Hybrid Clouds and Cybersecurity Front and Center at AWS re:Invent

presenter_on_stageThe contrast of the DJ music pumping out bass lines and drum beats over hits from the 70s was quite apropos for the mix of hipster and middle age attendees at last week’s AWS re:Invent where the word of the week was hybrid. This year’s AWS re:Invent show had a decidedly different feel to it, one of enterprise IT. AWS holds an enviable position as the leading provider of infrastructure-as-a-service (IaaS) cloud computing services where they are Coke and we’re still waiting for Pepsi to show up. With that ground staked out, AWS is now clearly intent on being a major IT brand and that means embracing hybrid clouds and putting security front and center. 

Citing cloud as the “new normal,” Amazon’s AWS Chief Andy Jassy provided an impressive overview of not just the state of their business and new services further expanding the breadth and depth of the AWS platform, but an appreciable set of enterprise logos utilizing the platform for greater agility. To ground what Jassy characterized as a “seminal shift” in computing and address enterprise concerns about security in the cloud, security was prominent at this year’s re:Invent. Two of the four major AWS functional areas are security-related: Encryption to protect the what and Access to control the who. AWS also rolled out new security services including its first foray into the workload, creating questions around AWS staying true to the hypervisor demarcation line in their shared responsibility security model as well as some agita with affected ISV partners. 

In my last blog I mentioned 3 things I was shopping for at re:Invent. Here’s the scorecard. 

  • Enterprise Customer Case Studies (CHECK): The hybrid theme of re:Invent was reflected as a major focus area with enterprise brands on stage sharing their use of AWS. Capital One’s CIO used the event to announce a new app for the digital banking era and declare they feel more secure in a public cloud than in their own data centers. Maybe so, but with one’s security posture predicated on people and processes as much as tools, mileage will vary – i.e. there is no abdicating to your cloud service provider. GE’s keynote presentation and a new business unit launched with Accenture were also notable indicators of an enterprise IT focus. The CIOs and CISOs I spoke with at the event reflected similar hybrid deployment milestones en route to the cloud with a healthy dose of pragmatism where their own data center foot print was not only being reduced, but fully eliminated while they also wait for a Pepsi to be a viable alternative as insurance against vendor lock-in. Hello, Azure? 
  • Hybrid Solutions from AWS Partners (CHECK): Managing dual stacks requires security controls that can normalize policies and enforcement across disparate infrastructures. Matching the hybrid theme on stage, security partners on the show floor echoed the requirement to unify. By consuming a variety of AWS native interfaces along with logs from on-prem entities, Sumo Logic’s analytics engine provides visibility across hybrid deployments. On the threat prevention side, Trend Micro’s Deep Security offering allows IT to secure cloud and on-prem resident workloads with consistent policies. Cloud Passage takes a similar hybrid approach with a compliance focus comprised of vulnerability management, firewall management, file integrity monitoring and additional functionality. 
  • Below The Line Visibility from AWS (HUH?): While a host-level offering wasn’t what I was looking for from AWS itself, Amazon’s new AWS Inspector offering does provide incremental visibility nonetheless and will be a compelling offering for CISOs well aware of the need to deploy additional host-based controls to compensate for the lack of network visibility. While AWS did release VPC Flow Logs earlier in the year for visibility into network traffic in a virtual private cloud, CIOs and CISOs I spoke with still want more transparency at the network level. There are proprietary and logistical scaling issues associated with AWS doing so, but enterprises bent on replicating their on-prem network-centric security stack in the cloud will rightfully continue to push AWS on this point. Meanwhile, cloud security startups that have focused on AWS will need to think long and hard about the implications of Amazon's entry into workload security from how they innovate and thus differentiate by correlating data consumed from AWS APIs and host-level instrumentation to an increased focus on securing other IaaS environments, another variant on the hybrid theme. AWS’s WAF offering will be an opportunity for WAF vendors such as AlertLogic, Imperva, and Barracuda who enable hybrid use cases by leveraging their WAF rule set. 

Just like Charles Phillips’s (CEO, Infor) now somewhat famous “Friend don’t let friends build data centers.” quote from re:Invent 2013, there were a few memorable lines from this year’s event including Jassy noting that “there is no compression algorithm for experience.” That experience, along with a focus on security, has AWS well positioned on helping enterprises in their migration to the cloud, a journey that will include use cases beyond disaster recovery and analytics and the bifurcation of some workloads in the public clouds, others on-prem where they may even sit in the same data center as a tape library. Gasp! Yes, enterprise IT goes hybrid.

 

threat intel infographic

Topics: Cybersecurity AWS re:Invent