In the ever-expanding IT universe, the majority of my tech career has been spent orbiting the giant orange star that is Amazon Web Services (AWS). Pulled in by the massive gravitational force that is AWS, thousands like me descended on the Anaheim Convention Center for two days of cybersecurity demos, thought leadership, and new service announcements at this year’s AWS re:Inforce. As we move toward the even greater cosmic event that is AWS re:Invent at the end of 2023, I wanted to share some thoughts on how AWS is securing customers along the way.

One thing I found myself discussing often as my organization prepped and planned for re:Inforce was why? Why does AWS have a security-centric conference sandwiched between two very large and established IT security events — RSA and Black Hat? It should not be lost on anyone what AWS represents — more than 1.5 million customers (and that number grows every day) ranging from startups to small businesses to the largest enterprises to governments, banks, media, health care, etc. That’s 1.5 million organizations and teams of people running on a distinct suite of infrastructure and platform solutions who demand security. When you are the world’s largest hyperscaler and originator of the public cloud as we know it, it makes sense to have your own security-focused conference.

If I could distill the overarching message of this blog and re:Inforce down to a single phrase, it’s this: AWS not only cares about security, but it is adamant that its customers and partners care about it as well.

Cloud Security Starts with the Basics

First, the basics of security still apply to AWS. Despite swelling to more than 200 fully featured services, the CIA triad of cybersecurity — confidentiality, integrity, availability — is woven throughout these services and in every new feature and service AWS releases. Identity and access governance plays such a critical role in a business’ security posture that AWS announced a slew of new access control services including AWS Verified Access Zero-Trust, Amazon Verified Permissions, AWS Management Console Private Access, and Amazon EC2 Instance Connect Endpoint.

While not new this year, AWS even has a specialization for partners within its Level 1 MSSP Program devoted to Identity Behavior Monitoring. I’ll admit keeping track of all of the identity and access-based controls in AWS can be challenging, but AWS views your data and workloads as sacred and seeks to enable customers with every measure of protection to ensure they are not infringed upon. While these controls and features may not resonate with the same allure as the aptly named “GuardDuty” or “Inspector,” they form much of the foundation of customers’ security in the cloud.

And Around the Watercooler at AWS re:Inforce

New AWS tools to “shift left”

Securing the cloud is no longer limited to active cloud-hosted environments; it now includes securing the journey to get there. “Shift left” has been a buzzword for a few years now; it refers to securing an application or workload upstream before it’s ready for end users to interact with it. In shifting left, the new Amazon CodeGuru Security scans for vulnerabilities in CI/CD pipelines. AWS Built-In was also announced at re:Inforce; it will allow for accelerated and secure deployments of security partner SaaS solutions in a customer’s environment. What this means is an AWS consumer can leverage a participating security partner’s Built-In to easily deploy software alongside AWS Foundational Services with the assurance that these deployments are leveraging best practices.

Generative AI

As can be expected, everyone’s favorite topic these days, Generative AI, was in the air at re:Inforce. ChatGPT busted through barriers and opened the floodgates of creative uses for AI, ML and LLMs. While it may seem like an overnight sensation, it was years in the making. AWS and countless partners have engaged with this technology for more than a decade.

While this is a great opportunity to namedrop bespoke AWS services associated with the technology, what struck me as different, even intentional, was what I heard from AWS at re:Inforce surrounding the subject. AWS encouraged partners to explore the benefits of Gen AI while at the same time analyzing the potential risks. AWS is looking both within and to partners to ensure we develop technology and services to protect organizations against threats and attacks generated from AI. To me, this highlights the seriousness and level of responsibility AWS is approaching this technology with. Rather than mindlessly hopping on the bandwagon, they’re moving to ensure we first establish a protective perimeter around the bandwagon where we might otherwise be susceptible to the misuse of generative AI.

Cyber insurance

Taking a page from the litany of home and auto insurance ads which guarantee you a quote within minutes, AWS is moving to make similar outcomes possible for customers with cyber insurance. This really underscores how AWS operates. They innovate backwards from the customer — customers seeking cyber insurance policies today have to jump through all kinds of time-consuming hoops to get cyber insurance quotes from cautious insurance providers. The AWS Cyber Insurance Partner Program enables customers to share outputs from security posture management tools (AWS Security Hub) in their AWS environment with partner insurance providers who, in turn, can validate and get quotes drafted within just a few days.

As I initially referenced, many attendees at re:Inforce were drawn by the gravitational pull of AWS. A lot of them were among the 80+ sponsors who, like me, represent security ISVs and MSSPs proud to partner with AWS. Part of what makes AWS unique is that as enormous as they are, they are a partner-first organization. I once asked an AWS leader how they effectively manage relationships with 1.5 million customers. The answer was short and sincere: “That’s why we work so closely with partners.”

There’s a shared responsibility model where cloud security is concerned; AWS recognizes this and leads from a better-together position. My organization and many others have seen the resounding benefits of this. At the end of the day, so have our customers, and after all, that’s really what all of this is about.

Nick Franklin
About the Author
Nick Franklin is Global AWS Technology Alliance Director at Fortra. He is responsible for managing the technology integrations between Fortra solutions and AWS services to enhance technical capabilities, expand joint sales opportunities, and add value to Fortra customers.
