How AWS helps Customers Meet their Security, Risk, and Compliance Objectives
Hart Rossman’s job is to help customers build the confidence and technical capability to operate their most sensitive workloads with AWS in the cloud. His team spends their waking hours obsessing over how to continually raise the bar for the customer experience in addressing urgent needs around security, risk and compliance.
AWS Enterprise Strategist Clarke Rodgers spoke to Hart about how solutions are borne out of listening deeply—and truly understanding—what’s at stake for the customer, what he looks for when hiring for his team, what services are trending with customers who are moving their security services to the cloud, and how AWS goes above and beyond to ensure that its tools and partners are aligned and optimized.
Conversation in detail
Tell us about your background, how you came to AWS, and what your current role is.
Sure. So, before AWS, I was working in the defense contractor intelligence space, doing a lot of systems integration work, and I really liked it, I loved the mission, I loved supporting the U.S. government and governments around the world and what they did and some regulated industries as well. But I had always kind of maintained this list in the back of my head of the top security companies, right. And in the early part of my career, those were largely consumer focused. So, antivirus, personal firewalls on your desktop, stuff like that. But over time, that list migrated into companies that were providing the infrastructure that makes the world go. And so, companies like Amazon, right, and other big infrastructure providers. And so, I was really at a point in my career, I was looking for that next move. And I wanted to go someplace where they were really innovating on security. That was going to make a difference, not just to a few customers who were very important, but really to the world. And so, I had this opportunity to come to AWS and took it.
And what is your current role at AWS today?
So, these days, I'm the director of the security and infrastructure global specialty practice and professional services, which is a bit of a mouthful. But what it really means is that my job is to help customers build the confidence and technical capability to operate their most sensitive workloads with us in the cloud.
Got it. So, when you're looking at the different professional services offerings that your group offers to customers or makes available to customers, are there any particular mechanisms you follow to make sure that what you're offering is in fact what customers want and/or need?
I’ll give you a very specific example. There was a time a few years ago where we had a couple of customers thinking about migrating payment card systems into the cloud. And what they really needed was a team that both had expertise in cloud and modern operation of payment card systems and also an understanding of the PCI standard. And so, the first time that happened, we thought let’s bring in a partner who's got PCI capability. And that really worked well. It's often the case that customers get the best outcome when they work with AWS and a partner.
We also heard that they want to make sure, though, that the expertise and the guidance they're getting from AWS is authoritative, that partners themselves, like PCI, are qualified. And so, what we ended up doing was writing a six-page narrative, working backward and developing a team that ultimately became a wholly owned subsidiary, AWS Security Assurance Services, which is a PCI QSA company. And now also a HITRUST assessor.
We took that initial feedback from customers, did some experiments, brought in partners, and ultimately built a new business to really delight customers. And, keep partners involved.
That's fantastic. So, there's no internal process that you will offer service X, if there's not an ask for it from customers?
There isn't. And actually in the conversations I've been in, I've been in AWS now a little over nine years, that's frequently discouraged. What is a common trope or meme is, you'll say something in a meeting and somebody will say that's really insightful Hart, we appreciate that point of view, but what are your customers saying? And it's not that they're discounting my expertise, but they recognize, and I recognize, we recognize that we're going to get the right solution for customers when we deeply listen, when we help customers think about their solution through some back and forth. And then we filter that through the lens of expertise. And identify that unique Amazonian solution, we can then take forward to the customer.
So, I imagine everything within your organization, you're constantly having to hire new consultants to satisfy the customer asks. What are some things that you're looking for from that next great AWS security consultant that you're hiring? Is it a deep and broad security expertise? Is it a builder mindset that I just want to fix problems? What kind of backgrounds and talent are you really looking for when you're hiring for ProServe?
So, there's a couple of things, at its core, we're looking for technical aptitude and cultural fit. Cultural fit is alignment with our leadership principles and the ability to kind of think through and internalize them and help us learn more about the leadership principles as we go. And then we also look at technical aptitude, what are they amazing at? And what I really look for there is subject matter expertise in a particular domain and demonstrated ability to work in complementary domains as well.
So, if you're an identity expert, have you also demonstrated that you can apply that in cryptography? Or can you apply that in forensics or in other natural areas? Because, what we find here is that we bring in people who are just absolute experts in their field. They have a tremendous amount of depth, but that depth pushes you to breadth. Because, everybody wants your expertise to help solve their problem, which is just a little bit different from what you do day in and day out. And so, we look for that agility, that flexibility, the ability to look around corners, the ability to apply your practice in unconventional ways.
And then we absolutely look for builders. And we insist that everybody from my EA through our delivery consultants, as well as our managers, all gain technical proficiency on the platform. That's why we're here: to help customers. And if you've never uploaded a cat picture into S3, or if you've never launched an EC2 instance or deployed some code in Lambda, you can't credibly talk to a customer about how they will solve their problem or build their next business on those selfsame services. And so, the ability to roll up your sleeves and really work with the technology and build credible solutions is really important to us.
