Amazon.com CTO Werner Vogels is warning enterprises against treating security as an afterthought, as the pace of software development and innovation in their organisations increase.
During the final day keynote at the Amazon Web Services (AWS) Re:Invent partner and user conference in Las Vegas, Vogels said every software developer has a duty of care to ensure security is factored into every step of the product design process.
“Security is all of our jobs now. It’s no longer just the security team. If you’re doing continuous integration and continuous development, you have to make sure everyone [in the team] is a security engineer,” he said.
“Maybe in the past you could have a three-month [software] development cycle, [and] have a review afterwards by security team engineers, but that’s no longer the case.
“We move fast, we do 20 to 30 deployments a week or a day, in fact, so the pace of innovation needs to meet the pace of protection,” Vogels added.
He also used part of the three-hour keynote presentation to emphasise why it is so important for enterprises to encrypt their customers’ personally identifiable information (PII) and their own corporate data, when in transit and at rest.
“I believe we [the enterprise] have not taken encryption seriously enough. But you should encrypt like everyone is [watching],” he said.
“Encryption is the only tool you have to be absolutely sure that you are the only one who controls access to your data,” he added.
Avoidance of encryption
Vogels said enterprises may have been put off of using encryption technologies in the past because of how difficult they were to configure, but organisations can no longer cite this as a barrier to adoption.
“It’s a whole different story today. Encryption is integrated in almost all of our AWS services and ready for you to use,” he said.
“Five years ago or six years ago, we were still talking about if https was too expensive, now every consumer service runs off https. And so encrypting your data – both in transit and at rest – should be your default behaviour.
Read more about AWS
- The second-day Re:Invent keynote saw AWS lift the veil on 22 new cloud products and services, and aim a few more jabs at Oracle's database proposition.
- Ahead of Re:Invent 2017, AWS CISO Stephen Schmidt discusses how the cloud giant addresses user demand for new products and services, without compromising on cloud security.
“There is no excuse anymore not to use encryption. At minimum, encrypt PII of your customers and your critical business data…[and] make sure you can protect your business and customers at all costs,” he added.
Vogels’s words of warning come hot on the heels of a spate of incidents whereby misconfiguration errors made by users of its Simple Storage Service (S3) system have resulted in organisations inadvertently leaking data.
In response, AWS recently introduced default encryption on S3 buckets to prevent other companies from suffering a similar fate.
At this year’s Re:Invent, the company also beefed up its cloud security portfolio through the introduction of its managed threat protection service, GuardDuty.
The service is one of 70 new products debuted at the 2017 show, and is designed to continuously monitors users’ AWS accounts and workloads for signs of malicious use, unauthorised access or evidence of possible reconnaissance work being carried out by hackers.