AWS Security Blog
AWS Security Profiles: Nihar Bihani, Senior Manager; Jeff Lyon, Systems Development Manager
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
Jeff: I’ve been with AWS for four years. I started as a Product Manager before transitioning into my current role as a Systems Development Manager where I lead the AWS DDoS Response Team. The AWS DDoS Response Team is the group that defends the Amazon infrastructure against denial-of-service attacks, in addition to protecting many of our customers against the impact of those attacks on their own applications.
Nihar: I’ve been with AWS for nearly 10 years. I started as an intern. I’m now a Senior Manager for two customer-facing services. The first is AWS WAF. The other is AWS Firewall Manager. I’m responsible for managing the team that builds those services.
How do you explain your job to non-tech friends?
Jeff: We help AWS defend against outside attacks — external threats that might otherwise cause problems for people.
Nihar: I usually tell people that my job is to make sure the applications that are running on AWS stay secure. My team writes the software that helps keep these sites safe and secure.
What are you currently working on that you’re excited about?
Jeff: I’m excited about some things that are happening behind the scenes. When people hear about the DDoS Response Team, I think the picture that comes to mind is engineers answering tickets and working on individual problems. We do a bit of that, but we’re mostly focused on building automation to solve these problems at scale. What we’re trying to do is to remove the undifferentiated heavy lifting from something that used to be really complicated and difficult for developers to solve, allowing them to focus more on the applications running on our platform.
Nihar: Lots of things! Security is an area that customers take very seriously—and it’s also an area that we take very seriously. My team is working on initiatives in three broad areas. First, we’re going to make our existing services scale more, perform better, and be more available. Second, we’re investing in adding new features for both AWS WAF and AWS Firewall Manager — something that our customers tend to get very excited about because they can use those features right away to help make their applications more secure. The third major project is geographic expansion. We’re working on expanding the AWS WAF presence across more AWS regions.
What’s the most challenging part of your job?
Jeff: Solving problems at scale. If you think about the many different problems in distributed systems, solving them individually tends to be relatively easy. But when you think about them on a large scale, and then think about the number of points of presence within AWS regions that we have, and even the size of some of our customers’ applications, it becomes quite a different story. Being able to think through those problems and figure out how to implement solutions on a much larger scale is a unique challenge.
Nihar: The most challenging part of my job is to deliver everything that our customers need fast enough. It’s not because we don’t want to. We do. And we want to build solutions that are of high-quality. But we have limited resources, and there’s a finite number of things we can do with them. It’s really helpful when customers help us prioritize against their needs, since that allows us to iterate as quickly as we can while knowing that what we’re delivering will have the most impact for customers.
How did you choose your particular topic for re:Invent this year?
Jeff: Our session is about orchestrating perimeter security. Perimeter security is the concept of taking threats and mitigating them far away from the application itself. The session focuses on how to build a layer of defense that people can use to defend against things like external threats, application vulnerabilities, bad bots, and DDoS attacks. Our customers are interested in this topic, and we field a lot of questions like, “What are the best practices? What architectures should I consider?” So the goal of the session is to help people protect their AWS resources so that they can spend more time building their applications and less time worrying about security threats. The “orchestration” component comes into play for large organizations, who need to answer the question, “How do you do that and manage it at scale?” For a large organization with a lot of applications, you have to ensure that if you build out a security policy, any given change will take effect across the entire application. You need a centralized way of doing that. So we’ll also talk about the capabilities that AWS offers via AWS Firewall Manager, which allows customers to orchestrate security policies on behalf of AWS WAF. We’ll discuss ways you can lock down your VPC network access control list, plus other strategies that a centralized security team can use to make sure that there’s a ubiquitous protection layer for the entire application.
Nihar: I also want to emphasize that this approach allows customers to achieve a strong security posture for their applications without the need to re-architect any of the applications or any of the infrastructure that’s already running on AWS. We want to dispel the idea that customers will have to do a ton of work. You won’t, and yet you’ll be able to improve the availability of your applications and benefit from being compliant with many regulatory requirements. Perimeter security is like building a wall around a castle you’ve already built. You don’t have to renovate the castle. You can build the wall, and maybe fill it with security guards, or put cameras on it: you haven’t changed your castle at all, but it’s so much more secure.
What are you hoping that your audience will take away from your session? What should they do differently as a result of it?
Jeff: I hope our customers will realize that there are lots of ways to architect and build things on AWS. And one of those ways is by using the AWS edge network as a tool to mitigate threats. We want them to understand the differentiating capabilities that we provide with that edge network and to be able to up-level their security when they get back to the office.
Nihar: I want people to understand that making their applications more secure doesn’t take a lot of effort. There are tools available, and we’ll show them how to use those tools in their own service architectures. Some customers might not be aware of all the threats they should be protecting their applications from, so the session is also about educating our customers on potential threats and how to mitigate against those threats. Jeff and I live in this world, so we’re very aware.
Does your session require existing knowledge about the topic?
Jeff: There’s a lot of a value in this session for developers at different experience levels and across different applications, but it’ll be especially useful for application developers who’ve built on AWS and who’ve gone through our security best practices — but are looking for opportunities to do more.
Nihar: You don’t need to have an extensive background in security because we’ll cover some of the current threat landscape, in addition to covering some of the ways that you can defend against these threats.
