Good afternoon, Chairman and members of the committee. My name is Mark Ryland. I'm the director of security engineering with Amazon Web Services. I work in the office of the CISO, so I work directly for the chief information security officer. Thank you for giving us the opportunity to speak with you today.
I suspect you all know a bit about Amazon.com, generally speaking, but allow me to add some Canadian details.
Amazon.ca has been serving our Canadian customers since 2002, and we have maintained a physical presence in the country since 2010. Amazon now employs more than 10,000 full-time employees in Canada, and in 2018 we announced an additional 6,300 jobs. We have two tech hubs, which are important software development centres with multiple office sites in Vancouver and Toronto. We employ hundreds of software designers and engineers who are working on some of our most advanced projects for our global platforms. We also have offices in Victoria with AbeBooks.com and in Winnipeg with a division called Thinkbox.
We also operate seven fulfillment centres in Canada—four in the greater Toronto area, two in the Vancouver area, and one in Calgary. Four more have been announced. Those will be coming online in 2019 in Edmonton and Ottawa.
But why am I here? What is this cloud thing? You might be wondering why we're here discussing the cybersecurity of the financial sector at all. Well, roll back the clock. About 12 years ago, we launched a division of our company we call Amazon Web Services, or AWS for short.
AWS started when the company realized that we had developed our core competency in operating very large-scale technology infrastructure and data centres. With that competency, we embarked on a broader mission of taking that technological understanding and serving an entirely new customer segment—developers and businesses—with an information technology service they can use to build their own very sophisticated, scalable applications.
The term “cloud computing” refers to the on-demand delivery of IT resources over the Internet or over private networks, with pay-as-you-go pricing, so that you pay only for what you use. Instead of buying, owning and maintaining a lot of technology equipment, such as computers, storage, networks, databases and so forth, you simply call an API and get access to these services on an on-demand basis. Sometimes it's called “utility computing”. It's similar to how consumers flip on a light switch and access electricity in their homes. The power company sort of takes care of all the background.
All this infrastructure is created and built. There is of course physical equipment and infrastructure behind all of this, but from the user perspective, you simply call an API. You call a software interface or click a button with a mouse, get access to all this capability and are then charged for its usage.
It's all fully controlled by software, which means that it's all automatable. That's a really important point that I'll make several times, because the ability to automate things is a big advantage in the security realm. Instead of doing things manually and using.... We don't have enough experts, believe me, to do all the command typing that needs to be done, so you need the right software to automate.
As of today, we provide highly reliable, secure, resilient services to over a million customers in 190 countries. Actually, you can think of our cloud platform as a federation of separate cloud regions. There are 20 of those around the world and 61 availability zones. Each region is made up of separate physical locations to create greater resiliency.
Montreal is home to our AWS Canada region, which has two availability zones. Each availability zone is in one or more distinct geographic areas and is designed with redundancy, for power, for networking, for connectivity and so forth, to minimize the chance they could both fail. With this capability, with these multiple physical locations, our customers can build highly available and very fault-tolerant applications. Even the failure of an entire data centre need not result in an outage for our customers and their applications.
The companies that leverage AWS range from large enterprises such as Porter Airlines, the National Bank of Canada, the Montréal Exchange, TMX Group, Capital One and BlackBerry, to lots of start-ups, such as Airbnb and Pinterest, as well as companies like Netflix, which many of you have heard of, all of which are running on the AWS cloud.
We also work a lot with public sector organizations around the globe, including the Government of Ontario, the Ministry of Justice and the Home Office in the U.K., Singapore, Australia, the U.S.A. and many customers globally in the public sector area.
What are the advantages of moving to the cloud? There are three primary benefits that I want to highlight.
The first is agility and elasticity. Agility allows you to quickly spin up resources, use them, and shut them down when you don't need them. This really means that for the first time, customers can treat information technology in a more experimental fashion because experiments are cheap. You can actually try things, and if they don't work, you spend very little money. Instead of this large capital expenditure with large software licensing costs, you can do this in a much more dynamic model. Experimentation is very helpful when it comes to innovation, so that leads to greater innovation.
