Public Safety committee  Thank you.

Public Safety committee  I think that's a very fair summary. They certainly feel that they have a leg up in building proper defences, because we're taking care of a lot of things they would otherwise have to worry about.

Public Safety committee  It's very safe, because we constantly build and test our systems to assume that we have hostile customers. We assume we're being attacked by our customers, and we take that into account and make sure that the isolation properties of the system are very strong.

Public Safety committee  Yes.

Public Safety committee  There are the known unknowns and the unknown unknowns.

Public Safety committee  That's one of our core services. It's called EC2, but we literally have a hundred other services. The trend is away from using virtual machine services, because that's where the customer has to take the most responsibility. People would prefer the higher level services where we t

Public Safety committee  Again, it depends on the use case. You don't care what the compute model is for a storage service, as you're just storing data. Databases are in the middle. There are a range of choices and options, but people do tend to prefer what are called “abstract services”. Over time, you'

Public Safety committee  There's something called the “many eyes” hypothesis for open-source software. The fact that people can see the code makes it more likely that security and other flaws will be discovered. I'm not sure there's a really strong empirical backing for that, because lots of security fla

Public Safety committee  There's more power in the key fob, probably. It's a 32-bit microcontroller.

Public Safety committee  No, I don't think so. Technology changes rapidly, but there are people driving those technological changes. In general, experts who build the systems understand how they work and how to secure them. There may be a lag time in terms of broad understanding of those cutting-edge te

Public Safety committee  There's often a lot of confusion. First, there's this idea, what is out there? People think that there must be something out there. There's also the confusion between consumer-use cases. People think Facebook and Google are like a cloud, but provisioning IT services from a cloud-

Public Safety committee  It's certainly possible, in using any technology, to not use it properly. We see a big part of our mission as education and training of our customers, and we do a lot of that. A lot of it's actually free as part of the process of helping them to understand this kind of new paradi

Public Safety committee  Yes. The shared responsibility also includes the line between who takes that responsibility. If there were a problem in one of our systems, we would be responsible for that. If a customer misconfigures or misuses one of our systems, then they are responsible for that. Again, we

Public Safety committee  It can be a very long and nuanced conversation, but just to give a kind of summary, if you look at something like what they have in the United States, there's a security control framework based on a NIST standard called FedRAMP that lists something like 250 controls—in other word

Public Safety committee  Good afternoon, Chairman and members of the committee. My name is Mark Ryland. I'm the director of security engineering with Amazon Web Services. I work in the office of the CISO, so I work directly for the chief information security officer. Thank you for giving us the opportuni