AWS watchers saw a flurry of announcements last week at re:Invent, but what I found most interesting was Werner Vogels’ commentary on cloud security. In a wide-ranging keynote presentation that went almost three hours, Werner laid out a case for why security is critical, along with some of the key aspects that should be top of mind for cloud users. In it, he validated what Evident.io has advocated since we started our company four years ago.
A few key topics stood out in Vogels’ comments, among them:
- There is no greater mission than to protect your customers
- Implement a strong identity foundation
- Encrypt. Everything.
- Security is everyone’s job
- Developers are the new security engineers
This was music to our ears, as the foundation on which Evident.io was built has, from the beginning, been focused on these things, whether they be classified as best practices, policies, or just a smart mindset. For four years, the Evident Security Platform (ESP®) has been helping businesses monitor the security state of their cloud environments and quickly fix issues. As one of the first movers in the world of agent-less cloud security, Tim, Justin and the original Evident.io team aligned their focus closely with the security best practices as defined by AWS.
The Evident.io position was not, and never has been, solely about security and compliance monitoring. Rather, it’s based on the notion that security events have a lifecycle from detection to solution, and that the discipline of security and compliance never stops. Yes, customers rely on ESP to detect issues, but also to automatically alert the right people to those issues with details on where they exist and how to remediate them. That ultimately leads to control of their cloud environment, all done through the actions that Werner highlighted:
Use security as a customer-first strategy
Our whole purpose for being in business was formed through an understanding that a lack of visibility into one’s security posture is damaging to the business, and it is damaging precisely because it can harm customers. There is an agreement between provider and customer, and while there may be a contractual element in some cases, the informal trust that an organization must engender stems from its ability to protect its stakeholders. Vogels says that this is more important than any feature development, and he’s right. A solution that can give you more, do it faster, and save you time isn’t worth much if you can’t be assured that the company you’re working with is protecting your privacy. Many of our customers use the Evident Security Platform (ESP) both to identify and fix vulnerabilities, and also to help embed a security-first mindset in the teams that use it. Our feeling is that you cannot be customer-first if you aren’t security-first.
Restrict and reduce to least possible privilege
AWS IAM policies give us a ready-made and very practical way to both assign and restrict access, and this is core to how we advise our customers. An IAM entity is a user, group, or role created in the IAM service, and policies attached to those entities let you grant and limit access as needed. When an IAM control is misconfigured, we believe it should be a high-priority alert that warrants immediate attention.
Identity and access management determines what parts of the cloud stack a person has access to, and what they can do once they are there. If a bad actor can gain access to your systems using your credentials, you’re done for. Least-privilege roles give users access only to the minimum set of accounts and systems they need to be productive. We always advocate that you remove access until a person can’t do their daily job. If they only need occasional access to a system or service, then grant them temporary access when needed. Don’t increase your risk by granting standing access that’s rarely used. This limits the damage that can be done if a mistake is made or a bad actor gets access to the account.
Encryption is critical
Vogels had a slide that stated his philosophy of encryption: “Dance like no one is watching. Encrypt like everyone is.” I thought it was hilarious and original, but also insightful. Encryption is like the flossing of enterprise cloud; people know they should do it, but they don’t always follow through.
Our very own John Robel put it this way: “The bottom line is to make sure your data is encrypted from the start. It is much more challenging to go back and sort through data to try and re-encrypt it after the fact. Much like enabling the service itself, this will help keep your data secure.
Now is also a good time to start to consider encryption overall. AWS provides encryption for almost all data types now, both in flight and at rest. As your usage of AWS continues, enable encryption…the recommendation is to enable encryption everywhere, all the time. Ideally, decryption should briefly happen in memory for processing of data, but in all other aspects, encrypt the data. It just makes good security.”
Security never stops
Hackers operate at scale; they go after multiple targets and keep up their offensive until they find a way into something valuable. Eventually, they WILL find a way. Even if you’ve secured all the layers of your cloud stack, unless you’re continuously monitoring it, you just don’t know where the potential risks are. Far too many organizations treat security as a one-and-done proposition, which could be a killer, and it’s easy to be lulled into a false sense of security. The fact is, security never stops, and enterprises need to maintain scrutiny over the security of their cloud, and that of their cloud vendor, at all times.
There’s also a continuous integration and delivery element to this, because as your organization seeks speed as a competitive advantage, your security posture must adapt accordingly. Doing that manually is onerous and likely to miss settings and configurations.
Developers as security experts
First off, we see security experts come in all forms and this is good for our field. Diversity brings different points of view to bear on assessment and solutions, and security organizations must be able to call upon a breadth of experiences in order to out-think hackers.
But as Vogels suggested, developers are among the groups that will increasingly be called upon to address issues of security. Especially in an environment that is built upon the need for flexibility, developers must be trained to use their building and delivery skills throughout the entirety of application lifecycles. Security teams can no longer depend on pre-deployment scanning, penetration tests, or presence-based discovery methods, and instead will need to rely on automated, API-centric tools that can handle the firehose of data that the cloud produces. DevOps and SecOps need to collaborate, and “security needs to be part of the fabric.”
Vogels wore a Foo Fighters shirt during his keynote, which made my mind wander to how “My Hero” (great song, brilliant video) could be parlayed into an anthem for security experts. I realized that those heroes aren’t just the experts, however, as Vogels suggested. All of us who play some part in mitigating risk and creating a more secure environment for our customers are fighting the good fight. Cloud security best practices are certainly manifested with controls, compliance, and signatures, but they are born from a mindset that makes sense of all those things. We have created a framework for the ingredients necessary to foster that kind of mindset, and Vogels validated them. In the cloud, it’s security-first, and anyone contributing to that goal is a hero.