AWS re:Inforce: Bridging the Shared Responsibility Divide

AWS re-Inforce- Bridging the Shared Responsibility Divide

The News: AWS hosted re:Inforce, its annual security conference, in Anaheim, California. On display in general and analyst-specific breakout sessions as well as one-on-one meetings attended by Futurum Group include development to secure the infrastructure that AWS uses to host customers’ data and workloads, as well as developments to help customers utilize the cloud more securely. See the AWS News Blog for more.

Where You Have Access, You Have Responsibility

Analyst Take: “With great power comes great responsibility.” It might seem cheesy to quote Uncle Ben’s famous words to Peter Parker in Spider-Man, but this general theme rang true across AWS re:Inforce 2023, the hyperscaler’s annual security conference. That is, with one tweak. As articulated by CJ Moses, CISO and VP of Security Engineering for AWS, on the general session mainstage: “Where you have access, you have responsibility.” The more access we have to IT systems and data, the more responsibility we carry when it comes to security.

A common industry adage is that security is a team sport, and AWS used re:Inforce to provide the market with a healthy reminder of the “shared responsibility model.” While technology providers have the responsibility of delivering secure systems and software, customers have the responsibility of facilitating secure access to and use of those systems and software.

AWS Shared Responsibility Model
AWS Shared Responsibility Model (Source: AWS)

In the words of AWS, while AWS is responsible for securing the cloud, customers have responsibility for securing what they put in the cloud (including their data). This is a big responsibility, too, with credential theft representing a real issue that is contributing to the perpetuation of cyber-attacks including ransomware and data theft and extortion.

Security “Of” The Cloud

AWS clearly takes the security implications of its architectural decisions and hardware and software engineering to heart. As articulated by J.D. Bean, Principal Security Architect, Amazon EC2 and Peter O’Donnell, Principal Solutions Architect, Security for AWS, in a private session for analysts, “obsessive and rigorous ownership” is the “secret sauce” driving the hyperscaler’s hardware and software engineering from a security standpoint.

This is evidenced by AWS Nitro System, the virtualization infrastructure for the next generation of AWS EC2 instances, and Firecracker, the open-source virtualization software underpinning AWS “serverless” compute and container instances such as Fargate and Lambda. Both Nitro and Firecracker were highlighted early on the re:Inforce mainstage, with Moses emphasizing the years of development that have gone in to both technologies, and their key value for customers, which includes inhibiting access to customer data by AWS, and a reduced attack surface via a minimalist, “micro VM” design.

Like other widely deployed and utilized infrastructure providers (per AWS, it operates across 99 Availability Zones and 33 geographical Regions) AWS’ scale means that its infrastructure is more likely to be targeted for attack, when compared to smaller-scale IaaS and PaaS providers. The benefit is that, at the same time, this scale also makes it more likely for AWS to have visibility into attackers’ latest tactics, techniques, and procedures. AWS is capturing this intelligence to improve security for customers. For example, it can use telemetry from its globally distributed threat sensors to reduce mean time-to-resolution of cyber-attacks and better learn the tactics of malicious threat actors. According to Moses, AWS interpreted signals from 5.4 billon threat sensors and 1.5 billion network probes in 1Q23 alone, contributing to its ability to mitigate 1 million outbound botnet driven DDoS attacks during the timeframe.

Potentially, this stands to address one of the most pressing challenges that consistently comes up in Futurum Group’s conversations with IT operations: limited headcount, and as a result difficulty when it comes to keep pace with the rate that cyber-threats are evolving. As a prime example of this, Moses put it simply: “The best patching is the kind you don’t have to do because AWS does it for you.”

Of course, the reality isn’t quite that simple. Tools, such as AWS Backup Vault Lock for WORM and encrypted data copies, the Route 53 Resolver DNS Firewall that can be used to control access to, and block DNS traffic from, virtual private cloud (VPC) environments, as well as the new ability to apply two layers of encryption to objects stored in Amazon S3 buckets still need to be utilized appropriately and effectively. To help, security is one of the core pillars of AWS’ Well-Architected Framework program, which provides architectural best practices and supporting resources such as hands-on labs.

Security “In” The Cloud

Following the theme of “where you have access, you have responsibility,” Zero Trust is at the forefront of how AWS is helping customers to secure what they are putting in the cloud. As external hackers remain innovative and as the threat of malicious insiders rises, Zero Trust is a critical architectural concept, but it is one that risks becoming an overused marketing term if not well-defined. For AWS, its approach is to avoid forcing a decision between Identity- and Network-centric controls, and instead make these controls work in concert with each other. Technological examples of what this looks like in practice includes:

  • Amazon Verified Permissions, a service for authorization and permissions management for customer-developed applications that became generally available at re:inforce 2023. Authorization can quickly become extremely complex and cumbersome, given how fine-grained and quickly evolving business requirements, and as a result, policies can be complex, as well – especially at the scale at which enterprise operate, spanning a diverse and seemingly countless range of applications. The idea behind Amazon Verified Permissions is to decouple the authorization process from the process of coding applications, to maintain simplicity and agility for developers, while still enabling consistency and control for IT and security teams.
  • EC2 Instance Connect Endpoint (EIC Endpoint), which was also launched at re:Inforce 2023. EIC Endpoint allows users to connect to EC2 instances using private subnets via SSH and RDP connectivity, as opposed to public IPs.
  • Both of these announcements follow the May 31 General Availability (GA) of AWS Verified Access, which provides access to AWS-hosted resources without requiring a virtual private network (VPN). Effectively, the service grants or denies permissions to an application based on rules that are created by the customer and that support the AWS Web Application Firewall (WAF).

