AWS Security Profiles: Chad Woolf, VP of AWS Security
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
I’ve been at AWS for over eight years now, and I work in security assurance. The essence of my work is to help customers move critical and regulated workloads to the cloud. We own and manage security process, tech, and functions that customers can’t individually validate themselves. My job, and my team’s job, is to make those functions transparent to our customers, allowing them to rely on our processes, procedures, and controls. We work toward this goal by facilitating extensive independent audits and making those reports available. We also engage with regulators and customers to help them understand how the cloud works, what things they’ll have to do differently here, and what new opportunities are available to them in terms of better ways to govern their IT and protect and secure their data.
How do you explain your job to non-tech friends?
Sometimes I simplify by telling people, “I do information security at Amazon,” or “I do data protection and privacy at Amazon.” Mentioning the word “privacy” usually hits the limit of many people’s interest and they stop asking questions. To my kids or other family I usually say something like, “I work to keep Amazon safe for everybody.”
What are you currently working on that you’re excited about?
The world of traditional security assurance is complex and broad, so it’s full of interesting challenges. While working on that we’re also looking ahead at augmenting traditional security assurance and quality assurance models with more effective and newer models. A traditional approach might involve auditors doing sample testing and evaluating the narrative of how systems work. But this approach isn’t always technically deep and sometimes it doesn’t provide full, comprehensive insight into the environment, or into the presence of threats and vulnerabilities in the environment. From the onset of this program, we’ve worked to take these traditional models and modify the approach that will provide true assurance for our customers.
In addition, recently we’ve kicked off something I’m really excited about — the work our Automated Reasoning Group (ARG) is doing around developing mathematical proofs of certain aspects of a system. For example, a mathematical proof might be used to prove that there’s no instance of a weak key being used anywhere in the entire system. That’s a much higher bar than just having a “reasonable assurance” of no weak keys, which is the objective that auditors traditionally use. Auditors can’t evaluate all the code and they can’t evaluate all of the instances where keys are being used. With automated reasoning, if we’re able to tell them, “this proof can examine the entire system for a certain value,“ it’s a much higher bar than even today’s advanced control measures, such as automated controls, preventive controls, or detective controls. It’s a proof. We (and our auditors) are really excited about this possibility, because systems are becoming so immense and so complex that it’s hard for us humans to wrap our minds around around the complexity — so we’re using math to do it for us.
What’s the most challenging part of your work?
Most of the challenges I deal with stem from complexity. Each of the new services we release — including all of the things being launched at re:Invent this year — introduces a new, sometimes complex function into our environment and into the environments of the customers who use it. It’s becoming more and more challenging to effectively govern these disparate services, and for people to be certain that they’re applying the right standards across all of them. We have some services to deal with this, and I think we’ll see AWS release more governance-like features to help deal with this challenge more comprehensively in the future.
Another major challenge is that the many governments and regulators hold an understanding of the cloud that hasn’t kept pace with the cloud’s incredibly rapid evolution. Years ago, the cloud was defined in fairly simple terms — infrastructure, platform, and software as a service. Many people still understand it in those dated categorizations. But it’s getting much more complex the more we offer and the bigger this space gets.
What’s the most common misperception you encounter about cloud security and compliance?
The misperception I encounter the most is that the cloud is unfit for regulated data and workloads. Regulators and auditors — many of whom haven’t operated an IT infrastructure — often have only a high-level understanding of the cloud, many times learned through colleagues, high level reports and media reports. They hear things and may not have a way to technically validate whether those things are true. Years ago, it was a pretty common misunderstanding that accessing your data securely using the internet was the same as, “all of your data is openly available on the Internet,” which of course isn’t the case. I’ve had many personal interactions where someone said they absolutely could not have certain data stored in the cloud, because then the whole world would be able to see it. But this basic misperception is pretty much debunked at this stage. Now we spend a lot to time clearing up the misperception that regulated and audited data can’t be moved to the cloud. The reality is that because of the comprehensive control you have, regulated/audited data is actually better suited for the cloud. My team and many other teams at AWS work to help regulators, auditors, security teams and their leadership reach the right technical depth and understanding to give them the confidence to move these kinds of workloads to AWS.
