AWS Security Blog

AWS Security Profiles: Steven Laino, Security Architect

In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.


How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS for about 18 months, and I’m a Security Architect in the Global Security, Risk and Compliance Practice. My role is to help customers build the confidence and security capabilities they need in order to migrate their most sensitive applications to AWS.

What are you currently working on that you’re excited about?

So many things. I enjoy working on frameworks and methodologies, like the Cloud Adoption Framework. These resources help customers understand security in the cloud and more easily meet their security and compliance requirements. While security and compliance in themselves might not sound exciting, they really are an exciting piece of my work—as a customer, I’ve been through the experience of migrating to the cloud within a financial services company, and I’ve taken that experience with me to AWS. Now, I get to help other customers navigate the same process. Another area I’m focused on is innovating new ways to accelerate invention on behalf of our customers by developing tools and methods that help consultants more easily get their ideas to the proof of concept stage so customers can benefit even faster.

What’s the most challenging part of your job?

Time management is an ongoing challenge. There are so many areas in which we’re helping customers and doing really interesting work, and I want to be involved in as much of that as possible. It’s difficult to prioritize your passions like that. This leads me to one of the things I love most about my job: looking at the customer experiences, figuring out the pain points, and reinventing them.

What does cloud security mean to you, personally?

I care a lot about technology. I’ve been in IT for 30 years, and I’ve founded companies, one of which was an internet service provider. I think a lot of my passion for the cloud comes from the fact that I’ve been a customer and I’ve been on that adoption journey. It’s important to me to help customers understand the attention to detail and the standards we have at AWS. All of this enables them to keep their data secure which, in turn, allows them to pass that confidence to their own customers—more so than they’d be able to do on their own with their own data centers. Technology can help our customers make a better experience for their customers.

What’s the biggest challenge standing in the way of cloud adoption right now?

From a customer perspective, the biggest challenge is just achieving the understanding and education to reach that ah-ha moment where you understand how it really works and just how much due diligence AWS is putting in. AWS is vigilant about our customers’ security and privacy, and one of the great things about the cloud is that all of our customers get the benefit of all the best practices, AWS policies, architecture and processes that we’ve built to satisfy the requirements of our most security-sensitive customers, which is really a big deal once you start to put the pieces together. The other challenge a lot of people face is just knowing where and how to begin the cloud adoption process. And that’s where the Cloud Adoption Framework comes in. It’s an organizational tool that helps people identify the controls that they need, align them with their current compliance regime, and then actually implement them in a methodical way.

What’s the most common misperception you encounter about cloud security and compliance?

A lot of people think cloud security means only technical controls. The truth is that the move to the cloud requires an organizational and process transformation as well. Organizational shifts might include having developers, operations and security teams work very closely together, plus the integration of current processes to the cloud, for example, integrating the new cloud constructs into your current incident response workflows. Speaking from my own past experience, and from working with customers over the past 18 months, it’s common to encounter this misperception. But once you dive into the details and start to realize that security means people, platform and process, that perception shifts. And again, part of my job is to build confidence in our customers by helping them understand that and guiding them through the process.

Initially, many people also think that they’re going to have to rewrite all of their security policies and standards for the cloud. But they often don’t really need to do that. That’s because the “what” and “why” behind the security policies does not change, although the implementation of those policies does. So instead of a rewrite, it becomes more of a translation.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

I think we’ll see more automation, compliance implementation, and related tools, like compliance and audit checks, coupled with automated remediation for things that aren’t compliant. I also think we’ll see more AWS Quick Starts, which are preconfigured reference deployments that customers can use to build complete environments in just a few steps.

Another shift we’re already seeing has to do with security professionals changing their skill sets: traditionally, these folks were more likely to have backgrounds in system administration or networking, and they probably weren’t developers by practice. But that’s led to challenges as organizations shift to the cloud and need employees who know how to do things like write security as code and understand how policies are codified. These skills are starting to develop, so I think we’ll continue to see more security professionals growing their skills in CloudFormation and programming. More and more, it’ll be a true DevSecOps environment.

How did you choose your 2018 re:Invent topic?

I’m really excited to be presenting at re:Invent, and I initially chose a topic that I was passionate about: the AWS Cloud Adoption Framework. After I pitched to the re:Invent team, they asked if I’d be interested in co-presenting with Ben Potter and expanding the session to include both the Cloud Adoption Framework and the Well-Architected Framework. They’re a natural fit. So together, we’re presenting a session called Security Framework Shakedown: Chart Your Journey with AWS Best Practices.

What are you hoping that your audience will take away from it?

I want them to leave saying, “I finally understand how to begin helping my company migrate to the cloud.” My hope is that people will leave feeling like they know where to start and what the journey will look like, and that they’ll return to their jobs, read up on the Cloud Adoption Framework, and then piece together the foundational components that they need in order to begin the adoption process, things like inventorying their security controls and their tools and then mapping them together. Based on my own experience, once you realize that it’s not as difficult as you originally thought, you feel very energized. It tends to be another ah-ha moment.

If you had to pick any other job, what would you want to do with your life?

I would want to continue my previous path in law enforcement, which is interesting because there’s a parallel: If working as a security architect wasn’t an option and AWS didn’t exist, I’d still be doing work that helps ensure a secure environment.


Author

Steven Laino

Steven is a Security Architect with AWS Professional Services. His career in Information Technology spans three decades and includes the founding of a physical security company as well as one of the first internet service providers in the US. For the past ten years, he’s helped financial service companies move sensitive workloads to the cloud. Steven holds CISSP-ISSAP, CCSP & CISM Security certifications and is a contributor to the Center for Internet Security Controls Framework.