My hope for the AWS re:Inforce 2022 keynote - Lacework

Mark Nunnikhoven - Distinguished Cloud Strategist

July 26, 2022

The keynote at AWS re:Inforce 2022 will contain the typical AWS updates, new functionality, and—I believe—a theme that might surprise some.

In this post, I’m going to lay out what I think we’re going to hear from AWS CISO CJ Moses, Amazon CISO Stephen Schmidt, and the other speakers. OK, maybe it’s more of a prediction and a hope. Here’s what I hope we hear from these key leaders in our security community.

Business updates

AWS re:Inforce is focused on security in the AWS Cloud, and the business updates during the keynote are going to reflect that. We’ll probably see quick updates on how security has progressed within the AWS Cloud and how its security services are helping customers meet their side of the Shared Responsibility Model.

Unlike the “standard” AWS keynote format, these updates will probably be woven into the hour and a half session.

Security of the cloud

Kurt Kufeld, VP of AWS Platform, is also listed as a keynote speaker. This says to me that we’re going to get more of a peek behind the curtain of how AWS is building security into everything they do.

This serves two purposes.

The first is to reassure customers that the services they are using are built with world-class security (something the wall of compliance attestations vouches for).

The second is to hold AWS up as an example of how you can implement security by design thinking into everything that your organization is building. We’ve seen examples of this from previous sessions at AWS re:Inforce and in keynotes from AWS re:Invent. 

AWS has accepted something that most organizations still rail against. There is simply too much security work to be done for one centralized security team to take it all on. Everyone involved in building needs to be thinking about security by design.

Expect Kurt’s section of the keynote to shine a light on some fantastic work by the automated reasoning team, the identity team, and a host of other key groups within AWS whose work you see every day but might not know where it came from.

New functionality

No major keynote would be complete without at least one major new service or cool functionality for existing services. What will that be for AWS re:Inforce 2022? 

I have no idea. But I’m excited to find out.

If you aren’t at the event, you can follow along with our coverage of the event on Twitter (@Lacework and I’m @marknca) to find out along with us.

The main theme

A main topic in the AWS re:Inforce 2019 keynote was building a security culture. Eric Brandwine, VP & Distinguished Engineer, AWS Security, went even deeper in a breakout session during the virtual AWS re:Inforce 2021.

I believe/hope that this year’s keynote is going to take this theme a step further. 

AWS has millions of customers. This means that they—and by extension AWS Security—see trends on a scale that few others do. Based on the information they’ve shared over the years, they’ve modelled their own structure based on what they’ve learned.

The AWS Security Specialty certification launched in 2018 was the first step in making sure that individuals were able to validate their AWS security knowledge.

The Cloud Audit Academy was launched in 2020. It differs from the certification in that it’s an educational and influence effort aimed at shifting how a specific audience—in this case auditors—look at their work in the cloud.

I’m hoping that this year, AWS takes the next step and advocates for the wider adoption of security thinking. Stephen mentioned the concept during the 2021 keynote (1:13) as “Security Guardians.” During that segment, he also teased that more would be coming at AWS re:Invent 2021.

During that event, we didn’t see any official mention of “Security Guardians” or anything similar. Now, a lot of things slipped in 2022 and 2021 for very understandable reasons.

The closest thing we got to this as a program from Amazon is the freely available Cybersecurity Awareness Training. While admirable, this is targeted at all employees, not builders.

I’m hopeful that this is the year when we’re going to hear more about a formalized effort from AWS (not Amazon) aimed at all builders with the specific goal of getting security by design thinking as the only way to approach building well.

Why does it matter?

Getting everyone on board with security by design thinking is important because the current centralized approach just isn’t scalable. Yes, a centralized team of deep security expertise is still advisable but they should be working on showstopper level problems, not lower level day-to-day issues that are better solved by teams with more context.

That word, context, is the key to success.

The teams that have built a system and operate it daily are in the best position to understand if various behaviours are negative. They are the ones that can map out the impact of any mitigations or controls that could help reduce risk. Context is what drives security success.

A push from AWS—beyond just the security pillar in the broadly applicable AWS Well-Architected Framework—that focuses on getting more builders thinking about security early and often will go a long way to improving the security posture of what they are building and its resiliency.

Don’t forget, the goal of security is directly aligned with the goal of the business. It’s to make sure that what you’re building works as intended and only as intended.

What’s next?

Regardless of whether my hope—or is it more of a wish?—comes true next week, AWS re:Inforce is jam-packed with fantastic content.

There are opportunities to learn about specific AWS Security Services, security functionality in other services, architectural approaches that can help improve security, and more. Best of all, it’s a chance to connect with other security-minded builders.

If you’re following the conference remotely, we’ll be active on social throughout the event (@Lacework on Twitter). We’ll also be publishing new content here on the blog based on what we’ve learned during the show.

If you’re on-site, Lacework will be there in booth #406. Stop by and say hello.