Published : 07.29.2022
Last Updated : 08.22.2022
If you missed AWS re:Inforce and you are looking for the highlights, or just simply want a refresher on the major themes, we’re going to review what stood out. The re:Inforce conference was back in Boston with Amazon Chief Security Officer, Stephen Schmidt, leading the charge alongside AWS Vice President and Chief Information Security Officer, CJ Moses, and Vice President of AWS Platform, Kurt Kufeld, all discussing the latest innovations in cloud.
The AWS keynote left peers walking away with one major takeaway we can get behind: the number of cloud services is quickly expanding. Infrastructure, instances, applications, and more are demanding a level of urgency in enterprise security that previous cloud security strategies can’t keep up with.
Big trade show events like re:Inforce are a wonderful way to get a temperature check on what customers are looking for and what the latest peer conversations are. Sonrai experts noted several topics catching the public’s attention:
The cloud giant, Amazon Web Services, has spoken, and it is calling for security posture to be ‘rethought’ to meet the scale and speed of cloud security. AWS Chief Security Officer Stephen Schmidt explains the need for least privilege and least access, saying that “an overly permissive environment guarantees you headaches.” And he is 100% correct.
In AWS, the effective permissions of an identity are often much broader than they appear to be. Broader, meaning the identity can often do more, see more, and access more than your organization thinks it has configured. This happens because, in the cloud, an identity’s permissions are constructed not only from the policies attached to it and to the groups it belongs to (the identity-based policies) but are also influenced by the roles that it can assume. And there is still more. Effective permissions include the combination of resource-based policies, session policies, service policies, organizational policies, and even access to native or third-party secret stores (such as HashiCorp Vault). On top of all of that, the manner in which a policy is implemented can greatly affect an identity’s effective permissions. Now, what happens if you bring an additional public cloud into the mix? It gets complicated. Many organizations are blind to the identity risks in their cloud; it is a ticking time bomb.
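To make the point concrete, here is an added Python example (not Sonrai’s or AWS’s code) that models a simplified version of IAM evaluation: explicit Deny wins, an SCP or session policy must allow the action when present, an identity-based or resource-based Allow then grants it, and the roles an identity can assume are followed transitively, so the identity’s effective reach is wider than its own policy. It omits Condition blocks and permission boundaries, stands in a plain list of caller ARNs for each role’s trust policy, and uses a constructed account ID and bucket.

```python
import fnmatch
def _hits(stmt, action, resource):
    lst = lambda v: [v] if isinstance(v, str) else list(v)
    return (any(fnmatch.fnmatchcase(action, a) for a in lst(stmt["Action"])) and
            any(fnmatch.fnmatchcase(resource, r) for r in lst(stmt.get("Resource", "*"))))
def evaluate(policy, action, resource):
    """One policy document: 'Deny' (explicit deny wins), 'Allow', or None (no match)."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if _hits(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict
def is_allowed(action, resource, identity_policies, scp=None, resource_policy=None, session_policy=None):
    """Simplified same-account evaluation (conditions and permission boundaries omitted): any Deny
    blocks; SCP and session policy must Allow when present; then identity OR resource Allow grants."""
    gates = [evaluate(p, action, resource) for p in (scp, session_policy) if p]
    grants = [evaluate(p, action, resource)
              for p in list(identity_policies) + ([resource_policy] if resource_policy else [])]
    if "Deny" in gates + grants or any(g != "Allow" for g in gates):
        return False
    return "Allow" in grants
def reachable(start, principals, scp=None):
    """Follow sts:AssumeRole edges: the caller needs an Allow on the role ARN and the role's
    'trust' list (a stand-in for its trust policy) must name the caller's ARN."""
    seen, todo = {start}, [start]
    while todo:
        caller = todo.pop()
        for name, p in principals.items():
            if name not in seen and principals[caller]["arn"] in p.get("trust", []) and \
               is_allowed("sts:AssumeRole", p["arn"], principals[caller]["policies"], scp=scp):
                seen.add(name); todo.append(name)
    return seen

def effective_allow(start, principals, action, resource, scp=None):
    """True if the identity itself, or any role it can reach, is allowed the action."""
    return any(is_allowed(action, resource, principals[p]["policies"], scp=scp)
               for p in reachable(start, principals, scp))

# Constructed sample: 'dev' only reads the bucket directly but can assume 'deploy', which writes to it
DATA = "arn:aws:s3:::customer-data/*"
PRINCIPALS = {
    "dev": {"arn": "arn:aws:iam::111111111111:user/dev", "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": DATA},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111111111111:role/deploy"}]}]},
    "deploy": {"arn": "arn:aws:iam::111111111111:role/deploy", "trust": ["arn:aws:iam::111111111111:user/dev"],
               "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": DATA}]}]}}
DENY_DELETE_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                                 {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
```

Auditing only `dev`’s attached policy would report read-only access; walking the assumable roles shows it can effectively write to the bucket, while the organization-level SCP still blocks deletes on every path.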
Shifting Left Still
Amazon Chief Security Officer Stephen Schmidt said in his opening remarks, “You must not bolt on security after you build something, it has to be in from the very beginning of when [you] build things.” He continued, “this is a best practice to be recommended to customers – weave security into your development lifecycle and your operations.” One area that is problematic for many of the DevOps teams we talk to is security.
Not only are cyberthreats rapidly evolving in sophistication, making things more complicated, but traditional structures of control, like IT teams, are also no longer relevant to the cloud. Security now falls on the DevOps teams, who historically have leaned more toward the development side than operations. As a result, security testing is no longer something teams can dash off during the final stage of production.
At the Aurora Theater, CTO and Co-founder of Sonrai Security, Sandy Bird, presented ‘Beyond Vulnerability: Four Risks that Create Paths to Sensitive Data.’ The session discusses the larger picture of total cloud security, outside of just considering vulnerability management, and calls for a focus on identity and data relationships. We’ll highlight some major takeaways and stats:
Season 2 of the AWS Startup Showcase was filmed live at AWS re:Inforce. This episode featured Sonrai Security CRO, Denise Hayman. Denise and host John Furrier discussed security beyond traditional concepts like vulnerabilities, and focusing on identity and data at the center of security strategies. You can find the full interview available here, but we’ll highlight some major points below:
AWS secures its customers “behind the scenes” by widely sharing its findings and learnings, having security baked into its services from the start, and working with partners and customers together to make sure they have multiple layers of defense. “We’re stronger together, I think it’s very, very true,” Amazon CSO, Stephen Schmidt, remarked during his keynote.
AWS and Sonrai Security have in fact proven to be stronger together. Sonrai is part of the AWS Advanced Technology Partner Network, and strives to assist AWS customers by reducing risk and embracing the cloud. Sonrai received AWS Security Competency status in Identity and Data Protection due to our integration with AWS Control Tower. With the Sonrai Dig integration, Control Tower users can quickly configure accounts to meet security and compliance requirements in addition to receiving full visibility of all identities — both person and non-person — and data stores in the cloud. Sonrai Dig delivers real-time actionable information on the security and compliance of customer workloads on AWS.
More recently, Sonrai Dig worked with AWS to sponsor a Forrester research report titled, “Identity Controls Are Central to Enterprise Plans for Cloud Security.” This survey study focused on the relationships between cloud security and identity controls and found that organizations continue to increase both their usage of public clouds and the number and types of tools they use to secure their data in them. In fact, organizations use on average 6 tools, yet 56% say that machines and non-people identities are out of control in the cloud. For the complete findings, explore the full report.
Gathering the bright minds leading an industry together to collaborate, share, and learn will always be impactful. Not only does re:Inforce focus on securing and protecting an AWS cloud environment specifically, but the conference provides attendees with educational experience and practical information they can use right away.
We had plenty of the Sonrai team at this year’s event and we walked away with new experience and a good time. Thank you AWS for gathering us all together, until next time!