In terms of elasticity, customers often had to over-provision for their systems. They had to buy too much capacity, because only once a year or once a month was there a need for a great deal of capacity.
Most of the time, the systems are relatively idle. You have a lot of waste in this over-provisioning model. In the cloud, you can provision what you need. You can scale up and add more capacity or subtract capacity dynamically as you go.
Another advantage is cost savings. Part of what I just described also leads to cost savings. You're using only the amount of capacity you need at any one time. You can also treat your expenditures in terms of moving from capital expenses to operational expenses, which many people find very helpful.
In short, our customers are able to maintain very high levels of infrastructure at a price that is very difficult to do when you buy and manage all your own infrastructure.
The third reason, and the one that I really want to emphasize here in my testimony, is actually the benefit of security. The AWS infrastructure puts very strong safeguards in place to protect customer security and privacy. All the data is stored in highly secured data centres. We provide full encryption very easily; you just literally check a box or call an API. All your data is encrypted, which acts as controls in logging, to see what's going on and to monitor and control who has access. Also, our global network provides built-in inherent capabilities for protecting customers from DDoS and other network-type attacks.
Before the cloud, organizations had to spend a lot of time and money managing their own data centres and worrying about all the security of everything inside, and that meant time not focused specifically on their core mission. With the cloud, organizations can function more like start-ups, moving at the speed of ideas, without upfront costs and the worry of defending the full range of security threats.
Previously, organizations had to either adopt this big capital investment program or enter into long-term contracts with vendors. Really, the most difficult part was that the companies and organizations were responsible for the entire stack. Everything from the concrete to the locks on the doors and all the way to the software was completely the responsibility of the customer. With cloud, we take care of a number of those responsibilities.
What about cloud security? More and more, organizations are realizing that there's a link between IT modernization and using the cloud and improving their security posture. Security depends on the ability to stay a step ahead of rapidly and continuously evolving threat landscapes and requires both operational agility and access to the latest technologies. As the legacy infrastructure that many of our customers use approaches obsolescence or needs replacing, organizations move to the cloud to take advantage of our advanced capabilities.
Increased automation is key, as I mentioned before, and the cloud provides the highest level of automation. The possibility of automation is maximized using the cloud platform. Cloud security is our number one priority. In fact, we say that security is job zero, even before job one, and organizations across all sectors will highlight how commercial cloud can offer improved security across their IT infrastructure.
Therefore, many organizations, such as financial institutions, are modernizing their capabilities to use cloud platforms. We've been architected for the security of organizations, and for some of the most security-sensitive organizations, such as financial services.
Now, there is a shared responsibility. Customers are still responsible for maintaining the security of their environments, but the surface area, the amount of things they need to worry about, is greatly reduced, because we take care of a lot of those things and they can focus their attention on what remains. From major banks to federal governments, customers have repeatedly told us—and we have quotes that we can supply to the committee—that they feel more secure in their cloud-based deployments of their applications than they do in their on-premises physical infrastructure in their own data centres.
In sum, cloud should not be seen as a barrier to security, but as a technology that helps security and is therefore very helpful in the financial services realm as a part of a general solution for modernization and improving security.
We also have a few policy recommendations, which we'll provide in our written testimony.
One of the things is that we think there's an overemphasis on the physical location of data. Very often, people think, “I've got to have data physically here in order to protect it.” Actually, if you look at the history of cyber-incidents, everything is done remotely. If you're connected to a network and the network has outside access, that's where all the bad things happen.
Physical location of data, especially when you can encrypt everything, such as physical access to storage drives or whatever, literally is not a threat vector. Really, there should be some flexibility for banks and other institutions as to where they physically place their data, and they should be able to run their workloads around the globe, reaching their global customers with low latency and storing data potentially outside of Canada.
There are another couple of recommendations, including data residency. We believe also that centralizing security assessment makes a lot of sense. Instead of having every agency or every regulatory body separately evaluating cloud security, centralize that in an organization like the CCCS, where they can do a central evaluation and determine whether clouds are meeting the requirements. Then, that authority to operate can be inherited by other organizations throughout the government and under industries that are regulated.
Thank you very much for your time.