5 Hot Takes from AWS re:Inforce 2022

The city of Boston was hot this July – and we’re not just talking about record-breaking temperatures. The cybersecurity community showed up and turned up the heat, exploring Identity Security-fueled strategies at CyberArk Impact, then advancing critical cloud conversations on identity, security and privacy at AWS re:Inforce. With so many burning topics on our minds, we’re coming in hot with five key takeaways from AWS’ annual cybersecurity conference.
1. Identity Security is the Core of Cloud Security
“Identity,” as Karen Haberkorn, director of product management for AWS IAM, described it, “is any uniquely recognizable entity that requires access to [AWS] resources.” Your cloud or hybrid architecture is sure to be crowded with identities – from human identities like internal employees and third-party vendors to machine identities like service accounts or AWS Lambda serverless functions. Any of these identities can be exploited to gain access to critical cloud infrastructure, steal or alter sensitive data, or interrupt cloud-hosted services. The message was clear: Identity is the core of cloud security.
Haberkorn stressed fundamental Identity Security best practices worth repeating: Federate human access, require multi-factor authentication (MFA), apply least privilege permissions, rotate access keys regularly, safeguard root user credentials, and regularly review and remove unused access. Many presenters echoed this guidance, while emphasizing consistency, simplification and granularity as keys to strong identity-based security, access control and resource management.
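One way to check several of these practices in an account, added here as an example and not code from the talk or from AWS: it parses a constructed report in the shape of the IAM credential report and flags root access keys, console users without MFA, and keys that are older than or unused for 90 days (the thresholds are an assumption).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an AWS IAM credential report (a subset of its real columns).
# Timestamps are ISO 8601 as in the real report; "N/A" also occurs in real reports.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,true,false,true,2020-01-01T00:00:00+00:00,2022-07-01T00:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,true,true,2022-06-15T00:00:00+00:00,2022-07-20T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,false,true,2021-09-01T00:00:00+00:00,2022-01-05T00:00:00+00:00
svc-build,arn:aws:iam::111122223333:user/svc-build,2021-05-01T00:00:00+00:00,false,false,true,2022-07-01T00:00:00+00:00,N/A
"""

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation threshold
MAX_UNUSED = timedelta(days=90)    # assumed "unused access" threshold

def _parse(ts):
    """Report fields may hold N/A or no_information instead of a timestamp."""
    if ts in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(ts)

def audit_credential_report(report_csv, now):
    """Return {user: [findings]} for rows violating the practices listed above."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        # The root user should have no long-lived access keys at all.
        if user == "<root_account>" and row["access_key_1_active"] == "true":
            issues.append("root has an active access key")
        # Anyone with console (password) access, root included, needs MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        if row["access_key_1_active"] == "true":
            rotated = _parse(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                issues.append("access key older than %d days" % MAX_KEY_AGE.days)
            # A key never used since creation is measured from its rotation date.
            ref = _parse(row["access_key_1_last_used_date"]) or rotated
            if ref is not None and now - ref > MAX_UNUSED:
                issues.append("access key unused for more than %d days" % MAX_UNUSED.days)
        if issues:
            findings[user] = issues
    return findings

NOW = datetime(2022, 7, 28, tzinfo=timezone.utc)  # fixed "today" for the sample
```

Against a real account the same function can be fed the CSV returned by `aws iam get-credential-report` once its base64 content is decoded.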
2. Least Privilege Access Is Essential – and It Must Balance with Business Needs
AWS Chief Security Officer Stephen Schmidt believes that “who has access to what, and why?” is one of the most important security questions. “An overly permissive environment guarantees you headaches,” agreed AWS CISO CJ Moses. Why? Because “humans and data don’t mix!” Having a least privilege scheme is a non-negotiable defense-in-depth mechanism – now more than ever, given the key roles of lateral movement and privilege escalation in ransomware and software supply chain attacks.
Moses pointed out the central role of just-in-time provisioning in a least privilege model, as always-on, standing access presents notable risk. “If you’re on vacation, your access should be as well,” he noted. Further guidance from AWS leadership on restricting access to sensitive resources based on user location drove this point home. But don’t jump into privileged access management without a plan, cautioned a speaker from a major financial institution. Long-term security controls cannot be exclusively tied to short-term organizational structures. Security needs a stable foundation, it needs to strike the right balance between control and flexibility, and it needs a solid roadmap.
3. You Can’t Buy Zero Trust – Defense in Depth Is How to Get There
Least privilege is a cornerstone of Zero Trust – another hot topic at the show. But there isn’t a security tool on the planet that can flip on a Zero Trust switch. Every organization needs multiple lines of defense because “single controls will fail,” said Moses. He emphasized the need for independent, yet integrated, controls that talk to one another as part of a cybersecurity mesh architecture, and urged organizations to embrace their responsibilities in protecting data, applications, endpoints, networks and identities in their hybrid cloud environments. Some defense-in-depth directives were inescapable, like one keynote slide featuring just two words: “Enable MFA.” If you haven’t done it, do it. Full stop.
And speaking of hot topics, “user experience” would have been a winning buzzword bingo square. Winston Churchill’s “we shape our buildings; thereafter they shape us” quote captured the need for security programs built for actual people. Enhancing the end-user experience with things like native session isolation and unified administration of security controls, for instance, makes it easier for people to do the right thing.
4. Provable Security Starts with People
While AWS re:Inforce is a technology conference, the human side of cybersecurity was featured prominently. We heard about AWS’ goal of creating a “culture of provable security” – one in which everyone is accountable. Look for “changing moments” to reinforce security culture and remember that diversity brings more diversity to give your cybersecurity program a critical edge, encouraged AWS leaders. BUT, they also warned against “relying on heroics” from staff. Even the best security practitioners need ways to automate and simplify their work so they can stop threats before they stop business. This, too, makes interoperability and technology integrations essential.
5. Software Supply Chain Security Must Be Smart and Simple
Log4j and SolarWinds-type attacks are a reality, which is why it’s so important to bake security and continuous risk monitoring into CI/CD pipelines and application portfolios, noted AWS and third-party experts. Weaving security into the development lifecycle and operations also makes security reviews quicker and more uneventful, helping to keep projects – and budgets – on track. At the end of the day, keynote speakers said, the goal should be to make the secure path the path of least resistance. Otherwise, people will keep finding ways around it.
AWS Marketplace Vendor Insights is a great example of smart software supply chain security in action. Announced at the show, the new service provides continuous risk monitoring for all vendors on the AWS Marketplace, so if a vendor’s security risk profile changes, AWS customers using that vendor’s services will be notified.
We’ll wrap things up with a favorite soundbite from the show: “Security can’t be the office of no, but rather partners to enable the business by saying ‘Yes, but …’ or ‘Yes, and …’” We couldn’t agree more – in fact, allowing developers to use their preferred cloud-native tools while security teams can manage secrets with CyberArk is exactly what our newly announced Secrets Hub aims to do. We had a lot of fun at the AWS re:Inforce CyberArk booth demonstrating how developers can keep using native tooling while security teams gain centralized visibility and control of application secrets.
We also showed how CyberArk Identity SSO now integrates with AWS Control Tower, unlocking better security and governance in the cloud.
Read “Identity Security: Why It Matters and Why Now” to learn more about how an Identity Security-first mindset can help strengthen and reinforce your cybersecurity program.