Research — 20 Sep, 2022

Security is top priority for Amazon Web Services at re:Inforce 2022

Introduction

Amazon Web Services Inc. recently held its annual re:Inforce conference — dedicated exclusively to security for AWS environments — at the Boston Convention and Exhibition Center. Amazon.com Inc.'s AWS team used the opportunity to announce new security services, showcase cutting-edge capabilities in key security categories and formalize its managed security services provider, or MSSP, partner program. Re:Inforce 2022 demonstrated the company's focus on community engagement and training for customers and partners, underscored by a clear message that security is AWS' top priority.


Innovation and improvement across AWS' security portfolio were evident, as were continued efforts to streamline and simplify security for customers and partners. This has resulted in growing customer adoption of AWS security offerings. For example, the company notes that 75% of its top 2,000 customers now use AWS Security Hub as the central platform to consolidate security findings from their cloud environments. However, AWS faces growing competition from cloud rivals Microsoft Corp. and Google LLC, both of which have invested heavily in managed security services and continue investing in security for their cloud-native offerings. Thus, AWS' goal at re:Inforce 2022 was to send a message to customers and partners that security is its top priority. The company announced continued improvements to its MSSP partner program to keep pace with Microsoft and Google. Additionally, its substantial education and training efforts demonstrate that the company is committed to winning the crucial talent war for developers, DevOps engineers, and security and compliance professionals.


Keynote

This year's keynote was delivered by Chief Security Officer Stephen Schmidt, along with AWS Chief Information Security Officer CJ Moses and Vice President of AWS Platform Kurt Kufeld. The talk focused primarily on AWS' new security services and partner program and included several security-focused "calls to action" for users and partners.

Schmidt kicked off the keynote by highlighting the important work AWS is doing to help the Ukrainian government during the ongoing crisis. According to Schmidt, Ukraine desperately needed to migrate critical data to the cloud to prevent it from being destroyed or stolen by Russian forces. After meeting with AWS, Ukrainian officials decided to leverage AWS Snowball — AWS' secure edge computing devices — to securely transfer data to the cloud. Schmidt remarked that AWS has migrated data from 27 Ukrainian ministries, 18 universities, 61 government agencies and Ukraine's largest bank, PrivatBank.

Among the calls to action, the recommendation to "encrypt everything" leveraged AWS data protection and zero-trust strategies and services such as AWS Key Management Service, or KMS. "Enable multi-factor authentication (MFA)" leveraged an effective security control that AWS offers free of charge. "Block public access" spoke to a common cloud configuration problem that can be avoided with proactive controls. "Review IAM access analyzer" highlighted the importance of understanding identity and continuously monitoring using native tools. Kufeld then demonstrated automated reasoning use cases, such as eliminating internet access to sensitive data, ensuring that no one outside the organization can access KMS keys, and answering questions such as: Is this S3 bucket open to the public?
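The "block public access" call to action and the "Is this S3 bucket open to the public?" question above both come down to policy analysis. The following added example (not code from the article and not AWS's own IAM Access Analyzer or automated-reasoning engine) applies a deliberately simplified version of that check to bucket policy documents: an Allow statement whose Principal is `*` (or `{"AWS": "*"}`) and whose Condition block contains no key that scopes the caller is reported as public. The sample policies, account ID and VPC endpoint ID are constructed, and the set of restricting condition keys is an assumption for the example rather than an exhaustive AWS list.

```python
"""Flag S3 bucket policy statements that grant access to anyone.

Added example, not part of the original article and not AWS code. It only
inspects the bucket policy; real S3 evaluation also considers ACLs and the
account- and bucket-level Block Public Access settings, which this ignores.
"""
import json

# Condition keys that normally pin an otherwise-anonymous principal to a
# specific account, organization or network. Assumption for this example.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalaccount", "aws:sourceip",
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element matches every caller (or no caller)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for key, value in principal.items():
            if key in ("AWS", "*") and "*" in _as_list(value):
                return True
    return False


def condition_restricts_caller(condition):
    """True if any condition key in the block narrows who the caller can be."""
    if not condition:
        return False
    for operator_block in condition.values():
        for key in operator_block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy):
    """Return the Allow statements that are reachable by anyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never open a bucket
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        if condition_restricts_caller(stmt.get("Condition")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


def is_bucket_public(policy):
    """Answer the keynote's question for one policy document."""
    return bool(public_statements(policy))


# Constructed sample policies (bucket name, account ID and VPC endpoint ID
# are placeholders, not real identifiers).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
VPC_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"StringEquals": {
                       "aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
ACCOUNT_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyEveryone", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name, policy in [("public-read", PUBLIC_READ_POLICY),
                         ("vpc-scoped", VPC_SCOPED_POLICY),
                         ("account-scoped", ACCOUNT_SCOPED_POLICY),
                         ("deny-all", DENY_ALL_POLICY)]:
        print(f"{name}: public={is_bucket_public(policy)} {public_statements(policy)}")
```

Run it against a policy pulled with `aws s3api get-bucket-policy`; a finding means the statement grants the listed actions to unauthenticated callers and should be reviewed alongside the account's Block Public Access configuration, which is the proactive control the keynote recommends.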

New security services

The AWS team also announced the launch of several new security services during the keynote, followed by deep-dive training sessions for customers and analysts. While the number of launches was relatively small compared with previous AWS events, the launches at re:Inforce 2022 were significant. First, AWS launched GuardDuty Malware Protection, which provides agentless malware detection on AWS workloads. This enables customers to scan Amazon Elastic Block Store, or Amazon EBS, for malicious files on EC2 and container instances. Malware scans automatically initiate when GuardDuty detects suspicious activity and alerts surface to AWS Security Hub. Customers may prefer this to third-party offerings due to ease of deployment and tight integration with GuardDuty.

AWS also improved its container security capabilities with the launch of Amazon Detective for Kubernetes environments. GuardDuty, AWS' continuous security monitoring service, monitors AWS CloudTrail data events for Amazon S3, CloudTrail management event logs, DNS logs, Amazon EBS volume data, Amazon Elastic Kubernetes Service, or Amazon EKS, audit logs, and Amazon VPC flow logs for suspicious activity. GuardDuty's detection capabilities were extended in early 2022 to monitor Amazon EKS, with functionality that can be enabled with one click. With this launch, Amazon Detective has also been extended to cover Kubernetes environments. Detective enables customers to conduct deep investigations of security findings that surface to Security Hub by leveraging machine learning, statistical analysis and graph theory. These launches are a continuation of AWS' strategy to extend core security offerings for container and Kubernetes use cases.

Service updates

AWS also used re:Inforce to provide deeper dives into recently launched or recently updated security services. AWS improved its identity and access management portfolio with the recent release of IAM Roles Anywhere, which extends IAM roles to workloads that are running outside of AWS environments. Common use cases include backing up on-premises data to Amazon S3 buckets, sending security alerts from on-premises systems to AWS Security Hub, and enabling hybrid workloads to access AWS services via secure API calls, following the best practice of using short-term credentials. AWS has added AWS Single Sign-On to its IAM portfolio. The service, renamed AWS IAM Identity Center, builds on the per-account access management capabilities of IAM and the multi-account governance capabilities of AWS Organizations.

AWS also showcased innovative data protection and privacy offerings at the conference. The AWS team hosted deep-dive sessions covering its Confidential Computing offering, powered by the AWS Nitro System, which launched in fall 2020. AWS Nitro Enclaves enables customers to isolate and protect sensitive data while it is being processed using specialized hardware and associated firmware. The offering helps customers to meet stringent data privacy requirements and enables two customers to collaborate without providing raw data access to the other party. AWS expects the adoption of Nitro Enclaves to increase rapidly in upcoming years, driven by compliance requirements and data privacy legislation, but acknowledged that it would need to boost awareness and education to drive adoption.

The company also used the conference to clarify its position on zero trust, given the explosion of customer interest and industry marketing around the concept. While AWS does not offer a distinct zero-trust offering, as many security providers claim to do, zero-trust principles are often inherent in AWS cloud environments and can be applied in zero-trust implementations if they are properly architected. For example, all application programming interface calls are authenticated and authorized using transport layer security and AWS digital signature processes, while AWS Identity and Access Management enables strong identity-centric controls. These capabilities allow resources to be locked down to communicate only with validated sources, and encryption can be enabled easily. These types of controls provide the building blocks that enable customers to build cloud environments that adhere to zero-trust objectives.
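The zero-trust building block mentioned above is that every API call carries a signature the receiving side can recompute. The following added example (not code from the article, and not the AWS SDK's signer) implements the documented AWS Signature Version 4 structure in a simplified form: the HMAC-SHA256 key chain over date, region, service and `aws4_request`, a canonical request, and a string to sign; a `verify` function then plays the server's role and rejects a request whose body was altered after signing. The secret key, host, date and payload are constructed values, and features such as presigned query-string signatures and the `x-amz-content-sha256` header are left out.

```python
"""Sign and verify a request with the AWS Signature Version 4 scheme.

Added example, not AWS code. Follows the published SigV4 derivation in a
reduced form so that the verification step (and its failure on tampering)
can be shown offline.
"""
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key (kSigning)."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Build the canonical request; header names are lowercased and sorted,
    values have runs of whitespace collapsed, query parameters are sorted."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canon = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                       canon_headers, signed_headers, _sha256_hex(payload)])
    return canon, signed_headers


def sign(secret, amz_date, region, service, method, path, query, headers, payload):
    """Client side: return (signature_hex, credential_scope, signed_headers)."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canon.encode("utf-8"))])
    key = signing_key(secret, date_stamp, region, service)
    sig = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, scope, signed_headers


def verify(secret, amz_date, region, service, method, path, query, headers,
           payload, presented_signature):
    """Server side: recompute from the request as received and compare in
    constant time. Any change to a signed header, the path or the body fails."""
    expected, _, _ = sign(secret, amz_date, region, service, method, path,
                          query, headers, payload)
    return hmac.compare_digest(expected, presented_signature)


# Constructed sample request (secret, host and date are placeholders).
SECRET = "constructed-secret-not-a-real-key"
AMZ_DATE = "20220726T120000Z"
REGION, SERVICE = "us-east-1", "s3"
HEADERS = {"Host": "example-bucket.s3.amazonaws.com", "X-Amz-Date": AMZ_DATE}
PAYLOAD = b'{"status": "ok"}'


def demo():
    """Sign once, verify the untouched request, then verify a tampered body."""
    sig, scope, signed = sign(SECRET, AMZ_DATE, REGION, SERVICE, "PUT",
                              "/report.json", {}, HEADERS, PAYLOAD)
    ok = verify(SECRET, AMZ_DATE, REGION, SERVICE, "PUT", "/report.json", {},
                HEADERS, PAYLOAD, sig)
    tampered = verify(SECRET, AMZ_DATE, REGION, SERVICE, "PUT", "/report.json", {},
                      HEADERS, PAYLOAD + b" ", sig)
    return sig, ok, tampered


if __name__ == "__main__":
    signature, accepted, tampered_accepted = demo()
    print("signature:", signature)
    print("untouched request accepted:", accepted)
    print("tampered request accepted:", tampered_accepted)
```

Two design points carry the zero-trust argument: the signing key is derived per day, region and service, so a leaked derived key is far less useful than the long-term secret, and the signature covers the payload hash and the `host` and date headers, so a request cannot be replayed against another endpoint or silently modified in transit even over a terminated TLS connection.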

Expanded MSSP partner program

AWS also launched a new Security Competency Program for MSSP partners. Unlike Microsoft and Google, AWS does not offer its own managed security services, instead relying on partners to deliver managed security services. The company launched the first version of its MSSP certification program in August 2021 with 27 launch partners. The expanded program takes this a step further by dividing the MSSP Level 1 certification into six specialization categories: identity behavior monitoring, data privacy event management, modern compute security monitoring for containers and serverless, managed application testing security, digital forensics and incident response, and business continuity and ransomware readiness. The goal of the program is to standardize managed security services and improve consistency and quality of delivery from its partners — a top priority for AWS given the recent moves of cloud rivals Microsoft and Google.

Community engagement, education

AWS continued its focus on community engagement, education and training at this year's re:Inforce event. The company has taken several technologies and programs developed internally and made them available externally. AWS Security Awareness Training, a set of training sessions for technical and nontechnical audiences, will be publicly available in October. AWS has also started offering MFA tokens for "qualified" accounts free of charge and simplified the ordering process with a new ordering portal. This move follows Google Cloud's introduction of its Titan security keys free of charge in 2021. Making tokens more widely available should help the adoption of MFA, supporting the zero-trust messaging at re:Inforce. Additionally, AWS Marketplace Vendor Insights enables AWS customers to assess software vendors in the AWS marketplace and share information and product reviews among their peers.

AWS also supports open-source software security with its premier-level membership in the Open Source Software Foundation, which is developing strategies for more secure development practices in open-source communities. The company is also investing in its Libcrypto (AWS-LC) cryptographic library to support developers looking for a range of security functions. The library is available in the C language and has optimized assembly versions for x86 and Arm processor architectures, the latter being the basis of AWS' Graviton processors. Implementation issues in the use of cryptographic functions are often cited as a cause of security vulnerabilities; a comprehensive library can help to reduce the burden on developers for closing such gaps while reducing risk.

AWS Cloud Audit Academy is a certification program that teaches governance, risk and compliance professionals auditing aligned with common compliance frameworks and AWS security best practices. The current focus is Payment Card Industry-Data Security Standard, or PCI-DSS, with a new federal compliance course planned. The company hosted breakout sessions at re:Inforce to fully introduce AWS Audit Manager, a compliance automation and management tool that launched in 2020. AWS' substantial education and training efforts demonstrate the company's commitment to helping its customers and AWS users gain an edge in meeting critical demand for security and compliance expertise.

Conclusion

The AWS team used the conference to launch several new security services and showcase cutting-edge capabilities for data privacy and protection, encryption, IAM and zero trust. AWS has also made significant improvements to its MSSP partner program to keep pace with the new managed security services business units of Microsoft and Google. The company's education and training efforts demonstrate AWS' commitment to meeting critical demand for developers, DevOps engineers and security professionals armed with cloud security expertise.

Survey data suggests that there will be significant cloud security growth ahead for AWS and its cloud rivals, despite the intense competition. According to our Voice of the Enterprise: Information Security, Budgets and Outlook 2022 study, information security managers note that 37% of their security spending is being allocated to securing cloud infrastructure. Additionally, 65% of respondents note that they plan to adopt premium security services from cloud providers in 2022. AWS re:Inforce continues to demonstrate not only Amazon's commitment to this opportunity but its distinctive range of capabilities advancing the field of security for the cloud.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.

451 Research is part of S&P Global Market Intelligence. For more about 451 Research, please contact 451ClientServices@spglobal.com.
