“Entertainment” and “security” often go together like sugar and a lead balloon, but this year’s keynote was a surprisingly fun start to re:Inforce, AWS’s annual security conference.
Only two weeks ago, re:Inforce was scheduled to be a live event hosted in Houston, Texas. Over two confusing weeks, driven by the surge of COVID-19’s Delta variant, AWS initially canceled re:Inforce completely, before re-announcing it as an online-only event. And to the credit of the team at AWS, they’ve pulled together a good show.
Let’s share some highlights from the keynote session!
New Shiny Thing: AWS Backup Audit Manager
We have a new service, AWS Backup Audit Manager!
Okay… so the terms “backup” and “audit” could send a caffeinated chipmunk dozing, but hold up. Backups are a messy business and every compliance framework under the sun has requirements for them.
AWS Backup Audit Manager is made to solve the headaches of defining your backup strategy across all of your AWS resources, systematically codifying your compliance requirements, and having the ability to pull reports straight from the AWS console.
Along with making conversations with auditors a lot clearer, I can see this being useful for setting clear policies to meet internal requirements as well, beyond a nebulous direction to “back up everything, all the time, forever”. People also dramatically underestimate the value of the “boring stuff” in security, so kudos to AWS for giving some love to the fundamentals.
With the service being only hours old at the time of writing, we haven’t had a chance to dive into it yet, so we’re curious to see how it works in practice.
The CEO has ascended; long live the CEO!
For some background, Adam previously served at Amazon for 11 years and was a member of the infamous S-Team — the inner circle of advisors to Jeff Bezos — before serving as CEO of Tableau for five years.
Speaking for about four minutes at the opening of the keynote, he reinforced a lot of things that AWS is well known for around security, including the fact that security is Job Zero. One quip he made was that when it comes to security “we don’t have a business without it.” This is true not just of AWS, but of every company in the modern world.
We’ll be counting down to December with AWS re:Invent when we’ll hopefully get a chance to hear more from him speaking to the AWS community.
Key themes from AWS re:Inforce 2021
Amazon Web Services CISO Stephen Schmidt’s presentation covered a huge amount of ground, including current security trends, fundamental information security concerns, and of course, AWS services.
The session was broken up into five topics, but there were some common themes that flowed through the whole keynote:
1. Security is a human problem
This isn’t news to information security practitioners, but it’s always refreshing to hear a senior executive from a company that wants to sell you stuff admit that technology isn’t the sole solution.
Even the most ironclad technology can be brought down by human error or maliciousness, whether it’s clicking on a phishing link, working around security controls, or creating overprivileged users. Cutting corners on security administration is more common than you might expect.
If you can keep humans away from your data entirely, leaving your systems to handle as much as possible with automation, significant amounts of risk are removed.
But humans can also be a solution with programs like Security Guardians, where people beyond your infosec team champion security practices around the business (more info coming at re:Invent 2021).
The last 18 months have brought a raft of new challenges with remote work and the attendant security risks that often had to go unmitigated in the early days. But it’s not enough for security to say “No, that’s too risky”, which leads us to…
2. Security has to be an enabler
One of the golden quotes from Stephen Schmidt from the keynote: “You never want Security to be a department of ‘No’”. And historically, that’s how the practice has been perceived. Building modern solutions means we need to flip that on its head.
Modern security means building guardrails for your organization and people to work within, rather than hard limitations. Instead of “working from home is too risky,” we talk about how to mitigate the risk. Instead of “you need explicit permission for that,” we talk about detecting when things go wrong and remediating them quickly.
By eliminating friction from security processes, you enable the organization to become faster and more adaptive, therefore better serving your customers. Brian Lozada, CISO at HBO Max, espoused the view that it is customers who dictate how we do business, not fear.
This isn’t as easy as it sounds. Security threats are becoming more complex every day, and most of our organizations aren’t equipped to handle them. So finally, we come to…
3. Security is best solved at scale
Here’s the sales pitch. In the modern age, every company is a technology company — whether it’s a global search engine, a trendy cloud education company (hey there! 👋 ), or your local coffee shop.
Tech is fundamentally woven into all of our organizations. This includes the security risks, even if we aren’t built to cope with or understand them.
Since AWS provides security services for so many customers (including themselves), they have an enormous amount of data and experience to draw on. This gets wrapped up in their products, like GuardDuty, Security Hub, and IAM.
With most of them being turnkey, you don’t need to be a security expert to have incredibly powerful alerting capabilities and protections for your resources in AWS. They do underplay just how expensive these services can be (looking at you, GuardDuty 👀 ), but some very powerful services like those attached to IAM have no charges attached.
Another brilliant Stephen Schmidt quote: “Free is a solid price point.”
Wrapping it up
Stephen Schmidt delivered a solid presentation with a brilliant thread of wit and humor. For security engineers, the talk probably isn’t revolutionary. But for decision-makers and architects who may not work with the details every day, it’s a very worthwhile watch.
With re:Invent not far away, we’re all left wondering what kind of announcements will be on the way then, including whether the plans for a physical event will go ahead. And we’ll all be watching the news there closely over the next three months.
I’m just hoping there’ll be more virtually available swag options…