As Chief Information Security Officer (CISO) of Amazon Web Services (AWS), Chris Betz is responsible for the security of AWS's cloud infrastructure. That includes protecting the data of AWS customers and, by extension, the data of those customers' own customers. Having been an AWS customer himself, Betz brings an informed, first-hand perspective to this enormous and crucial task.
Just before AWS re:Inforce, the company's annual cloud security conference, Betz shared seven reasons, in his own words, why security has been a company-wide priority from day 1 and will always remain Amazon's top priority.
- Good security is essential for experimenting with new technologies, including Gen AI
Generative AI can transform virtually every customer experience through powerful tools that are accessible to everyone. However, without clear governance, generative AI is raising security and privacy concerns. As a result, it’s not uncommon for employees at organizations keen on generative AI to see security as a gatekeeper—or the “Department of No.” That is not only wrongheaded but bad for business. At AWS, we’ve always believed that security is a business enabler. Security reduces risk, reinforces resilience, and empowers customers to innovate faster and with confidence—especially in the rapidly evolving era of generative AI.
We want to get our customers’ security teams to the place where they are seen as the “Department of Yes,” and where they work with employees to support their business objectives, understand risks, and help them put the necessary mitigations in place.
- Security is everyone's responsibility—from the CEO to the developer
A recent report from a U.S. government advisory board makes clear that a deficient security culture can be a root cause for avoidable errors that allow intrusions to succeed and remain undetected. At AWS, we made an intentional choice for the security team to report directly to the CEO. The goal was to build security into the structural fabric of AWS. Security starts at the top, but it’s just as important that responsibility flows from the bottom up. Security is not just the security team’s job—it’s a distributed responsibility.
Every product team is responsible for the security of the service or capability that they deliver. Security is built into every product roadmap, engineering plan, and weekly stand-up meeting, just as much as capabilities, performance, and cost are. The best security is not something that can be “bolted on” at the end of a process or on the outside of a system; rather, security is integral and foundational.
- A secure approach to Gen AI involves giving customers control over their data
The biggest concern I hear from customers as they explore how to adopt generative AI is how to protect their data as well as the data of their end customers. From day one, AWS AI infrastructure and services have had built-in security and privacy features to give customers control over their data. Our AWS Nitro System plays a key role here. Nitro’s specialized hardware and associated firmware enforce restrictions so that nobody, including anyone at AWS, can gain logical access to the underlying infrastructure, workloads, or data running on customers’ Amazon Elastic Compute Cloud (Amazon EC2) virtual servers.
When it comes to securely building generative AI applications, our Amazon Bedrock service gives customers full control over the data they use to customize the foundation models behind their applications. With Bedrock, their data is encrypted in transit and at rest, ensuring that their data remains private and confidential.
- Generative AI has the potential to enhance customer security
The same power and ease of use that is making generative AI extremely attractive to customers also makes it an indispensable tool to IT and security administrators to help them identify and resolve issues more effectively. At this year’s re:Inforce, we announced two new generative AI-powered security features:
A new natural language query generation capability enables security administrators to easily and quickly analyze activity events in AWS CloudTrail Lake, a service that lets organizations store and query events for security investigations. Now security administrators can ask questions such as “How many errors were logged during the past week for each service, and what caused each error?” and CloudTrail will generate a query.
AWS Audit Manager customers can now access a prebuilt framework to understand how their generative AI implementation on Amazon SageMaker matches AWS recommended best practices. SageMaker customers can now start auditing their generative AI usage and automating evidence collection, providing a consistent approach for tracking AI model usage and permissions, flagging sensitive data, and alerting on any issues.
- The best security defense is a good offense
Every day across AWS infrastructure, we scan for, detect, and thwart cyberattacks. With the largest public network footprint of any cloud provider, AWS has unparalleled insight into certain activities on the internet, in real time. Last fall we shared details about MadPot, our globally distributed network of threat sensors (aka honeypots) that help our teams understand attackers’ tactics and techniques. Any time an attacker tries to target one of our threat sensors, we use that threat intelligence to help protect customers.
Additionally, at re:Inforce this year, for the first time we publicly discussed Sonaris, an internal tool we use to analyze network traffic to identify and stop malicious attempts to connect to a large number of customer accounts to find vulnerabilities. Between May 2023 and April 2024, Sonaris denied over 24 billion attempts to scan customer data stored in Amazon Simple Storage Service (Amazon S3) and prevented nearly 2.6 trillion attempts to discover vulnerable services running on customers’ Amazon EC2 virtual servers. This is a staggering amount of work that happens behind the scenes to ensure that a customer’s business continues uninterrupted.
- Good security includes getting the basics right
While passwords help protect digital assets, they are not enough. Multifactor authentication (MFA), which requires users to provide more than just a password to access a website or application, acts as an additional layer of security. It’s been around for more than 20 years but still isn’t universally adopted.
To help AWS customers safeguard their accounts, earlier this year we started a new program that will enforce MFA for root user accounts of AWS Organizations—a tool to manage AWS environments with multiple accounts—to further reduce the risk of account takeover, offering customers a free MFA security key. To make MFA even easier to adopt, at re:Inforce this year we announced that AWS Identity and Access Management (IAM)—a tool used to securely manage identities and access to AWS services and resources—now supports passkeys as a second authentication method. Passkeys use public key cryptography, which enables strong, phishing-resistant authentication that is more secure than passwords.
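The basic check behind this point is whether any principal in an account can still sign in without MFA. The following is an added example, not code from the post or from AWS: it parses the CSV layout of an IAM credential report (the output of `aws iam get-credential-report`, decoded) and flags the root user and any password-enabled IAM user whose `mfa_active` column is false, plus any active root access key, which MFA does not protect. The sample rows are constructed and the account ID is a placeholder.

```python
import csv
import io

# Constructed sample in the column layout of an IAM credential report.
# Only the columns this check reads are meaningful; every value is made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-30T00:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,false
bob,arn:aws:iam::111111111111:user/bob,2022-06-07T00:00:00+00:00,true,no_information,2022-06-07T00:00:00+00:00,N/A,false,false,false
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""


def mfa_findings(report_csv: str) -> list[dict]:
    """Return one finding per weakness visible in the credential report.

    Root can always sign in to the console (its password_enabled column reads
    'not_supported'), so it is checked unconditionally. IAM users are checked
    only when password_enabled is true; key-only users such as a CI robot have
    no console login, and MFA would not protect their keys anyway.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        mfa_on = row["mfa_active"] == "true"
        console_login = is_root or row["password_enabled"] == "true"

        if console_login and not mfa_on:
            findings.append({
                "user": user,
                "issue": "console sign-in possible without MFA",
                "severity": "critical" if is_root else "high",
            })

        # Root access keys bypass MFA entirely; they should not exist at all.
        if is_root and (row["access_key_1_active"] == "true"
                        or row["access_key_2_active"] == "true"):
            findings.append({
                "user": user,
                "issue": "active root access key",
                "severity": "critical",
            })
    return findings


if __name__ == "__main__":
    for f in mfa_findings(SAMPLE_REPORT):
        print(f"[{f['severity']}] {f['user']}: {f['issue']}")
```

Against the constructed report the check reports root twice (no MFA, active access key) and `bob` once; `alice` has MFA and `deploy-bot` has no console password, so neither is flagged. On a real account, feed it the base64-decoded `Content` field of the credential report and treat any critical finding as a stop-the-line item.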
- Ensuring security demands a continuous commitment to innovation
Every day, the world’s fastest-growing startups, largest enterprises, and most trusted governmental organizations use AWS to run their technology infrastructure. They chose us because security has been our top priority from day one. We designed AWS to be the most secure way for our customers to run their workloads, and we’ve built our internal culture around security as a business imperative. We continue to innovate on behalf of our customers so they can move quickly, securely, and with confidence to enable their businesses, and our track record in the area of cloud security is second to none. Cybersecurity challenges will continue to evolve, and while we’re proud of our achievements to date, we’re committed to constant improvement as we innovate and advance our technologies and our culture of security.