At Amazon Web Services (AWS) security is ‘job zero’. We’ve built an extensive set of security and encryption services to help customers innovate and stay secure in the cloud.
Under our shared responsibility model, AWS is responsible for the security ‘of’ the cloud. This means protecting the infrastructure that runs all the services offered in the AWS Cloud, which includes 230 security, compliance, and governance services built to satisfy the security requirements for defence, global banks, and other high-sensitivity organisations. AWS customers manage the security of their own applications and data and are responsible for security ‘in’ the cloud.
Cybersecurity incidents currently cost Australian businesses up to $29 billion a year, which is increasing the need for organisations to bolster their cyber strategy and invest in capabilities to maintain the highest level of security in the cloud. The need for these skills is also supported by findings from a recent report commissioned by AWS and prepared by AlphaBeta, which shows that cloud architecture design and cybersecurity are anticipated to be two of the top five in-demand digital skills in Australia by 2025.
Improving cybersecurity capability can help organisations to better calculate residual risk, respond quickly to threats, and accelerate their move to the cloud. However, cybersecurity often demands considerable time and resources, which is a big task for any organisation. AWS has created a community of organisations, AWS Partners, who leverage AWS to build solutions and services for AWS customers. AWS Partners can remove some of the heavy lifting for customers by specialising in AWS Security Competencies. These companies have deep technical ability and proven success in securing every stage of cloud adoption, from initial migration through ongoing day-to-day management. The breadth and depth of our security services mean AWS Partners are able to easily build secure solutions for their customers to free up the customers’ resources and help them to focus on driving growth and innovation.
Here are some examples of how AWS Security Competency Partners have assisted our customers by delivering security-focused solutions.
Secure from the start
The first Australian organisation to gain the AWS Security Competency was Melbourne-based cloud consulting firm Versent in 2017.
Versent Practice Director for Security, Simon Morse, says the company used its experience to build automation that helps security tools and protocols be implemented quickly and safely, and also to invest in building strong relationships with its customers. This approach has seen the business grow to more than 400 staff since its launch in 2014, with a diversified offering in professional services, managed services, and product development.
Versent has many customers within the Financial Services Industry (FSI), so Morse tasked his team to set up a digital bank to help prepare for industry changes such as open banking, and to test and develop new solutions to support its customers in a simulation environment.
“The goal is to upskill our staff to become well-rounded engineers that understand what they need to do technically, but also to develop the skills needed to communicate and cooperate with customers, and quickly address and pre-empt security threats as the FSI landscape changes,” Morse says. “That sort of maturity is something we encourage in our teams.”
Morse says Versent has also created a separate team focused on identity and access management, with more than 45 local employees dedicated to supporting Australian customers to manage their security on AWS.
Helping customers of all sizes
AWS Partners help organisations of all sizes to keep customer data secure.
Trent Haag and his co-founders created Brisbane-based Itoc, which is focused on helping startups, software developers, and mid-sized organisations accelerate their journey to the cloud.
“Small and medium businesses, and mid-market companies don’t always have a large security risk and compliance team to manage their environments. Partners can play a crucial role in helping organisations to build out their security capability in the early stages as they scale,” Haag says.
Many of Itoc’s startup customers have grown into high-scale, high-growth organisations, including Australian challenger bank Judo Bank, a purpose-built, relationship-focused small and medium-sized business lender.
Judo Bank is challenging the status quo in business banking by providing businesses with the lending they need and the service they deserve, via enhanced relationship banking supported by the latest legacy-free technology to improve loan application and servicing times, making it considerably more straightforward and efficient for both bankers and customers.
Haag says Itoc helped Judo Bank build the first proof of concept (POC) for Judo’s loan management workloads. The POC was designed to gain regulatory and investor confidence, and ensure the company could meet the requirements of the Australian Prudential Regulation Authority (APRA) to receive its banking licence and other accreditations. Judo Bank and Itoc have continued to work together, with Itoc also managing the bank’s entire AWS environment and data architecture, and providing 24/7 service support.
Judo Bank needed to deliver a platform to help its relationship bankers enhance the efficiency of the entire loan process, while securely managing private and confidential data in the cloud. Leveraging the scalability of AWS, Itoc helped Judo Bank launch in just three months and embed a range of security services, such as AWS Identity and Access Management (IAM). IAM is a web service that allows customers to securely control access to AWS resources, to ensure customers have the confidence their data is managed securely in the cloud.
Itoc’s business and staff numbers are now growing at 100 per cent annually, and the company has gained a range of AWS certifications in competencies such as AWS Financial Services Competency, AWS SaaS Competency, AWS DevOps Competency, and AWS Migration Competency.
Creating a culture of security
Australian AWS Security Competency Partner, CMD Solutions, has focused on embedding security into all its solutions from the outset. This focus stems from the CMD founders’ expertise with highly regulated entities like governments and FSIs.
“When we started CMD, we had more than 35 years of collective experience working in regulated environments between the three founders, so we knew the requirements that enterprises operate under and could also help them address common challenges, like complex legacy systems and strict data and security regulations,” says CMD Chief Executive Officer, Andre Morgan.
Through this experience, CMD identified the need to help customers achieve greater security using AWS, delivering the benefits of modern cloud environments without compromising on compliance.
In 2019, CMD and AWS achieved a major milestone by undertaking one of the earliest migrations of an insurance system of record to the cloud in Australia for health insurer, nib. It was made possible following extensive technical work and ongoing consultation with nib's regulator, APRA.
CMD is also investing in developing the skills of its people through initiatives such as Learn CMD, which is for new employees that have extensive IT experience but haven’t gained professional experience on AWS. The company has also certified more than 200 employees on AWS.
“We are growing the next generation of cloud consultants,” Morgan says. “When consultants join CMD, we put them through a bootcamp program that teaches them AWS specifics from security, migration, and machine learning.”
Supporting regulated customers
Sydney-based Cloudten (recently acquired by CyberCX) specialises in helping customers implement cloud projects that comply with industry and government regulations. This includes those seeking certification through the Australian Signals Directorate’s Information Security Registered Assessors Program (IRAP), which is designed to provide high-quality information and communications technology (ICT) security assessment services to government, and ensures a very high level of care is taken in the processing, managing, and storing of customer information.
According to Richard Tomkinson, Executive Director, Secure Digital Transformation at CyberCX, Cloudten assisted on projects assessed at one of the Australian Government’s most secure levels, PROTECTED status, awarded by the Australian Cyber Security Centre (ACSC).
“We put an IRAP certified workload on AWS with a large federal government agency, which was one of the first government departments to run PROTECTED workloads on AWS. We started with a pilot project that helped define the customer’s data strategy and governance policies, and adapt to ASIC’s policies and standards relating to security and remote access,” Tomkinson says.
Tomkinson says CyberCX is now building out capabilities in data analytics, including its use of machine learning tools. “We found two years ago that data analytics was a prime workload for cloud, because it required scalable storage and compute. However, it’s important to ensure customers are able to manage the security of this data in the cloud.”
“We have been able to ingest and aggregate significant amounts of data sets securely using AWS, then process them centrally and present them in a report to deliver business insights to a range of Australian Federal Government agencies,” Tomkinson says.
You can learn more about how organisations are keeping their data secure and meeting their local compliance standards across Australia and New Zealand on the AWS Security and Privacy Knowledge Hub.