AWS Security Blog

AWS Security Profiles: Myles Hosford, Compliance Specialist

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been at AWS for about two and a half years. I’m based in Singapore, and I work within the Financial Services Security and Compliance team as a Compliance Specialist. My responsibilities cover about nine different countries. I spend most of my time working with financial institutions like banks and insurance companies, helping them identify their security and compliance requirements as they move into the cloud. I’ve only been in this particular role for six months — I actually moved internally from a security position. Since I was already spending a lot of time with a couple of financial services accounts, it made sense for me to move into a more focused vertical. My new role gives me the chance to dive deeper into some of the challenges in the financial services space.

How do you explain your job to non-tech friends?

In the simplest terms, I advise customers on their journey to the cloud. The cloud itself is a pretty new technology, especially to more traditional organizations. Between the regulatory landscape and the way that large enterprises traditionally consume IT, this presents some unique challenges. So I help break those challenges down into small, manageable chunks.

What’s the most challenging part of your job?

Because the cloud is such a new model, financial organizations and large enterprises often need to do a lot of rethinking about security. What used to be appropriate for on-premise controls might not be suitable for the cloud — and there might be ways of “doing” security in the cloud that were just never conceived of before. This is especially true around automation and the use of APIs, both of which can provide real-time visibility into your environment that you just couldn’t get before. That’s not the only shift in perspective that needs to happen, though. The shift also involves people and processes. By that, I mean that there’s often a lot of retraining that organizations need to undertake. Say you’re an on-premise database administrator: If your company shifts to the cloud, you’d probably continue to be a database administrator. But the job is going to look a little different, and a lot of organizations haven’t started thinking about how to retrain and reposition their existing staff. This is an especially pressing problem when coupled with the existing global shortage of cybersecurity professionals.

What do you enjoy about your work? What makes you excited to get out of bed in the morning?

From a security perspective, I genuinely believe that being in the cloud is more secure than being on-premise. Before I joined AWS, I worked with some large investment banks and saw how much they struggled with foundational security requirements, like patch management, or configuring firewalls, or enabling least-privilege access for users across their estate. Tasks like this can be very difficult to accomplish with a traditional, on-premise approach. So once an organization really leans into the idea of cloud security — once they realize that everything can be automated — they tend to respond very positively and very quickly. One of my favorite parts of my job is when a customer’s internal security team starts to realize this. At the outset, not everyone is optimistic, so it’s very satisfying to see customers start to trust us and start to dive into services like Amazon GuardDuty. Watching their growing excitement makes it all worthwhile.

Do you have advice on how to handle the increased amount of data that organizations are now receiving as a result of automating their processes in the cloud?

The cloud is great, but it’s definitely possible to go overboard with tools and vendor products, until you suddenly have twenty or thirty different dashboards with data coming in all over the place. What I emphasize to my customers is this: It’s great to have real-time visibility and collect all the data that you can, but you always need to think about connecting that last mile. In other words, you need ways to get the right data in the right format to the right analysts. It’s really nice to be able to turn on a service like Amazon GuardDuty and have a dashboard. But unless someone is constantly monitoring that dashboard — which can be a pretty boring job — you need to think about what kinds of decisions you want to make based off of your data, and then you need to start automating that response. In a traditional security setting, you’d receive an alert, you’d go investigate, and you’d follow up on any issues. Even if you switch to AWS services, you still need to make those decisions, but the decision-making process can typically be compressed down to seconds or minutes, and you can set things up so that the cloud responds and protects itself. Say you’ve got a developer or a malicious actor making changes in your environment. Maybe someone accidentally disables multi-factor authentication or turns off encryption. You can protect against that in near-real time, maybe thirty or forty seconds after the fact. And then, using features like Amazon CloudWatch Events and AWS Lambda functions, you can get your system to stop the threat and self-heal by re-enabling the encryption or the password policy or what-have-you. This type of automation and self-healing — the next generation of cloud security — is what customers get really excited about once they start to understand the possibilities.
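The self-healing loop described in this answer (a CloudWatch Events rule forwards a CloudTrail API call to a Lambda function, which undoes the regression) can be sketched as a small handler. The code below is an added example, not code from the post or from AWS; the event shape follows CloudTrail's "AWS API Call via CloudTrail" detail, the sample event, bucket name and account id are constructed, and the `RecordingClient` stand-in and `clients` parameter exist only so the handler runs offline without boto3 credentials.

```python
"""Lambda-style auto-remediation for posture regressions seen via CloudTrail.

Added example (not from the AWS blog post). Assumes a CloudWatch Events rule
that matches CloudTrail API calls and targets this function.
"""
import json

# Constructed sample event: a user removed default encryption from a bucket.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketEncryption",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {"bucketName": "example-data-bucket"},
    },
}

# API calls treated as posture regressions, mapped to a remediation action.
REMEDIATIONS = {
    "DeleteBucketEncryption": "restore_bucket_encryption",
    "DeleteAccountPasswordPolicy": "restore_password_policy",
    "DeactivateMFADevice": "flag_mfa_deactivation",
}


def plan_remediation(event):
    """Decide what to do with an event; None means it is not one we handle."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail", {})
    action = REMEDIATIONS.get(detail.get("eventName"))
    if action is None:
        return None
    return {
        "action": action,
        "event_name": detail.get("eventName"),
        "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
        "bucket": detail.get("requestParameters", {}).get("bucketName"),
    }


def restore_bucket_encryption(s3, bucket):
    """Re-enable SSE-S3 default encryption on the bucket (AES256 is the simplest)."""
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        },
    )
    return f"re-enabled default encryption on s3://{bucket}"


def restore_password_policy(iam):
    """Put back a baseline account password policy (values are an assumed baseline)."""
    iam.update_account_password_policy(
        MinimumPasswordLength=14,
        RequireSymbols=True,
        RequireNumbers=True,
        RequireUppercaseCharacters=True,
        RequireLowercaseCharacters=True,
    )
    return "restored account password policy"


def lambda_handler(event, context=None, clients=None):
    """Lambda entry point; `clients` lets tests inject fakes instead of boto3."""
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    if clients is None:
        import boto3  # only imported inside Lambda, where credentials exist
        clients = {"s3": boto3.client("s3"), "iam": boto3.client("iam")}
    if plan["action"] == "restore_bucket_encryption":
        result = restore_bucket_encryption(clients["s3"], plan["bucket"])
    elif plan["action"] == "restore_password_policy":
        result = restore_password_policy(clients["iam"])
    else:
        # A deactivated MFA device cannot be re-enrolled automatically, so raise an alert.
        result = f"alert: MFA device deactivated by {plan['actor']}"
    print(json.dumps({"plan": plan, "result": result}))  # lands in CloudWatch Logs
    return {"status": "remediated", "plan": plan, "result": result}


class RecordingClient:
    """Stand-in for a boto3 client: records calls instead of reaching AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    fake = {"s3": RecordingClient(), "iam": RecordingClient()}
    print(lambda_handler(SAMPLE_EVENT, clients=fake))
    print(fake["s3"].calls)
```

Deployed for real, the function needs an IAM role allowing only `s3:PutBucketEncryption` and `iam:UpdateAccountPasswordPolicy`, and the rule's event pattern should name the three `eventName` values so the function is not invoked for every API call in the account.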

Speaking of “next generation,” what kinds of changes do you think we’ll see across the security and compliance landscape within the next five years?

Right now, we’re at a point where organizations just need to get the basics down, and I think AWS is doing a very good job of allowing people to start standardizing their infrastructure and applications. But one trend I’ve seen in the last year or so is an uptick in machine learning and AI. Within AWS, those technologies are starting to power some of our other services, like Amazon GuardDuty and Zelkova. I think that this trend will continue, with more and more capabilities like cyberthreat intelligence and cyber-hunting. This will enable organizations to move beyond patch management and basic infrastructure security, and toward more advanced tools that will allow them to track down bad actors within their estates, hopefully both raising their security bar against fresh vulnerabilities and making more efficient use of their security personnel’s time — which, again, I think is very important given the general shortage of skills and headcount within cloud security.

You’re co-presenting a 2018 re:Invent session with Phil Rodrigues about debunking cloud security myths. How did you choose this topic?

When I meet with new security and compliance teams, they typically have lots of questions (and rightfully so). It’s important that I earn their trust since I’m asking them to trust AWS with their assets and data. And in my experience, there’s this journey of questions that many people go through. The re:Invent session is meant to guide people through this journey and to debunk some of the most common cloud security myths that I encounter. The session is tailored to organizations and customers who don’t have much experience with the cloud. I expect them to have some foundational questions, like “Is my actual data stored in an actual data center somewhere?” So I’ll talk about the way that our regions work, and where data is stored across AWS. This lets people get comfortable with the idea that yes, your data is in a data center with strong physical security controls. Then we’ll move to some specific questions around AWS and the support that we can provide to organizations, whether through contractual commitments or regional compliance programs. After that, I’ll pick out a couple of notable services that have gotten a lot of press. Take Amazon Simple Storage Service (Amazon S3): There’s been some discussion of open S3 buckets — but people might not realize that S3 buckets are actually private by default. You have to go out of your way to make them public. We’ll wrap up with some questions from the audience. I want people to walk away from the talk feeling like they have a high-level understanding of cloud security from start to finish.

Do you have any tips for first-time conference attendees?

Obviously, take a look at the agenda ahead of time and try to reserve seats for the sessions that you’re most interested in. Beyond that, network with as many of your peers as possible. Reach out to people that you meet, whether on LinkedIn or social media, and as you see people around the conference, try to interact with them. Everyone’s coming to learn, and everyone’s hopefully friendly and approachable. Find out what other people are working on, share your best practices, take away some new best practices, and just have fun with it all.

You’re based out of Singapore: What’s one thing that a visitor to Singapore should make time for?

If you come to Singapore, make sure that you spend some time trying local food. Singapore has amazing food. If you don’t mind spicy, I’d recommend the national dish, which is Singapore Chili Crab — a big crab poured over with chili oil and served with bread for dipping. It’s amazing.

Do you have anything else that you’d like to touch on?

Using the cloud to protect the cloud is a great idea. And obviously, developments around AI and automation really help out. Once people start to understand that you can move away from a static, point-in-time security posture and toward a self-healing infrastructure that fixes itself when it detects misconfigurations, that’s a pretty cool place to be.

Author

Myles Hosford

Myles is a Compliance Specialist on the AWS Financial Services Security and Compliance team. He’s based out of Singapore, where he helps financial institutions in the APAC region transition to the cloud.