rvlsoft - Fotolia

New AWS cloud security features fill gaps

AWS is on pace to deliver more than 1,800 new features and services this year, and many target cloud security.

BOSTON -- Security concerns have long been among the top reasons enterprises avoid the cloud. But cloud security is, in fact, stronger than most on-premises data centers, and providers continue to roll out new safeguards.

Here at re:Inforce, AWS delivered new security features and worked to convince attendees its services are highly secure.

"We are in a position strength as an industry," said Stephen Schmidt, chief information security officer (CISO) at AWS, in the opening keynote of the dedicated AWS cloud security conference. "I really object to the 'sky is falling' mantra that some security vendors put out there.

"We have to be at the point where security is not scary," he added. "Let's dial down the fear, uncertainty and doubt, and focus on solutions."

One such "solution" is to embed security in the development process, he said. "The real goal is that security and development are embedded throughout."

One AWS' more prominent reference customers, Capital One, has embraced this approach, said CISO Michael Johnson, who also spoke during the keynote.

"Cyber is evolving from a tradecraft to a science," Johnson said.

Capital One is moving its data center operations to AWS en masse and expects to have exited all them by the end 2020, according to Johnson.

The cloud provides a reduced attack surface, because IT resources have generally shorter life spans, as systems can be spun up and down as needed, Johnson said. It also provides greater speed for innovation, improved transparency and better data protection, he added.

Johnson recalled Capital One's response to the infamous Spectre hardware vulnerability that emerged in early 2018. The bank had to patch all its systems when fixes became available, and it took hours to tackle this for cloud-based ones, compared with days for those that remained on premises, he said.

Re:Inforce attendees like Jason Morris believe the cloud can provide a better foundation for security than traditional data centers.

"Security's always a No. 1 thing, especially for a professional services company," said Morris, CTO of Next Rev Technologies, an IT services provider in Washington, D.C.

"It's interesting, especially for serverless computing. I've shifted a lot of workloads [to cloud providers] because of that," Morris said. "I basically need this compute to do this thing for a few seconds or a minute, and then I don't care about it anymore. I don't want to have to patch it and maintain it, scan it with antivirus, and make sure it's the latest and greatest version of whatever. I just need it do a thing and die."

AWS cloud security services broaden

AWS is on pace to deliver more than 1,800 new features and services this year, and many target cloud security, Schmidt said.

They certainly give you a lot of the building blocks, but it's up to you to integrate it all and expand it with custom code.
Michael IsbitskiAnalyst, Gartner

To that end, AWS launched a new service called VPC Traffic Mirroring. Customers can capture and scrutinize network traffic in a large-scale fashion with their existing virtual private clouds, AWS said.

This fills a key gap in AWS cloud security capabilities, said Scott Piper, an AWS security consultant at Summit Route in Salt Lake City, who attended re:Inforce.

"Previously, for insight into a network, you had VPC Flow Logs, which gives hardly any insight, or you had to run something on your EC2s to monitor traffic, or you had to do some craziness with routing tables, creating a single point of failure and high costs," he said.

In other news, AWS Control Tower, which is used to set up multi-account AWS environments in a secure manner, is now generally available. AWS Security Hub is also generally available. The service provides a single place to view and manage security alerts and automate compliance checks.

This is one area where AWS is playing catch-up, given Microsoft's Azure Security Center has been generally available since 2016, and Google Cloud Security Command Center launched in April, said Michael Isbitski, an analyst at Gartner.

"The core message is that a lot of [those] security processes should be integrated and seamless in your app development and infrastructure builds and maintenance," Isbitski said. "A lot of what they presented is tools that help facilitate this for companies. ... They certainly give you a lot of the building blocks, but it's up to you to integrate it all and expand it with custom code."

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality