AWS Public Sector Symposium - Aug 2023

This week I had the awesome opportunity to represent Telstra Purple at the AWS Public Sector Symposium. This is an annual event run by AWS specifically targeted at the needs of public sector agencies. While a big part of my time there was spent manning the Telstra stand attempting to explain what Telstra Purple in fact was in relation to the monolith of Telstra, I did also manage to get to some sessions.

On Tuesday 29th there was the Partner Exchange where AWS specifically addressed partners (like Telstra) who work with public sector clients. One of the first speakers tackled the question of “why” work with the public sector, admitting that it often isn’t as easy to work with public sector as with private. Like many of us, his answer came down to the idea of “making a difference”. There were other sessions that talked about accelerating transformation, using AWS Marketplace, what’s new in partner programs etc. The afternoon culminated with a fireside chat led by Donna Edwards (my former boss), discussing different strategies for finding and fostering the talent required to be successful. This was followed by networking drinks where I was able to connect with many different people from partners doing many different things. Many of them were either partners of Telstra or direct competitors.


The next day was the symposium. I started the morning attending a talk on “zero-touch Amazon EKS”, where the Senior Manager of NBN Co described how they created a suite of secure guard-rails for developers and enabled them to “vend” an EKS environment by creating a ServiceNow ticket. This really interested me, and I began to see the real power of AWS Service Catalog. This made me think about my own approach to Isolated Stacks when creating serverless applications, and I feel like adding this concept to Service Catalog would be a fairly easy uplift to this concept (stay tuned for a future blog post).

I spent the next 3 hours on the Telstra stand giving away Telstra Purple socks, and discussing DevOps, MLOps, App Dev, modernisation, migrations, and a host of other things with… well anyone who would listen… or just wanted a pair of socks.


In the afternoon, I managed to get to some more talks. First up was a talk on Big Data where the speakers dived into the challenges faced by the ABS during the pandemic, and how they were able to rapidly and securely develop important new indicators for the government to track household earnings. The key takeaway here is to use more of the AWS managed services rather than trying to provision EC2 instances and DIY. This shifts more of the security compliance controls towards AWS, and means you are able to do simpler “gap” audits for important security compliance tasks like IRAP.

Next I went to a talk on the importance of “Secure by Design and Default” delivered by Jayden Cooke from the Australian Cyber Security Centre. He made a great analogy with the car industry, describing how manufacturers were very reluctant to put in basic safety features because they were more focussed on features that would apply to everyone (not just drivers who were inept enough to crash). It’s hard to believe that there was once incredible resistance to the idea of a seat belt, which we now take for granted. I think it also demonstrates where we are as an industry, and potentially offers a way forward to get to where we need to be. What I found particularly interesting was that even after all these years, the top 3 security issues found in software are:

  1. Out-of-bounds Write
  2. Cross-Site Scripting (XSS) and
  3. SQL Injection

Ref: MITRE CWE 2023 Top 25
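Two of those three weaknesses (XSS, CWE-79, and SQL Injection, CWE-89) come down to untrusted input being spliced into a string that another interpreter then parses. The example below is added here and is not code from the talk or the ACSC: it places a vulnerable form of each next to its hardened form and uses a constructed in-memory SQLite table so it runs stand-alone. Out-of-bounds Write (CWE-787) is a memory-safety defect that does not arise in the same way in a memory-safe language like Python, so it is not shown.

```python
import html
import sqlite3


def make_db():
    """Constructed sample user table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # CWE-89: the caller-supplied value becomes part of the SQL statement itself,
    # so a value containing quotes can change what the statement means.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, name):
    # Parameterised query: the driver binds the value as data, so it can never
    # alter the structure of the statement, whatever characters it contains.
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


def greeting_vulnerable(name):
    # CWE-79: untrusted text interpolated straight into HTML is parsed as markup
    # by the browser.
    return f"<p>Hello, {name}</p>"


def greeting_hardened(name):
    # Escape on output so that <, >, &, and quotes render as literal text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # constructed input that should match no user
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row
    print("hardened:  ", find_user_hardened(db, tautology))    # no rows
    print(greeting_vulnerable("<b>bob</b>"))
    print(greeting_hardened("<b>bob</b>"))
```

The point to take from the pair is that the fix is structural, not a filter: binding parameters and escaping on output remove the class of bug rather than chasing individual bad inputs, which is exactly the "designed in" property the talk was advocating.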

The idea behind Secure by Design and Default is that a software system should be designed from the outset to be secure, i.e. it should have the security features “designed” into it, and it should not require any effort to ensure these features are enabled and functioning correctly by “default”. One call out was that instead of having a “hardening guide” aimed at helping people improve the security posture of the software, you should favour a “loosening guide”, accepting some cost to usability. In other words, the “default” position of the software should enable MFA, SSO etc. out-of-the-box, and then guide users on how to disable certain features if these are not required, while also detailing the risks of doing so.
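To make the "loosening guide" idea concrete, here is an added example (my own illustration, not code from the talk or the ACSC) of a settings loader for a hypothetical application. The setting names, acknowledgement strings and risk text are assumptions for the example. Every protection defaults to on; turning one off requires the operator to supply the exact acknowledgement from the guide, the risk is written to the log, and loosening of the session timeout is capped rather than open-ended.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("secure_defaults")


@dataclass(frozen=True)
class SecuritySettings:
    """Hypothetical settings; each security-relevant field defaults to its secure value."""
    require_mfa: bool = True
    enforce_sso: bool = True
    session_timeout_minutes: int = 15
    loosened: tuple = ()  # record of which protections were deliberately disabled


# The loosening guide encoded as data: for each protection that may be turned off,
# the acknowledgement an operator must supply and the risk they are accepting.
LOOSENING_GUIDE = {
    "require_mfa": (
        "I accept that passwords alone protect every account",
        "phished or reused passwords give full account access without a second factor",
    ),
    "enforce_sso": (
        "I accept local accounts outside central identity control",
        "leaver offboarding in the identity provider no longer revokes access here",
    ),
}

MAX_SESSION_TIMEOUT_MINUTES = 60  # assumed ceiling for this example


class LooseningNotAcknowledged(ValueError):
    """Raised when a protection is disabled without the matching acknowledgement."""


def load_settings(overrides: dict) -> SecuritySettings:
    """Build settings from secure defaults.

    An override that weakens security is honoured only when the operator has
    quoted the acknowledgement from LOOSENING_GUIDE, and it is logged so the
    decision is visible in operations, not buried in a config file.
    """
    values = {}
    loosened = []
    for key, (acknowledgement, risk) in LOOSENING_GUIDE.items():
        if overrides.get(key, True) is False:  # only an explicit False counts
            if overrides.get(f"{key}_ack") != acknowledgement:
                raise LooseningNotAcknowledged(
                    f"disabling {key} requires {key}_ack={acknowledgement!r}; risk: {risk}"
                )
            log.warning("protection %s disabled by configuration: %s", key, risk)
            values[key] = False
            loosened.append(key)

    timeout = overrides.get("session_timeout_minutes")
    if timeout is not None:
        # Loosening is bounded: a longer timeout is allowed, but only up to the ceiling.
        values["session_timeout_minutes"] = min(int(timeout), MAX_SESSION_TIMEOUT_MINUTES)

    return SecuritySettings(loosened=tuple(loosened), **values)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(load_settings({}))  # all protections on, nothing loosened
    try:
        load_settings({"require_mfa": False})
    except LooseningNotAcknowledged as exc:
        print("refused:", exc)
    print(load_settings({
        "require_mfa": False,
        "require_mfa_ack": LOOSENING_GUIDE["require_mfa"][0],
        "session_timeout_minutes": 240,
    }))
```

The contrast with a hardening guide is that an operator who does nothing ends up in the strongest state, and the effort (and the audit trail) sits on the side of weakening, which is where you want it.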

The symposium was a great opportunity to meet people working in the public sector and discuss what challenges they are having. It was also an awesome opportunity to connect with other Telstra and Telstra Purple folk and workshop how we can help people in the public sector “make a difference”.

*****
Written by Scott Baldwin on 03 August 2023