Dave Vellante and John Furrier, on SiliconANGLE’s theCUBE, sat down on Thursday with Steve Schmidt, VP and Chief Information Security Officer for Amazon Web Services. Before joining Amazon, Schmidt was a section chief with the Federal Bureau of Investigation and he has degrees in economics, law and computer science.

Furrier started the conversation noting this must be a very interesting time as security is the primary concern of anyone who is thinking of adopting the cloud for their enterprise. He points out the cloud and Amazon have quite definitely proved themselves on this front. However, Furrier was curious to know what the security conversation was that was occurring, not only internally at Amazon, but also among attendees at the conference.

According to Schmidt, “The biggest conversations we have internally is how we reduce the perimeter around information. Customers are just demanding we keep shrinking the boundaries around information and give them more and more control over who can see what from where and when.” He continued, “It used to be people fell into one of two buckets. You were a normal user or maybe you were an administrator. And there wasn’t anything in between. That’s no longer sufficient. People want to make sure that you can access this data from your smartphone. But somebody else who’s not authorized can’t.”

Schmidt also spoke to the idea of perimeter security in relation to the burgeoning API economy. “It’s all about making sure that when you expose information, you do so in a manner that is consistent with customer expectations. So, it’s ensuring you’ve got the right crypto that customers can use to wrap their data up in and keep safe.

“It’s also about giving them visibility into their network and the use of their data. Like with Amazon CloudTrail, which we just announced here at the show. It allows customers to see every API call they make into some of our services. And more importantly, it allows them to see behind the scenes on API calls that our services make on their behalf.” Schmidt believes, in relation to data breaches, the industry needs to move to a real-time approach. He makes this in light of the fact it takes, on average, 400 days for a breach to be noticed. “One of the things we aimed for with launching CloudTrail is to give customers logs every five minutes.” This, he says, will give them more rapid access to be able to identify interesting behavior and to then investigate it and learn what is going on.

Security is all about people

Schmidt also seems to have a very well-rounded philosophy and approach to understanding security and its implementation:

“Security is all about people. Quite often security practitioners focus on ‘this particular piece of data’ or ‘this particular control’ when in reality it’s understanding humans. It’s all about figuring out how people need to work versus want to work,” he said. “Or how bad guys think and how they want to access information inappropriately. So, there’s a lot of transference about knowledge about understanding the behavior of humans into this technical world.”

Taking that philosophy into account, Vellante queried of Schmidt, “What is security the Amazon way?”

“Security the Amazon way is all about ensuring you build security in from the start. A lot of people, especially in an older technology environment have to bolt security on after the fact. That’s really tough to do well. And more importantly, it’s really tough to do well that doesn’t cause the user headaches.” Continuing he stated, “So one of the things we focus a lot on is designing in, at the very beginning, the appropriate security that our customers are demanding. It means putting security engineers into service teams rather than having them sit outside in a separate organization. Every time a decision is made in the design process, it is made with security in mind.”

Schmidt and his security team are based in the Washington, DC area. This, he notes, is very advantageous for a couple of reasons. First and foremost, the Federal government, a huge Amazon customer also happens to be in the neighborhood. And they, more than some, have many security concerns that shear proximity makes it easier to address. The second advantage, according to Schmidt, is the number of universities in the region that turn out very sharp security engineers.

The renaissance perspective to security

The interesting and varied background Schmidt brings to Amazon allows him to view the same security issues from two distinct perspectives. As he states, “Security is not just one thing. It’s both an art and a science.” The art he refers to is being able to balance the needs of customers to access information to get business done…with the desire to make sure you protect that which is really important.”

The science perspective points the way to design the controls that will help you and your customers to achieve those security goals. “The balancing act is often both law and economics. The science portion of building controls comes directly from computer science.”

Even though Amazon employs a ‘security through obscurity’ model, meaning no customers and almost every Amazon employee has no knowledge of actual physical addresses of their data storage facilities, Schmidt believes this is a strength for Amazon and their customers alike. He concedes security through obscurity, while not wholly sufficient, is a starting point.

Most importantly, Amazon uses the services of Ernst & Young to audit each of their data storage centers. Customers are granted full access to these audits. A typical audit will consist of review of their 60-day visitor access logs, CCTV footage and all badge access controls for a given facility.

Wrapping up the conversation, Furrier asked Schmidt to create the bumper sticker that would succinctly sum up the message of this year’s AWS re:Invent conference. Schmidt’s reply: You Can Be More Secure In The Cloud Than You Can Be On Premise.

The entirety of the conversation can be viewed here.