What are the biggest misconceptions that people have about perimeter security?
Jeff: People sometimes think that the on-premise capabilities they’ve built for themselves are going to be lost when they move to the cloud. One of the things we do in our session is demonstrate how our customers actually retain all those capabilities. We’ve just made them easier to consume and understand.
Nihar: People also think sometimes that perimeter security isn’t beneficial, or that it’s too hard, or too expensive. To the first point, I’d say that there are a lot of “bad actors” out there, and consumers have high standards for availability and security when they use any application. As for difficulty and expense, these are exactly the things we have in mind — we’re doing our best to ensure that it’s a simple experience that’s affordable for everyone.
Can you tell us about some of the innovations AWS has made in perimeter security?
Jeff: My favorite is the way we’ve leveraged the AWS global infrastructure to be able to detect and mitigate threats at the point of ingress. If you think about distributed denial-of-service attacks, historically, the network of any given company might have multiple points of presence. But these individual points of presence might not all be prepared to handle a DDoS attack, and so you’d have to shunt the traffic off to much larger locations called “scrubbing centers” and then pull it back to the point of presence in order to serve your customers. That approach can be costly, it can be difficult to build at scale, and it can add a performance penalty—but it was historically the industry standard. One of the things we’ve created at AWS is a way to do this such that every point of presence in every AWS region has a system right there at the point of ingress that will inspect the traffic, decide if it’s valid to be passed to the customer’s application, and pass it without a noticeable performance penalty. That’s difficult to accomplish at scale.
Nihar: AWS WAF offers a flexible rule language with full API access, so many of our customers have built automations with it. For instance, customers see traffic coming to their applications and they evaluate their logs using some of the data processing tools AWS AWF has, and then they immediately turn around and programmatically create a new WAF rule, submit it to AWS WAF, and within minutes AWS WAF is starting to block that bad traffic. All of this can be automated, and that’s powerful. In addition to customers writing their own rules, we offer Managed Rules that are written, curated and managed by AWS Marketplace Sellers and can be easily deployed in front of your web applications.
AWS Firewall Manager is integrated with AWS Organizations and AWS Config with the goal of providing a consistent, reliable security posture for customers that have potentially hundreds or thousands of applications running on AWS. These customers often find it beneficial to use AWS Firewall Manager to programmatically protect all of their applications in a simple way rather than having to do a lot of undifferentiated heavy lifting by building Lambda functions and working with AWS Config and doing a lot of scripting. All that is doable, but AWS Firewall Manager simplifies the experience.
What does cloud security mean to you, personally?
Jeff: Cloud security to me means two different things, both related to the Shared Responsibility Model. There is security in the cloud and security of the cloud. Security of the cloud is AWS’s responsibility, and security in the cloud is our customer’s responsibility. Our engineers are responsible for building security into AWS services, so that when customers move to the cloud, some aspects of security are taken care of automatically. But there are other aspects that our customers remain responsible for. To me, cloud security means that we will take care of all the things we’re able to take care of for our customers. And for the things we can’t take care of — the things that our customers remain responsible for and will have to manage themselves — we’re going to at least make them easier to think about, easier to configure, and easier to manage at scale.
Nihar: Security is our highest priority. If we’re not secure, we don’t have a business. So in one word, cloud security for me is trust. Our customers have a high bar because their customers, their consumers, demand a very high security posture. And as Jeff said, security is certainly a shared responsibility. But for the pieces for which we’re responsible, we have set a very high bar for ourselves so we continue to earn customer trust.
Five years from now, what changes do you think we’ll see across the security and compliance landscape?
Jeff: If you’re developing on AWS, you don’t have to worry about a lot of foundational things, like building a data center, figuring out where the power comes from, or managing the infrastructure. Security is the next frontier, where we can abstract and make it easier for our customers. I think that over the next several years, customers will see things get easier to manage and easier to think about. People won’t have to worry as much about the engineering behind the security. They’ll be able to express intent, which will be translated into security.
Nihar: I think we’re going to continue to add more learning and intelligence to our security services over the next several years, so we can be more proactive when it comes to the security and compliance of our customers’ applications. In practical terms, I think this means that we’ll innovate by building solutions that are really simple to use, targeted to each specific application, evolve with that application, yet work at AWS scale.
If you had to pick any other job, what would you want to do with your life?
Jeff: My dream job growing up was to be a police officer. I went through school and college thinking I’d pursue that dream and actually joined the Navy as a Master at Arms, which is a police officer in the Navy. I did that for nine years and was also an auxiliary Sheriff’s Deputy for two years. So I got a lot of law enforcement experience, which has actually benefited my career. Really law enforcement is all about problem solving. So coming to AWS, I was able to bring a lot of those skills with me.
Nihar: I like building things. It just resonates with me. Here at Amazon, we like building new things, launching them, and then going back to square one to do it all over again. I’m organized and meticulous, so I like to have the end goal in mind and then build up to that. If I weren’t in software engineering, I’d like to do something involving construction: You start with a vision and a flat piece of land — and how you get from there to the end goal of a finished building is a fascinating process to me.
The AWS Security team is hiring! Want to find out more? Check out our career page.
Want more AWS Security news? Follow us on Twitter.