AWS held its second major security-focused event today, AWS re:Inforce. The event itself was cut short, but the take-home message was strong: To reach your business goals, security must be a core part of everything you do.
Stephen’s keynote spanned five major areas: threat detection and incident response; identity and access management; network and infrastructure security; data protection and privacy; and governance, risk, and compliance (GRC). Each of these sections started with a key quote to set the tone.
The sessions late in the day took a deeper dive into these areas. All of the content will be available on the AWS Events YouTube channel in the coming weeks. It’s well worth watching. In this post, I’ll call out some of the highlights and key takeaways.
Over the course of the keynote, he announced a couple new features and only one new service (AWS Backup Audit Manager). But that’s ok; this event wasn’t about new functionality, it was about how to get the most out of what’s currently available in the AWS Cloud.
Keynote slide from AWS re:Inforce, Warren Buffet quote
Threat Detection and Incident Response
Stephen called out the changing threat landscape. Specifically, the move to work from home and rise of ransomware. Both have changed the risks business are dealing with.
His key takeaway? Make sure to fix the underlying cause after any incident response.
Too often security teams end an incident once service has been fully restored. They leave off the final “learn” stage. They don’t work with other teams to resolve the underlying issue; the one that created the opportunity for an incident in the first place.
Surprising no one, teams that follow that philosophy end up right back in another incident quickly. Fixing the underlying issues will improve your security posture, and let the team move on to the next challenge. Also, examining the security data—using tools like AWS Security Hub and https://aws.amazon.com/detective/ and others—will help you track down those underlying causes and to help resolve them.
Keynote slide from AWS re:Inforce, Paulo Cohelo quote
Identity and Access Management
Credentials continue to be an issue. 80 percent of incidents related to the AWS environment stem from compromised or “weak” credentials. Combined with an unrelenting streak of misconfigured Amazon S3 bucket policies, it’s clear identity and access management (IAM) is a problem.
Part of it is complexity. A more critical part is the lack of security culture that allows for constant improvement. This was a key message from Brigid Johnson, Senior Software Development Manager with AWS Identity, in one of the later sessions.
All teams building in the AWS should understand the IAM system inside-and-out. The documentation is excellent and tools like IAM Access Analyzer can help ensure your configurations match your intentions.
That said, Stephen did offer some quick tips:
- Review permissions regularly.
- Use groups for IAM policies.
- Use least privilege for IAM.
If you want to get up to speed, check out these two talks from AWS re:Invent 2020:
- AWS identity: Choosing the right mix of AWS IAM policies for scale by Josh Du Lac, Principle Security Solutions Architect, AWS
- AWS identity: Next-generation permission management by Brigid Johnson
Keynote slide from AWS re:Inforce, Andy Jassy quote
Network and Infrastructure Security
This section started off with a discussion of supply chain risks. This is a topic of great concern to every security team out there. AWS provided some insight into how they view the supply chain. You can sum it up as, “it’s our part of the Shared Responsibility Model.”
If you’re wondering if they hold up their end of that model…they do. You can’t get this many compliance attestations if you aren’t focusing on security.
More importantly in this section, Stephen invited Brian Lozada, CISO of HBO Max, up to the stage…or at least to deliver a recorded segment.
Brian talking about the importance of a security culture within the organization. This was a sentiment echoed later in the day in Eric Brandwine’s (VP and Distinguished Engineer, AWS Security) talk.
Brian spoke about the need for security to gain visibility into business activities and provide guard rails. He spoke passionately about a focus on detection, enabling automatic remediation, and—most importantly—facilitating a positive developer experience.
The points that were raised in this section were a perfect example of what security should be. Innovative, modern security focuses on business outcomes. To deliver those outcomes, it works with teams to reduce the blast radius of risk, scale without slowing down, and is willing to fail fast and remediate afterwards.
Data Protection and Privacy
This section kicked off with the idea of “zero trust.” Despite the marketing buzz, this is a useful idea in data protection and privacy. Stephen did a great job cutting through the hype and drilling down on the advantages of this approach. If you’re interested in learning more, check out this great talk by Quint Van Demand from AWS re:Invent 2020, “Zero Trust: An AWS Perspective.”
A zero trust approach requires a strong foundation with security and privacy. To that end, Stephen offered a simple axiom, “Don’t store sensitive data without a plan.” And a key part of that plan is encrypting everything, whether at rest or in transit. Thankfully, that’s been much easier by a slew of features in the AWS Cloud.
Keynote slide from AWS re:Inforce, Anna Kendrick quote
Governance, Risk, and Compliance
The final section covered GRC. This is often a bit of a dry topic, and the keynote kept it blessedly short. Key points brought up here were: the expansion of attestations that AWS has received; more momentum behind the Cloud Audit Academy; and a teaser for a “Security Guardians” program material kit coming at AWS re:Invent 2021.
Sadly, the breakdown session on GRC didn’t add much other than providing some solid advice of starting small. Then iterating towards compliance. That gets easier as you learn more about your environment and its operations.
What Now for Security?
From afar, the keynote doesn’t seem like it delivered anything revolutionary. Dig a bit deeper and you’ll see it highlighted what successful security in the AWS Cloud looks like. It’s a security practice that works closely with the business to reduce friction and enable developers to get the most out of their tools.
A successful security practice doesn’t focus on zero days and obscure attacks. It’s grounded in data and obsessed with the success of other teams within the business. It’s a practice focused on delivering the context required to make reasonable risk decisions. A successful practice is one that moves the business forward…safely.
How that vision becomes a reality is a path full of nuance and challenges. The content didn’t gloss over that but it did show some steps you can take today.
Start automating everything within your security practice. To do that, you need a strong security data set. Then you can create automations to tackle a lot of the low level decisions and remediations. This frees up your limited resources to help educate the rest of the business. This helps everyone shoulder the security load.
After all, security is everyone’s responsibility.
Btw, if you want more details about the date. Check out my live tweets of the keynote.