At re:Invent, AWS emphasizes role of governance in cloud security
December 23 2020
by Fernando Montenegro
Every year, in late November or early December, anyone having anything to do with cloud computing either makes the trek or turns their gaze to Las Vegas, where Amazon Web Services hosts its re:Invent conference to show its progress in delivering on its customer-focused mission. This year, those gazes were turned to screens when the conference went virtual because of the pandemic. Still, the same type of content was there, from keynotes to multiple sessions and partner participation.
Also as expected, security remains a key message for AWS, and the company presented its approach to how security and governance teams can address their needs as cloud consumption grows within enterprises.
The 451 Take
As another re:Invent conference wraps up, a couple of key messages emerge from AWS in the context of security. First, AWS continues to place significant importance on security and continues to release new security functionality covering both new detections and workflows and greater scale: releases such as Audit Manager can help bring auditors to a better understanding of cloud environments, while Nitro Enclaves and other enhancements deliver additional security capabilities. Second, customers should take a good look at the set of features that AWS already makes available and then take the plunge, moving faster with challenging goals for cloud transformation, with the understanding that AWS has put together a set of security capabilities that is very likely to support those initiatives.
Tying these two key messages together is a broader underlying theme: as critical as security is for successful cloud transformations, getting the cultural and organizational aspects right is foundational. As AWS rolls out new offerings focused on organizational aspects, the company should be mindful of the idiosyncrasies of larger organizations and the complex relationships between technology, processes and people.
Physical editions of re:Invent are usually very large conferences with over 50,000 participants. Virtual re:Invent, freed from most physical logistical demands and made available for free online, was significantly larger in attendance: the company indicated roughly 500,000 registered to watch content and it delivered nearly 500 sessions on a rolling basis over three weeks.
What this significantly larger crowd saw was AWS making announcements along several key areas, from many new compute instances and other hardware announcements to developments along the use of machine learning (ML) via SageMaker and much more. Interestingly, many of the new features and services being offered by AWS are enabling better support for industry verticals – healthcare was highlighted this year – and a broader theme that its enterprise customers are looking for a combination of innovation, evolution and governance: innovation to support both hybrid and cloud-native delivery methods – there were several announcements related to containers and serverless, for example – evolution to support transitions from legacy infrastructure and also governance that fits into how these customers manage themselves beyond the cloud.
Much like its shared responsibility model for security, AWS obliges, provided customers understand there is also a role they must play. Indeed, a key message from CEO Andy Jassy and other executives has been that customers should recognize all that AWS is offering now, use this broad set of offerings for their own competitive advantage and move quickly into further adoption of cloud.
To get there, AWS recognizes the importance of two key constituencies: partners and, within customers themselves, operators. On the partner side, the company emphasized changes to how partners can reach AWS customers – its marketplace added enhancements around private offers, entitlements and services offerings – but also how partners can be enabled via individual programs and new competencies. Still, AWS's position of 'customer-centric innovation' means it keeps pushing partners to focus on specific value delivery above what the company itself can provide. AWS also removed tiering requirements for ISVs and now provides expedited access to AWS Partner Network resources for activities such as co-selling support.
The broad emphasis on operators is more of a nuance than specific offerings. The general flow of announcements just before and at re:Invent tracked more toward how those operating enterprise environments – complementing those developing new digital products and experiences – can successfully harness the power of AWS services while respecting their overall governance of IT infrastructure. As expected, security plays a large part.
It's important to remember that security and governance topics are important enough for AWS to have hosted an entirely separate event in 2019 – AWS re:Inforce – focused specifically on security. While re:Inforce 2020 was canceled due to the pandemic, the company reaffirmed that security is a priority and has added governance and security functionality throughout the year. Many of the announcements during the year and at re:Invent were centered around expanded use of concepts such as AWS Organizations – used to enforce broader controls over sets of cloud accounts – and Security Hub, which consolidates security information from AWS and third-party vendors.
