AWS Security Profiles: Brigid Johnson, Senior Manager of Product Management
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
I’ve been with AWS a little over four years. I’m currently the Senior Manager of Product Management in AWS Identity. I head a team of product managers that manage AWS Identity and Access Management (IAM) and AWS Secrets Manager.
How do you explain your job to non-tech friends?
I’m the voice of the customer. I work to simplify security for AWS customers.
What are you currently working on that you’re excited about?
A lot of my work is focused on how we can simplify permissions management at scale. Customers are moving an enormous number of workloads to AWS, and a lot of teams are on-boarding to manage those workloads. And often, a lot of applications need access to resources within AWS. Companies rely on granular permissions to manage their resources and data securely. My team is working on the tools and experiences to make this experience easy.
What’s the most challenging part of your job?
AWS IAM and AWS Secrets Manager are services that every AWS customer will use, from small start-ups to really large enterprises. Balancing their needs, use cases, and requirements, and then creating a product vision based on this information is challenging—and also very rewarding.
What’s your favorite part of your job?
Talking with customers. I find it incredibly fascinating to hear what people are building on top of AWS, how they’re using our system, and what they need more of. And while I really love presenting AWS products on stage, it’s usually brainstorming meetings with a central security team or someone who manages permissions at a small startup that I love the most. I love real conversations about day-to-day routines and experiences. It helps me hone in on where we need to innovate.
How did you choose your particular topic for re:Invent this year?
The session, Become an IAM Policy Master in 60 Minutes or Less, has been going on for years. Before I took over, my previous manager ran it. Policies are very, very powerful. You can write granular permission rules, and there are some really cool things I’ve seen customers do with them. The session is a way for me to show people that power, and then show them how to think about permissions and use IAM policies. You can use policies to control access to both applications and users in a very granular way. It’s really rewarding to watch as people start to get it—and then get excited about new possibilities of their security posture.
So, how are you going to make someone an IAM Policy Master in 60 minutes?
There are three parts: First, I’ll go through some policy basics. This section’s fairly short, since this is a more advanced session. Next, I’ll explore how to reason and think about policy evaluation. When I explain this in a certain way with customers, I can often see them get it and the lightbulbs go on. This provides them with the foundation to go back and work with their teams to create better permissions rules. Finally, I go into some specific policy types and where you can use these, so people have a framework for understanding different policy types. This section includes use cases for how and why you might use different types. My favorite part of the sessions is at the end: I go through some of my favorite complex use cases and show the real power and granularity of the AWS permissions model.
What are you hoping that your audience will take away from your session?
I want them to have a deeper understanding of the power of our policies. And, honestly, I want them to go play and explore. So many times, when we’re setting up permissions, we’re trying to get something done, and so we go through the set-up really quickly—and I should stress that my team is working to make that set-up quicker and easier. But if you’re part of a central security team, and you spend a little time exploring the ninja moves that I’m going to explain in my session, you can more easily scale your permissions management. Spending just a little bit of up-front cost to explore and figure out how things work will make your permissions management much easier.
Any tips for first-time conference attendees?
Two tips: One, be sure to go to sessions that interest you, even if you know nothing about the topic. At the end of the day, the conference is a chance for you to explore. Two, try spending some time outside. Being indoors all day can be more draining than you think. A little outdoor time helps keep your energy level up.
What does cloud security mean to you, personally?
Permissions are critical to running workloads in the cloud. Here’s why I’m passionate about this topic. Permissions enable people to build without getting themselves into trouble accidentally. The easier that AWS makes permissions (and managing permission in the cloud), the easier and faster it is for customers to onboard workloads to AWS—and the easier and faster it is for builders to build on AWS. And that’s what really inspires me. If builders are blocked because they don’t have access to something that they should, it’s a frustrating experience. It also means they’re not building the next cool app I didn’t know I needed, solving healthcare challenges, or innovating as fast as they can. My goal, and what I love about my work, is getting to innovate in ways that make security easier by default. People can operate safely in the cloud, and they can still move fast to build exciting things.
In your opinion, what’s a challenge facing cloud security teams right now?
AWS innovates really quickly. We send out a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author their permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up to date information, and of course the AWS Security Blog.
Five years from now, what changes do you think we’ll see across the security/compliance landscape?
I think we’ll see more preventative security controls turned on by default, rather than controls that rely on you to go turn them on. If you have a use case where you need to turn things off, you’ll still be able to do so. But I think turned on will become the new default, and that more management tools and services will be able to “do” security for you. This might mean that the job of the central security team will move away from building out systems and toward consuming information that comes from these systems and using it to make judgment calls based on environment and workload.
If you had to pick any other job, what would you want to do with your life?
I’ve always thought it would be fun to build and run my own sleep-away camp for girls. I’m an avid horseback rider, so there would be a lot of horseback riding. If I had to do something else, I’d go buy a plot of land somewhere and make it happen.
The AWS Security team is hiring! Want to find out more? Check out our career page.
Want more AWS Security news? Follow us on Twitter.