Title: AWS re:Inforce 2024 - Accelerating innovation securely, featuring JPMorgan Chase (GRC303)
Insights:
- Introduction and Overview: The session, led by Alexis Robinson and Scott Cruikshanks, focuses on embedding security into AWS services to accelerate innovation without compromising security. The presentation includes insights from JPMorgan Chase on their secure innovation journey.
- AWS Security Integration: AWS integrates security into its services from the ground up, ensuring that security measures are not blockers but enablers of innovation. The approach is likened to a marble run, where security controls act as guardrails to keep innovation on track.
- Five Ps of Security Controls: AWS's security controls are guided by five principles: Purposeful, Partnership, Painless, Provable, and Progressive. These principles ensure that security measures are intentional, collaborative, user-friendly, verifiable, and continuously improved.
- Customer-Centric Approach: AWS emphasizes starting with the customer in mind, understanding their journey, and ensuring that security measures align with customer needs and expectations.
- AWS Services for Secure Innovation: Key AWS services that facilitate secure innovation include Control Tower, AWS Organizations, CloudFormation, AWS Config, CloudTrail, IAM, and service control policies (SCPs). These services help with planning landing zones, customizing accounts, and enforcing security standards.
- JPMorgan Chase's Secure Innovation Journey: JPMorgan Chase has developed a centralized process and tooling mechanism to enable secure use of AWS services. They emphasize the importance of not letting security be a blocker to innovation and highlight the need for a standardized process to ensure consistency and efficiency.
- Challenges and Solutions: Common challenges include misconfigurations and regulatory compliance. JPMorgan Chase addresses these by establishing a controls catalog, defining configuration settings, and implementing both preventive and detective controls.
- Testing and Evidence Collection: Before going live, JPMorgan Chase tests preventive and detective controls to ensure they work as intended. They also collect evidence to streamline regulatory and audit processes.
- Continuous Improvement: Both AWS and JPMorgan Chase stress the importance of continuously testing and improving security controls to adapt to new risks and ensure ongoing compliance and efficiency.
Quotes:
- "Security is not necessarily a blocker for innovation. It should really accelerate how you think of innovation."
- "The best security control is something that an engineer barely even feels."
- "It always starts with the customer. You always have to think of the customer first, not about just security."
- "The option of saying no may be the most secure way of doing it, but it's just not an option."
- "We don't want 10 different marble runs. We want one process, one marble run."
- "Misconfiguration of cloud services is the number one cause of public cloud breaches."
- "Shifting those controls as far left in the process as possible speeds up the process."
- "Make sure your process is repeatable. Get that muscle memory. Do it, refine it, get the engineers involved."
- "Continuously test everything's working. Somehow, somewhere, I'm sure something will break, so you just want to be testing it and aware of it."