
Mission Talks: AWS Security Session re:Invent 2020 Insights [Video]

Transcript

Jonathan LaCour:

We are back again with another opportunity for us to chat about some great stuff that is going on in re:Invent. It continues to be overwhelming with all of the activity spread out over three weeks. I really wanted to sit down and chat a little about this leadership session that we heard from Steve Schmidt on security, identity, and compliance. This is a hot topic for us and for our customers. I thought we would just react a little bit. Just a reminder for everybody who is watching, my name is Jonathan LaCour and I am the CTO here at Mission.


Jaret Chiles:

I’m Jaret Chiles, Vice President of our Consulting Services group. I am really excited about this session. Earlier in my career I led some security operations teams and was an auditor and things like that so I am always super passionate about the security space and excited to hear all of the things going on in AWS right now.


Jonathan LaCour:

Indeed. I definitely have a long history in this area as well with sort of a love-hate relationship with compliance and audits of things of that nature. Let’s start with some of the philosophy - it was one of the things that struck me. AWS tends to lead with their philosophy. It is who we are and this is our view of the world. It really ties in to what we talked about last time about reinvention. I think AWS is thinking about security compliance and identity in a vision of how can we reinvent this? One of the quotes that was pulled out was from Mario Andretti, the famous racecar driver, and he said: “If everything seems under control, you’re just not going fast enough.” If you told me that someone was going to open up the conversation with security professionals and compliance professionals with “you’re not going fast enough” I would have laughed at you and said that’s crazy. But that’s exactly what they did.


Jaret Chiles:

With AWS specifically it is interesting because we are a long ways into the game now. They are still scratching the surface on one hand but at the same time, security has long been one of the primary blockers for adoption of the cloud. There is a gap in the skills market and security challenges. There has always been a back and forth between these top two things regarding finding that balance between going fast and gaining benefits. How do you get the auditors comfortable? How do you solve the compliance problems and help your operations teams? It seems like these were big parts of the theme today.


Jonathan LaCour:

There is another quote he said which was talking about “a culture of optimism and accountability.” This relates exactly to what you’re talking about. There has been a fear of the cloud for many years from a security and compliance perspective. Now it is about being optimistic, being accountable, using the tools, and removing the friction. 


Jaret Chiles:

Optimism is interesting. We were talking about this earlier. There are a couple different ways this can be interpreted. I was also thinking about the pessimism in cloud adoption but then there is also the optimism in general around security in the culture right now. There is a lot of fear and there is a lot of brand damage that companies have gone through that I think has probably stifled innovation a lot for a little while. There were some immature stages where people were moving fast in adopting the cloud and didn’t really know what they were doing. Maybe the tools weren’t as robust and mature at that time. Now we are in a much better place and it's a time where we should be optimistic about what benefits the cloud can bring and how much security can actually bake into your applications when you leverage the cloud.


Jonathan LaCour:

They really were talking in this notion of reinvention and optimism. It is all about friction reduction. If you look at some of the core areas they were diving into, centralization was a big one they talked about. Centralization and giving you visibility was another one. Then there is automation. On the cost front, one of the big ones they talked about was an 80% cost reduction to Macie. I know that when we talk to our customers about implementing Macie, that's one of the big concerns that always pops up - how much is this going to cost? Making this much more affordable is reducing the friction point. 


Jaret Chiles:

Cost specifically as it relates to security is a really interesting topic. Many items announced today were actually free. You can actually leverage these tools. In the old data center days, one of the terms I had heard for a while was “the security poverty line.” It cost so much to get a baseline set of security that enabled you to meet certain compliance regimes and things like that and it was prohibitive for some people. Their ability to do this and drop that barrier means security is more widely available for everyone for cloud adoption. 


Jonathan LaCour:

I completely agree. The interesting thing there is the costs now come in your time, your expertise, and the investment you can make in making those things happen. This is great news for us as a partner because that’s what we do. We help companies adopt these tools - especially when they are free, such as native tools provided with AWS. Once you get these implemented, we help you get trained and get these things enabled in your environment. Boom, you are off and running. 


Jaret Chiles:

The tool may be free, but the expertise and time it takes to implement are not free. The ability to do that stuff efficiently can drive cost; that is why you need strong partners.


Jonathan LaCour:

It does relate to our MDR service (Managed Detection and Response) which we developed in consultation with Alert Logic. The big benefit there is that the Alert Logic tool is great but what you’re really getting is our 24/7 team and their 24/7 team working together to respond. While it is important that these tools are free from AWS and we should turn them on in all of our environments, it doesn’t matter if you’re not acting on it. It kind of pushes it down where you don’t have any excuse. It is not about the tools anymore. It is about everything else. 


Jaret Chiles:

With what Alert Logic offers specifically I think it is very complementary to a lot of the things that they announced today. There is some really good synergy there.


Jonathan LaCour:

I was excited about that as well. We’re not getting “sherlocked” where someone invents a product that decimates one of our services. It is actually highly complementary.


The second area that I brought up was centralization. I think it has been very interesting. One of the things Mission has been doing over the past couple of years has been evolving our AWS account structuring, leveraging AWS Organizations, helping customers leverage AWS Organizations, helping customers with the infrastructure of their infrastructure (things like AWS Control Tower and provisioning). That was a big theme as well.


