LAS VEGAS — As with everything else in Amazon’s thriving empire, making security as adaptable as possible is a premiere focus for Amazon Web Services and its partners as more enterprises turn to the cloud.
Over the course of Amazon’s re:Invent conference this week, experts displayed how the cloud can be used to enable security — even going so far as to automate functions normally tasked to teams of developers or engineers. Numerous attendees told CyberScoop that moving toward automation is ultimately driven by a need to progress at the speed customers expect from a wide array of companies.
“We’ve been working with you to get the nasty heavy lifting off your hands,” said Amazon Web Services’ CISO Stephen Schmidt.
AWS has been preaching that message for awhile, but it’s only been over the past few years that enterprises have really bought into it.
“What’s interesting in the world of security is that enterprises have always been concerned about moving their workloads out of their own data centers into their own cloud,” said Aaron Jacobson, a principal with venture capital firm New Enterprise Associates. “Amazon for the longest time has been telling the industry, ‘That’s not true, our data centers are more secure than yours.’ Back in the late 2000s when Amazon got started, CISOs and CIOs weren’t receptive to that message. In the past couple years, there has been that shift.”
For years, AWS has offered its own solutions, from its automated security assessment tool, Inspector, to key management systems, web application firewalls and identity management tools. However, as new security incidents arise, Amazon has reacted. The company released Thursday AWS Shield, a new managed service that protects web applications against DDoS (Distributed Denial of Service) attacks. A standard version will protect against SYN/ACK floods, Reflection attacks and HTTP slow reads for free, while an advanced version will provide round-the-clock access to a response team for custom mitigation during attacks.
“I really believe you have no business on the internet if you do not make protecting your business and customers at the top priority,” said Werner Vogels, Amazon Web Services CTO. “You really need to be able to react to security events in a very fast manner.”
While AWS has its suite of tools, Jacobson says it’s the robust third-party network that gives CISOs the confidence to find the services they need.
“You can’t trust the hens to guard the hen house,” Jacobson told CyberScoop. “You need a third party in there. As an investor, I like the idea of finding companies that are offering security on top of Amazon, simply because if I’m a Fortune 500 customer, there’s value to having a third party protect my infrastructure. If you have all the endpoint security in the world, if you don’t configure or deploy it right, you have a thousand alerts to sift through. So anything that adheres to automation really adheres with Amazon’s approach to infrastructure.”
Automating and providing context to these alerts is where third-party companies are planting a flag. Boston-based Rapid7 released a beta of its InsightOps tool during the conference, allowing IT operations professionals to combine endpoint visibility with log analytics. The service gives security teams the ability to solve problems in clicks when they previously might have lasted for hours or even days.
“Today you have to buy five or six tools, you have to look in one and then look in another and try to correlate the pieces,” said Trevor Parsons, Rapid7’s Senior Director of Log Management. “What we’ve developed is you go to one place, pay for it once, and it saves you time.”
St. Louis-based Observable Networks has a similar tool, but concentrates on helping enterprises secure hybrid cloud instances, which contain a mix of on-premises and cloud systems.
“We are recognizing that [enterprises] are not just jumping all the way into the cloud all at one time,” Observable CEO Bryan Doerr told CyberScoop. “[Enterprises] are gonna be split across these environments, sometimes on an app-by-app basis. So the best thing we can do is have similar controls across those two environments that come from on premise, but don’t impact performance. Can we achieve all of that with security?”
Beyond the network, there are companies that are trying to automate security during the development process. Los Altos, California-based Contrast Security pushes its Interactive Application Security Testing (IAST) tool to enterprises, which notifies developers when security errors are made while code is being written. The service, which is used in the public and private sectors, pushes enterprises to embrace the secure DevOps workflow.
“The reality is every company we talk to embraces [secure DevOps] in a slightly different way,” said Surag Patel, Contrast Security’s Chief Strategy Officer. “Organizations are thinking about AWS, and then layering on things like Contrast to allow for them to be comfortable in the security of things that are developed in the cloud.”
Jacobson says the flurry of automated tools is even pushing organizations past Secure DevOps and into a concept he called “No Ops.” The idea behind No Ops is allowing the tools to carry the load due to the lack of skilled security talent in the workforce. Development can then concentrate on its own goals.
“There is some push for [No Ops] on the security side, not because they want to automate security, but because they have to,” he told CyberScoop. “They can’t hire enough people to find threats and use the tools they have.”
The companies who spoke to CyberScoop backed Jacobson’s workforce sentiment.
“It’s getting harder and harder to find people who are real experts,” Parsons said. “If you look at systems today that are a combination of cloud, IoT devices, on premise, it’s a complete mishmash. To have someone that is an expert in all of those things is very difficult. The real challenge is how do we solve with a very simple technology that is very smart in the background.”
“Companies are figuring out that things like security and performance sat in-between dev and ops, and they can’t afford to have separate teams doing that,” Patel said. “So what the companies are doing is building a foundational technology layer their whole tech team can use.”
In some cases, the realization of what security automation can do for companies has come the hard way. Healthcare provider Anthem, Inc., which suffered one of the biggest breaches in history, will soon be rolling out adaptive authentication for 10 million of its customers.
Craig Lund, the CEO of Irvine, Calif.-based SecureAuth, the company providing Anthem with this service, said companies are realizing that the simplicity of getting security in front of consumers is crucial to the overall health of a business.
“For companies like Anthem, they had the biggest breach in healthcare history, they can’t get it wrong,” Lund told CyberScoop. “We have been there on premise, but now we need to put adaptive authentication in front of everything. The fact that the delivery mechanisms are such that you can do that and do it effectively, our customers are now opening it up and saying we want to protect our consumers.”
Given how big of a headache security can be for companies both small and large, it shouldn’t be long before more companies follow Anthem’s lead into making cloud-based security as easy as possible.
“Automation is the thing that makes security wonderful once you get it right,” AWS’s Schmidt said.