I spent the last few days at AWS re:Inforce 2019 in Boston, the first AWS security conference presented by Amazon Web Services (AWS). It was also the first AWS event that I've been to, and I came away with a few strong impressions:
- Amazon is putting a lot of skin in the game. Amazon is not really a security technology vendor, yet it organized and sponsored a top-notch cybersecurity conference that attracted about 7,000 attendees. There are several big cybersecurity technology and services vendors who haven’t gone nearly this far, so in my humble opinion, the AWS folks deserve credit here. Why go to all this trouble for cybersecurity? Because Amazon wants its fingerprint on the cloud security narrative and technology direction. Given its market leader position, what’s good for Amazon cybersecurity should be good for cloud security in general.
- Amazon wants customers and prospects to know that AWS security has them covered. Yes, there is still a shared responsibility model for cloud security, but Amazon wants CISOs to know that they can confidently move their most sensitive workloads to AWS. To underpin this message, AWS CISO Steve Schmidt highlighted security services such as Amazon GuardDuty (threat detection/continuous monitoring), AWS Security Hub (an alert monitoring dashboard across AWS accounts), Amazon Inspector (automated security assessment), and Amazon Macie (a machine learning-based tool to discover, classify, and protect sensitive data). Schmidt hammered his points about sensitive data protection by further emphasizing that the Amazon cryptographic stack spans up and down the OSI stack, protecting sensitive data as it crisscrosses AWS data centers. Finally, Amazon paraded out customers such as Capital One and Liberty Mutual to demonstrate that large enterprises have already bought into AWS security coverage.
- Partners are welcome. The show floor was packed with name-brand security vendors eager to demonstrate product support and integration with AWS. Aside from tradeshow traffic, Amazon also made several announcements for partners to build upon. For example, Amazon announced a VPC traffic-mirroring feature, enabling customers to mirror EC2 instance traffic within Amazon Virtual Private Cloud (VPC) and then forward that traffic to security and monitoring appliances. Partners such as Corelight, Fidelis, and Riverbed jumped on this, supporting this new service with their network traffic analytics tools. As for the AWS marketplace, Amazon’s goal is to get every security software vendor that matters to participate. To make this happen, Amazon employs a team to recruit vendors, provide development support, and work them into go-to-market programs.
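To make the traffic-mirroring announcement above concrete, here is an added Terraform example (my own illustration, not code from the original post or from AWS) that mirrors one EC2 instance's traffic to a Network Load Balancer fronting a fleet of monitoring appliances. The ENI id, the NLB ARN, and the excluded CIDR are placeholders supplied as variables.

```hcl
# Added example: VPC Traffic Mirroring from one instance to an appliance NLB.
# Placeholders (assumptions, not values from the post): the two variables and
# the backup-subnet CIDR below.
variable "monitored_eni_id"  { description = "ENI of the EC2 instance to mirror" }
variable "appliance_nlb_arn" { description = "ARN of the NLB fronting the analysis appliances" }

# Target: where the mirrored (VXLAN-encapsulated) copies are delivered.
resource "aws_ec2_traffic_mirror_target" "appliances" {
  description               = "NLB in front of the network traffic analysis appliances"
  network_load_balancer_arn = var.appliance_nlb_arn
}

# Filter: decides which packets are copied. Route 53 resolver DNS traffic is
# excluded unless network_services asks for it.
resource "aws_ec2_traffic_mirror_filter" "inspect" {
  description      = "Everything except the high-volume backup subnet"
  network_services = ["amazon-dns"]
}

# Rules are evaluated per direction in ascending rule_number; first match wins.
# Drop known-noisy backup traffic first so it does not eat appliance capacity.
resource "aws_ec2_traffic_mirror_filter_rule" "skip_backup_egress" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.inspect.id
  rule_number              = 10
  rule_action              = "reject"
  traffic_direction        = "egress"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "10.0.50.0/24" # backup subnet (placeholder)
}

resource "aws_ec2_traffic_mirror_filter_rule" "accept_all" {
  for_each                 = toset(["ingress", "egress"])
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.inspect.id
  rule_number              = 100
  rule_action              = "accept"
  traffic_direction        = each.key
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# Session: binds the source ENI to the target through the filter. The source
# ENI must belong to a supported (Nitro-based) instance.
resource "aws_ec2_traffic_mirror_session" "web_tier" {
  description              = "Mirror the web instance to the analysis appliances"
  network_interface_id     = var.monitored_eni_id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.appliances.id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.inspect.id
  session_number           = 1
  virtual_network_id       = 4242 # VXLAN VNI stamped on every mirrored packet
}
```

The appliances behind the NLB must listen on UDP 4789 and strip the VXLAN header before analysis; mirrored copies also count against the source ENI's bandwidth, so filtering at the rule level rather than on the appliance is the cheaper place to drop traffic.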
Clearly, Amazon wants to lead and disrupt the security market, and the company is willing to resource this effort on a continual basis. As proof, Schmidt announced re:Inforce 2020 in Houston a year from now. Meanwhile, Amazon will use re:Invent in December to reinforce its AWS security technologies and positioning.
Impressed, but questions linger
I left AWS re:Inforce very impressed, but my colleague (cloud security guru) Doug Cahill and I will continue to monitor a few remaining questions around:
- The partner ecosystem. Some partners we spoke to had nothing but good things to say about AWS, while others felt like Amazon hogged the stage at re:Inforce a bit too much. A few partners we spoke with are concerned that the AWS marketplace co-opts their pricing and business model, while others aren’t sure whether Amazon will remain a partner or turn into a competitor. Amazon must continue to pitch its "all for one, one for all" partner programs and keep partners whole – even if it steps on a few toes.
- AWS hybrid cloud security ambitions. Amazon partners are in a great position to bridge hybrid cloud security gaps as organizations move workloads to Microsoft Azure, Google Cloud Platform (GCP), the IBM Cloud, and Oracle Cloud. Amazon offered a few details about supporting hybrid cloud security, but this will continue to be a tough balancing act for AWS, partners, and customers. We will follow this dynamic situation.
- The new security demarcation line. When it comes to security and compliance, Amazon has always emphasized the shared responsibility model, where AWS is responsible for security "of the cloud" and customers are responsible for security "in the cloud." As part of this model, customers have always been responsible for operating system security. OK, but how does this change with serverless computing, when services like AWS Lambda replace OS services and calls with API-level integration? Amazon must come up with an addendum to the shared responsibility model specific to Lambda and then communicate it far and wide before, during, and after re:Invent.