Evidence of meeting #157 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Mark Ryland  Director, Office of the Chief Information Officer, Amazon Web Services, Inc.
Richard Fadden  As an Individual
Steve Drennan  Director, Cybersecurity, ADGA Group
Clerk of the Committee  Mr. Naaman Sugrue

4:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

Mr. Dubé, go ahead for seven minutes, please.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Thank you for being here today, gentlemen.

Mr. Ryland, my first question is for you. In terms of your services, I am not sure whether you are in a position to explain to us how the responsibilities between you and your clients are separated.

What role do your clients play in ensuring the security of the data they store on your servers when they use your services?

4:05 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

It can be a very long and nuanced conversation, but just to give a kind of summary, if you look at something like what they have in the United States, there's a security control framework based on a NIST standard called FedRAMP that lists something like 250 controls—in other words, the security properties that you want in a system—and if you take that whole security framework, our platform covers more than one-third of those controls. There are simply things that we literally take care of on behalf of our customers. They don't have to worry about them at all. Roughly one-third are shared in that we take care of some of the things but the customer has to do certain configurations and make certain choices that are correct for their requirements. Those are optional because it's reasonable to do either one, but depending on what their needs are, they have to choose. Then roughly one-third are pretty much all the responsibility of the customer.

So we have decreased the scope of concern for the customer. We delineate pretty clearly, and we literally have control documents that say who's responsible for what, and then we have a lot of material—white papers, best practices documents, and what we call a “well-architected framework”—to help people with that one remaining responsibility. We want them to be very successful at that, so we put a lot of effort into helping them design secure systems.

But when you get to that level, it all depends on the needs of the application, so there's not a correct answer to some question. It's going to be “it depends”. It depends on the application. It depends on the requirement.

In general, I think that's a good summary of the kind of model we use with our customers. We take care of a number of things that they normally would worry about; we describe some areas in which we do some things and they need to do others, and then we help them be successful in the remaining parts of building a secure system with lots of tools and features that make it easy to do the remainder.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

I want to make sure I fully understand. You said that about one third of the responsibility to configure everything appropriately lies with your clients. Does that create a barrier for people, and especially companies that might wish to use your services, by which I mean that the expertise must already exist in the company or the government agency?

Let me explain. Here is the example that comes to mind. I believe that Shared Services Canada has a contract with you. However, according to what we have been seeing in the news for some time, that organization has a quite dismal record in terms of implementing information systems.

Could the potential shortcomings or lack of expertise in a company or government agency limit the ability of a client to do business with you or with any other company comparable to yours?

4:10 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

It's certainly possible, in using any technology, to not use it properly. We see a big part of our mission as education and training of our customers, and we do a lot of that. A lot of it's actually free as part of the process of helping them to understand this kind of new paradigm of cloud computing.

That said, there's a lot of commonality with things they've already been doing for a long time. I'll just make up an example. Say, you're running a citizen-facing web application for a government. You already have some kind of understanding of how to secure a web system; you have an authentication system, password reset, those kinds of properties that are built into the system. If you use that similar kind of system on a cloud platform, the security properties of that would be similar to the one you've been doing historically.

It's not a completely new world. It's not a 100% new skill set that is required for security professionals, but there are definitely differences and changes. It's part of the progress of the industry, just like 20 or 30 years ago when we spent a lot of time on mainframe security. Now that's not something people focus on. There are still mainframe systems running, and they still need to be secure, but the focus tends to be on the new things, the new systems and new applications.

I think the transition to cloud computing has a similar property. In any type of modernization and use of new technology there's definitely some learning curve, but you can also get a lot more done with less labour, with fewer actual human beings. Sometimes when automation comes up it's considered controversial because, well, what if we remove people? Will we be taking away jobs from workers? In the cybersecurity area, everyone recognizes we have a huge labour shortage of skilled labourers in this area. Any type of technology that increases automation and enables a skilled worker to come up with a solution and then replicate that broadly is a big win, so everyone can get behind greater automation in the security realm.

I think that's one of the main reasons that people find the cloud platforms to be advantageous. Yes, there's a learning curve, but the ability to automate things is really quite dramatically better than using traditional technology.

4:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I have two quick final questions.

Here is the first one. Perhaps you are not in the best position in your organization to answer it. However, say there was a leak of data, given the shared responsibility, who would ultimately be responsible for the data in legal terms? In the financial sector specifically, if a client were to lose money, would the fault lie with the bank or with the company that allows them to store data in the cloud?

How do you see that?

4:10 p.m.

Liberal

The Chair Liberal John McKay

Be very quick, please.

4:10 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

Yes.

The shared responsibility also includes the line between who takes that responsibility. If there were a problem in one of our systems, we would be responsible for that. If a customer misconfigures or misuses one of our systems, then they are responsible for that.

Again, we do a lot to support customers and we have many cases in the security team that I work in where customers have an issue and some kind of incident, and they ask for our help. Although technically we're not at fault at all, we still are very aggressive in responding to help them get out of the problems that they've caused.

I'll take a simple, non-controversial example. We have systems where customers have accidentally deleted data without having proper backups, and come to us in a panic. At one level, we could say, “Well, the system was working just the way it was described. You made a mistake. There's nothing we can do”. But we will go to great lengths to help them try to figure out solutions to those kinds of problems, and similarly with security incidents.

4:15 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé. I'm sorry about that.

Mr. Graham, you have seven minutes, please.

4:15 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

I'd love to continue on that line, but I'll come back to that in a second.

