I got the opportunity to attend the inaugural AWS re:Inforce conference in Boston. It felt a little like home the day I arrived because the Chicago White Sox were all over the news. They were in town to play the Boston Red Sox later that evening (Chicago won by a run!). Also, my daughter gave me a plush toy from her collection to help document my travels. I introduce you to Fantasia.
This was my very first AWS conference so I didn’t know what to expect. The more I spoke to people, the more I understood that if you snooze, you lose when it comes to getting into a session, or getting in on the best swag!
A handful of the sessions I was hoping to attend were already full. But I showed up anyway to see if someone would take pity on me and let me in; it worked a couple of times. Speaking of swag, AWS knows how to swag. I brought back a few things to share with my colleagues around the office.
Why I attended the conference and what I was hoping to learn
Recently, the Enova tech leadership team shared with us the cloud strategy for 2019 and beyond. The strategy was not surprising but did highlight that AWS will be our cloud service provider. I work in IT Risk, the team at Enova charged with ensuring information security and compliance. From that perspective, the main reason for attending the conference was to increase my understanding of the risks associated with using the AWS infrastructure and storing our data in the cloud, as well as to understand what tools and controls we can use to keep enhancing how we secure our footprint in the cloud. Data in the cloud is among the most exposed if proper security measures are not in place. Even if the data is properly encrypted at rest, it is still at risk in transit: traffic that crosses the internet to reach its destination can be intercepted unless transport encryption (TLS) is enforced end to end. Understanding these risks and implementing controls to mitigate them helps Enova's overall security posture and signals to our partners and customers that security is top of mind.
What the conference was about
The 2019 AWS re:Inforce conference focused on security, identity, and compliance for your AWS footprint. It became clear to me that cloud security is the highest priority for AWS. They offer numerous security-specific services to help organizations like Enova scale and innovate quickly while maintaining a secure and compliant cloud environment. Additionally, there was a lot of focus on helping attendees understand the Shared Responsibility Model. AWS takes responsibility for operating, managing, and securing the physical facilities, the hardware, and the software that runs its services, but running applications or storing data in the cloud is not secure unless we (the customer) execute on our own responsibilities: identity and access management, encryption of our data, network controls, and patching of anything we manage ourselves.
As the chart below shows, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
Overall, the conference sessions were built around topics that align to the security pillars that make up their security framework:
Identity and Access Management
- There are numerous services that can help organizations with managing access to their AWS infrastructure (IAM, Cognito, Secrets Manager). This topic focused on the importance of defining, enforcing, and auditing permissions across the AWS services in use.
Detective Controls
- This topic focused on spotting issues before they impact the business. Detective controls help to improve our security posture and reduce the risk profile of our AWS environment. There are numerous AWS services to help in this domain, including CloudTrail (an audit log of every API call made in the account), CloudWatch, and GuardDuty.
Infrastructure Protection
- As with the other topics, there was a focus on AWS services that can be used to reduce the surface area to manage and increase privacy and control over the overall infrastructure on AWS. These services include AWS Web Application Firewall (WAF), Amazon Inspector, and Amazon VPC.
Data Protection
- This topic was very popular among the numerous auditors I spoke to during the conference. Protecting data in the cloud requires a holistic approach, not just a focus on encryption. Managing data obviously includes encrypting it in transit and at rest, but it also means understanding what type of data you're storing and what the best method for protecting it is. For example, data can take many forms (backups, high availability copies, long-term archives) and each may require a unique protection strategy based on your risk tolerance and your reasons (proprietary, compliance) for protecting it. Not surprisingly, AWS offers services for this: AWS Key Management Service (KMS) creates and manages the encryption keys that other services (S3, EBS, RDS and so on) use to encrypt data at rest, and AWS CloudHSM provides dedicated, single-tenant hardware security modules for customers who need to generate and store keys in hardware they control. In keeping with the Shared Responsibility Model, these are tools AWS makes available for clients to use as part of their overall data protection strategy; choosing the keys, the key policies, and which data to encrypt remains the customer's job.
