
What AWS re:Inforce 2021 Means for Cloud Security…and Cybersecurity in General

The second installment of AWS re:Inforce was entirely virtual and gave a great view of the state of security in the AWS Cloud. Here's what the event says about security practices and how to set yours up for success.


AWS re:Inforce 2021 Videos

The content from AWS re:Inforce 2021 has been published on the AWS Events YouTube channel. It’s all in this handy playlist.

The Vision

In 2017, AWS VP & CISO Stephen Schmidt took the stage at AWS re:Invent during “Tuesday Night Live.” Over the next twelve and a half minutes, Stephen delivered a vision of what security could be. In fact, a description of what security already was for AWS itself.

Security that is dynamic, highly automated, and deeply integrated into the core mission of the business.

It’s a vision that few have realized and not nearly enough are chasing. This talk has been in the back of my head since that fateful night in 2017. During the talk, Stephen voiced many of the things I’d been advocating for on stages myself.

The tools are available from AWS, APN partners, and the community. We can build our security practices this way today, so why don’t we?

This is a question I continue to struggle with, but before I dive into that challenge, watch the talk for yourself here. 👇

AWS re:Inforce 2019

AWS launched re:Inforce in 2019. It was, and still is, the only major security-focused event that AWS holds. Yes, there are smaller events happening regularly but, as we gathered in Boston, MA, USA, that event felt like the third or fourth AWS re:Invent did.

It was a moderately sized (about 8,000 people) event of highly technical professionals focused on the same area of interest. That generated a lot of great conversations and a lot of excitement.

You can watch the keynote from the event here. 👇

In that video, Stephen Schmidt lays out the state of security in and on the AWS Cloud. Beyond the typical feature and service announcements you would expect from a major AWS event, Stephen took a pragmatic approach to his message.

He and his guests talked about resiliency and actionable visibility. Stephen made specific references to the robust feature set of AWS Global Infrastructure, the low cost of security controls like access management and encryption, and the utility of the core AWS security services.

The rest of the AWS re:Inforce program hit on these key points time and time again. Overall, it was a great event that helped practitioners dive deeper into security in the AWS Cloud.

AWS re:Inforce 2021 - Tweet Storms 🐦🌩

AWS re:Inforce 2021 was entirely virtual and the content track was significantly cut down. In fact, it was just the keynote and five breakout sessions.

I live tweeted most of the day. If you want the play-by-play you can read those here…

. @awscloud #reinforce // here we go…
☁️ #cloud #security #devops
Mark Nunnikhoven (@marknca), August 24, 2021

up now at @awscloud #reinforce, “Data Protection & Privacy” with @JKenBeer, @jennybrinkley, & @clean_freak
☁️ #cloud #devops
Mark Nunnikhoven (@marknca), August 24, 2021

new thread to cover, “Governance, Risk, & Compliance” @awscloud #reinforce
Mark Nunnikhoven (@marknca), August 24, 2021

Eric Brandwine up now at @awscloud #reinforce
he’s talking about building a culture of
Mark Nunnikhoven (@marknca), August 24, 2021

next up is IAM with Karen Haberkorn @awscloud #reinforce
Mark Nunnikhoven (@marknca), August 24, 2021

up soon at @awscloud #reinforce, “Threat Detection & Incident Response” with Ryan Holland and Bill Shinn @awscloud #reinforce
Mark Nunnikhoven (@marknca), August 24, 2021

AWS re:Inforce 2021

I wrote up my thoughts on the event in general for the Lacework blog. That post has some of the key takeaways on each of the five categories of the event.

I also live tweeted the event and that thread has a play-by-play of the day. What I want to talk about here is the bigger picture.

You can also watch my thoughts on that picture in this 👇 YouTube video or read the transcript below…

📹💬 Transcript of 👆

Information and cybersecurity are traditionally activities that happen at the start of the project and just before that project goes into production. From there, you call security when you think there’s an incident and security shows up once a year when there’s an audit.

And, like most things in the cloud, you can continue to conduct your security practice in this traditional manner.

It’ll “work” as well as it ever has.

But there is potential to change how you conduct your practice and to modernize your approach to both information and cybersecurity.

AWS re:Inforce 2021 gave us a glimpse of what that type of a security practice could look like.

The content will be available on YouTube soon but the day was structured into five categories.

VP and CISO of AWS, Stephen Schmidt’s keynote gave an overview of these categories and highlighted some minor new features and functionality that AWS has shipped in the past year to help boost these areas.

The five breakout sessions each went deeper into one of these categories. They were all solid but two in particular stood out to me.

The first was the customer segment during the keynote featuring Brian Lozada from HBO Max, and the second was the breakout session by Eric Brandwine on the security culture at AWS.

These talks are worth watching in their entirety when they are available on demand.

While the specific discussions and talks were valuable, what really struck me was the bigger picture they painted.

They followed up on Stephen Schmidt’s fantastic talk at AWS re:Invent 2017 showing how deeply integrated the security functions at AWS are with the rest of the business.

A lot has changed since 2017, both globally and in the AWS Cloud but if anything, it appears that the deep integration has only gotten deeper.

What do I mean by a deep integration?

Let me answer that with a quote from that talk in 2017. When talking about security operations at AWS, Stephen Schmidt said,

“How many security engineers are performing operations work at AWS on any particular shift?”

His answer?


At any given time AWS has one security engineer doing normal operational work. No massive security operations center, no unwieldy security team centralizing all of the work.

AWS has deeply integrated security into everything they do. At AWS re:Inforce 2021, Eric Brandwine said that the AWS security team is over 1,000 people strong now.

But, those 1,000 people are distributed throughout AWS working directly with other teams.

Stephen, Eric, and the rest of the team realized early on that having one team doing all of the cybersecurity and information security work won’t scale in any organization, let alone one the size of AWS.

So how does this work?

Again, I go back to that fateful talk in 2017. Another quote from Stephen shows us the way,

“We love mechanisms. They drive repeatable correct behavior”

Automation is the key to modern security success. Not only because it scales but also because of the speed at which it works.

Again, from Stephen,

“If you have people sitting in a room, looking at screens to make your security detections actionable, you’re probably too late.”

I would go as far as saying you ARE too late if your plan is to catch everything in a security operations center.

Building up security as its own big, heavy process and team means that you’re constantly fighting for resources and, no matter how many resources you gather, you won’t be able to move past one simple truth.

The security team isn’t the one responsible for the operations of the systems they are working to secure.

Sure, security is accountable for them but it requires negotiation to get visibility into those systems. It takes finesse to get patching prioritized. A centralized security team simply can’t scale and can’t handle the communications overhead required to maintain the proper context to align directly with the business.

Thus the AWS approach of deeply integrating into the business.

And just like serverless systems use servers, AWS does have a centralized security team.

The difference is what that team is doing and how they measure their performance.

Pushing cybersecurity duties like system configuration, patching, and monitoring to the teams building and running the services allows the central team to take on the tougher challenges.

They get to focus on high level issues and overall standards. This allows the organization to leverage their unique talents instead of bogging them down with day-to-day minutiae better handled in the context of the affected system.

This also creates a clear escalation path for all of the other teams. If they can’t solve it with their embedded security talent, the centralized team has the capacity to assist.

Instead of everything being a priority, this distribution of effort allows the organization to maximize the talents of every team member.

In 2017, Stephen Schmidt and the AWS team laid out not a vision but an explanation of what they were doing for security in their organization.

At each event since, AWS has continued to elaborate on how they practice security in their organization. The information is presented as purely educational rather than prescriptive, but IT SHOULD BE.

This model is highly effective and very scalable. Can you say that about your security team?

/end 📹💬
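The transcript’s point about detections being “actionable” without people watching screens is easiest to see as code. The following is an added example, not code from AWS or from this post, of a mechanism in the sense Stephen Schmidt uses the word: a Lambda-style handler that receives an Amazon GuardDuty finding from EventBridge and quarantines the affected EC2 instance by swapping its security groups, with no human in the loop. The event shape follows the documented EventBridge “GuardDuty Finding” envelope; the sample event, the severity threshold, the `sg-quarantine0000000` security group ID and the `FakeEc2` stand-in client are all constructed for the example.

```python
"""Automated containment of a GuardDuty finding (added example, not AWS's code).

Decision logic is pure and testable; the AWS calls are isolated behind an
injected EC2 client so the module runs offline with a fake client.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed sample event in the EventBridge "GuardDuty Finding" shape.
SAMPLE_EVENT: Dict[str, Any] = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

SEVERITY_THRESHOLD = 4.0            # assumption: GuardDuty "medium" (4.0) and above
QUARANTINE_SG = "sg-quarantine0000000"  # hypothetical deny-all security group


@dataclass
class Decision:
    action: str                 # "quarantine" or "ignore"
    instance_id: Optional[str]
    reason: str


def decide(event: Dict[str, Any]) -> Decision:
    """Turn a raw finding into an explicit, reviewable decision."""
    if event.get("detail-type") != "GuardDuty Finding":
        return Decision("ignore", None, "not a GuardDuty finding")
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    if severity < SEVERITY_THRESHOLD:
        return Decision("ignore", None, f"severity {severity} below threshold")
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return Decision("ignore", None, "finding is not about an EC2 instance")
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return Decision("ignore", None, "finding carries no instance id")
    return Decision("quarantine", instance_id, f"{detail.get('type')} severity {severity}")


def quarantine(ec2: Any, instance_id: str) -> Dict[str, str]:
    """Cut network access but keep the instance running for forensics.

    modify_instance_attribute(Groups=...) replaces the security groups on the
    instance's primary network interface; instances with extra ENIs need
    modify_network_interface_attribute per interface as well.
    """
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": "SecurityStatus", "Value": "quarantined"}],
    )
    return {"quarantined": instance_id}


def handler(event: Dict[str, Any], context: Any = None, ec2: Any = None) -> Dict[str, str]:
    """Lambda entry point; `ec2` is injectable so the logic runs without AWS."""
    decision = decide(event)
    if decision.action != "quarantine":
        return {"action": "ignore", "reason": decision.reason}
    if ec2 is None:
        import boto3  # only needed when running inside Lambda
        ec2 = boto3.client("ec2")
    return {"action": "quarantine", "reason": decision.reason, **quarantine(ec2, decision.instance_id)}


class FakeEc2:
    """Records the calls the handler would have made (constructed test double)."""
    def __init__(self) -> None:
        self.calls = []

    def modify_instance_attribute(self, **kwargs: Any) -> None:
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs: Any) -> None:
        self.calls.append(("create_tags", kwargs))


if __name__ == "__main__":
    fake = FakeEc2()
    print(handler(SAMPLE_EVENT, ec2=fake))
    print(fake.calls)
```

Two design choices matter here. The decision is separated from the side effect so it can be unit tested, logged, and reviewed before anyone trusts it to run unattended, and the containment action is reversible (swap security groups, tag the instance) rather than a termination, so the mechanism can act immediately while still leaving the evidence for the incident responder who follows up.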

Getting Started with AWS Security…

Ok, that’s a lot on the bigger picture of a security practice and how you should be thinking about how you are running yours. But if you’re at the start of your journey what do you do?

I would start learning security in the AWS Cloud with this fantastic talk by AWS Sr. Principal Engineer Becky Weiss. “The Fundamentals of AWS Security” is well titled. Over the 48 minute talk, Becky covers the core principles of security in the cloud and how to take the first steps on your security journey.

Check it out here. 👇

Thoughts on all of this? Let me know on Twitter, where I’m @marknca.
