As the largest cloud provider, Amazon Web Services (AWS) really has only one choice when it comes to security, and that is to approach it "holistically," the company's top cybersecurity executive said this week during AWS re:Invent 2021.

"You don't want to secure just one thing or one edge—or use one technique or one approach," said Stephen Schmidt, chief information security officer at AWS, during a session at the conference in Las Vegas on Thursday.

"By using separate—often overlapping—tools and techniques, and different procedures, we build far more robust protections that's resilient to individual faults," Schmidt said. "One of the things that we look for in the internal design of our services is, we never want one security control to be the definitive barrier between adversaries and our services. There must be multiples here. And I encourage you to think the same way."

Top announcements

In that spirit, AWS unveiled new security products and features at re:Invent 2021 to help secure everything from infrastructure to applications to the application development process itself. Key themes included bringing more automation to many security processes, new capabilities for secure access to data, enhanced network and IoT security, and improved security for containers.

Security is pivotal in any company's data journey, AWS CEO Adam Selipsky said during his keynote at re:Invent on Tuesday.

"You need to have complete control over where your data sits, who has access to it, and what can be done with it at every step," Selipsky said. "AWS knows how important this is to every customer."

Ultimately, years of advances in security from both AWS itself and its cloud partners now mean that security can be more of an asset than a liability in cloud environments, executives from a number of cloud security companies told VentureBeat this week.

"We are finally moving past the days where security is perceived as a hindrance to cloud adoption," said Glen Pendley, deputy chief technology officer at cybersecurity vendor Tenable, in an email. "It was a big obstacle years ago when people were trying to force technology that was designed to function on-prem into a cloud environment. Now you are seeing a real shift for security tools to be designed and built as cloud-native."

George Gerchow, chief security officer at Sumo Logic, a cloud log management and monitoring vendor, said he's "seeing security as a huge driver for cloud now—for the first time ever."

In the past, the motives for moving to the cloud have "always been opex cost, end-user experience, being able to deliver a solution to the market faster," Gerchow told VentureBeat. "But now, I do believe that security is a driver for cloud. Because people want to reduce that footprint of what it is they're securing—and focus on the data, focus on the application."

What follows are details on the top 12 security announcements from Amazon Web Services at re:Invent 2021.

Enhanced cloud vulnerability management

AWS used re:Invent to announce a number of new features for improving and automating the management of vulnerabilities on its platform, in response to evolving security requirements in the cloud.

Newly added capabilities for the Amazon Inspector service will meet the "critical need to detect and remediate at speed" in order to secure cloud workloads, AWS said in a blog post.

In the post about the Amazon Inspector updates, AWS acknowledged that "vulnerability management for cloud customers has changed considerably" since the service first launched in 2015. Among the new requirements are "enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed," AWS said in the post.

Key updates for Amazon Inspector include assessment scans that are continual and automated, replacing manual scans that run only periodically, along with automated resource discovery.

Enabling the updated Amazon Inspector turns on auto-discovery and begins a continual assessment of a customer's Elastic Compute Cloud (EC2) instances and Amazon Elastic Container Registry-based container workloads, ultimately evaluating the customer's security posture "even as the underlying resources change," AWS wrote.

The company also announced a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on both EC2 and container infrastructure; integration with AWS Organizations, enabling customers to use Amazon Inspector across all of their organization's accounts; removal of the standalone Amazon Inspector scanning agent, with assessment scanning now performed by the AWS Systems Manager agent (so that a separate agent does not need to be installed); and enhanced risk scoring and easier identification of the most critical vulnerabilities.

A "highly contextualized" risk score can now be generated by correlating Common Vulnerabilities and Exposures (CVE) metadata with factors such as network accessibility, AWS said.
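One way to turn that correlation into a prioritised list, as an added Python example for this article rather than Amazon Inspector's own scoring: parse the attack vector out of each finding's CVSS v3 vector string and weight the base score by whether the affected resource is reachable from the internet, so that a network-exploitable CVE on an exposed host outranks the same CVE on an isolated one. The host names and the multipliers are assumptions; the CVE scores and vectors are NVD's.

```python
"""Exposure-aware prioritisation of vulnerability findings.

Added example, not Amazon Inspector's scoring logic. The multipliers below
are this example's own assumption; the CVE base scores and vector strings
are NVD's published values.
"""
import re
from dataclasses import dataclass

# Captures the Attack Vector (AV) metric of a CVSS v3.0 / v3.1 vector string.
CVSS3_AV_RE = re.compile(r"^CVSS:3\.[01]/(?:.*/)?AV:([NALP])(?:/|$)")


@dataclass(frozen=True)
class Finding:
    resource_id: str           # hypothetical host name
    cve_id: str
    base_score: float          # CVSS v3 base score (NVD)
    vector: str                # CVSS v3 vector string (NVD)
    internet_reachable: bool   # e.g. the result of a network reachability analysis


def attack_vector(vector: str) -> str:
    """Return 'N' (network), 'A' (adjacent), 'L' (local) or 'P' (physical)."""
    m = CVSS3_AV_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return m.group(1)


def contextual_score(f: Finding) -> float:
    """Scale the base score by how exposed the exploitable path actually is."""
    av = attack_vector(f.vector)
    if av == "N":                       # exploitable over the network
        factor = 1.0 if f.internet_reachable else 0.6
    elif av == "A":                     # adjacent network only
        factor = 0.8 if f.internet_reachable else 0.5
    else:                               # local or physical: exposure matters little
        factor = 0.4
    return round(min(10.0, f.base_score * factor), 1)


def prioritise(findings):
    """Findings ordered by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample findings: hosts are hypothetical, CVE data is NVD's.
SAMPLE_FINDINGS = [
    Finding("batch-07", "CVE-2021-44228", 10.0,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", internet_reachable=False),
    Finding("web-01", "CVE-2021-3156", 7.8,
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", internet_reachable=True),
    Finding("web-01", "CVE-2021-44228", 10.0,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", internet_reachable=True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{contextual_score(f):4.1f}  {f.resource_id:10} {f.cve_id}")
```

The point of the ordering is that the same critical CVE lands in two different places: on the internet-facing host it keeps its full score, while on the isolated batch node it drops below it, and the local-only sudo bug on the exposed host is ranked last despite the host's exposure.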

Securing containers from public registries

To help development teams that use containers from publicly accessible registries secure those containers, AWS announced pull-through cache repository support in Amazon Elastic Container Registry.

The support will "offer developers the improved performance, security, and availability of Amazon Elastic Container Registry for container images that they source from public registries," AWS said in a blog post.

"Images in pull-through cache repositories are automatically kept in sync with the upstream public registries, thereby eliminating the manual work of pulling images and periodically updating," the blog said. "Pull through cache repositories provide the benefits of the built-in security capabilities in Amazon Elastic Container Registry, such as AWS PrivateLink enabling you to keep all of the network traffic private, image scanning to detect vulnerabilities, encryption with AWS Key Management Service (KMS) keys, cross-region replication, and lifecycle policies."

Threat detection for container workloads

AWS said it is responding to the growing need for container security with plans to launch new threat detection capabilities for container workloads during the first quarter of 2022.

Schmidt said the company does not usually pre-announce features that are still under development. But given the growing importance of container security, the cloud giant is making an exception in revealing its new container threat detection features, he said.

The first new container threat detection features, launching in Q1 of 2022, will involve extending the Amazon GuardDuty threat detection service to Amazon Elastic Kubernetes Service (EKS) audit logs, he said.

"This will provide customers intelligent threat detection for their container workloads — scanning for unusual resource deployments [and] things like malicious configuration changes, or escalation of privilege attempts," Schmidt said.
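The kind of signal such a detector looks for is easiest to see as a few rules over raw audit events. The following Python is an added example for this article, not GuardDuty's logic: it runs over constructed audit.k8s.io/v1 events in the format EKS writes to CloudWatch Logs when the "audit" control-plane log type is enabled, and flags anonymous access that succeeded, a binding to cluster-admin, a privileged or host-namespace pod, and an exec into a pod. The usernames, namespaces and IP addresses (documentation range 203.0.113.0/24) are made up.

```python
"""Detection rules over Kubernetes (EKS) audit log events.

Added example, not GuardDuty's detection logic. Events are newline-delimited
audit.k8s.io/v1 JSON; only the ResponseComplete stage is evaluated so each
request is scored once.
"""
import json

# Constructed sample events (not real log data). The first line is the
# RequestReceived stage of the second and is skipped by the stage filter.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-alice","groups":["developers"]},"sourceIPs":["203.0.113.20"],"objectRef":{"resource":"clusterrolebindings","name":"debug-binding"},"responseStatus":{"code":201},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"default","namespace":"default"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"ci-bot","groups":["ci"]},"sourceIPs":["203.0.113.31"],"objectRef":{"resource":"pods","namespace":"default","name":"tool-0"},"responseStatus":{"code":201},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"tool","image":"example.invalid/tool:1","securityContext":{"privileged":true}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"dev-bob","groups":["developers"]},"sourceIPs":["203.0.113.42"],"objectRef":{"resource":"pods","namespace":"prod","name":"api-0","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"dev-alice","groups":["developers"]},"sourceIPs":["203.0.113.20"],"objectRef":{"resource":"pods","namespace":"dev"},"responseStatus":{"code":200}}
"""


def _status(ev):
    return ev.get("responseStatus", {}).get("code", 0)


def _pod_is_privileged(spec):
    """Host namespaces or a privileged container both give the pod node-level reach."""
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            return True
    return False


def evaluate(ev):
    """Return the (rule, summary) pairs that fire for one audit event."""
    alerts = []
    verb = ev.get("verb")
    user = ev.get("user", {}).get("username", "?")
    ref = ev.get("objectRef", {})
    req = ev.get("requestObject") or {}
    resource, name, ns = ref.get("resource"), ref.get("name"), ref.get("namespace", "-")
    src = ",".join(ev.get("sourceIPs", []))

    if user == "system:anonymous" and 200 <= _status(ev) < 300:
        alerts.append(("AnonymousAccessSucceeded", f"{verb} {resource}/{name} in {ns} from {src}"))
    if verb == "create" and resource == "clusterrolebindings" \
            and req.get("roleRef", {}).get("name") == "cluster-admin":
        alerts.append(("ClusterAdminBinding", f"{user} bound {req.get('subjects')} to cluster-admin via {name}"))
    if verb == "create" and resource == "pods" and ref.get("subresource") is None \
            and _pod_is_privileged(req.get("spec", {})):
        alerts.append(("PrivilegedPodCreated", f"{user} created privileged/host-namespace pod {ns}/{name}"))
    if verb == "create" and resource == "pods" and ref.get("subresource") == "exec":
        alerts.append(("PodExec", f"{user} exec'd into {ns}/{name} from {src}"))
    return alerts


def detect(log_text):
    """Run every rule over a newline-delimited audit log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        for rule, summary in evaluate(ev):
            findings.append({"rule": rule, "user": ev.get("user", {}).get("username"), "summary": summary})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(f"{hit['rule']:26} {hit['summary']}")
```

Two details carry most of the value: filtering on `stage` so a single request is not alerted on twice, and checking the response code on the anonymous rule, since an unauthenticated request that the RBAC layer rejected with 403 is noise while one that returned 200 means the cluster is misconfigured.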

Automated secrets detector

At re:Invent 2021, AWS unveiled a new automated secrets detector feature for its Amazon CodeGuru Reviewer tool.

The feature addresses the problem of developers inadvertently committing secrets to source code or configuration files, including passwords, API keys, SSH keys, and access tokens.

The new capability uses machine learning to detect hardcoded secrets during the code review process, "ultimately helping you to ensure that all new code doesn't contain hardcoded secrets before being merged and deployed," AWS wrote in a blog post.
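A baseline for the same problem without the machine learning, as an added Python example that is not CodeGuru's detector: fixed-format patterns for the credentials whose shape is known (AWS access key IDs, private key headers, GitHub tokens), plus a generic rule for secret-looking assignments that is gated on Shannon entropy and placeholder detection, so that a value read from the environment, a `${API_KEY}` template and the literal `"password"` are not reported. The sample file uses AWS's published example credentials, which are not live; the entropy threshold is an assumption.

```python
"""Hardcoded-secret scanner for source and configuration files.

Added example, not CodeGuru Reviewer's ML detector. Fixed-format rules fire
on shape alone; the generic assignment rule is filtered by entropy and by
placeholder heuristics to keep false positives down.
"""
import math
import re
from collections import Counter

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# A secret-ish identifier assigned a quoted literal of at least 8 characters.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|api[_-]?key|token)[a-z0-9_]*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.0                     # bits per character; assumption for this example
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_placeholder(value):
    return value.startswith(PLACEHOLDER_PREFIXES) or value.lower() in {"changeme", "example", "placeholder"}


def _finding(path, lineno, rule, value):
    # Never echo the full value back into review comments or logs.
    return {"path": path, "line": lineno, "rule": rule, "preview": value[:4] + "..."}


def scan(text, path="<input>"):
    """Return findings, in line order, for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(_finding(path, lineno, rule, m.group(0)))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(_finding(path, lineno, "generic_assignment", value))
    return findings


# Constructed sample file content. The two AWS values are AWS's documented
# example credentials (not live keys).
SAMPLE_SOURCE = '''import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]   # fine: read from the environment
api_key = "${API_KEY}"                    # fine: template placeholder
password = "password"                     # low entropy, not reported
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, "settings.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['preview']})")
```

A scanner like this belongs in a pre-commit hook or the pull-request check, where the finding can still block the merge; once a key has been pushed, the only remediation is rotation, because history keeps the value even after a later commit deletes it.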

Secure access to sensitive data

AWS announced new features for providing secure access to sensitive data in the AWS Lake Formation data lake service, with the introduction of row- and cell-level security capabilities.

AWS Lake Formation enables the collection and cataloging of data from databases and object storage, but it is up to users to determine the best way to secure access to different slices of that data.

To make that easier, row- and cell-level security capabilities for Lake Formation are now generally available, Selipsky said during his keynote at re:Invent.

To give users customized access to slices of data, customers have previously had to create and manage multiple copies of the data, keep all the copies in sync, and manage "complex" data pipelines, Selipsky said.

With the new updates, "now you can enforce access controls for individual rows and cells," Selipsky said.

For securing sales data, for instance, rather than creating separate tables for each sales team and country, "you just define a set of policies that provide access to specific rows for specific users—without having to duplicate data or build data pipelines," he said. "It puts the right data in the hands of the right people—and only the right people."
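What a row and cell filter does to a shared sales table, as an added Python example that is not Lake Formation's implementation: a filter carries a row expression plus either an explicit column list or "all columns except", `apply_filter()` evaluates it locally against constructed sales rows so the semantics are visible, and `to_request()` renders the same filter as the parameters for lakeformation:CreateDataCellsFilter as I understand that API (an assumption to confirm against the current API reference). The catalog ID, database and table names are placeholders, and the expression grammar supported here is deliberately small.

```python
"""Row- and cell-level filtering of a shared table by policy.

Added example, not Lake Formation's implementation. The filter shape
(row expression + column list or column wildcard with exclusions) follows
Lake Formation's data cells filter; the request layout in to_request() is
this example's reading of the API and should be checked against the
reference.
"""
import re
from dataclasses import dataclass
from typing import Optional

_COND = re.compile(r"^\s*(\w+)\s*(=|<>|!=)\s*'([^']*)'\s*$")


@dataclass(frozen=True)
class DataCellsFilter:
    name: str
    row_filter: str                          # "TRUE" keeps every row
    column_names: Optional[tuple] = None     # allowed columns, or None = wildcard
    excluded_columns: tuple = ()             # used only with the wildcard


def _compile_condition(text):
    if text.strip().upper() == "TRUE":
        return lambda row: True
    m = _COND.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    col, op, val = m.groups()
    if op == "=":
        return lambda row: str(row.get(col)) == val
    return lambda row: str(row.get(col)) != val


def compile_row_filter(expr):
    """TRUE, or string (in)equalities joined by AND/OR; no parentheses."""
    disjuncts = [
        [_compile_condition(c) for c in re.split(r"\s+AND\s+", d, flags=re.I)]
        for d in re.split(r"\s+OR\s+", expr, flags=re.I)
    ]
    return lambda row: any(all(c(row) for c in conj) for conj in disjuncts)


def apply_filter(rows, flt):
    """Rows the principal may see, restricted to the columns the filter allows."""
    keep = compile_row_filter(flt.row_filter)
    visible = []
    for row in rows:
        if not keep(row):
            continue
        if flt.column_names is not None:
            cols = [c for c in flt.column_names if c in row]
        else:
            cols = [c for c in row if c not in flt.excluded_columns]
        visible.append({c: row[c] for c in cols})
    return visible


def to_request(flt, catalog_id, database, table):
    """Parameters for CreateDataCellsFilter (layout is an assumption; verify)."""
    if flt.row_filter.strip().upper() == "TRUE":
        row_filter = {"AllRowsWildcard": {}}
    else:
        row_filter = {"FilterExpression": flt.row_filter}
    table_data = {"TableCatalogId": catalog_id, "DatabaseName": database,
                  "TableName": table, "Name": flt.name, "RowFilter": row_filter}
    if flt.column_names is not None:
        table_data["ColumnNames"] = list(flt.column_names)
    else:
        table_data["ColumnWildcard"] = {"ExcludedColumnNames": list(flt.excluded_columns)}
    return {"TableData": table_data}


# Constructed sample rows; no real customer data.
SALES = [
    {"order_id": 1, "country": "DE", "team": "emea", "customer_email": "a@example.com", "amount": 120},
    {"order_id": 2, "country": "US", "team": "amer", "customer_email": "b@example.com", "amount": 340},
    {"order_id": 3, "country": "FR", "team": "emea", "customer_email": "c@example.com", "amount": 99},
    {"order_id": 4, "country": "CA", "team": "amer", "customer_email": "d@example.com", "amount": 410},
]
# EMEA analysts: their team's rows, no customer identifiers.
EMEA_ANALYST = DataCellsFilter("emea-analyst", "team = 'emea'",
                               column_names=("order_id", "country", "amount"))
# German support: EMEA rows outside France, every column except the amount.
DE_SUPPORT = DataCellsFilter("de-support", "team = 'emea' AND country <> 'FR'",
                             excluded_columns=("amount",))

if __name__ == "__main__":
    print(apply_filter(SALES, EMEA_ANALYST))
    print(to_request(DE_SUPPORT, "123456789012", "sales_db", "orders"))
```

The same four rows serve both principals; nothing is copied, and changing what a group may see is an edit to its filter rather than a new pipeline.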

Amazon WorkSpaces Web

In terms of enabling secure end-user computing, AWS announced general availability of Amazon WorkSpaces Web, described as a "low cost, fully managed WorkSpace built specifically to facilitate secure, web-based workloads."

"WorkSpaces Web makes it easy for customers to safely provide their employees with access to internal websites and SaaS web applications without the administrative burden of appliances or specialized client software," AWS said in a blog post. "With Amazon WorkSpaces Web, corporate data never resides on remote devices. Web sites are rendered in an isolated container in AWS, and pixel streamed to the user. The isolated browsing session provides an effective barrier against attacks packaged in web content and prevents potentially compromised end-user devices from ever connecting with internal servers."

Additionally, "every session launches a fresh, always up to date, nonpersistent web browser. WorkSpaces Web supports enterprise controls that allow administrators to set browser policies (e.g., set default home page, bookmarks, enable/disable extensions, allow/deny list specific URLs, or any of Chrome's 300+ policies) and user settings (e.g. clipboard, file transfer, or local printer controls)," the blog says. "When the session is complete, the browser instance is terminated, ensuring sensitive corporate web content is never outside enterprise control."

S3 access management

AWS announced an update to its Simple Storage Service (S3) that aims to simplify access management for S3 data.

A new Amazon S3 Object Ownership setting lets users disable access control lists (ACLs), while the Amazon S3 console policy editor now "reports security warnings, errors, and suggestions powered by IAM Access Analyzer as you author your S3 policies," AWS said in a blog post.

The new Amazon S3 Object Ownership setting, called Bucket owner enforced, "lets you disable all of the ACLs associated with a bucket and the objects in it," the blog says. "When you apply this bucket-level setting, all of the objects in the bucket become owned by the AWS account that created the bucket, and ACLs are no longer used to grant access. Once applied, ownership changes automatically, and applications that write data to the bucket no longer need to specify any ACL. As a result, access to your data is based on policies. This simplifies access management for data stored in Amazon S3."
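Once ACLs are off, the bucket policy is the whole story, so it is worth linting mechanically before it is applied. The following Python is an added example, not IAM Access Analyzer: it flags Allow statements with a public principal and no condition, wildcard actions, and ACL-granting actions that do nothing once Bucket owner enforced is set, and `ownership_controls_request()` builds the parameters for s3:PutBucketOwnershipControls that turn the setting on. The bucket name, account ID and VPC endpoint ID in the sample policy are placeholders.

```python
"""Bucket policy linting for a bucket with ACLs disabled.

Added example, not IAM Access Analyzer. The checks are the ones that matter
most once BucketOwnerEnforced makes policy the only grant mechanism.
"""
import json


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two forms that mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_bucket_policy(policy):
    """Return (statement_index, finding, detail) for each risky Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue                                  # Deny statements only narrow access
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if is_public_principal(st.get("Principal")) and not st.get("Condition"):
            findings.append((i, "PublicPrincipalNoCondition",
                             "grants to everyone; add a Condition or restrict the Principal"))
        if actions & {"*", "s3:*"}:
            findings.append((i, "WildcardAction", "grants every S3 action; list the ones needed"))
        if actions & {"s3:putobjectacl", "s3:putbucketacl"}:
            findings.append((i, "AclAction",
                             "ACL actions are inert under BucketOwnerEnforced; remove them"))
    return findings


def ownership_controls_request(bucket):
    """Parameters for PutBucketOwnershipControls that disable ACLs on the bucket."""
    return {"Bucket": bucket,
            "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}


# Constructed sample policy; bucket, account ID and endpoint ID are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "AppWriter", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

if __name__ == "__main__":
    for idx, finding, detail in lint_bucket_policy(SAMPLE_POLICY):
        print(f"statement {idx} ({SAMPLE_POLICY['Statement'][idx]['Sid']}): {finding}: {detail}")
    print(json.dumps(ownership_controls_request("example-assets")))
```

Note what is not flagged: the `VpcOnlyRead` statement also names `Principal: "*"`, but its `aws:SourceVpce` condition confines it to one endpoint, and the `Deny` on `aws:SecureTransport` is the pattern you want rather than a finding.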

Automated application-layer DDoS mitigation

To help customers mitigate distributed denial-of-service (DDoS) attacks, AWS announced an update to AWS Shield, the company's managed DDoS protection service for applications that run on AWS.

The update brings automatic application-layer DDoS mitigation to AWS Shield Advanced, AWS said.

"This is a new set of capabilities included for all Shield Advanced customers that automatically mitigate malicious web traffic that threatens to impact application availability," the company said in a blog post. "This feature automatically creates, tests, and deploys AWS WAF rules to mitigate layer 7 DDoS events on behalf of customers."

Network address management and auditing

AWS announced network address management and auditing "at scale" with the Amazon Virtual Private Cloud (VPC) IP Address Manager (IPAM).

The new feature "provides network administrators with an automated IP management workflow. IPAM makes it easier for network administrators to organize, assign, monitor, and audit IP addresses in at-scale networks, lowering the management and monitoring burden and eliminating the manual processes that can lead to delays and unintended errors," AWS said in a blog post.

VPC Network Access Analyzer

AWS announced the launch of a new offering, the Amazon VPC Network Access Analyzer, that lets users identify configurations that might result in unintended access to the network.

"It will point out ways that you can improve your security posture while still letting you and your organization be agile and flexible," AWS said in a blog post. "In contrast to manual checking of network configurations, which is error-prone and hard to scale, this tool lets you analyze your AWS networks of any size and complexity."

IoT ExpressLink

In the realm of IoT, AWS announced the new IoT ExpressLink offering, "a simple, powerful solution that allows you to easily and quickly develop secure IoT devices," said Michael MacKenzie, general manager for AWS Industrial IoT and Edge, during a session at re:Invent.

"Modules that use AWS IoT ExpressLink make it faster and easier for developers of all skill levels to securely connect almost any device to the cloud and seamlessly integrate with over 200 AWS IoT services, including AWS IoT Core," AWS said in a blog post.

Modules with AWS IoT ExpressLink help overcome the typical challenges developers face when building IoT devices, including security challenges, AWS said.

"A typical IoT application adds 50,000 (or more) lines of new embedded C code to a project … The challenge is that this increase in code is difficult to manage and maintain while security vulnerabilities are concealed across hundreds of folders and files," AWS said. "AWS IoT ExpressLink helps developers with the complex and security-critical code by packaging it into a single hardware component."

IoT Greengrass secure management

IoT Greengrass is an AWS cloud service for the development, deployment, and management of IoT device software and applications. At re:Invent, AWS announced a new capability for secure management of IoT Greengrass devices via AWS Systems Manager (SSM).

"Managing vast fleets of varying systems and applications remotely can be a challenge for administrators of edge devices," AWS said in a blog post.

In response, the company has integrated IoT Greengrass and SSM "to simplify the management and maintenance of system software for edge devices," the post says. "When coupled with the AWS IoT Greengrass Client Software, edge device administrators now can remotely access and securely manage with the multitude of devices that they own – from OS patching to application deployments. Additionally, regularly scheduled operations that maintain edge compute systems can be automated, all without the need for creating additional custom processes."

Ultimately, for IT administrators, "this release gives a complete overview of all of their devices through a centralized interface, and a consistent set of tools and policies with the AWS Systems Manager," AWS said.
