AWS Security Blog

AWS Security Profiles: Sarah Cecchetti, Principal Product Manager, Amazon Cognito

In the weeks leading up to re:Invent 2019, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


What do you do in your current role at AWS?

I’m an identity nerd! I think most login experiences are terrible today, especially passwords. The login experience is very important. It’s usually the first way that consumers interact with companies directly and far too often it’s frustrating and off-putting. My job as principal product manager for Amazon Cognito is to build products that make that experience easy and secure. Cognito is the front door to many of the brands you use on the internet today.

How did you enter the IAM field?

I was a full-stack developer for many years before I was recruited to the University of Washington’s Identity and Access Management (IAM) team. I knew nothing about IAM, but they were happy to train me. Because the team built and maintained a lot of their own tools, “growing up” on it helped me master the subject quickly. The team sent me to some Identity and Access Management conferences, and I loved the community and the people so much that I used my vacation time and my own money to go to more conferences.

As I was establishing myself in the field, I met lots of identity teams who were struggling to find more people to bring on. There are no formal training programs for Identity and Access Management. They asked me to consider consulting in addition to my day job, and I did (and called my company Engage Identity because I have an unhealthy obsession with Captain Picard, who always says “Engage!”). It did so well that I eventually turned the consulting role into my full-time job.

I later accepted an offer from Ping Identity, a company that makes cloud and on-premises identity software. I continued to go to a lot of conferences but was getting tired of the travel. About this time, I had lunch with Darin McAdams (principal engineer on AWS Identity), who told me about Jim Scharf, the new VP of Identity at AWS, who was making some big team investments. Darin suggested I come talk about an open position, and I was amazed by how smart and hardworking the people I met were, and how quickly they were building things. The level of productivity at AWS is just shocking. I joined AWS this past February.

What’s the most useful piece of career advice you’ve ever received?

I have a quote on my office wall from Albert Einstein that’s provided a lot of inspiration: “Try to become not a man of success, but try rather to become a man of value.” If you talk to the people who started AWS, you’ll find that they didn’t do it because they thought it would make them rich and famous. They did it because they hoped the service would be valuable to lots of people. When you face decision points in your career, it’s tempting to take the path that looks like it will make you “successful.” The truth about success is unintuitive. In order to achieve success in your career, you actually have to focus on making other people successful—on providing so much value that people come to rely on the work you’ve done. That’s why the Amazon leadership principles focus so much on customer obsession and delivering results. We wouldn’t be where we are today if our leadership principles were “make money” and “get famous.”

The Amazon leadership principle “Are right, a lot” can be a source of anxiety—can you share your take on what it means and why it matters?

A lot of people think that “Are right, a lot” means that AWS hires geniuses, pundits, and people who have very high opinions of themselves—people who think they’re constantly right about everything. That’s the exact opposite of what this leadership principle is about. The description says that leaders should work to disconfirm our own beliefs and seek out the opinions of other people.

Diversity is the driving force behind “Are right, a lot.” If you’re a leader at Amazon, your job is to create a diverse team that will call you out when you’re wrong. Part of being “right, a lot” involves learning how to be wrong. It forces you to start thinking two steps ahead of your team, and then two steps ahead of customers from all over the world, from all sorts of backgrounds. If your team is all the same, and you think about technology systems in the same way, your product will never be good enough to meet the security needs of all of your customers.

Can you talk about some of the recent enhancements to IAM that you’re excited about?

Recently, the AWS Identity team has been doing more work at the multi-account level. Customers can have hundreds or even thousands of AWS accounts, and figuring out how to secure that many accounts is the sort of thing that can keep you up at night. So we’re increasingly focused on building tools that allow you to secure multiple accounts at once.

For example, we now have service control policies that you can set at an organizational level. You can say, “I want all of these accounts to have AWS CloudTrail turned on, and I want to make sure none of these accounts can turn it off.” If an unauthorized user gains access to an account, the first thing they’ll try to do is turn off logging. When we asked, “What’s one thing that can help customers with thousands of accounts sleep better at night?” the answer was, “Make it so people can’t turn off logging.”
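The “make it so people can’t turn off logging” guardrail described above, as an added example that is not from the AWS post: a service control policy (SCP) that denies the CloudTrail API calls which stop, delete or weaken a trail, plus a small evaluator that checks which attempted actions the policy would block. The action names are real CloudTrail API actions; the statement ID and the evaluator are this example’s own.

```python
import fnmatch
import json
from typing import Dict, List

# Added example (not from the AWS post). SCPs only restrict; they cannot turn
# CloudTrail on, so this covers the "can't turn it off" half of the guardrail.
# The Sid is an arbitrary label chosen for this example.
LOGGING_GUARDRAIL_SCP: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",       # pause delivery of events
                "cloudtrail:DeleteTrail",       # remove the trail entirely
                "cloudtrail:UpdateTrail",       # e.g. drop multi-region coverage
                "cloudtrail:PutEventSelectors", # narrow which events are recorded
            ],
            "Resource": "*",
        }
    ],
}


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and may contain '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp: Dict, action: str) -> bool:
    """True if any Deny statement in the SCP covers `action`.

    An SCP Deny is the outer boundary for every member account it is attached
    to: no IAM policy inside that account (root user included) can override it.
    SCPs do not apply to the organization's management account.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            return True
    return False


def blocked_actions(scp: Dict, attempted: List[str]) -> List[str]:
    """Filter a list of attempted actions down to those the guardrail blocks."""
    return [a for a in attempted if scp_denies(scp, a)]


if __name__ == "__main__":
    print(json.dumps(LOGGING_GUARDRAIL_SCP, indent=2))
    tried = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents", "s3:PutObject"]
    print(blocked_actions(LOGGING_GUARDRAIL_SCP, tried))
```

Attaching the JSON document to the organization root (or to the organizational units holding the member accounts) makes the denial apply everywhere at once, which is the multi-account point the answer is making.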

You’re doing a Leadership session on AWS Identity at re:Invent with Jim Scharf. What do you plan to cover?

We’ll announce a lot of new releases at the session. We’ve been building new services for our customers, and during the session, we’ll be pairing these releases with themes that we’ve seen in the industry.

For example, one really broad theme is interoperability. Think of the IAM industry as a student getting graded in kindergarten: We’re pretty good at keeping our hands and feet to ourselves. We’re pretty good at responding to questions. But we’re absolutely terrible at playing well with others. As an industry, IAM does not play well with others. When our customers try to integrate AWS with Microsoft, Google, or Apple, it’s a frustrating experience. We know that to make it less frustrating, we have to work with our peers in the industry. We have to say, “It’s not important what product customers are using, or what cloud they’re using. What’s important is that they have a great experience.” Identity experiences can be especially painful because “identity” isn’t what customers are trying to do. It’s not the end goal. Identity is the process you have to go through to get into the system that actually allows you to do your work. When we get in the way of that, it’s a uniquely terrible customer experience. And so, it’s our job to make these systems work together in a simple way that’s easy for our customers.

During your time as a consultant, you worked with NIST to rewrite identity guidelines for US federal agencies. Can you talk to us about this work, and why it was important?

So, NIST is the National Institute of Standards and Technology. NIST was founded in 1901 with a mission to measure things. For example, how long is a second? How much is a gallon? How heavy is a kilogram? These standards allow for fair competition in a free market. Well, now it’s the twenty-first century, and NIST is answering questions like how secure is a given digital identity system? A few years back, I got to work for NIST to rewrite the digital identity guidelines for the federal government. We actually transformed the way the government measures identity, which was really amazing.

When NIST first created digital identity guidelines, they only provided one measure of security: a system could achieve a “level of assurance” on a scale of 1 to 4, and that rating had to do with identity proofing (how well you know who a person is), and authentication (how secure the person is in terms of logging in).

What we found during the process of revising these guidelines is that there are a bunch of use cases where the organization shouldn’t know who the person is when they log in—maybe the person is a political dissident, or a spy, or just a “normal” person who wants to protect their own privacy. But those people still need a high level of security. So we needed a way for organizations to verify that this person logging in is the same person who created the account, without needing to see their photo ID or verify their documentation, or even verify their email address.

So we recreated the guidelines to separate those two measures. Instead of having a single “1 to 4” scale of how secure you are, there are now three scales—how well do we know who you are, how secure is your authentication, and then if you’re going to cross between two different systems, how secure is that federation?

You co-founded an organization called IDPro. What led you to found it, and what should people know about it?

The idea for IDPro stemmed from all the time I spent at IAM conferences. Industry folks would have fascinating, productive conversations at those conferences, but there wasn’t really a forum for discussions outside of that. Security has professional organizations, like ISACA. Privacy has a professional organization, IAPP. But there was nothing for Identity.

So I worked with Ian Glazer, one of the heads of identity at Salesforce, and together we founded IDPro. We wanted to create a grassroots movement, so we got people to join first, and later went looking for corporate sponsors. IDPro is a good way for people who are new to Identity and Access Management to learn from people who have been in the field for years. We now also support a big conference each year called Identiverse.

One of the first things we did when we started the organization was to survey identity professionals. Most of the people who took the survey had more than ten years of experience in the field. We asked how long it took them to feel proficient in IAM (because everyone learns it on the job—it’s the only way to learn IAM). The most common response was ten to fifteen years. And the next most common response was “I still don’t feel proficient.” As a person who loves identity and access management and wants more people to become identity nerds, those responses broke my heart.

The responses reflected a very real problem. There’s just not enough educational material out there about identity. So we looked to other professional organizations, specifically to the field of project management, for inspiration. In 1996, a group of project management professionals built a body of knowledge that outlined methodologies like waterfall and agile, and tools like stand-ups and kanban boards. Most technology professionals know these words now because back in the 90s that industry deliberately built that body of knowledge. So we began gathering a group of volunteers to build a similar body of knowledge for IAM. Some of our corporate sponsors then asked if we could build a certification, too. We’re working on creating both of those things now. It’s the most ambitious project any of us have ever taken on.

Do you think identity products will be able to replace firewall products in the next five years?

In my opinion, not completely. That said, we’re finding that whether you’re inside or outside a firewalled network is a really weak indicator of whether or not you’re an attacker.

We used to think security was all about the network: The network is the castle, and we had to defend the castle. The people inside the castle were “good,” and the people outside the castle were “bad.” But that’s simply not accurate. Security isn’t just about keeping outsiders out. Legitimate users work from all sorts of devices all over the world. But people with malicious intentions can sometimes find their way onto secure networks. For these reasons, many security professionals are coming around to the idea that identity is the new perimeter. We’re realizing that the key to separating the legitimate users from the unauthorized users is very secure authentication. By secure, I mean things like 2-factor authentication. A factor might be something you know, like a password; something you have, like a YubiKey; or something you are, like a fingerprint. Two-factor authentication requires two of those three things.

The other part of identity that’s important to this “secure authentication” story is access management. You should have access to the things you need to do your job—not more, not less. The AWS Identity team is working on intelligence tools that give administrators the ability to see what roles a person used, what resources they’ve accessed, and what type of work they’re doing, so that admins can confidently scope their users’ permissions to the actions they actually perform. This is called “the principle of least privilege.” And it’s hard. People change jobs, they need to do certain tasks only once a year, or they need access to systems that most people in their role wouldn’t need access to. It’s a complicated problem but it’s one that’s important to solve for the future of the industry.

In your opinion, what’s the biggest challenge facing Identity right now?

Recruiting and education. It’s really hard to get people in the door. The field is exciting. It’s incredibly challenging and provides a lot of value. But it’s hard to explain Identity and Access Management to people so that they know exactly what they’re signing up for. It’s a very wide and very deep field. And once people are in the door, we have to help them figure out how the whole thing works—ideally without needing to spend ten to fifteen years on it.

You sing soprano in an award-winning choir. Tell us about that.

I sing in a choir called Opus 7. One of the things that we like to do is sing more obscure pieces, and pieces by living composers. We recently gave a concert where one of our composers was in attendance. It was a piece that he had written several years ago for a teacher at University of Washington who died. The teacher’s widow was also there, which was really amazingly powerful. Then, we also sang a song by one of his composing students who was also in attendance. One of the things you get when you sing a lot of living composers is an opportunity to sing pieces by female composers. So this female composer wrote a beautiful piece that hardly ever gets sung because people sing a lot of Mozart, Beethoven, and old stuff that people have sung before. We’re bored with that, and we want to highlight the amazing pieces that are being written by new composers.

Author

Sarah Cecchetti

Sarah is the Principal Product Manager for Amazon Cognito. She co-founded and serves on the board of directors of IDPro. She is a co-author of NIST Special Publication 800-63C Digital Identity Guidelines, which outlines federated authentication standards for all US federal agencies. She has been named one of the top 100 influencers in identity. She has been quoted as an industry expert in The LA Times, Forbes, and Wired. Sarah holds a Bachelor of Physics and a Master of Science in Information Management from the University of Washington where she was a NASA Space Grant Scholar.