AWS re:Inforce details how to enhance your enterprise security culture and tools

The building should be wooden, not papier-mâché.

In short, build a security program from scratch and incorporate it into production and throughout the development lifecycle, Amazon Chief Security Officer Stephen Schmidt told the audience this week at AWS re:Inforce.

“You want visibility and everyone rowing together,” he said.

The annual re:Inforce event, as the name implies, emphasizes the importance of security and provides best practices from Amazon Web Services (AWS) and its partners.

This year’s event includes boot camps, labs, and several leadership sessions. These focus on proactive security; “security mindfulness”; streamlined identity and access management; large-scale compliance, governance, and security operations; encryption; and leveraging research and innovation to protect customer data.

“This event is aimed at practitioners, but I like how security basics, such as blocking public access and using multi-factor authentication (MFA), are described and studded throughout the keynote. Security needs to be part of everything. One job,” keynote speaker and MongoDB CISO Lena Smart told VentureBeat.

Lessons learned as a security leader

In the keynote, Schmidt emphasized the importance of access (or lack of access). He said it was important to decide who had access to what and why. What do people need for their work? For example, does the builder need live data for testing, or, as he says, does the data need to be “obfuscated, masked, anonymized no matter where it is stored”?

“An overly tolerant environment guarantees your headache,” Schmidt said.

The components of a security program need to incorporate “thinking and rigor” into each use case. When you store your data, you need to “intentionally control it, intentionally encrypt it, and intentionally protect it.”

Schmidt pointed out that AWS has a decentralized team environment and said the entire organization needs to work together on security. The AWS security team also meets regularly with the company’s C-suite. “It would be a problem,” he said, if the security team only had sporadic time with the C-suite.

Similarly, security tools are powerful when used as part of an overall strategy. Instead of siloing your security team, you need to be a “close partner” with your development organization. He cited an AWS principle: “We will be stronger together.”

Smart agreed and called employees “our strongest link and best supporters to foster a strong security culture at MongoDB.”

“We have access to all the tools in the world, but after all, people are the key to a robust and ever-expanding cybersecurity program,” Smart told VentureBeat.

This has been proven through MongoDB’s “Security Champion” program, she said. It has more than 90 employees worldwide, with members volunteering to act as security conduits for individual teams.

“This program provided unprecedented insights across MongoDB and helped mature security programs and internal collaboration,” Smart told VentureBeat.

Multiple layers of defense

The “clear worst-case scenario,” Schmidt pointed out, is an attacker gaining access to your organization’s data. Effective intrusion detection is needed in case an attacker gets onto the network, he said, adding that a robust cryptographic program can be the last line of defense.

Security differentiators include a least-privilege scheme and reliable, active logging that an attacker cannot remove. According to Schmidt, controls need to be integrated across services so that the failure of a single aspect of the security program does not undermine the entire defense portfolio.

Similarly, having complementary services is the foundation of a zero trust approach. He suggested building systems so that multiple things have to go wrong before the organization suffers bad consequences.

“A single control fails,” Schmidt said. “For security programs, we need multiple layers of defense.”

Foster a culture of security awareness

CJ Moses, AWS Vice President and Chief Information Security Officer, emphasized the importance of ownership across teams. Ownership should not be solely about profit and loss, or the success or failure of a business.

“It’s a mechanism that strengthens our security culture,” Moses said. “It’s the type of mentality you want to have and want to inherit.”

He said it was just as important to have a conference room full of people with different perspectives. This includes both introverts and extroverts, as well as those from different backgrounds and cultures. It’s about “having multiple perspectives and backgrounds because diversity brings diversity,” he said.

In addition, new employees can provide a high level of clarity to their teams without years of prejudice or “groupthink”.

Best practices ultimately come down to “whatever your culture allows you to see things differently and challenge each other,” Moses said.

Defense-in-depth mechanisms

As for the security tools themselves, Moses says that the tools that are automated, embedded, and make it easy for people to do the right thing are the most important.

“I don’t want security to bring more work to people,” he said. “They just find a way around it — we all know it’s true.”

He also emphasized the importance of least privilege, vulnerability reporting, and ransomware mitigation. The process of revoking access to new software or granted administrative access should be performed on a regular basis.

“Because each overly forgiving access is an opportunity for the adversary,” Moses said. “If you’re on vacation, access is the same.”

In addition, he said, there should be internal and external ways to report vulnerabilities. AWS provides customers with a contact platform that automatically opens tickets, even when they are not sure whether an issue is a genuine security problem. When it comes to ransomware, validate critical processes and run regular exercises.

“I don’t want to know about the serious flaws in the plan during the real problem,” Moses said.

It’s also important to create a comprehensive inventory of your software and how it’s used, while constantly analyzing third-party products to ensure they’re updated to the latest versions and patch levels.

Moses also emphasized: “Logging, logging, logging, logging; did I mention logging?”

Encryption and automated reasoning

Ultimately, the advent of quantum computing over the coming decades means that security experts will also need to rethink encryption, said Kurt Kufeld, vice president of the AWS platform.

“The advent of quantum computing means that some cryptographic algorithms are insecure,” he said. AWS is working with the National Institute of Standards and Technology (NIST) and the crypto community to create a world of post-quantum cryptography, he added, and the standard for it has been announced.

AWS has also implemented hybrid post-quantum key exchange and made it open source, Kufeld said. It provides quantum-safe algorithms and options for Transport Layer Security (TLS) connections. In addition, AWS is working with the Internet Engineering Task Force (IETF) to define quantum-safe key exchange and hybrid techniques.

Automated reasoning, another area Kufeld discussed, applies formal logic to computing systems. By leveraging it, users gain provable security and the ability to make universal statements, answering questions such as “Is this bucket open to the public?” for every possible request rather than for a sampled few.
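The “Is this bucket open to the public?” question above, as an added illustration that is not from the article or from AWS’s own tooling: a small Python check over constructed S3 bucket policies that flags Allow statements granting access to a wildcard principal without a narrowing condition. AWS’s actual automated reasoning answers the question by encoding the policy into logic and proving the statement over all possible requests; this script is only a syntactic approximation for teaching purposes, and the policies, bucket name, Sids and organization ID in it are constructed sample values.

```python
import json

# Constructed sample bucket policies (not from the article). The first grants
# anonymous read on every object; the second makes the same grant but limits it
# to principals inside one AWS Organization via a Condition key.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOrgOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        # "o-exampleorgid" is a constructed placeholder organization ID
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# Condition keys that, when used with a positive operator on a wildcard-principal
# statement, narrow who can match it. Illustrative, not an exhaustive list.
RESTRICTING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourceip",
}


def _is_wildcard_principal(principal):
    """True if the Principal element matches everyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def _has_restricting_condition(condition):
    """True if some positive condition operator references a narrowing key."""
    for operator, keys in (condition or {}).items():
        # Negated operators (StringNotEquals, NotIpAddress, ...) widen rather
        # than narrow the set of matching requests, so they do not count.
        if "not" in operator.lower():
            continue
        for key in keys:
            if key.lower() in RESTRICTING_KEYS:
                return True
    return False


def public_statements(policy_json):
    """Return the Sids (or positional labels) of statements open to the world."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    found = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt.get("Condition")):
            continue
        found.append(stmt.get("Sid", f"statement-{i}"))
    return found


def is_bucket_public(policy_json):
    """The universal statement, approximated: does any statement admit anyone?"""
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, pol in (("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        verdict = "public" if is_bucket_public(pol) else "not public"
        print(f"{name}: {verdict} {public_statements(pol)}")
```

The design point worth noticing is the treatment of negated operators: a `StringNotEquals` on a wildcard principal still leaves the bucket open to everyone outside the named value, which is exactly the kind of case a syntactic grep for “Condition present” gets wrong and a logic-based prover gets right.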

Kufeld explained that automated reasoning was applied to Amazon S3 to ensure “strong consistency.” This revealed edge cases that had not been seen before.

“When it comes to security, the power of universal statements is amazing,” said Kufeld.

Enhanced AWS features

Alongside the security guidance, AWS also announced several new tools during re:Inforce. These include:

  • Amazon GuardDuty Malware Protection: This new service helps detect malicious files present in instance or container workloads running on Amazon EC2 without deploying security software or agents. It adds file scanning for workloads that use Amazon EBS volumes to detect malware that can endanger your resources. When a problem is detected, the service automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. Existing customers can enable this feature through the GuardDuty console or the GuardDuty API.
  • AWS Wickr: A new enterprise-grade secure collaboration product that offers end-to-end encrypted (E2EE) messaging, file transfer, screen sharing, location sharing, and voice and video conferencing. It also includes message and content expiration, perfect forward secrecy, message recall and deletion, and administrative controls to support information governance and compliance.
  • A new category of AWS Security Competency Partners: Eight additional competency categories cover identity and access management; threat detection and response; infrastructure security; data protection; compliance and privacy; application security; perimeter protection; and core security. This helps customers identify software and service partners with expertise in a particular security category.
  • AWS Level 1 MSSP Competency specialization categories: Six new categories cover identity behavior monitoring; data privacy event management; security monitoring for modern compute such as containers and serverless technology; managed application security testing; digital forensics and incident response support; and business continuity and ransomware readiness to recover from potentially disruptive events. According to Ryan Orsi, AWS global partner practice team leader for security consulting and MSSPs, the goal of the latter two rollouts is to help customers find partner solutions validated by AWS security experts that can provide 24/7 monitoring and response services. “It shows how we aim to meet customers where they are and make it easier to protect these environments,” Orsi told VentureBeat. “We enable a one-stop shop experience where (customers) can find security software that is specific to their needs and the expertise they need to deploy it properly.”
  • AWS Marketplace Vendor Insights: A new tool that simplifies third-party software risk assessment by consolidating security and compliance information into a single dashboard. This helps streamline procurement by giving buyers access to evidence provided by AWS Marketplace sellers on data privacy and residency, application security, and access control. Buyers can be notified about security events such as vendor compliance certificate expirations to stay on top of the security posture of third-party products.

Ultimately, this highlights AWS’s dedication to the “partner ecosystem” and its streamlined sourcing process, said Chris Grusz, general manager of AWS’s Worldwide ISV Alliance and Marketplace.

“Customers can go through the procurement process without delay, and partners can make more transactions faster,” Grusz told VentureBeat.
