I realized I promised to start writing more again to finish off the year and then promptly disappeared for over a week. Not to worry, it was for a good cause, since I spent all of last week at Amazon’s re:Invent conference. And, umm, might have been distracted this week by the release of the Rogue One expansion pack for Star Wars Battlefront. But enough about me…
Here are my initial thoughts about re:Invent and Amazon’s direction. It may seem I’m biased towards Amazon Web Services, and that’s for two reasons. First, they still have a lead in the market in terms of both adoption and services offered. That isn’t to say other providers aren’t competitive, especially in certain areas, but Amazon still has a strong across-the-board lead. This is especially true of security features and critical security capabilities. Second, since most of my client work is still on AWS I have to pay more attention to it (selection bias), although Azure and Google are slowly creeping in.
With that out of the way, here’s my analysis of the event’s announcements:
The biggest security news wasn’t security products. In security we tend to get a bit myopic and focus on the security products and features, but the real impact on our practices nearly always comes with changing IT adoption patterns and technologies. Last week Amazon laid out the future of computing, and there is plenty of evidence that Microsoft and Google are well along (if not ahead on) the same path:
The future is serverless: When you use a load balancer on a cloud provider you don’t run an instance/virtual machine, you just say “give me a load balancer”. Sure, somewhere it’s running on hardware and an operating system, but all that is hidden from you and the cloud provider takes responsibility for managing nearly all of the security. Now that’s great for things like load balancers, message queues, and even the occasional database, but what about your custom code? That’s where AWS Lambda comes in, and Amazon tripled down on it. Lambda lets you load code into the cloud that AWS runs on demand (in a Linux container). You just write your code and don’t worry about the rest. AWS announced enhancements to Lambda, but the big product piece is Step Functions, which let you tie together application components with a state machine (I’m simplifying). The net result? More, bigger serverless applications, and closing a gap that inhibited Lambda use on more complex projects. Security take? Serverless blows apart nearly all our existing security models. I’m not kidding, it’s insanely disruptive. This post is already going to be too long so I’ll start a series on it soon.
The future is serverless AI: Amazon released a quad of artificial intelligence tools. Image recognition, conversational interfaces (like Alexa, Google Now, and Siri), text to speech, and accessible machine learning (a set of features that doesn’t require you to program machine learning from scratch). Go read the descriptions and watch the demos, these are really interesting and powerful capabilities. Security take? Prepare for more data to flow into the cloud and… stay there. You simply can’t compete with these capabilities with on-premise options. On the upside we can also harness these to improve security analysis and operations.
The future is distributed and ever-present: Those Lambda functions? Amazon announced they are now accessible on edge routers (sorry Akamai), in big-storage Snowball appliances (a smart NAS you can drop anywhere that will process locally and communicate with the cloud, or you just ship it all to Amazon for data storage), and in IoT devices on the friggen silicon. All of them feeding back into the cloud. Amazon is extending its processing engine to basically everywhere (IoT FTW). Security take? This is enterprise-targeted IoT combined with distributed mesh computing. Hang on to your hats.
Security is still core to AWS, but the focus is on reducing friction. None of what I described above can work without a bombproof security baseline. This was the first re:Invent I’ve been to where there were no security announcements in the Day 1 keynote. They announced DDoS protection on Day 2 and a bunch of enhancements during the State of Security track lead-off presentation. It seemed almost understated until you went to the various sessions and saw the bigger picture. When AWS builds security products like KMS or Inspector it’s mostly to reduce the friction of security and compliance when customers want to move to AWS. They step in when they see existing products failing or slowing down AWS adoption, or when it is a core feature they need themselves or think will bring more clients. Don’t assume a low level of announcements means a low level of commitment or capabilities; it’s just that security is becoming more of the fabric. For example, Lambda gives you basically a super-hardened server to run arbitrary code… that’s way bigger than…
Multiple account management. Finally. It’s easy for me to recommend using 2-5 accounts per project, but managing accounts at enterprise scale on AWS is a major pain in the ass. Organizations is the first step into enabling master and sub accounts. It’s in preview, and although I applied I’m not in yet so I don’t have a lot of details. But this helps resolve the single biggest pain point most of my cloud-native customers have.
DDoS. Finally. You can’t use BGP-based DDoS mitigation with AWS, which has limited everyone to cloud-based web services. I’m a huge fan of them, but they don’t necessarily work well with all AWS services, especially if you use the CDN. Now everyone gets basic DDoS protection for free, and advanced DDoS protection (humans watching and troubleshooting) is pretty darn cost effective. Sorry Akamai (and Cloudflare and Incapsula). Actually, Amazon’s WAF capabilities are still limited enough that DDoS + cloud WAF vendors should be okay… for a while.
Systems Manager adds automated image creation, patch, and configuration management. EC2 Systems Manager is a collection of tools to knock down those problems. However, it’s definitely rough around the edges and looks like it will work best if you manage it programmatically. It has the potential to really disrupt patch and configuration management tools, and combined with Inspector it also hits security vulnerability assessment products below the belt.
Improved compliance reporting. Remember when Hoff started up the CloudAudit project for automated reporting of cloud provider compliance? It isn’t standards based but AWS Artifact revives the concept and will make life easier for anyone who needs to work with auditors and their Amazon deployments.
IPv6 Support. Fortunately, it’s optional and on-demand.
This really only scratches the surface. I skipped over VMware end-of-lifing their on-premise virtualization (seriously, hard to see this any other way), a ton of database announcements (including serverless SQL), and most of what’s on this list.
One big point is that in the cloud, everything is software defined. Many of the services I just described really work best if you manage them programmatically over APIs. The web console will only get you so far and doesn’t work well once you start dealing with multiple accounts. Software Defined Security and DevSecOps are really the only ways to keep up with the cloud, especially Amazon.
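Here is what “Software Defined Security” looks like in practice for the two themes above (serverless code you no longer host, and multiple accounts you can only realistically manage over APIs): a small policy-as-code check that walks an inventory of several accounts and flags security groups open to the Internet on non-web ports and Lambda execution roles granted wildcard permissions. This is an added example, not code from the post or from AWS. The account ids, group ids, function names and policies are all constructed inline so it runs offline; in a real deployment the inventory would be pulled per account through the EC2, Lambda and IAM APIs (for example with boto3), and the check would run on every deploy rather than by hand in the console.

```python
import json
from typing import Dict, List

# Constructed sample inventory keyed by made-up account ids. Nothing here is
# real; in practice you would build this from describe_security_groups and the
# Lambda/IAM APIs, using a separate set of credentials for each account.
INVENTORY = {
    "111111111111": {
        "security_groups": [
            {"id": "sg-0a1", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
            {"id": "sg-0a2", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        ],
        "lambda_functions": [
            {"name": "order-handler",
             "role_policy": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": ["s3:GetObject"],
                  "Resource": "arn:aws:s3:::example-orders/*"}]}},
        ],
    },
    "222222222222": {
        "security_groups": [
            {"id": "sg-0b1", "ingress": [{"port": 3306, "cidr": "10.0.0.0/8"}]},
        ],
        "lambda_functions": [
            {"name": "report-builder",
             "role_policy": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
            {"name": "thumbnailer",
             "role_policy": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}},
        ],
    },
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}  # the only ports we accept being world-reachable


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_security_group(sg: dict) -> List[str]:
    """Flag ingress rules open to the whole Internet on anything but web ports."""
    findings = []
    for rule in sg["ingress"]:
        if rule["cidr"] in PUBLIC_CIDRS and rule["port"] not in PUBLIC_OK_PORTS:
            findings.append(f"{sg['id']}: port {rule['port']} open to {rule['cidr']}")
    return findings


def check_lambda_role(fn: dict) -> List[str]:
    """Flag Allow statements in a function's execution role that use wildcards.

    A serverless function is only as contained as the role it runs under, so
    '*' or 'service:*' actions and a '*' resource are the first thing to catch.
    """
    findings = []
    for stmt in _as_list(fn["role_policy"].get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{fn['name']}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"{fn['name']}: wildcard resource")
    return findings


def run_checks(inventory: dict) -> Dict[str, List[str]]:
    """Run every check across every account and return findings per account."""
    results = {}
    for account_id, data in inventory.items():
        findings = []
        for sg in data.get("security_groups", []):
            findings.extend(check_security_group(sg))
        for fn in data.get("lambda_functions", []):
            findings.extend(check_lambda_role(fn))
        results[account_id] = findings
    return results


if __name__ == "__main__":
    print(json.dumps(run_checks(INVENTORY), indent=2))
```

The point of the structure is that each check is a pure function over API-shaped data, so the same code runs against two accounts or two hundred, can be unit tested without credentials, and can fail a pipeline the moment a deploy introduces a `*` permission or a world-open port, which is the part of the serverless model you still own.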
Overall I think I captured the big security points:
The future is serverless, and this breaks a lot of how we approach things.
Cloud security is Software Defined Security.
AWS focuses on reducing the friction to cloud adoption, and security is often the friction. Vendors in the way will get gutted without a second thought.
- Rich