AWS Security Profiles: Akihiro Umegai, Japan Lead, Office of the CISO

In the weeks leading up to the Solution Days event in Tokyo, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.

How long have you been with AWS, and what is your role?

I’ve been at AWS for six and a half years. I’m the Japanese representative for the Office of the CISO, a team that’s led by Mark Ryland. We play a supporting role for Steve Schmidt, the Chief Information Security Officer for all of AWS. I help with external-facing functions as well as handling some internal cloud security mitigation tasks.

What are some differences between your role as Japanese representative for the CISO versus what your US counterparts do?

When US companies want to do business in Japan, they face a language and cultural barrier. Perhaps as many as 95% of Japanese companies don’t fully utilize English, which makes it hard to effectively communicate with most US companies. Japan also has traditional business systems and cultural ways of doing things that can seem very unique to outsiders. We put a lot of emphasis on communication and trust-building. Those might be the two most unique elements of doing business in Japan.

There are challenges, but the market size is potentially huge. I tell people that I function as the shock absorber, or stabilizer, between Japan and US headquarters. I interpret the directions of the AWS US team, adapt them to the Japanese market, and then communicate with our Japanese customers.

What’s the most challenging part of your job?

At a certain level, the Japanese market tends to follow the trends of the US market. For example, in Japan, there is a similar need to have Chief Information Security Officers: people who makes decisions about comprehensive security issues on behalf of their companies. However, the concept of a CISO is just beginning to take hold, and CISOs might not be fully considered a primary part of corporate C-level functions. I feel that we need to support our customers’ security leaders in order to help them solidify their security posture.

Historically, Japanese companies have also outsourced many of their IT functions, with Japanese local system integrators supporting these processes. Our customers often need to work with their partners to make decisions, including decisions about security operations and even some compliance matters. It’s critical to involve these local partners, who are very familiar with Japanese customs and business. When I create a security and compliance reference document for any guidelines in the Japanese market, I always form a partner group with three to six partners who know the specific domains in their particular market. Our combined effort allows us to produce practical, customer-centric solutions. These types of partnerships also help us get remarkable attention from the Japanese market: “Big, local, and traditional Japanese system integrators are working with the US cloud vendor AWS!” That process of developing great relationships with partners is the tough part of my job. I might spend 30 – 40 percent of my time in direct customer communication, and 60 – 70 percent of my time communicating with partners.

What are some of the broad differences between global and Japanese markets with respect to the cloud?

As one example, in the financial arena, Japanese regulators are very serious and tough. The main regulator is the Financial Service Agency — the FSA — which controls the issuance of bank licenses. It’s hard to get those licenses in the Japanese market. In contrast, bank regulators in the EU have already issued a license for “challenger banks” that primarily utilize cloud environments for their systems. The total cost of establishing this type of “cloud-based” bank is significantly lower than establishing a traditional on-premise, mainframe-based banking system. It’s a remarkable use case for Japanese regulators and customers. Such new, cloud-based systems usually employ “ready-made” banking system middleware, which is already configured to serve banks’ main functions — customers can purchase the middleware, put it on AWS, and then start a bank within a short period of time. The US-based bank Capital One is another interesting use case: they represent an “all-in” approach of moving all their workloads from an on-premise environment to AWS. You can read the case study here.

However, I do not mean Japanese regulators or banks are behind. They are very rigorous about following rules, and they are very diligent about keeping the trust of their customers. They’re handling the adoption of new technology with care and precision, and they’re interested in listening. In fact, Japanese regulators and related entities, like the FSA, the BOJ (Bank of Japan), and the FISC (Center for Financial Industry Information Systems) are keen to learn good practice from global case studies and new technology use cases in order to enhance Japanese financial business. I’m always looking for interesting, attractive use cases from outside to openly share with them.

What’s the most common misperception you encounter about cloud security and compliance?