AWS chose to emphasize a select number of enhancements. Chief among them were the AWS Nitro Enclaves functionality, the new AWS Audit Manager and the AWS Network Firewall.
Nitro Enclaves was announced shortly before re:Invent and is AWS's proposed approach to addressing confidential computing needs. The offering uses the capabilities of the custom Nitro architecture to create isolated environments, and it is compatible with any Nitro-enabled EC2 instance. The offering aims to support a broad set of use cases where customers want to minimize human access to sensitive private information being processed by EC2 instances. Early use indicates that popular initial use cases include, but are not limited to, using Nitro Enclaves to set up a cryptographic root of trust, because authenticated certificate operations can be done safely within the enclave, and using the enclave as another option for offloading TLS computations. Conceptually, Nitro Enclaves can represent an alternative to CloudHSM for protecting sensitive keys.
The new Audit Manager service is aimed at eliminating much of the 'undifferentiated heavy lifting' (an expression popularized by AWS's CTO Werner Vogels) of collecting, analyzing and reporting on the overall compliance state of AWS configurations. The service is clearly aimed at governance needs by organizations of all sizes that need to demonstrate that their cloud presence is complying with key mandates, be they external or internal. The service operates continuously and automates the collection of configurations and user activity sourcing from different services including CloudTrail, Security Hub and AWS Config. Recognizing the importance of auditing and compliance in supporting broader adoption of cloud services within enterprises, AWS also announced a new training program aimed specifically at professionals in auditing and compliance roles.
Last, the new AWS Network Firewall service was announced shortly before re:Invent. Here, AWS is providing firewalling functionality delivered as a network service, aimed at supporting numerous network security use cases.
Zero trust and areas of focus
AWS also took the opportunity to offer its position on 'zero trust' and to summarize recommendations to security leadership at customer organizations.
Rather than release specific offerings related to zero trust as rivals Google Cloud and Microsoft have, AWS has taken the position of zero trust as an architectural approach, one that it can address by combining existing products and by looking at customer needs from a use case-centric perspective: is it a matter of supporting machine-to-machine communication, human-to-application or a broader case of digital transformation initiatives where edge devices need to interact with the AWS cloud? In each case, AWS argues for a combination of network- and identity-centric constructs to address customer needs.
Last, AWS consolidated some of its guidance for security practitioners around tactical and strategic initiatives. For tactical considerations, the company again emphasized the use of AWS Organizations to manage security policies consistently across large numbers of accounts, pushed customers to leverage cryptographic services where appropriate, and called for ongoing measurement and automation of security controls. On the strategic side, AWS's message to customers was to evolve security architecture beyond traditional perimeter-based models and to improve security culture with a focus on agility, transparency and diversity.
AWS goes to great lengths to emphasize the role that its partner ecosystem has, which translates into a normally vibrant sponsor exhibition hall. With the pandemic, this had to be converted to a more subdued virtual expo hall, which nevertheless still had broad industry participation. There were just over 151 sponsors in total and nearly 45% of them (64 out of 143) had direct, specific security offerings either as part of their broader portfolio or as their main offering. The chart below illustrates the proportion of vendors with security offerings, broken down by sponsorship level (n=143).
[Chart: Proportion of Sponsors With Security Offerings, by sponsorship level]
As with similar analysis that was done for the KubeCon/CNCFcon conference, the numbers above don't include sponsors focused on data protection (backup & recovery).
While security-specific vendors numbered only 22, with Trend Micro being the only security-specific Platinum sponsor, the 45% share of vendors with security in their offerings was actually higher than at the recent KubeCon/CNCF conference, reflecting just how important security and governance have become to broader cloud adoption efforts. Other security-specific sponsors of note at AWS included Palo Alto Networks, Fortinet, McAfee, Check Point, Rapid7, CrowdStrike and DivvyCloud (itself now a part of Rapid7), among others.