Mr. Fadden, I don't think anybody will disagree with your assessment that our study is really about national security as opposed to financial cybersecurity as the pigeonhole.

I would say that there are a lot of votes in national security, but only after an incident has happened.

4:15 p.m.

As an Individual

Richard Fadden

Point taken. I appreciate it.

4:15 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

You said that national security is not national; it's supernational. Does Canada have a network backbone strong enough to handle Canadian needs? Do we have enough intercontinental connections to handle Canadian needs, and does it matter?

4:15 p.m.

As an Individual

Richard Fadden

I think it matters a great deal.

Do we have the backbone or the intercontinental connections? I find it difficult to answer that question, because I think it's an answer that requires two parts: one dealing with governments generally, and one dealing with the non-governmental sector.

I think that insofar as governments are concerned, we have very close alliances with the Five Eyes—the United States in particular—and there's an immense sharing of information. I would argue that it's pretty effective, notwithstanding the dysfunction I was talking about.

When I was still working, the approach taken to deal with some of these issues.... It's a bit like talking about cancer. That's not particularly helpful. I notice that some of you have your cancer pins on. Talking generally about cancer is not particularly helpful, because the cure for cancers goes to the 130-odd kinds of cancer. I find that talking generally about cyber is not often very helpful. You have to break it down into its component parts.

We used to divide up the Canadian economy into strategic sectors, such as telecoms, financial, nuclear.... There were 11 or 12 of them. Quite honestly, I think the connections they have with their home offices—with each other in Canada and abroad—vary. For example, our nuclear sector is pretty well organized, and I think the general view, as sectors go, is that financial sector is not doing badly. Some of the others are less so.

I'm not trying to avoid answering your question, but I think it's difficult to just give you a yea or a nay. I think there's no one entity—government or non-governmental—that's responsible. It's just as things have evolved.

4:15 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I'll come to Mr. Ryland for a bit more.

You talked about the over-provisioning model. You were talking about the vast resources and being able to balance them across systems, which we couldn't have before. As an example, what's the computing power of a key fob today versus that of the Apollo?

4:15 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

There's more power in the key fob, probably. It's a 32-bit microcontroller.

4:15 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

When we have that kind of massive change in computing capacity, what's the security impact of that change? Is the technology changing faster than we're able to keep up with it?

4:15 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

No, I don't think so.

Technology changes rapidly, but there are people driving those technological changes. In general, experts who build the systems understand how they work and how to secure them. There may be a lag time in terms of broad understanding of those cutting-edge technologies, but often those experts are also designing things to make them more secure by default.

I think IoT is a great example. We don't have time to go into the details, but we've all recognized the problems in the past with the Internet of things—home devices, etc.—being deployed in a very insecure fashion. Historically, it was the cheapest and easiest thing to do. If you look at the newer technology that we provide, or that Microsoft or other large-scale providers give you, by default their systems are far more secure. They're updatable in place, which they didn't use to be. They use secure protocols by default; they didn't use to do that. You can go right down the list of how the business interests of these large providers align with building systems that are secure by default, whereas previously, that was left to the person who was building the smart refrigerator or the smart toaster or whatever.

Technological shifts can actually raise the bar across whole industries by investment and by alignment of business interests with higher security.

4:15 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I'll go back to clouds. Does the public or even the organizations you deal with truly understand what a cloud is?

4:15 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

There's often a lot of confusion. First, there's this idea, what is out there? People think that there must be something out there. There's also the confusion between consumer-use cases. People think Facebook and Google are like a cloud, but provisioning IT services from a cloud-computing vendor is a completely different model. First of all, we don't monetize your data; we lock it down and never look at it. We have a totally different way of thinking about it.

The one thing they typically have in common is network accessibility. You would be able to reach them from anywhere.

There's a lot of confusion. Often when we start our presentations, we'll put up a world map. We actually have little dots on the map showing where our stuff is in that city or that region, so that people know there's physical equipment behind all of this capability.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Is AWS essentially virtual servers, or is there another system besides that? Are they virtual machines?

4:20 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

That's one of our core services. It's called EC2, but we literally have a hundred other services. The trend is away from using virtual machine services, because that's where the customer has to take the most responsibility. People would prefer the higher level services where we take increased responsibility and they just have to do very minimal configuration.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

If you're not on a virtual machine and you're using the services provided, how much control can the client actually have? There's a balance to be had. As a client, could I choose what operating system to put on my virtual machine? I could put a Debian system on there, or whatever you want, but what could you put on a non-virtual machine? What are the other options?

4:20 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

Again, it depends on the use case. You don't care what the compute model is for a storage service, as you're just storing data. Databases are in the middle. There are a range of choices and options, but people do tend to prefer what are called “abstract services”. Over time, you'll see more and more use of those abstract services. I just upload my JavaScript function to this function as a service and the code executes whenever certain events fire. I have no concept of the operating system or anything else; it's handled for me.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I only have about 40 seconds left, so my last question for both of you is about the security advantages versus disadvantages of open versus closed-source software.

4:20 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

There's something called the “many eyes” hypothesis for open-source software. The fact that people can see the code makes it more likely that security and other flaws will be discovered. I'm not sure there's a really strong empirical backing for that, because lots of security flaws have existed in open code, but there is the big advantage that people have more control over their own destiny because you can do your own investigation. You can make your fixes. You're not dependent on a vendor to discover and fix security problems. On the whole, there are some real advantages to open-source software, but it's not completely black and white.