Wait! AWS re:Invent is next week? Thankfully Amazon did not opt for the December date being bandied about and chose a date early in the quarter to avoid travelling around the holidays. And how this event has grown. When I first attended in 2013, attendance had doubled from 2012 to 6,000 and then did more than a 2X jump last year with 13,000 cloudies in attendance. But what do attendance numbers have to do with security? It’s a proxy of cloud adoption and the types of customers getting their agile on and, as such, is an indicator that enterprises transitioning at least some of their workloads to AWS require hybrid security solutions.
AWS simply owns the cloud native market where companies of the digital age have never seen the inside of a data center, just the richness of the AWS APIs and that of their automation tool of choice, and Slack, and PagerDuty, and so on. With Azure gaining steam on the back of Microsoft ELAs, the battleground in the IaaS market is capturing enterprise workloads being moved to the cloud. While some customers may argue they can achieve better economies of scale with a private cloud, AWS’s ongoing price drops equate to price elasticity for compute elasticity. That leaves security as a pivotal decision point for many organizations evaluating the merits of on-demand, utility-based compute. In looking forward to next week I am interested in learning something from each constituent at re:Invent, including customers, partners, and AWS itself.
- Enterprise Customer Case Studies: It’s happening. Established enterprises are consuming cloud services. But what are the specifics? I hope to get some live, interactive case studies from enterprises who have transitioned business critical workloads to the cloud to gain insight into what industries are leading the charge, specific use cases, and the types of workloads that are getting moved first. Given the profile of the workloads, and the associated data sets, most of these organizations are wrestling with a visibility gap due to the absence of network security controls they manage and instrument. This gap results in a greater need for host and API level visibility. Given an on-prem security reference architecture orientation, it will be interesting to discuss with customers how security requirements are vetted and what role and influence the CISO and security team have with the infrastructure/DevOps team and vice-versa.
- Hybrid Solutions from AWS Partners: While some companies move all workloads over to AWS in phases, most live in a hybrid reality with dual IT stacks. On-premises they’ve virtualized and converged and now need to manage that stack along with the software-defined and DevOps’d everything in the cloud. CISOs I talk to at such companies think about how they apply consistent policies across disparate infrastructures comprised of public, private, and micro-segmented networks. Operational overhead is an enemy of security and using disparate security tools to protect disparate infrastructures contributes to operational inefficiency. Hybrid security means more than running a security management server as an AMI. The quid pro quo consideration for customers is to be open to considering the merits of security SaaS offerings which are truly cloud native (e.g., auto-scaling, operates in a VPC, and native integration with cloud services APIs) weighed against the concerns of some metadata about their environment being stored in such a service.
- Below the Line Visibility from AWS: Expectations are everything and AWS deserves credit for consistently referencing a shared responsibility security model as a way to discuss the division of labor around securing cloud-resident assets. But even so, customers want more visibility below the water line, the hypervisor layer in the stack, which arbitrates who is responsible for what – the CSP below, the customer above. Some enterprise customers are less than comfortable with the lack of control of the egress point, and the associated visibility they are accustomed to and try to replicate their on-premises network security control with some fairly unnatural acts such as routing server netflow data to an AMI for intrusion detection. More visibility down the stack in the form of new services and interfaces would help customers transitioning to the cloud see for themselves.
Keeping my list to 3 means I had to make it thematic and leaves out a ton of other things to look for at such an exciting event, such as whether the security aspect of enterprise-readiness is such that containers will soon go from dev and test to prod. These themes are centered on enterprise adoption and hybrid deployments because enterprise participation is a major indicator of market maturity. With this phase of market development, new players will emerge, including some major brands late to the party, and more innovative startups will seek to disrupt. All of them share the need to prove success via case studies, speak to hybrid use cases, and improve customer visibility in a virtual perimeter world.