Security and Compliance Visibility

Obtaining intelligence into threats is simultaneously critical and a major challenge for enterprises, IT Operations, and security teams today. Moses demonstrated on the re:Inforce mainstage his deep understanding of this, largely resulting from his experience on the FBI’s Behavioral Unit, stating that “There is always a human behind the keyboard; understanding the ‘why’ and ‘how’ will lead you to the ‘who.’”

The list of Amazon’s security and compliance tools is vast. While this provides the benefit of addressing a host of use cases and requirements, it can be difficult at times to navigate. This mirrors a key challenge faced by SecOps teams – obtaining real-time visibility into the continuously evolving threat landscape, across the myriad of resources in use, with limited staff resources. Three of the tools that jump out to me the most when it comes to helping SecOps teams make the most of limited staff resources are:

  • Amazon GuardDuty, which uses machine learning (ML) and anomaly detection to uncover threats. Users can obtain visibility across a variety of AWS services (Aurora databases, EKS runtimes, and Lambda workloads were highlighted at re:Inforce). Threat intelligence is enhanced through integration with third-party technology providers including Bitdefender, CrowdStrike, Lacework, and Proofpoint, and remedial actions can be automated.
  • Amazon Detective, which aggregates and applies ML to log data to correlate discrete security findings (e.g., software code vulnerabilities, risks flagged by AWS Identity and Access Management Access Analyzer, and AWS EC2 and EKS logs). Of note, Amazon Detective now supports findings from GuardDuty as well as Amazon Inspector, which uncovers network and software vulnerabilities.
  • AWS Security Hub, which provides a risk posture assessment across the organization’s AWS resources, utilizing security alerts from a host of AWS security services including GuardDuty and Inspector, among others. At re:Inforce, AWS announced the addition of features to Security Hub that are designed to reduce alert fatigue. In conversations with IT teams, Futurum Group frequently hears of this challenge, which largely entails sifting through alerts to uncover what is relevant and what is most critical. Security Hub now has a more streamlined, rules-based capability to automatically suppress superfluous findings and update their severity.

It is worth noting that re:Inforce 2023 closely followed the GA of Amazon Security Lake, which aggregates data from a variety of AWS environments, leading SaaS providers, on-premises environments, and cloud sources into a data lake on top of Amazon S3 storage, and layers on top a host of the services we’ve discussed in this piece, including Route 53, GuardDuty, Inspector, IAM Access Analyzer. The objective is to create a normalized and secure environment for sensitive and mission-critical data, so that security events can be more quickly and easily identified and responded to.

Final Thoughts

Security has long been one of the chief considerations – and barriers – for migrating to the public cloud. With this in mind, it is no surprise that AWS would use re:Inforce to both demonstrate its architectural innovations to secure cloud environments, as well as the new services designed to better empower customers where THEY have responsibility over security. And yes, we as an industry still do need a reminder of the shared responsibility model.

Architecturally speaking, re:Inforce underscored that AWS’ scale allows it to add value on top of what most enterprises are capable of. The hyperscaler has certainly come far when it comes to bolstering the security of the systems themselves that are used to deliver AWS’ IaaS and PaaS services. At the same time, AWS has steadily built a robust (if not oftentimes overwhelming) portfolio of more than 300 security and governance services that customers can use to customize the level of security for their organization. The developments pertaining to GuardDuty Detective and Security Hub can help to streamline the security dimension of using AWS.

The prevalence of cyber-attacks, such as ransomware and data extortion to the C-Suite, is driving an ongoing shift to “SecOps,” which is the intersection point of security and operations teams. Futurum Group sees this in practice in customers’ organizations, and for AWS’ part, the tools it is providing to enhance visibility and analysis from a security perspective across the AWS environment stand to add material value from the standpoint of overcoming security as a hurdle to achieving broader business goals and innovation. What remains to be determined, over the long term, is the level of multi- and hybrid-cloud support that AWS will provide with these services.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Other insights from The Futurum Group:

Infrastructure Matters, Episode 1: Why Does Infrastructure Matter?

Simplifying Payment Processing with AWS Payment Cryptography

AWS’s Amazon Aurora I/O-Optimized Cluster Configuration Goes GA, Focused on Delivering on Cost Savings

Author Information

With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately a decade of experience providing research and advisory services and creating thought leadership content, with a focus on IT infrastructure and data management and protection. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.

Prior to joining The Futurum Group, Krista led the data center practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.

Krista holds a Bachelor of Arts in English Journalism with a minor in Business Administration from the University of New Hampshire.


Latest Insights:

All-Day Comfort and Battery Life Help Workers Stay Productive on Meetings and Calls
Keith Kirkpatrick, Research Director with The Futurum Group, reviews HP Poly’s Voyager Free 20 earbuds, covering its features and functionality and assessing the product’s ability to meet the needs of today’s collaboration-focused workers.
Paul Nashawaty, Practice Lead at The Futurum Group, shares his insights on the Aviatrix and Megaport partnership to simplify and secure hybrid and multicloud networking.
Paul Nashawaty, Practice Lead at The Futurum Group, shares his insights on AWS New York Summit 2024 and the democratizing of Generative AI.
Vendor Leverages Amazon Q on AWS to Drive Productivity and Access to Organizational Knowledge
The Futurum Group’s Daniel Newman and Keith Kirkpatrick cover SmartSheet’s use of Amazon Q to power its @AskMe chatbot, and discuss how the implementation should serve as a model for other companies seeking to deploy a gen AI chatbot.