AWS has moved up the stack with native security tools for its customers, but it has yet to address the needs of...
an enterprise with regard to data protection.
Security remains a top priority for enterprises that make the shift to the public cloud, and the subject was front and center at AWS' recent annual user conference, re:Invent 2017, where executives repeatedly implored customers to lock down their data. The company introduced some new security services to aid in that process.
But for many companies, AWS security services only go so far.
Capital One, one of the first major corporations to embrace AWS, built its own control framework, trained internal engineers, and set boundaries on what Amazon cloud services could and could not be used.
The bank has expanded beyond basic compute and storage services into higher-level products, such as DynamoDB and Lambda, and it gives developers the ability to experiment with newer services, too. For production workloads, however, a service must meet minimum requirements for compliance, such as encryption and cross-region availability.
Capital One executives appreciate the improvements to AWS security services, but the financial company still builds its own tools to manage compliance, such as its open-sourced Cloud Custodian tool. Capital One would like AWS to make more effort around encryption, access controls and protection of sensitive data, especially with the complexity required to manage resources across multiple AWS accounts at scale.
"We're seeing more of that, and that's great, but we'll continue to build our own services until it's all there," said Biba Helou, managing vice president of cloud at Capital One, based in McLean, Va.
Shared responsibility still core to AWS usage
AWS has always operated under a shared-responsibility model, where the provider controls the underlying infrastructure and the user controls everything above that. But during the past year, in particular, it has shifted to add services that root out security threats higher up the stack.
The response comes from enterprise demand, plus a series of embarrassing public data exposures. AWS has added more encryption defaults and more prominent alerts to notify users when they're out of step with suggested best practices, and it has retooled to better track and correlate account activity metadata.
John Nicholsdirector of enterprise architecture, Pacific Gas and Electric Co.
Pacific Gas and Electric Co. (PG&E), a utility based in San Francisco, is also glad to see AWS doubling down on its message of security and shared responsibility. PG&E began to use AWS five years ago with the goal to shut down most of its data centers and ultimately move its grid operation systems into the actual operating centers that can then be connected back to the cloud. For now, the focus is on analytics, rather than moving over its compliance data.
"We're not going to put those systems in the cloud -- not any time soon," said John Nichols, director of enterprise architecture at PG&E. "At some point, that might make sense, but there are too many things that could go wrong."
And it's still early days in cloud adoption among enterprises. Many companies are like PG&E -- they still want to figure out how to operate in the cloud and embrace areas such as distributed systems principles, automation and security -- before they allow their to data to move off the premises.
"Until we actually do it and until something breaks and then you see the reaction, those are the things we've got to overcome first," Nichols said.
GuardDuty among the latest native AWS security tools
Among the new capabilities AWS introduced at AWS re:Invent 2017 was Amazon GuardDuty, a managed threat detection service that tracks AWS-generated feeds and coordinates with user logs to detect trends, patterns and anomalies. Another major upgrade was IoT Device Defender, due out in the first half of 2018, which will monitor devices for compliance with security best practices and identify abnormalities.
GuardDuty and another recent addition, Amazon Macie, tout AWS' use of machine learning (ML) to protect against threats. But AWS will see competition from security companies that offer more mature tools, said Abhi Dugar, an IDC analyst.
"They're not there so far in that sophisticated, predictive AI, ML, deep learning, neural network world," he said. "They will have to catch up with some of the capabilities of third-party companies that have much more comprehensive sets of features."
There are other AWS security services added over the past two years to track applications, such as AWS Artifact for compliance reports, Amazon Inspector for security assessments, AWS Shield for distributed denial-of-service protection and AWS WAF, its web application firewall.
Overall these AWS security services represent a larger shift to move up the stack, monetize the information they gather and funnel these tools into the rest of its existing services, Dugar said.
"This is clearly driven from the profit perspective that [AWS can upsell you] if you're already using EC2 and S3 and they already have so much visibility into their own infrastructure," he said.
AWS on security: Automate, automate, automate
At re:Invent 2017, AWS also encouraged enterprises to remove humans from operations as much as possible. Stephen Schmidt, vice president and chief information security officer at AWS, said the vendor has no security operations center, and only one security engineer is on duty to work on operations at any given time.
The message espoused by AWS CTO Werner Vogels was of the need for automation and security at all layers. He told his audience that IT pros remain the biggest vulnerability and added that companies are not taking encryption and data protection as seriously as they should. Developers must also be part of the equation, too, particularly as companies move toward continuous delivery and integration.
"The pace of innovation really needs to meet the pace of protection," he said. "The best way to do that is to use automation."
AWS does not always take its own advice, albeit in a slightly different context. The company harps on the message, but it was human error that crashed a portion of the internet earlier this year due to a Simple Storage Service outage on the East Coast. In a postmortem that detailed the outage, AWS said it planned to add more automation to prevent a recurrence.
AWS historically has put out minimally viable products and improved its capabilities over time in response to user interest. Without providing details, an AWS spokesperson said the company plans to pull these tools together to help customers choose and deploy the AWS security services they want.
But for now, there's a healthy ecosystem of startups and established security companies to fill the void. On the AWS Marketplace, which provides links to certified partners, there are 580 different entries for security services.
Houston-based Alert Logic, for example, is one of many independent software vendors with products that incorporate GuardDuty. The native service follows a trend of better visibility into AWS with streams of information, but customers need more actionable information, said Misha Govshteyn, Alert Logic's founder and senior vice president of products. Companies also are confused about the volume of data logs and how to pull together the various native AWS offerings, especially since some companies can't even keep tabs on how many accounts they have and who launches instances.
"It's not that there's not enough security tools; three years ago, that was a problem," Govshteyn said. "Now, there are [many] security tools and a lot of them go pretty deep, but nobody can cover the full breadth of things."
Even if AWS fills those gaps, it may not displace the growing ecosystem of cloud security providers. Embedding these tools into all Amazon cloud services could create pricing confusion and sticker shock, particularly at larger enterprises, Dugar said.
There's also the issue of security across multiple cloud platforms. AWS has largely dismissed the emergence of multi-cloud architectures that enterprises increasingly face, by choice or foisted on them through acquisitions or lines of business, but enterprises need an independent view to maintain consistent policies across environments.
"They're not going to make it easier to help you if you want to be on Azure and on AWS," Dugar said. "The security policies are different on each of those clouds, and third parties will be able to offer a better option."
Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at [email protected].