Cloud Identity Security – Key Themes from AWS re:Invent 2021

December 10, 2021 Sam Flaster


Last week, CyberArk attendees from around the world joined the global cloud computing community in Las Vegas for AWS re:Invent 2021.

This year’s landmark, 10th-annual conference focused on cloud-hosted services’ critical role in transforming industries — from airlines to financial services to government. In his keynote, AWS CEO Adam Selipsky noted that “there’s no industry that hasn’t been touched by the cloud.” The full conference illustrated how everything from the cloud-hosted applications enabling remote work to the cloud-hosted infrastructure powering vaccine development has built the foundation for contemporary times.

But the distributed nature of modern computing has led to a proliferation of identities with access to public cloud resources. In highly dynamic, rapidly scaling environments, enabling secure access for all human and machine identities is increasingly important. As AWS CTO Werner Vogels said in his keynote, “Protecting your customers should forever be your No. 1 priority.”

The following are some of the key security trends and topics gleaned from the conference’s keynotes and sessions — and from the expo floor itself.

Three key security themes from re:Invent 2021:

1) Technology is changing; the need for least privilege is not.

AWS is innovating at a blistering pace; at re:Invent alone, the company introduced more than 50 new features for its portfolio of services.

At the conference, AWS highlighted that consistently securing access to these powerful technologies requires organizations to implement least privilege access — helping to ensure that all human and machine identities possess only the minimum necessary permissions to complete their tasks.

Through dedicated sessions on implementing least privilege with AWS Identity Services and hyper-focused sessions on security for next-gen infrastructure such as serverless functions, AWS experts stressed the need for thorough authorization and authentication controls.

Another telling detail illustrating how central least privilege and other Identity Security controls are to AWS and the philosophy of its practitioners was on display in the re:Invent security leadership session — AWS Identity’s principal product manager presented a photo of her six-letter vanity license plate: “USE MFA.” Yes, it’s a driving force.

2) Shift left: simple, automated security for modern infrastructure

At the scale of the modern enterprise, consistent security is essential. In his keynote, Vogels emphasized the need for straightforward security policies that can reach hyperscale, providing the “under-the-hood” example of AWS Identity and Access Management (IAM) handling more than a half billion API calls per second. Any service operating at that scale would have once been unfathomable. Not in 2021.

Vogels said AWS needs “… to keep simplicity in mind because, otherwise, you cannot [reach] the scale IAM needs to meet.” He also noted that the foundation for this principle is Gall’s law, which states that all complex systems that work evolved from simpler systems that worked.

Sessions and announcements throughout the conference echoed the connection among automation, scalability and security.

Additionally, several sessions positioned infrastructure-as-code (IaC) deployment methods like AWS CloudFormation as the key to automating simple, scalable and secure configurations for new environments and services.

For example, one session titled, “Best practices for securing your software delivery lifecycle,” underscored the importance of enforcing both security in the CI/CD pipeline (through tools like secrets management and application vulnerability scanning) and security of the pipeline (through ongoing monitoring and threat detection). This language, of course, deeply echoes the AWS shared responsibility model that underpins the provider’s security philosophy.

Another popular session focused on the role of automation in both generating and validating appropriate IAM policies on the fly within CI/CD pipelines. Collectively, these sessions and details indicate a future in which least privilege access and just-in-time provisioning will remain essential ingredients in cloud security.
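As an added illustration of the kind of policy validation such a pipeline step performs (example code written for this post, not from AWS or the session), the script below lints an IAM policy document for wildcard actions, unscoped resources and NotAction/NotResource grants before it is deployed. Both policy documents are constructed samples.

```python
import json

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list[str]:
    """Return one finding per overly broad Allow statement (empty list = pass)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"{sid}: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' allows an entire service")
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' without a Condition to scope it")
    return findings

def ci_gate(policy_json: str) -> bool:
    """Pipeline entry point: True when the policy passes the least-privilege lint."""
    return not lint_policy(json.loads(policy_json))

# Constructed sample policies (not from the article or any real account).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminLike", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-artifacts",
                "arn:aws:s3:::example-app-artifacts/*",
            ],
        }
    ],
}
```

In a pipeline, `ci_gate` would be fed the policy file from the commit under test and a non-empty findings list would fail the build.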

Automation is even more important as AWS continues to, yes, reinvent enterprise infrastructure. AWS continues to make container-based and serverless deployments increasingly accessible — and increasingly secure. Several AWS services, including Amazon Redshift (big data) and Amazon SageMaker (machine learning), added serverless deployment options at re:Invent, lowering the total cost of ownership for these groundbreaking technologies.

Simultaneously, AWS used the re:Invent spotlight to reveal easier-than-ever adoption of containerized environments. The company introduced a new AWS Marketplace for Containers, which enables organizations to identify and deploy subscriptions to third-party Kubernetes applications. And following its own advice, AWS also pre-announced that its Amazon GuardDuty threat detection service will extend into containerized environments.

3) Securing cloud migrations requires people, processes and technology

Securing all identities accessing sensitive resources during a cloud migration is no easy task. It requires deep expertise, tailored technologies and careful planning. This message resonated throughout our meetings with CyberArk customers and peers at AWS, who repeatedly called back to the AWS Migration Acceleration Program (MAP).

MAP emphasizes the importance of assessing cloud readiness, mobilizing resources and technologies, and ultimately, migrating and modernizing workloads with the help of expert partners.

In the re:Invent Security Leadership session, AWS leaders emphasized the importance of people, processes and technology for all cloud security processes. The company even spotlighted its own security culture and teams to demonstrate some cybersecurity best practices in action, including:

  • Investing heavily in employee education on cybersecurity awareness training (people)
  • Consistently verifying least privilege and reviewing unintended access to company resources — both technological and physical (processes)
  • Widely investing in threat detection and consistent monitoring that covers all identities accessing cloud resources (technology)

Want to learn more about the value that CyberArk Identity Security Platform can quickly add to your cloud migration? Check out our listings on AWS Marketplace.
