Few noticed as Amazon began to morph from the world’s largest bookstore to the world’s largest cloud computing company. Now, ten years later, the eCommerce giant not only revolutionized computing, it transformed itself in the process. They still sell books, but Amazon is now a cloud company.
Spoiler alert: What made it possible was a unique information security model.
A decade after launching Amazon Web Services, AWS dominates the cloud computing market. Combined market share of its closest rivals (IBM, Google, Microsoft) is far less than Amazon’s, and Amazon is finally profitable after years in the red. As they recently told shareholders, this new profitability is due in large measure to a jaw-dropping 10 billion dollars in annual revenue generated by AWS from over a million customers. The fast-growing AWS division is already bigger than all of Amazon was at ten years old.
Amazon Web Services chief Andy Jassey marked the division’s ten-year anniversary with some public talks about how AWS was born. Back in 2000 Amazon tried to build a white-label B2B eCommerce platform called merchant.com. It was harder than expected, mainly due to rigid, inefficient IT infrastructure. So Amazon’s IT team began a six-year journey of virtualization, standardization, scaling, dev ops, and API oriented architecture that led them to what today we call IaaS cloud computing. In 2006 Amazon formally launched its first AWS service offering, the Elastic Compute Cloud (EC2).
Amazon's IT transformation required a radical approach to data security. They needed to protect their customer data, while opening their data centers to the Internet and other companies. And they had to give those other companies means to safeguard their data too. Amazon achieved this with an innovative architecture that virtually segregates networks, servers, and data through a combination of segmentation, encryption, access, and monitoring controls at every layer of the computing stack. The result is a honeycomb of logical compartments that share physical resources without leaking data. This kind of pervasive security takes vision and discipline, and it's very hard to retrofit to a legacy environment.
Companies often dip a toe in the AWS water with a low risk application, learn how its security works, and grow comfortable with it. Amazon’s open model encourages them to layer in security controls of their own. Capital One’s CIO said Amazon helped them “develop a security model which we believe enables us to operate more securely in the public cloud than we can even in our data centers”. Netflix built a Simian Army on the AWS platform to police security in its own applications, including a Security Monkey that hunts for instances that don’t comply with Netflix policy. It terminates them without mercy.
You might think any company with enough underutilized servers and data centers would jump into the cloud computing business, renting out excess capacity at high profit margins. A big reason many don’t is they have the wrong security model. Their server environments rely on physical data center security to protect data, and were never designed to be opened up to other companies or the public Internet.
Facebook is a case in point. Their massive computing capacity (over a million VMs running on hundreds of thousands of servers in six global data centers) would seem to put them in a similar position to Amazon. But their security model was tailored to enable their “move fast and break things” development culture known internally as the Hacker Way.
As Facebook CEO Mark Zuckerberg says, “If you never break anything, you’re probably not moving fast enough.” Security controls that add friction to the development process are incompatible with the culture that Facebook believes made them successful. To secure data in this free-wheeling environment, Facebook likely relies heavily on physical data center controls. (A recent job posting for a data center security manager emphasized physical security expertise and credentials.) Because of security, Facebook can’t make a B2B cloud play without changing its most cherished beliefs.
The contrast between Amazon and Facebook highlights an important lesson: Security doesn’t have to hinder business; it can enable it. IT security is more than keeping bad guys out of the data center. The right security model frees business to innovate, take bold risks, and pivot into new markets.
Those who learn this lesson today will be the winners ten years from now.
Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.