AWS CISO CJ Moses on cybersecurity in the cloud

Hello and welcome to Protocol Enterprise! Today: AWS CISO CJ Moses lays out the company’s approach to cybersecurity, the FTC takes a closer look at AI and what former Cisco and Nicira exec Steve Mullaney is working on at Aviatrix.

Owned, not pwned

If Amazon EC2 has a security issue, the AWS leader in charge of the service is ultimately responsible, according to AWS CISO CJ Moses.

This is because AWS’s internal security model is based on parent company Amazon’s single-threaded ownership culture – leaders have end-to-end responsibility for their team’s products, and that includes the security of those products.

  • “If EC2 has a security issue, the owner of EC2 knows it’s their responsibility,” Moses told Protocol in a recent interview.
  • “It’s also my responsibility to allow them and make sure that doesn’t happen…but right away they know it’s their business, and they’ll be the ones…responding to that.”
  • AWS works to prevent such issues from occurring by building security into the design of its products and services from the start, according to Moses.
  • “Finding a problem after something has gone into production and is released to the public, and you have a CVE and all that process, it’s very expensive to mitigate that and then fix it,” Moses said. “We moved as far to the left as we could and mechanised things.”

Moses became CISO of AWS in January, succeeding Stephen Schmidt, who is now Amazon’s CISO. He first joined AWS in 2007 after leading technical analysis of computer and network intrusion efforts for the FBI’s Cyber Division and serving as a computer crime investigator for the Air Force Office of Special Investigations.

  • Moses, Schmidt, Andrew Doane, and Eric Brandwine started at AWS around the same time. “Our job was the dedicated Utility Computing team – the DUC team, also known as the Federal Government, [because] you had a group of us from the FBI,” Moses said.
  • AWS’ security history was “very weak” from day one, according to Moses.
  • “We thought about the mission we had previously and how we could create from scratch the environment we needed to be able to do the highly secure work we were doing,” he said.
  • “No other cloud provider has ever had this kind of capability built from day one by the paranoid group that we have, with the expertise, that has pursued hackers around the world,” Moses said.

Read Protocol’s full interview with Moses here.

— Donna Goodison (E-mail | Twitter)


Shortage of microchips could harm national security: The global shortage of semiconductors has hampered production of everything from pickup trucks to PlayStations. But there are more serious implications than a shortage of consumer goods. If the United States does not ensure continued domestic access to advanced semiconductor manufacturing, experts say our national security could suffer.


FTC flags AI rules, wants companies to comment

Think the Federal Trade Commission’s proposed rules on commercial surveillance and data security are only for advertisers or social media companies? Think again.

Any company using algorithmic or automated systems to make decisions that affect people – the technology often referred to as AI – could be subject to the potential rules, particularly if it harms or discriminates against protected groups in housing decisions, employment or health care.

But there are no new rules yet. For now, the agency wants companies and other stakeholders to comment on any data use restrictions for automated systems. Thus, it solicits public comments on nearly 100 questions.

What could the FTC’s AI rules look like? Here are some clues:

  • Prove the accuracy of AI – The FTC asks several questions about the prevalence of algorithmic errors, whether and how companies could mitigate them, and whether they should be allowed to use automated systems even when they make errors “in critical areas, such as housing, credit and employment.”
  • Prohibit or limit discriminatory AI – In recent years, companies have touted their commitments to prevent unfair and biased AI-based decisions, and some have adjusted algorithmic models to ensure they are not using certain types of data that could cause these problems. Now the FTC is questioning whether that’s enough and asking whether it should ban or limit the use of discriminatory automated systems.
  • Require AI audits and reports – Some federal bills have called for audits or assessments of algorithmic systems, and a New York City law requiring “bias audits” will take effect in January. But the FTC wonders if it should intervene. Question number 92 on the FTC’s survey list asks whether the commission should require self-reported or third-party audits of commercial surveillance practices, and if so, how often.

Want to comment? A link to submit comments to the Federal Register will be posted here “as soon as it becomes available”. Meanwhile, the FTC will hold a public forum on the proposed rules on September 8. You can find more information on how to submit comments here.

-Kate Kaye (E-mail | Twitter)

Network effects

Steve Mullaney describes himself as a “37-year-old networking veteran,” with stints at Cisco, Force10 Networks and Palo Alto Networks, among other companies. He was the CEO of Nicira, a network virtualization and software-defined networking company, when VMware acquired it for $1.26 billion in 2012.

“I stayed at VMware for a few years and then I said, ‘That’s it, I’m done, I’ve had a great career, and I’m just going to retire and travel the world, be a part of boardrooms and have a great life,'” Mullaney told Protocol. “And then this thing called the cloud happened.”

Mullaney was a board member of Aviatrix — then a networking tools company helping to plug holes in AWS networking — and had been retired for five years when he became its CEO in 2019.

“If you had asked a company eight or more years ago, ‘Are you going to move to the cloud,’ they would have said, ‘No, it’s too expensive, it’s not secure enough,'” said Mullaney. “It was just DevOps people swiping a credit card and spinning workloads, and it wasn’t enterprise IT that was part of it. Suddenly, the conversation changed overnight.”

Mullaney knew immediately that enterprises would embrace multicloud strategies, and he saw that an enterprise could become the equivalent of what Cisco Systems was for on-premises networking. It wasn’t going to be Cisco, Arista Networks or Juniper Networks, he said, “because when you have a transformation that happens where on Monday nobody does something and then Tuesday everybody does it. fact, the incumbents can’t handle that.”

“I said why not Aviatrix?” Mullaney said. “At that time, we had about 100 customers. We were completely born in the cloud.”

Today, Aviatrix is a cloud networking and network security company that expects to hit $100 million in ARR this fiscal year, up from $3.5 million when Mullaney became its chief. It landed an additional $200 million in funding last September, bringing its valuation to $2 billion, and expects an IPO within 18 months.

“It’s a whole other level of intelligence that we’re building into the network,” Mullaney said. “People will get rid of their MPLS [multi-protocol label switching]. They’re going to leverage the backbones of AWS, Azure, and Google, and they need a control plane to basically be the global route control plane on top of that. It will be us.”

— Donna Goodison (E-mail | Twitter)

Around the company

South Korean SK Hynix is looking for a site in the United States for a proposed chip fab, and construction could begin as early as next year, according to Reuters.

Huawei’s cloud business jumped 28% in the first half of the year, helping it offset an overall drop in revenue and gain ground over rivals Alibaba and Tencent.


Shortage of microchips could harm national security: To ensure America’s security, prosperity, and technological leadership, industry leaders say the United States must encourage domestic chip manufacturing to reduce our dependence on chip producers in East Asia for critical electronic components.


Thanks for reading – see you Monday!
