With Trust Established, Security Less of a Focus at AWS re:Invent 2016

security_lightswitch.jpgSecurity has been a pillar of the Day 1 keynote in each of the four AWS re:Invents I’ve attended, with new partners and services rolled out to assuage concerns that the cloud isn’t secure and to convey that AWS takes security very, very seriously. Not this year. Security was a modest part of the Day 2 keynote. As a security analyst, I couldn’t help but feel a bit bummed out, but I get it—there’s a bigger context here: the maturity of cloud adoption and its role in contemporary business models.

First things first: In the realm of giving credit where credit is due, AWS is all over security internally and externally with respect to securing physical data center access to the hypervisor and helping customers meet their part of the shared responsibility security model. But why the absence of an overview of that shared responsibility model, native controls, and a logo slide of its security partner ecosystem? Because companies can no longer afford to use security as an excuse not to cloud and, it seems, AWS wanted to use the air time to announce a bevy of new services and spotlight customer successes. The cross-industry set of disruptors who have exploited the agility provided by AWS is indisputable by virtue of the list of brands most of us now interact with regularly. And so the fact that security was notably less front and center at this year’s 5th annual re:Invent conference is an indicator of market maturity, not AWS taking its foot off the security pedal.

And there was still important security news made by AWS last week. The man whose t-shirt real estate may be worth as much as a super bowl ad, Dr. Werner Vogels, Amazon CTO, announced a new DDoS detection service, AWS Shield, during his Day 2 keynote. AWS Shield makes a ton of sense not just on the heels on the Mirai botnet DDoS attack that hammered Dyn’s DNS service, but also because of the perch from which AWS has visibility into Internet traffic. Like Arbor Networks vies-a-vies its service provider business, and Akamai with respect to AWS’s POPs and CloudFront CDN, not to mention its Route 53 DNS service and load balancers, AWS is uniquely positioned to detect anomalous inbound network traffic targeting its customers’ externally facing workloads. And AWS has obviously been at DDoS detection for a good long time to protect its own .com. Productizing those controls and more is likely to mean that AWS Shield is well beyond a 1.0 or MVP-level of sophistication. I could quibble that all things considered—the sheer number of ecommerce sites hosted on AWS, for example—Shield is a bit late to the party, but the vendor is also offering an extended service, AWS Shield Advanced, that is integrated with the AWS WAF, and provides incident response support and a level of insurance in the form of a cost cap. And kudos to AWS for making the base AWS Shield DDoS alerting service on by default.

Dr. Vogels also made the point that the software/API-driven methodology of CI/CD (continuous integration/continuous delivery) is such that security should be bolted into that pipeline. No longer should a workload be provisioned without the right set of security controls. It should be automatic for every single one, with policies assigned based on key value tags. Pick your metaphor (swim security upstream, bolt it in, shift let, etc.), but just do it.

The de-emphasis of security at AWS re:Invent 2016 is more about market maturation than anything else. And it maps to the theme of the conference. Last year was about hybrid, and this year was about transformation and the not so subtle subtext of adapt or get left behind while digital age companies built on AWS trample over your CapEx-laden data center. Again, no longer can security be used as an excuse to not cloud.

Topics: Cybersecurity AWS re:Invent