Governance, Risk, Compliance
- This topic was perhaps the most relevant from an IT Risk perspective. The sessions focused on establishing a foundation for meeting security and compliance objectives and on developing a proactive approach to cybersecurity. As Amazon likes to tout, “Security is job zero”. That statement was repeated in many of the sessions I attended during the inaugural AWS re:Inforce conference in Boston. At first I had no idea what it meant. By the end, it was clear that AWS takes security (their portion of the Shared Responsibility Model) very seriously. Of the many overarching topics of the conference, cloud security was a major focus. The AWS infrastructure puts strong safeguards in place to help protect customer privacy. But just saying it is not enough. AWS maintains dozens of compliance programs, which gives us a leg up on our own compliance requirements because segments of those requirements have already been addressed by AWS for the portion it operates. Let’s look at HIPAA as an example. HIPAA is the U.S. Health Insurance Portability and Accountability Act of 1996, created to protect personal health information. To be clear, there is no HIPAA certification for a cloud service provider (CSP) such as AWS. However, to meet the HIPAA requirements, AWS aligns its risk management program with FedRAMP and NIST SP 800-53, security standards that are stricter than HIPAA itself and that map to the HIPAA Security Rule. NIST supports this alignment and has issued SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which documents how the NIST SP 800-53 controls map to HIPAA. But again, AWS can’t do it all for you. AWS lays a strong foundation of compliance and provides a framework for customers’ governance models, but many of the measures are up to the customer to incorporate, or not, potentially to their detriment.
Fantasia picking a fight…
I learned about…
The AWS environments are continuously audited by independent third-party auditors. As a customer, we have access to the AWS Artifact service, a self-service portal for on-demand access to AWS compliance reports such as the System and Organization Controls (SOC) reports and the Payment Card Industry Data Security Standard (PCI DSS) reports.
Another interesting thing I learned is that AWS has hundreds of services covering a broad range including computing, storage, databases, analytics, networking, mobile, developer tools, security, and enterprise applications. During one session they talked about an end-user computing service named Amazon WorkSpaces, which I had no idea existed. This service allows the provisioning of either a Windows or Linux desktop in just a few minutes and lets you scale quickly to thousands of desktops across the globe.
Would I go again…
Yes. There were hundreds of sessions available but not enough hours in the day to get to them all. A properly secured AWS environment is the foundation of a compliant one: the controls auditors look for (access management, encryption, logging) are the same ones that keep the environment secure. Therefore, as Enova expands its cloud presence, it’s important to keep using these events to stay informed on how AWS manages security and compliance. Also, understanding the controls that AWS has in place to keep the environment secure helps us continue developing and enhancing our own security policies and standards, both to fit our business requirements and to protect our data in the cloud.
What I will do differently…
Although I spent time prepping for the conference before I got there, it was not nearly enough. I attempted to register for sessions three weeks before the conference and many of the ones I wanted were already full and no longer accepting requests. Because of this, I did not have a focused track; instead I jumped from topic to topic, which made it difficult to get a concentrated understanding of any one subject. Next time I must pick my sessions and register for them earlier, to ensure I attend more of the governance and compliance related sessions.
Being in IT Risk, one of the things that keeps me busy with auditors is proving that we take network and data protection seriously. Therefore, it’s important to keep getting out there and learning about the different ways of ensuring that our cloud environment and the data stored in it are secured using the latest techniques and partners. More importantly, security-focused events such as this help me see the connection between my day-to-day work and the security of our data in the cloud. They also give IT Risk additional tools and ideas for continuing to strengthen the culture of security that exists here at Enova.
Finally, there’s no way this tiny blog post covers my whole experience or the level of work being done at AWS on security. But if I can leave you with something to help you explore the topic further, it’s that a few patterns stood out during the conference specific to securing the AWS environment:
- Permissions Management (control your infrastructure)
- Data Encryption (control your data)
- Network Security Controls (control your network)
Check these out from the AWS re:Inforce 2019 conference:
- Keynote with Steve Schmidt
- Aspirational Security
- The Fundamentals of AWS Cloud Security
- The Evolution of Automated Reasoning Technology at AWS
- Evolving Perimeters w/ Guardrails, Not Gates
- Securing Serverless and Container Services
- Network Visibility into the Traffic Traversing Your AWS Infrastructure
- Best Practices for Privileged Access & Secrets Management in the Cloud
Here’s the link to the AWS re:Inforce conference page.