As a cybersecurity industry analyst, I am admittedly guilty of being myopic in looking for security to be the leading act in the keynote at major industry events. Such was the case at AWS re:Invents of the past, when security was front and center, starting with a discussion of the shared responsibility security model, the foundation of any cloud security program. That started to change in the last few years, with security playing more of a supporting role in Andy Jassy's and Werner Vogels' keynotes. To be clear, it’s not that AWS is now being dismissive of security by any stretch; it’s simply that security is no longer an impediment to the adoption of public cloud platforms, at least those operated and secured by major CSPs such as AWS, which has always treated security as job #1. AWS no longer needs to convince the market that the cloud is secure; the conversation is now about how to meet your part of the shared responsibility model.
The focus for CISOs and security practitioners I speak with is now how to catch up with the growing number of cloud services their organization is already using. That is, there is a readiness gap between how much cloud organizations have already adopted and their ability to secure that usage. As mentioned, the requisite retooling starts with a clear understanding of the shared responsibility security model and spans the fundamentals of people, processes, and technology. But closing the gap will continue to be a game of catch-up as AppDev teams embedded in the lines of business use new technologies such as function-as-a-service (FaaS) as a cost-effective means to expedite the building and delivery of new code.
So, at this year’s AWS re:Invent I expect the “how” security conversation to reflect the macro trends of AppDev, the hybrid cloud complexion of the modern data center, and the opportunity IaaS platforms such as AWS offer to solve security challenges that require massive scale.
- Securing the modern API-driven, microservices application stack of cloud-native applications: While serverless computing is coming on strong as the microservices brethren of containers, fleets of VMs, both on-prem and cloud-resident, not to mention bare metal servers, will persist, representing a heterogeneous application infrastructure stack. Organizations will need security controls up and down the stack, including those that are host-centric, such as cloud workload protection platforms (CWPP); API-based controls such as cloud security posture management (CSPM) products; application layer controls such as runtime application self-protection (RASP) capabilities; and now a newer set of controls that secure the use of function-as-a-service (FaaS). Serverless or FaaS security looks more like application security than workload security: scan code to inventory the APIs a function calls (shadow APIs are a thing), inspect how those APIs are used for weaknesses in authentication and encryption, and maintain an audit trail. But, ugh, does that mean yet another separate FaaS security control? We will see standalone offerings as well as container security companies extending into FaaS. Ultimately, however, we need to unify the security stack by converging all of the above into a single cloud security solution for cloud-native apps that is agnostic to the increasingly abstract, heterogeneous underpinnings.
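The "scan code to inventory APIs, then inspect authentication and encryption" step above is easy to show concretely. The following is an added example, not code from the post or from any vendor it mentions: it parses a constructed Lambda-style handler with Python's `ast` module, records every outbound call made through the `requests` library, and flags three weak patterns per call (plaintext `http://`, TLS verification disabled, no `Authorization` header). The hostnames in the sample handler are placeholders.

```python
"""Static inventory of outbound API calls in a serverless handler.

Added example (not the post's own code). Parses a constructed handler and
produces an audit-trail style list of API calls with per-call findings.
"""
import ast
from dataclasses import dataclass, field

# Constructed sample handler; hostnames are placeholders, not real services.
SAMPLE_HANDLER = '''
import requests

def handler(event, context):
    # Plain HTTP and no auth header: two findings.
    inventory = requests.get("http://inventory.example.internal/items")
    # HTTPS with a bearer token, but certificate checks are disabled.
    billing = requests.post(
        "https://billing.example.com/charge",
        json=event,
        headers={"Authorization": "Bearer " + context.token},
        verify=False,
    )
    # HTTPS, authenticated, verified: clean.
    audit = requests.put(
        "https://audit.example.com/log",
        headers={"Authorization": "Bearer " + context.token},
    )
    return {"status": billing.status_code}
'''


@dataclass
class ApiCall:
    line: int
    method: str
    url: str
    findings: list = field(default_factory=list)


def _has_auth_header(call: ast.Call) -> bool:
    """True if the call passes a literal headers dict containing Authorization."""
    for kw in call.keywords:
        if kw.arg == "headers" and isinstance(kw.value, ast.Dict):
            for key in kw.value.keys:
                if isinstance(key, ast.Constant) and str(key.value).lower() == "authorization":
                    return True
    return False


def _verify_disabled(call: ast.Call) -> bool:
    """True if the call passes verify=False (TLS certificate checks off)."""
    for kw in call.keywords:
        if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
            return True
    return False


def inventory_api_calls(source: str) -> list:
    """Walk the AST and return one ApiCall per requests.<method>(...) call."""
    calls = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only calls of the form requests.<method>(...)
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "requests"):
            continue
        url = "<dynamic>"  # URL built at runtime; still worth inventorying
        if node.args and isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
            url = node.args[0].value
        entry = ApiCall(line=node.lineno, method=func.attr.upper(), url=url)
        if url.startswith("http://"):
            entry.findings.append("plaintext-http")
        if _verify_disabled(node):
            entry.findings.append("tls-verify-disabled")
        if not _has_auth_header(node):
            entry.findings.append("no-authorization-header")
        calls.append(entry)
    calls.sort(key=lambda c: c.line)
    return calls


if __name__ == "__main__":
    for c in inventory_api_calls(SAMPLE_HANDLER):
        print(f"line {c.line}: {c.method} {c.url} -> {c.findings or 'ok'}")
```

The scanner only sees literal URLs and literal header dicts; a URL assembled at runtime is reported as `<dynamic>` so that it still lands in the inventory for a human to follow up, which is the point of the audit trail.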
- CloudSecOps - expanding the purview of the SOC into the cloud: Security operations centers are expanding the security telemetry feeds they’re ingesting from their network and endpoint sensors to include cloud security event data as well. Security analysts will need to evolve their organization’s threat model to account for how their public cloud footprint could be attacked. And how is that? Well, if we don’t want to get fooled again, we’ll find that the new boss is the same as the old boss, just retrofitted for the cloud: an admin credential gets phished from an unwitting developer, and from there it’s off to the attack-chain races, with lateral movement in this world characterized by cloud service hopping to the intended target.
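One way a SOC can turn the "service hopping" pattern above into a detection is to watch how many distinct AWS services a single principal touches within a short window. The following is an added example, not the post's own code: it runs a sliding-window rule over constructed CloudTrail-style records (the account, user names, and IP addresses are placeholders) and raises one alert per principal whose distinct `eventSource` count in the window exceeds a threshold, along with the source IPs seen in that window.

```python
"""Sliding-window detection for cloud service hopping (added example).

Records are constructed to mirror the CloudTrail fields eventTime,
eventSource, eventName, userIdentity.userName and sourceIPAddress.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(t, source, name, user, ip):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip}


# Constructed sample: dev-alice's normal morning, then a burst of
# read-only calls across many services from a new address after a console
# login; dev-bob is a quiet baseline user. All values are placeholders.
SAMPLE_EVENTS = [
    _ev("2019-11-20T09:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "dev-alice", "198.51.100.10"),
    _ev("2019-11-20T09:05:00Z", "lambda.amazonaws.com", "Invoke", "dev-alice", "198.51.100.10"),
    _ev("2019-11-20T09:30:00Z", "logs.amazonaws.com", "FilterLogEvents", "dev-alice", "198.51.100.10"),
    _ev("2019-11-20T10:00:00Z", "s3.amazonaws.com", "PutObject", "dev-bob", "198.51.100.11"),
    _ev("2019-11-20T10:02:00Z", "s3.amazonaws.com", "GetObject", "dev-bob", "198.51.100.11"),
    _ev("2019-11-20T10:04:00Z", "cloudformation.amazonaws.com", "DescribeStacks", "dev-bob", "198.51.100.11"),
    _ev("2019-11-20T13:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "dev-alice", "203.0.113.77"),
    _ev("2019-11-20T13:02:00Z", "sts.amazonaws.com", "GetCallerIdentity", "dev-alice", "203.0.113.77"),
    _ev("2019-11-20T13:03:00Z", "iam.amazonaws.com", "ListUsers", "dev-alice", "203.0.113.77"),
    _ev("2019-11-20T13:04:00Z", "s3.amazonaws.com", "ListBuckets", "dev-alice", "203.0.113.77"),
    _ev("2019-11-20T13:06:00Z", "ec2.amazonaws.com", "DescribeInstances", "dev-alice", "203.0.113.77"),
    _ev("2019-11-20T13:07:00Z", "rds.amazonaws.com", "DescribeDBInstances", "dev-alice", "203.0.113.77"),
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_service_hopping(events, window=timedelta(minutes=10), max_services=3):
    """Return one alert per principal that exceeds max_services distinct
    eventSource values inside any sliding window of length `window`.

    Each alert records the time the widest set was observed, the sorted
    service list, and the source IPs seen in that window.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO strings sort chronologically
        by_user[e["userIdentity"]["userName"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        recent = deque()  # (time, eventSource, sourceIPAddress) inside the window
        best = None       # widest set of services seen over the threshold
        for e in evs:
            t = parse_time(e["eventTime"])
            recent.append((t, e["eventSource"], e["sourceIPAddress"]))
            while recent and t - recent[0][0] > window:
                recent.popleft()
            services = {src for _, src, _ in recent}
            if len(services) > max_services and (best is None or len(services) > len(best["services"])):
                best = {"user": user, "time": e["eventTime"],
                        "services": sorted(services),
                        "source_ips": sorted({ip for _, _, ip in recent})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_service_hopping(SAMPLE_EVENTS):
        print(f"{a['user']} @ {a['time']}: {len(a['services'])} services from {a['source_ips']}")
```

The fixed threshold is for illustration; in a real SOC the per-principal baseline (which services this user normally touches, and from which addresses) would drive the threshold, and the new source IP seen alongside the burst is the second signal an analyst would want surfaced.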
- Leveraging elasticity for security analytics at scale: Speaking of SecOps, the challenge of triaging the firehose of event telemetry already coming into the SOC will be exacerbated when organizations flip the switch and start receiving event data from the cloud services they are using. The default orientation of bringing all the data into the on-prem SOC needs to be rethought. As my colleague Jon Oltsik often notes, cloud platforms are purpose-fit for the big data analytics work of aggregating and analyzing these massive data sets at scale, including the ability to store time series data for incident response purposes. The elasticity of the cloud also allows for on-demand compute to train and apply AI/ML algorithms to the streaming events from across the control points of network, endpoint, and cloud.
I was recently asked if AWS re:Invent is an event where cybersecurity is discussed. Given my expectation these will be some of the security themes at the event, the number of cybersecurity vendors who are participating, and already oversubscribed security-related breakout sessions, my answer was absolutely. See you in the congested hallways of re:Invent.
Check out the video for more of my expectations for the show.