWS Cloud, then the role of the Security Assurance team is to make sure the guardians have the right superpowers. And the goal of my team is to ensure those superpowers are automated and always monitored so that they’re always available when needed.
How do you explain your job to non-tech friends?
Alana: I tell people that there are many AWS services, and many teams working to make those services available globally. My work is to make the jobs of those teams easier with tools and resources that reduce manual effort and allow them to serve customers better.
Shane: I normally tell people that my role is related to security automation. Those two words tend to make sense to people. If they want more detail, I explain that my role is to automate the compliance managers out of the repetitive aspects of their jobs. Compliance managers cut tickets to request different kinds of evidence to show to auditors. My role is to automate this so that compliance managers don’t need to go through a long, manual process and so they can focus on more important tasks.
What are you currently working on that you’re excited about?
Alana: We’re working on a service that aggregates data about Amazon and AWS resources to provide ways to find relationships between these resources. We’re also experimenting with Amazon Neptune (a graph database) plus some new features of other services to help our teams help customers. Sometimes, SDEs seek us out for help with specific needs, and we try to encourage that: We want to emphasize how important security is. I like getting to work on a team that grapples with abstract concepts like “security” and “compliance.”
Shane: I’m working on an initiative to reduce the manual effort required for data center audits. We’re a cloud company, which means we have data centers all over the world and they are critical infrastructure for AWS services and customer data. For compliance purposes, we need to do physical audits of all of those sites and a typical approach would be flying out to dozens of locations each year to examine the security and environmental controls we have in place. I’m working on a project that’s less manual and resource-heavy.
You’re involved with this year’s Security Jam at re:Invent. What’s a Security Jam?
Shane: The Security Jam is basically a hackathon. It’s an all-day event from 8 AM to 4 PM that includes a dozen challenges (one of which Alana and I are hosting). The doors open at 7 AM at the MGM Studio Ballroom, and you can sign up as a group, or we’ll randomly pair you as needed. Your team works through as many of the challenges as possible, with the goal of getting the high score. The challenges are intended to provide hands-on experience with how to use AWS services and configure them to make sure your environment is secure. The Jams are structured to accommodate AWS users of all levels.
What’s your Security Jam challenge about?
Shane: Last year, our challenge focused on ensuring an environment was secure and compliant. This year, we’re taking it one step further by focusing on continuous monitoring. It’s a challenge that’s relevant whether you’re a small company or a large enterprise: You can’t realistically have one person sitting in front of a dashboard 24/7. You need to find a way to continuously monitor your resources so that at any time, when a new resource becomes available and older ones are deprecated, you have an up-to-date snapshot of your compliance environment. For the Security Jam challenge, I provide a proof of concept that lets participants use AWS Config to configure some out-of-the-box rules (or develop new rules) to provide continuous monitoring of their environment. We’ve also added an API around this for people like compliance managers, who might not have a technical background but need to be able to easily get a report if they need it.
Alana: Customers have reported that AWS Config is very useful, so we built the challenge to expose more people to the service. It will give participants a foundation that they can use in the future to protect their data or services. It’s a starting point.
What knowledge or experience do you hope participants will gain by completing your challenge?
Alana: I want people to understand that AWS services are not difficult to use. For example, there are many open source AWS Lambda functions that can help protect your data with a few button clicks. Don’t be afraid to get started.
Shane: People sometimes think compliance is scary. I want the hands-on nature of the challenge to show people that we provide tools that will make your life, and your customers’ lives, easier. I also want people to learn ways of avoiding compliance fatigue. Automation makes it easier for you to focus on more innovative work. It’s the future of compliance.
In your opinion, what’s the biggest challenge facing cloud security and compliance right now?
Shane: The scope for compliance is getting larger and larger, and there will always be new revelations and new types of threats. Developing scalable solutions to help achieve compliance is an ongoing challenge, and one we can’t just throw human power at. That’s why automation is so important. The other challenge is that some people see compliance as a burden, when we want it to be an enabler. I want people to understand that it’s not just a regulation or a security best practice. Compliance is a way to enable growth.
Alana: If I worked on another team, I think it would have taken me several years to figure out how my daily job impacted the security and compliance of AWS as a whole. It’s hard to connect the coding of an individual project back to AWS Security. We’re encouraged to take trainings, and we know that it’s important to protect your data, but people don’t always understand why, exactly. It’s hard for individual contributors to get a sense of the big picture.
If you had to pick any other job, what would you want to do with your life?
Alana: If I wasn’t an SDE, I’d want to be a Data Scientist. I think it would be interesting to analyze data and figure out the trends.
Shane: I would really like to be involved in AI. There are so many unknowns right now, in terms of how to ensure AI that’s secure and ethical. I’d also like to be a teacher, or a university professor. When I was working on my Master’s degree, it was really difficult to get some practical skills, such as how to have a productive one-on-one with my manager, or what career paths are available in a security-related field. I like the idea of being able to use my industry experience to help other students.
What career advice do you have for someone just joining AWS?
Shane: There’s a lot of opportunity at AWS. During my first six months here, I was cautious: Because of my previous consulting background, I felt like I had to have a legit case to talk with leadership and take up their time. It’s certainly important that I value their time, but in general I’ve found people in senior positions to be very willing to engage with me. My advice is to not be afraid to reach out, grow your network, and learn new things.
Alana: I’d echo what Shane said. There are a lot of possibilities at AWS, so don’t be afraid to try something new.
The AWS Security team is hiring! Want to find out more? Check out our career page.
Want more AWS Security news? Follow us on Twitter.