Some customers assume that they still need to perform physical data center audits, even if there is no clear objective to visiting the data center. When customers ask me about physical data center audits, I always encourage them to leverage our third-party audit reports (like our SOC-2 reports) and refer to our digital tour of an AWS data center to get a sense of how AWS operates. However, I think risk residing in physical data centers is just one part of the entire process of risk control, and other, more important controls must be emphasized. For example: How will you detect and catch unauthorized access? How will you process detailed logs from various sources? Can you automate security operation by utilizing new, cloud-based security functions to reduce human-based operational risk? Part of the challenge is that AWS needs to translate more of our audit reports (something that is partially my duty). It’s difficult for Japanese customers to interpret a SOC-2 report in English when even native English speakers might have difficulty with the extremely detailed security language. Better translations would directly help us do a better job of explaining these concepts to our customers.

Another common misunderstanding stems from how to perform system audits in a cloud environment. Most existing audits are like a sample base. You can’t read through every log or piece of evidence like a book. For example, auditors might check page 10, skip to page 30, finish sampling, and end the audit. There are “not-yet-checked” portions of the accumulated logs that could have potential residual risk, which is skipped. But in a cloud system, we can gather every detailed log. Most AWS service functions produce lots of detail, and we can process the logs either with Amazon GuardDuty, or machine learning, or third-party log consolidation tools. Ultimately, we’re able to perform a much more detailed, accurate audit — and many customers miss this fact. There’s a gap between what the “compliance audit guy” knows and what the cloud security engineer knows. Compliance professionals don’t always have a deep understanding of technology. They don’t always know how to gather logs from cloud-based systems. But security engineers do. We need to connect these people and go through how to perform audits in cloud systems in a more effective, holistic way to truly secure systems and reduce risk.

What’s your favorite part of your job?

Disruption via new concepts and offerings. Let me give you an example: The Center for Financial Industry Information Systems (FISC) develops and publishes general system security guidelines for financial institutions in Japan. Five years ago, when I called on regulators or regulated customers, they’d all ask me, “What is cloud? How is it different from on-premise? The regulations don’t have any mention of cloud, so we aren’t sure how it could be utilized under the current guidelines.” Customers didn’t know what sort of reaction they’d get from regulators if they moved to the cloud. But over the past five or six years, I’ve shared our security practices and knowledge step-by-step — what’s going on in the US and global markets, which big customers have started using AWS for regulated workloads, and so on. And regulated customers have come to understand that the cloud is a more efficient way to achieve their security compliance. I share market information and techniques that regulated customers can use to think about cloud security controls. Regulators and regulated customers have started to slowly change their perception and become more accepting of the AWS concept of security and compliance. For the last two years, I’ve actually been an official member of some of the expert councils at FISC. Helping to change peoples’ perceptions like that is exciting!

What do you hope your audience will gain from attending AWS Solution Days?

Our goal is to share how AWS can help customers get one step ahead in the fields of cloud security and compliance. We recently announced two major security services, AWS Security Hub and AWS Control Tower, and I hope Japanese customers will see how they can use these services to continue improving their security posture. In addition, the Japanese government has recently become interested in changing their policy for employing the cloud for government systems. They have a lot of interest in how cloud is used in the US. One of the goals of AWS Solution Days is to share what’s going on in US government systems. It should be equally interesting to people in the commercial sector, in terms of learning how high-security systems are being achieved in AWS environments.

What should first-time travelers to Tokyo do or experience?

When you visit Japan, I would suggest trying new foods, especially if you like sushi. The sushi bars have fish that is fresh and super high quality, so order something new off the menu, even if you think you might not like it. It could disrupt your perception of seafood! You might leave with a new appreciation!

Also, American people are sometimes surprised to find that Japan is a very westernized country, although it still retains its own very unique culture. You’ll see McDonalds, Starbucks, lots of US-based companies. There’s lots of American culture, in fact, but it’s all modified by Japanese language and culture, resulting in a new, interesting experience.

You are a DJ: What’s a recently released album that you’d recommend?

I really like club music, like techno and American heavy metal. In addition to being a DJ, I sometimes play the electric guitar. So I would instead recommend one old song which changed my life and turned me from a heavy metal guitar kid into a synthesizer geek. The band is Orbital, and on their 1992 album “Diversions,” there is a song called “Impact USA” that’s my all-time favorite. It’s a beautiful track — it has beautiful melodies and an atmosphere that I think make it universally appealing, even if you don’t typically like techno.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

The AWS Security team is hiring! Want to find out more? Check out our career page.