You’re hosting two sessions for re:Invent 2018. How did you choose your particular topics?
I’m co-presenting a session with Byron Cook, the director of ARG, on Automating Compliance Certification with Automated Mathematical Proof. This session stems from what I mentioned before, the trend that traditional assurance methods are becoming less effective as complexity grows. We’ll be talking about new assurance models. But the session isn’t just us saying, “Here’s what we did! Good luck! Go hire your own PhDs to figure this out.” We’re going to give customers the chance to experiment with automated reasoning in their own cloud environments. It’s a chalk talk, so it’ll be a smaller audience, which will let us go quite in-depth with some of our examples. The CEO of one of our assessors will also be there and will talk about what these changes mean for his firm.
I’m also hosting “peer problem-solving roundtable” at the Executive Summit that will focus on staying ahead of privacy regulation. GDPR, which went into effect in May 2018, made a lot of customers push to reach that date in a compliance state, but many didn’t and are still working on it. It’s a big challenge to sustain the effort around GDPR privacy and data protection. It’s not even like you can reach that state and then say, “Okay, we’re done.” It requires ongoing effort. Additionally, all kinds of laws are starting to be enacted all over the world that either match GDPR’s stringency or exceed it. So the session will be a workshop on how to deal with these challenges, and how companies can sustain their efforts and create frameworks that can handle additional regulation that might be enacted down the road.
What are you hoping that your audience will take away from your sessions?
For the automated reasoning session, I want people to leave with ideas about how they can tinker with automated reasoning and proofs of compliance in their own environments. This approach requires experimentation, so I want to empower people to just go ahead and start tinkering.
For the GDPR session, I want people to leave with some good ideas for how to proactively think about compliance — and with some specific actions they can take to move their companies’ privacy programs into a better state. The exact direction of our conversation will depend on the audience, since it’s an interactive workshop, but I’m hopeful that people will walk away with good ideas.
Five years from now, what changes do you think we’ll see across the security and compliance landscape?
I think that security and compliance will follow a trajectory similar to computing in the mid-2000s. Ten to 15 years ago, we all had PCs that required us to install software, which was all over the place in terms of quality — sometimes it worked on your laptop and sometimes it didn’t. We went from that to mobile devices, where the entirety of an installation is in a single container on an app. There might be some limits on what you can do, in terms of exchanging data with other apps and systems, but everything you need as a user is contained within that app. It’s a kit, rather than a bunch of building blocks. You launch it, set some configurations, and then forget about it. I think more of that is going to happen. The compliance scene is becoming exponentially more complex as we move forward with more services, more IT, and with multiple, diverse environments. We’ll need ways of securing it all in a simple way. IT providers will need to offer more app-like experiences, in which we think of the user and what they need to do rather than just providing a bunch of building blocks.
What does cloud security mean to you, personally?
As a consumer, I care about security a lot. When I use an app that’s on the cloud, or access contacts or photos that are stored in the cloud, I’m concerned about it. I make sure that I use encryption when I can. I have random passwords that I don’t reuse. I follow the best practices that security professionals all know and use. But I’m always shocked by how many people don’t really think about these things, or don’t understand the risks involved with not securing your account or encrypting your data, or in using services that clearly don’t follow best practices. For me personally, cloud security is an essential consideration before I actually use or buy anything.
If you had to pick any other job, what would you do with your life?
I’d move into IT transformation. Moving from one IT environment to another involves a lot of organizational change management, from people and process to technology and projects. It’s super complex, and hardly anyone is truly excellent at it. So that’s what I’d get into. I find the complexity there fascinating. Organizational IT transformation takes all the complexity of tech, and then adds to it with the complexity of people, processes, and culture.
As a personal passion, I’d do search and rescue for people who’ve gotten into trouble hiking or biking or rock climbing. It’s a complex, real-world challenge with life-or-death stakes. If I could use my motorcycles to help achieve that, it would be better. It might help justify further motorcycle purchases and help my wife understand the wisdom in this.
The AWS Security team is hiring! Want to find out more? Check out our career page.
Want more AWS Security news? Follow us on Twitter.