Amazon Web Services Inc. held its annual re:Inforce conference, dedicated to security for AWS environments, at the Anaheim Convention Center in California on June 13–14. The company used the opportunity to launch new security services, expand upon those recently launched and solidify its overall security strategy.
AWS continues to set a high bar for security in the cloud industry. The company focuses on solving cloud security challenges using proprietary technology and internally developed methodologies. AWS seeks to embed security at the most basic level of its services, which it believes helps make security simpler and more effective for customers. The new services, which are tightly integrated with core AWS services, aim to tackle important cloud security problems and position the company for future growth in key security market categories.
Keynote
The 2023 re:Inforce keynote was delivered by AWS Chief Information Security Officer CJ Moses, who was a featured speaker at last year's conference. Moses said AWS' ultimate goal is to make security "more affordable, effective and straightforward" for its customers, and discussed how security revolves around people and requires a deep understanding of human behavior and psychology. It is an approach informed by Moses' time working for the FBI.
According to Moses, everything built at AWS takes the human element into account. An example is how AWS built its own virtualization platform, the AWS Nitro System, from the ground up, and specifically designed it to protect data from both operators (AWS employees) and users. The theme of AWS embedding security into services from the ground up — or starting with the "primitives," as Quint Van Deman, principal in the office of the CISO for AWS Security, said — was prevalent throughout the conference keynote and breakout sessions.
Context
The most notable new service launches were AWS Verified Access and Amazon Verified Permissions, formalizing the company's zero-trust cloud access strategy. AWS Verified Access applies to corporate applications and allows access for remote users without a VPN. Amazon Verified Permissions aims to solve a long-standing enterprise challenge in embracing "authorization as a service."
AWS also targeted expanding recently launched services such as Amazon Inspector, Amazon Security Lake and the AWS Nitro System, which provides intrinsic confidential computing protections to customers of Amazon Elastic Compute Cloud (EC2).
Educating users about the benefits of these services is another primary objective of re:Inforce. The company continues to formalize its partner program and has demonstrated early success in getting buy-in from partners, including software providers, managed security service providers and global systems integrators.
New services and extensions
Senior Principal Engineer Becky Weiss joined Moses for the keynote and provided an overview of key service launches. Among the most notable was the general availability of Amazon Verified Permissions, which followed the introduction of AWS Verified Access in April. Both were featured prominently in the keynote and leadership sessions, and both of these launches emphasize authorization.
AWS Verified Access authorizes application requests and provides secure access to applications using a "VPN-less" approach, which helps reduce the remote access risks. Amazon Verified Permissions offers granular and scalable authorization and permissions management, which helps customers define, evaluate and enforce zero-trust authorization within their own applications. This service employs Cedar, a permissions policy language and authorization engine developed by AWS and recently made open source.
Weiss said while zero-trust principles are baked into core AWS services, both of these services represent the "next chapter in zero trust," which we see as an evolution of functionality into more readily adopted packaging of key AWS controls for zero-trust access and authorization, further enabling developers to use controls designed for this purpose and decoupling this necessary functionality from application logic.
AWS has also invested significantly to improve and expand its confidential computing capabilities. Secure connectivity, meanwhile, was exemplified by the introduction of Amazon EC2 Endpoint Instance Connect, a service that enables users to connect to cloud instances through a private endpoint, securely and in a simplified manner. This further augments AWS implementations, from its global backbone to connectivity services such as Amazon VPC Lattice, to avoid exposing data over the public internet and to ensure that all data is encrypted in transit. We expect to cover additional recent data security announcements in further reports.
AWS made a number of enhancements to its application security capabilities as well. Amazon Inspector, its vulnerability management service, now offers exporting capabilities for software bills of materials, which helps customers understand their software supply chain and associated risks and vulnerabilities. Meanwhile, Amazon CodeWhisperer introduces an "AI code companion" that provides code recommendations and helps improve security by identifying code vulnerabilities. These enhance capabilities such as Amazon CodeGuru, a static application security testing tool that can identify and resolve code vulnerabilities at any stage of the development workflow. We expect to elaborate on these initiatives in our ongoing coverage of application and software security.
