If you missed AWS re:Inforce and are looking for the highlights, or simply want a refresher on the major themes, we’re going to review what stood out. The re:Inforce conference was back in Boston with Amazon Chief Security Officer, Stephen Schmidt, leading the charge alongside AWS Vice President and Chief Information Security Officer, CJ Moses, and Vice President of AWS Platform, Kurt Kufeld, all discussing the latest innovations in cloud security.
The AWS keynote left peers walking away with one major takeaway we can get behind: the number of cloud services is quickly expanding. Infrastructure, instances, applications, and more are demanding a level of urgency in enterprise security that previous cloud security strategies can’t keep up with.
What were people talking about at AWS re:Inforce 2022?
Big trade show events like re:Inforce are a wonderful way to get a temperature check on what customers are looking for and what the latest peer conversations are. Sonrai experts noted several topics catching the public’s attention:
- Interest in graphing and visualization capabilities in cloud security solutions, specifically relating to identity management and identity entitlements. This emphasizes a desire for digestible and clear visibility into the complexities of identity permissions.
- There is interest in leveraging automation capabilities like recommended policy changes, automated remediation, automated prioritization and more.
- Many users expressed a lack of confidence in knowing where their sensitive data is or how to find it.
- Similarly, many peers asked about data classification and tagging best practices. This is a topic the Sonrai team was asked about back at FS-ISAC earlier this year. Data classification is a core and critical step in building a data security strategy, as it allows you to prioritize data based on the gradation of sensitivity and business impact.
- The call for building a cloud security strategy around identity and data began to ‘click’ for many. This concept is part of a larger conversation around the need for context in understanding cloud vulnerabilities. Vulnerability management is useless without knowing how your workloads tie back to platform configurations, identity permissions and data access.
- Lastly, customers expressed frustration due to the gaps in their current tooling and their needs not being met. The concerns were many false positives, alert fatigue (one peer from a major investment firm noted 1.5M alerts on Prisma!), and not enough focus on data and identity.
Keynote Takeaways
The cloud giant, Amazon Web Services, has spoken and they’re calling for security posture to be ‘rethought’ to meet the scale and speed of the cloud. AWS Chief Security Officer, Stephen Schmidt, explained the need for least privilege and least access, saying that “an overly permissive environment guarantees you headaches.” And he is 100% correct.
In AWS, the effective permissions of an identity are often much broader than they appear. Broader meaning the identity can do more, see more, and access more than your organization thinks it has configured. This happens because, in the cloud, an identity’s permissions come not only from the identity-based policies attached to it directly or inherited through the groups it belongs to, but also from the roles it can assume, each of which carries its own policies (and a trust policy that decides who may assume it). And there is still more. Effective permissions are the combined result of resource-based policies (bucket policies, KMS key policies, role trust policies), permissions boundaries, session policies, and service control policies applied through AWS Organizations, plus whatever the identity can reach through native or third-party secret stores (such as AWS Secrets Manager or HashiCorp Vault). On top of all of that, the manner in which a policy is written (wildcards in actions or resources, missing conditions) can greatly widen an identity’s effective permissions. Now, what happens if you bring an additional public cloud into the mix? It gets complicated. Many organizations are blind to the identity risks in their cloud; it’s a ticking time bomb.
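To make the point concrete, here is an added example (not code from the original post or from Sonrai) that computes what a developer user can actually do by combining the policy layers named above and walking the roles it can assume, which is also the kind of entitlement graph the earlier list mentions. It is a simplified model of the AWS policy evaluation order for an IAM user in a single account (explicit Deny wins; the SCP must allow; a resource-based policy naming the principal suffices; permissions boundary and session policy only narrow; otherwise the identity policy must allow), and it assumes a role can be assumed within the same account whenever its trust policy names the principal explicitly. All account IDs, ARNs and policy documents are constructed for illustration.

```python
"""Added example: toy evaluator for AWS *effective* permissions (simplified
same-account model; see the lead-in for the rules it implements). It combines
SCP, resource-based, permissions-boundary, session and identity policies and
follows sts:AssumeRole edges transitively. All ARNs and policies are made up."""
from fnmatch import fnmatchcase

ORDER = ("scp", "resource", "boundary", "session", "identity")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _stmt_matches(stmt, action, resource, principal):
    """Does one statement apply to (principal, action, resource)?"""
    if "Principal" in stmt:  # only resource-based statements name a Principal
        p = stmt["Principal"]
        names = {"*"} if p == "*" else set(_as_list(p.get("AWS", [])))
        if principal not in names and "*" not in names:
            return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))

def _decision(policy, action, resource, principal):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    if policy is None:
        return None
    result = None
    for stmt in policy["Statement"]:
        if _stmt_matches(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(policies, principal, action, resource):
    """policies: dict keyed by the names in ORDER; None/missing = not present."""
    d = {k: _decision(policies.get(k), action, resource, principal) for k in ORDER}
    if "Deny" in d.values():
        return False                     # explicit deny anywhere always wins
    if policies.get("scp") is not None and d["scp"] != "Allow":
        return False                     # the SCP must grant the action
    if d["resource"] == "Allow":
        return True                      # same-account resource policy suffices
    for k in ("boundary", "session"):
        if policies.get(k) is not None and d[k] != "Allow":
            return False                 # boundary and session only ever narrow
    return d["identity"] == "Allow"

def can_assume(who, identity_policy, role):
    """Assumed same-account rule: the trust policy must name `who` explicitly;
    an explicit Deny on sts:AssumeRole in `who`'s own policy still blocks."""
    trust = _decision(role["trust"], "sts:AssumeRole", role["arn"], who)
    ident = _decision(identity_policy, "sts:AssumeRole", role["arn"], who)
    return trust == "Allow" and ident != "Deny"

def reachable_roles(principal, identity_policy, roles):
    """Transitive closure over role assumption (role chaining)."""
    reached, frontier = set(), [(principal, identity_policy)]
    while frontier:
        who, pol = frontier.pop()
        for name, role in roles.items():
            if name not in reached and can_assume(who, pol, role):
                reached.add(name)
                frontier.append((role["arn"], role["policy"]))
    return reached

def effective(principal, identity_policy, roles, resources, checks,
              scp=None, boundary=None):
    """Map each (action, resource) to 'direct', 'via <roles>' or 'denied'."""
    out, reach = {}, reachable_roles(principal, identity_policy, roles)
    for action, resource in checks:
        rp = next((p for pat, p in resources.items() if fnmatchcase(resource, pat)), None)
        direct = is_allowed({"identity": identity_policy, "resource": rp,
                             "scp": scp, "boundary": boundary}, principal, action, resource)
        via = sorted(r for r in reach if is_allowed(
            {"identity": roles[r]["policy"], "resource": rp, "scp": scp},
            roles[r]["arn"], action, resource))
        out[(action, resource)] = "direct" if direct else ("via " + ",".join(via) if via else "denied")
    return out

# --- constructed sample data: what a 'developer' user really has ------------
USER = "arn:aws:iam::111122223333:user/dev"
ADMIN = "arn:aws:iam::111122223333:role/AdminRole"
DEV_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-logs"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ADMIN}]}
ROLES = {"AdminRole": {"arn": ADMIN, "policy": {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}, "trust": {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "sts:AssumeRole"}]}}}
RESOURCES = {"arn:aws:s3:::customer-pii/*": {"Statement": [   # bucket policy
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-pii/*"}]}}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}]}
CHECKS = [("s3:ListBucket", "arn:aws:s3:::app-logs"),                       # visible
          ("s3:GetObject", "arn:aws:s3:::customer-pii/report.csv"),          # bucket policy
          ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
          ("iam:DeleteUser", USER)]                                          # SCP deny

def demo():
    """Evaluate the sample user; the identity policy alone suggests 'list one bucket'."""
    return effective(USER, DEV_POLICY, ROLES, RESOURCES, CHECKS, scp=SCP)
```

Reading the developer’s identity policy alone you would conclude “can list one log bucket”. `demo()` shows the real picture: the PII bucket is readable because its bucket policy names the user, `ec2:TerminateInstances` (and everything else) is reachable via `AdminRole`, and only `iam:DeleteUser` is blocked, and only because an SCP says so. Passing a `boundary` narrows what the user’s own policy grants but, as in AWS, does not touch the bucket-policy grant. The real service additionally evaluates conditions, NotAction/NotResource, cross-account rules and account-root trust, none of which this toy handles.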
Shifting Left Still
Amazon Chief Security Officer Stephen Schmidt said in his opening remarks, “You must not bolt on security after you build something, it has to be in from the very beginning of when [you] build things.” He continued, “this is a best practice to be recommended to customers – weave security into your development lifecycle and your operations.” One area that’s problematic for many of the DevOps teams we talk to is security.
Not only are cyberthreats rapidly evolving in sophistication, making things more complicated, but traditional structures of control, like central IT teams, are no longer in the path of cloud changes. Security falls on the DevOps teams now, who historically have leaned more toward the development side than operations. As a result, security testing is no longer something teams can dash off in the final stage before release.
Beyond Vulnerability: Four Risks that Create Paths to Sensitive Data
At the Aurora Theater, CTO and Co-founder of Sonrai Security, Sandy Bird, presented ‘Beyond Vulnerability: Four Risks that Create Paths to Sensitive Data.’ The session discusses the larger picture of total cloud security, outside of just considering vulnerability management, and calls for a focus on identity and data relationships. We’ll highlight some major takeaways and stats:
- Attack paths look different in the cloud. They still follow the kill chain of recon, vulnerability, infiltration, privilege escalation, lateral movement, exfiltration and impact; what’s different is how attackers get in, and the medium they move through: identities.
- Risks must be evaluated and prioritized by exposure, not just vulnerability. In the cloud, risk cannot be analyzed in silos; workload protection, cloud configuration, identity, and data governance have to be considered together.
- Identity should be the primary defensive control for cloud-deployed workloads. Sandy noted that 81% of all breaches involve an identity exploit; that stat alone answers why identity should be your focus.
- Finally, Sandy walked through an attack path simulation, emphasizing that while a workload vulnerability may be the entryway for an attacker, your focus needs to be on how your workloads connect to your identities, your platform configurations and your sensitive data.
theCUBE with Denise Hayman
Season 2 of the AWS Startup Showcase was filmed live at AWS re:Inforce. This episode featured Sonrai Security CRO, Denise Hayman. Denise and host John Furrier discussed security beyond traditional concepts like vulnerabilities, and focusing on identity and data at the center of security strategies. You can find the full interview available here, but we’ll highlight some major points below:
- John comments that, ‘overly permissive environments create chaos’ and Denise follows by sharing a recent AWS, Forrester, and Sonrai study finding around 95% of clouds being over privileged.
- John asks where the future of DevOps is headed; Denise shares that customers frequently ask about automated remediation and about using automation to prioritize their security issues, and that’s what lies ahead.
- Denise shares Sonrai’s estimate that there is about a 5:1 ratio of non-person identities to person identities in a typical organization, and emphasizes the need to focus security strategies there.
- John asks what the greatest challenge CISOs face today; Denise shares that she keeps hearing about gaps in resources and skills, and about the struggle to make the most of current headcount and investments.
- Denise and John discuss what a best-of-breed solution offers today; Denise singles out ‘continuous monitoring’ and ‘depth’ of visibility into identities and their entitlements.
Stronger Together with AWS
AWS secures its customers “behind the scenes” by widely sharing its findings and learnings, having security baked into its services from the start, and working with partners and customers together to make sure they have multiple layers of defense. “We’re stronger together, I think it’s very, very true,” Amazon CSO, Stephen Schmidt, remarked during his keynote.
AWS and Sonrai Security have in fact proven to be stronger together. Sonrai is part of the AWS Advanced Technology Partner Network and strives to help AWS customers reduce risk as they embrace the cloud. Sonrai received AWS Security Competency status in Identity and Data Protection due to our integration with AWS Control Tower. With the Sonrai Dig integration, Control Tower users can quickly configure accounts to meet security and compliance requirements, in addition to receiving full visibility of all identities — both person and non-person — and data stores in the cloud. Sonrai Dig delivers real-time, actionable information on the security and compliance of customer workloads on AWS.
More recently, Sonrai Dig worked with AWS to sponsor a Forrester research report titled, “Identity Controls Are Central to Enterprise Plans for Cloud Security.” This survey study focused on the relationships between cloud security and identity controls and found that organizations continue to increase both their usage of public clouds and the number and types of tools they use to secure their data in them. In fact, organizations use on average 6 tools, yet 56% say that machines and non-people identities are out of control in the cloud. For the complete findings, explore the full report.
Until Next Time, AWS re:Inforce
Gathering the bright minds leading an industry together to collaborate, share, and learn will always be impactful. Not only does re:Inforce focus on securing and protecting an AWS cloud environment specifically, but the conference provides attendees with educational experience and practical information they can use right away.
We had plenty of the Sonrai team at this year’s event and we walked away with new experience and a good time. Thank you AWS for gathering us all together, until next time!