AWS Security Profiles: Phil Rodrigues, Principal Security Solutions Architect

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.

How long have you been at AWS, and what do you do in your current role?

I’m a Principal Security Solutions Architect based in Sydney, Australia. I look after both Australia and New Zealand. I just had my two year anniversary with AWS. As I tell new hires, the first few months at AWS are a blur, after 6-12 months you start to get some ideas, and then after a year or two you start to really own and implement your decisions. That’s the phase I’m in now. I’m working to figure out new ways to help customers with cloud security.

What are you currently working on that you’re excited about?

In Australia, AWS has a mature set of financial services customers who are leading the way in terms of how large, regulated institutions can consume cloud services at scale. Many Aussie banks started this process as soon as we opened the region six years ago. They’re over the first hump, in terms of understanding what’s appropriate to put into the cloud, how they should be controlling it, and how to get regulatory support for it. Now they’re looking to pick up steam and do this at scale. I’m excited to be a part of that process.

What’s the most challenging part of your job?

Among our customers’ senior leadership there’s still a difference of opinion on whether or not the public cloud is the right place to be running, say, critical banking workloads. Based on anecdotal evidence, I think we’re at a tipping point leading to broad adoption of public cloud for the industry’s most critical workloads. It’s challenging to figure out the right messaging that will resonate with the boards of large, multi-national banks to help them understand that the technology control benefits of the cloud are far superior when it comes to security.

What’s your favorite part of your job?

We had a private customer security event in Australia recently, and I realized that: We now have the chance to do things that security professionals have always wanted to do. That is, we can automatically apply the most secure configurations at scale, ubiquitously across all workloads, and we can build environments that are quick to respond to security problems and that can automatically fix those problems. For people in the security industry, that’s always been the dream, and it’s a dream that some of our customers are now able to realize. I love getting to hear from customers how AWS helped make that happen.

How did you choose your particular topic for re:Invent this year?

Myles Hosford and I are presenting a session called Top Cloud Security Myths – Dispelled! It’s a very practical session. We’ve talked with hundreds of customers about security over the past two years, and we’ve noticed the types of questions that they ask tend to follow a pattern that’s largely dependent on where they are in their cloud journey. Our talk covers these questions — from the simple to the complex. We want the talk to be accessible for people who are new to cloud security, but still interesting for people who have more experience. We hope we’ll be able to guide everyone through the journey, starting with basics like, “Why is AWS more secure than my data center?”, up through more advanced questions, like “How does AWS protect and prevent administrative access to the customer environment?”

What are you hoping that your audience will take away from it?

There are only a few 200-level talks on the Security track. Our session is for people who don’t have a high level of expertise in cloud security — people who aren’t planning to go to the 300- and 400-level builder talks — but who still have some important, foundational questions about how secure the cloud is and what AWS does to keep it secure. We’re hoping that someone who has questions about cloud security can come to the session and, in less than an hour, get a number of the answers that they need in order to make them more comfortable about migrating their most important workloads to the cloud.

Any tips for first-time conference attendees?

You’ll never see it all, so don’t exhaust yourself by trying to crisscross the entire length of the Strip. Focus on the sessions that will be the most beneficial to you, stay close to the people that you’d like to share the experience with, and enjoy it. This isn’t a scientific measure, but I estimate that last year I saw maybe 1% of re:Invent — so I tried to make it the best 1% that I could. You can catch up on new service announcements and talks later, via video.

What’s the most common misperception you encounter about cloud security?

One common misperception stems from the fact that cloud is a broad term. On one side of the spectrum, you have global hyperscale providers, but on the opposite end, you have small operations with what I’d call “a SaaS platform and a dream” who might sell business ideas to individual parts of a larger organization. The organization might want to process important information on the SaaS platform, but the provider doesn’t always have the experience to put the correct controls into place. Now, AWS does an awesome job of keeping the cloud itself secure, and we give customers a lot of options to create secure workloads, but many times, if an organization asks the SaaS provider if they’re secure, the SaaS provider says, “Of course we’re secure. We use AWS.” They’ll give out AWS audit reports that shows what AWS does to keep the cloud secure, but that’s not the full story. The software providers operating on top of AWS also play a role in keeping their customers’ data secure, and not all of these providers are following the same mature, rigorous processes that we follow — for example, undergoing external third-party audits. It’s important for AWS to be secure, but it’s also important for the ecosystem of partners building on top of us to be secure.

In your opinion, what’s the biggest challenge facing cloud security right now?

The number of complex choices that customers must make when deciding which of our services to use and how to configure them. We offer great guidance through best practices, Well-Architected reviews, and a number of other mechanisms that guide the industry, but our overall model is still that of providing building blocks that customers must assemble themselves. We hope customers are making great decisions regarding security configurations while they’re building, and we provide a number of tools to help them do this — as do a number of third-parties. But staying secure in the cloud still requires a lot of choices.

Five years from now, what changes do you think we’ll see across the security/compliance landscape?

I’m not losing much sleep over quantum computing and its impact on cryptography. I think that’s a while away. For me, the near future is more likely to feature developments like broad adoption of automated assurance. We’ll move away from a paper-based, once-a-year audits to determine organizations’ technology risk, and toward taking advantage of persistent automation, near-instant visibility, and being able to react to things that happen in real-time. I also think we’ll see a requirement for large organizations who want to move important workloads to the cloud to use security automation. Regulators and the external audit community have started to realize that automated security is possible, and then they’ll push to require it. We’re already seeing a handful of examples in Australia, where regulators who understand the cloud are asking to see evidence of AWS best practices being applied. Some customers are also asking third-party auditors not to bring in a spreadsheet but rather to query the state of their security controls via an API in real-time or through a dashboard. I think these trends will continue. The future will be very automated, and much more secure.

What does cloud security mean to you, personally?

My customer base in Australia includes banks, governments, healthcare, energy, telco, and utility. For me, this drives home the realization that the cloud is the critical digital infrastructure of the future. I have a young family who will be using these services for a long time. They rely on the cloud either as the infrastructure underneath another service they’re consuming — including services as important as transportation and education — or else they access the cloud directly themselves. How we keep this infrastructure safe and secure, and how we keep peoples’ information private but available affects my family.

Professionally, I’ve been interested in security since before it was a big business, and it’s rewarding to see stuff that we toiled on in the corner of a university lab two decades ago gaining attention and becoming best practice. At the same time, I think everyone who works in security thrives on the challenge that it’s not simple, it’s certainly not “done” yet, and there’s always someone on the other side trying to make it harder. What drives me is both that professional sense of competition, and the personal realization that getting it right impacts me and my family.

What’s the one thing a visitor should do on a trip to Sydney?

Australia is a fascinating place, and visitors tend to be struck by how physically beautiful it is. I agree; I think Sydney is one of the most beautiful cities in the world. My advice is to take a walk, whether along the Opera House, at Sydney Harbor, up through the botanical gardens, or along the beaches. Or take a ferry across to the Manly beachfront community to walk down the promenade. It’s easy to see the physical beauty of Sydney when you visit — just take a walk.

The AWS Security team is hiring! Want to find out more? Check out our career page.