You meet with a lot of customer C-Suite executives, and of course you have consultants deployed throughout the world, solving customer problems and helping them build different capabilities. Are there any particular trends that you're seeing as far as the security offerings that are being booked through AWS ProServe that customers need help with these days?
One of the things that we really say, and this is, going back really at the beginning of the business, is that customers really don't want to buy insecure infrastructure. And of course at AWS, we provide a very safe and secure set of services. Customers want to know the best way to implement them for their particular business need. And so, these days, for example, containers are all the rage. Everybody's containerizing, they're implementing new, or they're using containers to speed and smooth out a migration. There's a lot of interest from senior executives on how do they get the container security model right. How do they get the operational security things like vulnerability management, scanning, right about their containers and container security. Another area is incident response. Unfortunately, we're seeing in the news a lot of issues around ransomware and other types of attacks.
And again, they want to understand what are the features they can use on AWS to best protect against those kinds of insidious activities. And then how do they best enable their responders to be effective in the cloud, because it might be new to them. They might be absolutely excellent on premise, but now they've got a different set of environments to work with. And so, we see a lot of interest in response. And then the other area is in security engineering. A lot of customers come and talk to us and say, we want to build the way Amazon does. We're comfortable with your services. We think you've done a very good job in the way you expose your APIs, we want to harden our APIs the way you do. We want to have the same DevOps type of software development life cycle that you do. And so, we've recently actually developed a customer engineering capability that has a very strong emphasis on security. And we're working with customers on that as well.
When customers are starting out, they may use ProServe, they may use a partner to help identify what their initial landing zone is. And of course we have Control Tower and other ways to do that these days. What types of services or even documentation do you all offer? And this'll be sort of a two-part question: A, as a customer, how do I know I'm setting things up the quote unquote right way and in alignment with AWS best practices, and B, even if I do all of those things, I might miss something and I may have a problem, whether it's a ransomware event or something like that, is there an opportunity for ProServe to help me there as well?
I'm glad you asked, Clarke. So, there's a couple of things in both parts of your question. On the first part of the question, I always like to ensure customers are very familiar with some of our top line, I'll say inspection tools. You need to be comfortable with Well-Architected. There's a good set of guidance there. You need to be comfortable with Trusted Advisor, you need to be comfortable with Security Hub and GuardDuty. These are the kinds of services that kind of help you understand where you are. And if you've implemented those fundamentals and if they're operating in a way that you would expect them to. And then from the sort of broader education and planning standpoint, we can look at services like APG, AWS Prescriptive Guidance. Which is this really phenomenal treasure trove of best practices and lessons learned from Amazon and our partners on how we do things.
And then we've recently launched a security reference architecture, which is very prescriptive guidance, both in words and in code. So, there's some text where we talk through a variety of use cases and architectural principles, and what was important for me when we were developing that security reference architecture was that it wasn't notional. It's like real architectural drawings that show you how the AWS services function across your account from a security standpoint. So, it's not just vague whiteboarding and arm waving, it's really kind of the physics of security on paper and then, to complement that, real implementation. And so, every use case in the security reference architecture guidance comes with source code that shows you how to implement it in a true reference implementation. And that's something we're going to build on over time.
We're going to add different points of view. We've already gotten phenomenal feedback from customers, not only do they love using it, but they say, what about this use case? What about this use case I have? And so, we're looking at iterating on that as well. And then you also asked about incident response. So, we recently at re:Inforce talked about our customer incident response team capability. That's homed in ProServe. And that's really an opportunity for us to do two things. First, most importantly, help customers look around corners and plan ahead. So that we can prevent any incidents from occurring. But if something does happen, go from a bump in the night to everything's all right. And then there's an opportunity through our support system, where if you have a security event and you need some elevated or escalated help within AWS, we do have this customer incident response team that's in my organization.
And they live, really, to help customers out of a jam. And so, they provide a lot of hands-on support and a lot of guidance in resolving incidents. And in most cases, customers are well attuned to responding to incidents and doing incident management. I think for them, it's often the newness. They maybe haven't done it before in the cloud, or maybe it's the newness of the attack. And so, what they're really looking for is some experts outside their organization. To provide another point of view, to be able to confer, right. And kind of have a conversation around.
About the Leaders
AWS Director Global Security & Infrastructure Practice
Hart Rossman is the Director of Security for AWS Global Services. In this role he is responsible for building with customers, building with AWS Service teams, partner enablement, growth strategies, engagement security, and engagement operations. As a customer or partner you might have experienced some of our innovative work on your behalf including the AWS Cloud Adoption Framework Security Perspective, AWS Security Reference Architecture, Jam Service & events, Security Epics, or the Control Tower Account Factory for Terraform.
AWS Enterprise Strategist
As an AWS Enterprise Security Strategist, Clarke is passionate about helping executives explore how the cloud can transform security and working with them to find the right enterprise solutions. Clarke joined AWS in 2016, but his experience with the advantages of AWS security started well before he became part of the team. In his role as CISO for a multinational life reinsurance provider, he oversaw a strategic division’s all-in migration to AWS.