Research-supported innovation
At the industry analyst sessions at re:Inforce, AWS put a spotlight on the research underlying many of its innovations. AWS Identity Applied Science Director Neha Rungta hosted a breakout session highlighting research initiatives in AWS for automated reasoning capabilities and strategy to identify complex security issues and resolve them proactively.
The application of automated reasoning in initiatives such as Verified Permissions leverages data from key services like AWS IAM Access Analyzer, Amazon VPC Network Access Analyzer and other sources, and does not require customers to have expertise in automated reasoning because it runs automatically under the hood. Rungta says AWS' ultimate goal is to provide "provable security," which is security assurance backed by mathematical proof.
Amazon Security Lake
AWS Security Vice President Jon Ramsey spearheaded analyst discussions of the company's threat detection and response initiatives. In the last few years, this strategy has come into sharper focus. Amazon GuardDuty, for example, is a core security monitoring service. AWS Security Hub serves as the central platform to consolidate AWS security findings, including those from CloudTrail and other sources. Amazon Detective provides the ability to perform deep investigations of alerts. Amazon Inspector continuously scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Security Lake is a more recent introduction for centralizing security data management from AWS and third-party sources.
Generally available in May, Amazon Security Lake was another highlight of re:Inforce. This initiative enables customers to centralize the management of a wide scope of security data across multiple sources, in a simplified manner and using the Open Cybersecurity Schema Framework (OCSF) data format. AWS now has more than 60 partners that actively use the OCSF format, including software vendors, managed security providers and systems integrators. Amazon Security Lake offers pay-as-you-go pricing with no up-front costs and a simplified pricing model based on data ingestion and data normalization. 451 Research expects to follow Amazon Security Lake more closely in further research on the evolution of security analytics and data management.
Overall, AWS' ongoing plan is to expand current capabilities, and the company believes ongoing innovation and automated reasoning will help it move toward these goals.
Partner program updates
Several updates to AWS partner programs were also announced. First, the company announced the launch of AWS Built-In Partner Solutions, which is in preview and will be generally available later in 2023. This program enables customers to purchase AWS partner software in the AWS marketplace, integrate with AWS foundational services and deploy automatically with the help of partners.
AWS named five global systems integrator partners for the launch: Atos Inc., Deloitte LLP, PricewaterhouseCoopers LLP, Kyndryl Holdings Inc. and Accenture PLC. Other updates were to the AWS Security Competency Partner Program, which officially launched at re:Inforce last year. There are now three categories in the program — Security Services Competency, Level One Managed Security Services Provider Competency and Cloud Operations Competency, which includes cloud operations, governance and compliance capabilities.
The launch of AWS Cyber Insurance Partners Program was also announced. It eases the process of obtaining and sustaining cyber insurance coverage. Primarily targeting small and medium-sized businesses, this program simplifies customer sharing of security posture information with insurers via AWS Security Hub and identifies key security objectives to simplify attestations, obtain quotes for coverage from AWS-vetted cyber insurance partners and improve security resilience. This trend is in line with similar initiatives in areas such as the rise of cyber insurtech, which we expect to impact practices in cyber implementation.
Toward the future
AWS' take on its future in security was exemplified by the close of Moses' keynote. Addressing the topic that has been top of mind in the tech industry since the launch of ChatGPT, Moses sees generative AI as an "indispensable tool" that can help engineering and operations teams improve security.
The keynote also touched on the huge security and privacy risks and the opportunities for misuse, such as hackers using AI tools to automate phishing and social engineering attacks. An example of how major vendors invested in AI's future are responding was the built-in security and privacy controls in Amazon Bedrock, which launched in April. A new initiative for building generative AI on foundational models within AWS environments, Bedrock is a focus of AWS' AI ambitions.
Finally, Moses touched on quantum computing, which has the potential to revolutionize cybersecurity by making it possible to easily crack certain existing encryption algorithms. AWS is currently leading development of quantum-resistant, cloud-scale cryptography technology with the goal of applying this to AWS services such as AWS Certificate Manager, AWS Secrets Manager, AWS Key Management Service and the AWS Transfer family of services. These and other examples evident throughout re:Inforce 2023 showcased opportunities for AWS to drive continued innovation in the future.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.
451 Research is part of S&P Global Market Intelligence. For more about 451 Research, please contact 451ClientServices@spglobal.com.