AWS Adds More Tools to Secure Cloud Workloads

This article originally appeared on Security Boulevard.

Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.

The additional services, announced at the AWS re:Inforce event, include support for scanning Amazon EBS volumes within the Amazon GuardDuty Malware Protection service and the ability to automatically share security findings between Amazon GuardDuty and AWS Security Hub.

In addition, the Amazon Macie data security service can now retrieve samples of the sensitive data it discovers in Amazon S3 buckets so that analysts can review and validate findings, while Amazon Detective can now analyze logs generated by Amazon Elastic Kubernetes Service (EKS) clusters.

AWS is also adding a numeric compliance score to AWS Config Conformance Packs, making it easier to spot major deviations in security posture at a glance, and is making available in preview an end-to-end encrypted messaging and collaboration service dubbed AWS Wickr.

Finally, AWS is making available in preview tools to assess the security posture of third-party applications sold through AWS Marketplace, and revealed that the AWS Single Sign-On service (AWS SSO) has been renamed AWS IAM Identity Center to better reflect the expanded role of the service in managing workforce access to AWS accounts and applications.

CJ Moses, CISO and vice president of security engineering for AWS, reminded conference attendees that they should be encrypting everything in the cloud and that they should only be providing external access to data and applications when required. In particular, he noted, organizations should block public access to cloud storage buckets.

The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. The underlying cloud platforms are generally better hardened than on-premises IT environments; the risk lies in how workloads are built and deployed on them. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development, and because most of those developers have limited cybersecurity expertise, misconfigurations inevitably creep in. The chronic shortage of cybersecurity expertise means most organizations cannot review those deployments at the rate at which workloads are being pushed to the cloud.
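As an added illustration (not code from the article, AWS, or any named project), here is the kind of Terraform configuration the previous paragraphs describe: a storage bucket written the way a developer under deadline pressure often writes it, beside a version that applies the two controls Moses called for, encryption at rest and blocking public access. The bucket names and the KMS key description are placeholders chosen for this example.

```hcl
# Added example, not from the article. Bucket names are placeholders.
#
# Weak version: a "public-read" ACL is set to make a demo work and encryption is
# never configured, so every object is readable by anyone who learns its URL.
resource "aws_s3_bucket" "weak" {
  bucket = "example-reports-weak" # placeholder name
}

resource "aws_s3_bucket_acl" "weak" {
  bucket = aws_s3_bucket.weak.id
  acl    = "public-read" # the misconfiguration: objects are world-readable
}

# Hardened version of the same bucket.
resource "aws_kms_key" "reports" {
  description         = "Customer-managed key for the reports bucket (example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "hardened" {
  bucket = "example-reports-hardened" # placeholder name
}

# "Block public access": reject public ACLs and public bucket policies, and
# ignore any public ACL that already exists on an object.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# "Encrypt everything": server-side encryption with the customer-managed key
# applied by default to every object written to the bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.reports.arn
    }
    bucket_key_enabled = true
  }
}

# Belt and braces: the bucket policy refuses any request that is not over TLS
# and any PUT that does not ask for KMS encryption, so a client cannot opt out.
resource "aws_s3_bucket_policy" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.hardened.arn, "${aws_s3_bucket.hardened.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "DenyUnencryptedPuts"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.hardened.arn}/*"
        Condition = { StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" } }
      }
    ]
  })
}
```

The weak and hardened definitions differ only in a few lines, which is exactly why such mistakes slip through code review; running a policy-as-code scanner against the plan, or gating merges on one, catches the public ACL and the missing encryption block without relying on a reviewer to notice them.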

AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology that employs mathematical logic to, for example, detect entire classes of misconfigurations. As a result, AWS says it can prove that a configuration is free of specific classes of misconfiguration rather than merely scan for known bad patterns. The issue that organizations encounter is the shared responsibility model: every cloud service provider secures the underlying infrastructure, but the organization using the service is responsible for configuring that infrastructure correctly and for securing the applications deployed on it. Developers, unfortunately, tend to assume more automation is being applied to secure their workloads than actually is.

On the plus side, more organizations are also starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort is spent educating developers, there will always be a development team that makes a mistake, and cybercriminals will find a way to exploit it.