Jaret Chiles:

A lot of complementary things were discussed on the organization side and I think you are going to go into this but everything is all wired for automation now which is a big part of it too. The amount of time that you spend trying to plug all these things together, trying to manually audit things, and trying to reduce that bar. When we talk about simplifying for everybody, they hit on a bunch of things.


Even as far as helping enable auditors: helping them understand the differences in on-cloud and on-premise. In AWS specifics they spent a lot of time talking about that. It is all about centralizing more tools that enable you to automate as well, and reducing friction, which helps drive cloud adoption.


Jonathan LaCour:

Yeah! You brought up on the centralization front, AWS Security Hub went GA which I think is wonderful. It is very well integrated with everything else. That’s really a critical factor. If you are trying to provide a centralized hub, it needs to be integrated with everything. They opened it up to third parties and there is so much that goes into Security Hub now which is, again, very complementary.


You brought up audits. I have a love-hate relationship there. I know you have gone through SOC 2, ISO, PCI, GDPR, and all of these compliance issues in the past and audits and such. It is just fraught with manual processes, documentation and evidence. It is just exhausting. Honestly, it is one of those things that I think a normal human being (that isn’t me) would not get super excited by an Audit Manager but I’m like “Yes! Bring it on! We need this!”


Jaret Chiles:

Yeah. Producing evidence, you mentioned that piece. Most people underestimate how much time goes into producing all of the evidence that you need. When you have tools that help do that for you from the full life chain it simplifies so much.


Jonathan LaCour:

It is a change of philosophy too, right? The old way was a once-a-year big bang approach to the problem where you go and generate an absolute mountain of documentation and throw it at your auditor and say “good luck.” They mentioned that it is an enormous amount of work, it is very manual, it is spreadsheets, and it’s not fun. With something like Audit Manager, it shifts your mindset from a once-a-year big bang approach to continuous access controls, continuous compliance, and continuous risk assessment. This is the mode they have been advocating for years and years but is just another piece of the puzzle and another way for us to drive customers towards that, and ourselves.


He also talked about automation and visibility around patching. This is one of the best quotes in the whole thing and I don’t want to mess it up. What did he say?


Jaret Chiles:

“Security vegetables.”


Jonathan LaCour:

Security vegetables, right? You have to eat your vegetables; you have to patch and scale. If you’re not using Systems Manager, that is a huge thing that we use. We have our cloud managed service Mission Cloud One where we’re actually managing your AWS environment and we help you manage patches; we need SSM to do that. It is excellent at what it does. Now, it is integrated into Security Hub and you can get all of that visibility in one place. Have I eaten my security vegetables for the day or week or month or whatever it happens to be?


Jaret Chiles:

Yeah and this ties back in when you talk about continuous monitoring. Actually being able to develop roles for your internal audit teams, if you have those. They can in real time keep track of this. It’s just perfectly seamless. 


Jonathan LaCour:

I will say I am very interested on the Audit Manager front; they said the built-in compliance frameworks they have today are pretty basic ones. So the CIS AWS Foundations Benchmark which is a great one that we run for customers all the time which is very useful. GDPR is a big one. I actually think that one is extremely valuable. Same with PCI DSS. But what I didn’t hear was SOC 2, I didn’t hear ISO 27001, I didn’t hear HITRUST, I didn’t hear HIPAA. I think a lot of these sort of compliance frameworks will need to be part of this as well and I think it will be over time. 


Jaret Chiles:

I was trying to look through some of my notes to find it. The thing to consider too when you’re looking at this: if you’re trying to run your own data center or something along those lines and you have to take all of these different compliance regimes on yourself and figure it out, you have to keep in mind the scale that AWS is operating in. Who has more money to invest in their data centers and their security and making sure that their products are at least compatible with all these compliance regimes? There is a scale thing there that is just unstoppable.


Jonathan LaCour:

Yet again, undifferentiated heavy lifting. That’s what AWS loves to attack and now they are doing it on the security front which they have been doing but even more so.


Good stuff. That was a jam-packed session. I think there were a lot of other announcements that were in there that were kind of in the weeds and interesting. I encourage everybody who is listening to go and check those out.


Thematically, I think that the philosophy that AWS is pushing: the reinvention of security, zero trust, really driving for agility, speed, optimism, and accountability, leaning into removing friction from a cost centralization and automation perspective. I think it was really interesting.


Jaret Chiles:

You nailed it. There were tons of product announcements but what I really appreciated about this was how they were able to weave it back into best practices and talk about trends and things like that. Zero trust is a good one too. It’s been around for a long time.


Just simple conversations around like, hey, if you have two systems that don’t need to communicate together why would you have that lateral network path? Really basic things we have been talking about for decades but are still prevalent. What is important is developing tools that help automate, analyzing and seeing those scenarios between identity and access management profiles, network paths. The more that you remove the complexity in identifying those things, the easier it is to follow a true zero trust architecture. 


Jonathan LaCour:

For sure. I feel like AWS is really breaking out the sandpaper, right? They are smoothing off all of the rough edges and making everything easier for us. Pretty exciting stuff. Well, I think that is a good summary for the day and a great reaction to this particular session. I look forward to a couple more as we keep on going through re:Invent! 


Jaret Chiles:

It’s been fun. Y’all track along with us!
