This article originally appeared on VentureBeat.
Your building must be constructed of wood — not papier-mâché.
That is: Build your security program from the ground up and have it embedded within operations and throughout the development lifecycle, Amazon chief security officer Stephen Schmidt told the audience at AWS re:Inforce this week.
“You want visibility and everyone rowing together,” he said.
The annual re:Inforce event — as its name suggests — underscores the importance of security and offers best practices from Amazon Web Services (AWS) and its partners.
This year’s event has included bootcamps, labs and several leadership sessions. These have focused on proactive security; “security mindfulness;” streamlined identity and access management; compliance, governance and security operations at scale; cryptography; and leveraging research and innovation in the protection of customer data.
“While this event is aimed at practitioners, I liked how security basics — such as blocking public access and using multifactor authentication (MFA) — were noted and sprinkled in throughout the keynote as it reiterates a broader point: Security needs to be part of every single person’s job,” keynote speaker and MongoDB CISO Lena Smart told VentureBeat.
Lessons learned as a security leader
In a keynote, Schmidt emphasized the importance of access (or lack thereof). It is critical, he said, to determine who has access to what and why. What do people need for their jobs? For instance, do builders require live data for testing, or as he put it, should data be “obfuscated, masked and anonymized wherever it’s stored?”
“An overly permissive environment guarantees you headaches,” said Schmidt.
The building blocks of any security program require putting “thought and rigor” into each use case. When you store data, it should be “intentionally controlled, intentionally encrypted and intentionally protected,” he said.
An entire organization needs to work together on security, Schmidt said, pointing out that AWS has a decentralized team environment. The AWS security team also regularly meets with the company’s C-suite. He noted that if a security team is only getting sporadic time with the C-suite, “that’s going to be an issue.”
Similarly, security tools are always stronger when used as part of a holistic strategy. Security teams should not be siloed — but rather, an “intimate partner” with development organizations. He underscored an AWS principle, “We’re stronger together.”
Smart agreed, calling employees “our strongest link and best advocates for cultivating a strong security culture at MongoDB.”
“While you can have all the tools in the world, at the end of the day, people are the key to a robust and ever-expanding cybersecurity program,” Smart told VentureBeat.
This has been evidenced through the MongoDB “security champions” program, she said. This has more than 90 employees globally, with members volunteering their time to serve as security conduits for their individual teams.
“The program gives us unprecedented insight across MongoDB and has helped us mature our security program and internal collaboration,” Smart told VentureBeat.
Multiple layers of defense
A “definite worst-case scenario,” Schmidt pointed out, is an organization’s data becoming accessible. If an adversary does gain access to your network, you need effective intrusion detection, he said, adding that a robust encryption program can be a last line of defense.
Security differentiators include a least privilege scheme and reliable active logging that is not deletable by attackers. Controls should be integrated throughout services so that no single aspect of a security program is on the hook for everything in a defense portfolio, said Schmidt.
Similarly, having services that complement each other is foundational to the zero trust process. He suggested that organizations build out systems in such a way that requires multiple things to go wrong before resulting in a bad outcome.
“The single controls will fail,” said Schmidt. “You need to have multiple layers of defense when it comes to your security program.”
Fostering a culture of security awareness
AWS vice president and chief information security officer CJ Moses underscored the importance of ownership across teams — because ownership shouldn’t just be around profit and loss and business success or failure.
“It is a mechanism that reinforces our security culture,” said Moses. “That’s the type of mentality that you want to have and you want to have passed down.”
It is equally important to have a meeting room full of multiple people with different outlooks, he said. This includes the introverts and the extroverts alike, as well as those from different backgrounds or cultures. It’s about “having multiple viewpoints and backgrounds, because diversity brings diversity,” he said.
Also, new hires can offer a team high levels of clarity, as they don’t have years of bias or “groupthink.”
Best practices ultimately come down to “whatever enables your culture to be looking at things differently and challenging one another,” said Moses.
In-depth defense mechanisms
As for the security tools themselves: Those that are automated, embedded, and allow people to do the right thing — and easily — are paramount, said Moses.
“You don’t want security to become something that’s causing more work for people,” he said. “They’ll just find ways around it — we all know that’s true.”
He also highlighted the importance of least privilege, vulnerability reporting and ransomware mitigation. The process of revoking access to new software — or granting administrative access — should be practiced regularly.
“Because each overly permissive access is an opportunity for an adversary,” said Moses. “If you’re on vacation, your access would be as well.”
Along with this, there should be internal and external ways to report vulnerabilities, he said. Give customers a contact platform that automatically opens tickets, even if they’re unsure about whether it’s a bona fide security issue or not. And when it comes to ransomware, validate your critical processes and run exercises regularly.
“You don’t want to find out about a critical flaw in the plan during a real issue,” said Moses.
It is also important to have a comprehensive inventory of software and how it’s being used, he said, while always analyzing third-party products to ensure that they are updated to the latest versions and patch levels.
Also, Moses emphasized: “Logging, logging, logging, logging — did I mention logging?”
Encryption and automated reasoning
Ultimately, the advent of quantum computing over the next few decades means that professionals in the security space will also need to rethink encryption, noted Kurt Kufeld, vice president of the AWS platform.
“The emergence of quantum computing means that some encryption algorithms will be unsafe,” he said, adding that the National Institute of Standards and Technology (NIST) and the cryptographic community have collaborated and announced standards for the post quantum crypto world.
AWS has also implemented a hybrid post quantum key exchange and made that available in open source, said Kufeld. It offers quantum safe algorithms and options for transport layer security (TLS) connections. Furthermore, AWS is working with the Internet Engineering Task Force (IETF) to define a quantum key agreement and hybrid technology.
Automated reasoning, another area of computer science, applies reasoning in the form of logic to computing systems. Leveraging this allows users to enable “provable security” and the ability to make universal statements — such as, “is this bucket open to the public?”
Automated reasoning was applied to Amazon S3 to ensure that it was “strongly consistent,” explained Kufeld, and this revealed edge cases that had not shown up in the past.
“The power of universal statements is amazing when it comes to security,” said Kufeld.
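The “is this bucket open to the public?” question above, reduced to a simplified rule check over an S3 bucket policy document. This is an added example, not AWS’s automated-reasoning tooling (which can also decide what a Condition block does to reachability); the two policies are constructed samples and the helper names are my own.

```python
import json

# Constructed sample (not from the article): an Allow to every principal with no
# Condition, which is what "open to the public" means at the policy level.
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: same grant, but scoped by a Condition that a plain rule
# check cannot evaluate; deciding that case is what automated reasoning adds.
SAMPLE_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
})


def _is_anonymous_principal(principal) -> bool:
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_statements(policy_json: str) -> dict:
    """Hypothetical helper: 'public' = anonymous principal and no Condition;
    'needs_review' = anonymous principal but a Condition this check cannot judge."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    result = {"public": [], "needs_review": []}
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        key = "needs_review" if stmt.get("Condition") else "public"
        result[key].append(stmt.get("Sid", f"statement[{idx}]"))
    return result


def is_provably_public(policy_json: str) -> bool:
    """The universal question, answered only for the cases the rule check can decide."""
    return bool(classify_statements(policy_json)["public"])
```

A non-empty `needs_review` list is the gap between a rule check and provable security: those statements are neither shown public nor shown safe.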
Enhanced AWS capabilities
In addition to its swath of enhanced security features, AWS also announced several new tools during re:Inforce. These include:
- Amazon GuardDuty Malware Protection: This new service helps detect malicious files residing on an instance or container workload running on Amazon EC2 without needing to deploy security software or agents. It adds file scanning for workloads utilizing Amazon EBS volumes to detect malware that can place resources at risk. When issues are detected, the service automatically sends security findings to AWS Security Hub, Amazon EventBridge and Amazon Detective. Existing customers can enable the feature in the GuardDuty console or through the GuardDuty API.
- AWS Wickr: A new enterprise grade, secure collaboration product providing end-to-end encrypted (E2EE) messaging, file transfer, screen sharing, location sharing and voice and video conferencing capabilities. It also includes message and content expiration, perfect forward secrecy, message recall and delete, and administrative controls to support information governance and compliance.
- New categories of AWS security competency partners: Eight additional competency categories include identity and access management; threat detection and response; infrastructure security; data protection; compliance and privacy; application security; perimeter protection; and core security. The service helps customers identify software and service partners that have expertise in specific security categories.
- AWS Level 1 MSSP competency specialization categories: Six new categories include identity behavior monitoring; data privacy event management; modern compute security monitoring for containers and serverless technologies; managed application security testing; digital forensics and incident response support; and business continuity and ransomware readiness to recover from potentially disruptive events. The goal of the latter two rollouts, according to Ryan Orsi, global partner practice team lead for security consulting and MSSP at AWS, is to help customers discover partner solutions validated by AWS security experts and provide 24/7 monitoring and response services. This new tool “showcases how we’re aiming to meet customers where they are at and make securing these environments easier,” Orsi told VentureBeat. “We’re enabling a one-stop-shop experience where (customers) can find security software specific to their needs, as well as the expertise needed to properly deploy it.”
- AWS Marketplace Vendor Insights: A new tool to simplify third-party software risk assessments by compiling security and compliance information in a unified dashboard. This helps streamline the procurement process by granting buyers access to evidence made available by AWS Marketplace sellers related to data privacy and residency, application security, and access control. Buyers can receive notifications about security events such as expiration of a vendor’s compliance certificate, and can have ongoing visibility into the security posture of their third-party products.
This ultimately underscores AWS’ dedication to its “partner ecosystem” and streamlined procurement processes, said Chris Grusz, general manager of worldwide ISV Alliances and Marketplace at AWS.
“Not only do customers move through the procurement process without delay,” Grusz told VentureBeat, “but partners are enabled to make more deals, and faster.”