AWS re:Invent Day 2 (Wednesday)

Before I get to Day 2, I realized that I completely forgot one of the highlights of yesterday. Daniel Nelson, our AVP of Product Management, was interviewed in theCUBE yesterday on the show floor. They talked about some of the challenges that customers are facing as they try to move fast yet strive to maintain security and control. As Daniel said, “you don’t want to move the same problems to the cloud and put them on roller skates.” You need guardrails that help steer your organization to the right, secure configurations and then help you keep them there, without creating burdensome requirements on developers. The interview should be posted on theCUBE’s AWS re:Invent website soon.  

Today started off with the keynote by the AWS CEO, Andy Jassy. It was live at the Venetian, but a few thousand of us watched it on simulcast from the MGM Grand Arena. The replay was not available at the time of writing this, but you should be able to find it soon here. First, I’m pretty amazed to see a CEO talk about technology for over two hours. Often, they cover the high points and then pass it off to their team for the details. Second, AWS is not playing it safe with their lead. They are aggressively introducing new services and attacking key competitors – Oracle by name, and Microsoft, IBM and Google implicitly. 

Andy started off by talking about the breadth of services that they offer, differentiating from other cloud providers by offering more choice and flexibility, at theoretically better prices. There were really too many new services announced for me to capture (some are in this list), but I’ll mention a few that caught my eye. 

- They announced several new instance sizes, including a new bare metal instance. While this might not seem like a huge thing to many, it’s been a differentiator that IBM SoftLayer has been pushing for years. I suspect that this will create major headaches for IBM going forward.

- Improvements to database services. Several were mentioned, including adding PostgreSQL on Aurora and a serverless Aurora option.

- New security services, including GuardDuty for managed threat detection and the ability to trigger Inspector from CloudTrail events or build it into CloudFormation so that AWS customers can trigger automated security assessments.

- There were several Artificial Intelligence / Machine Learning enhancements to make data, including voice and video, more easily ingested and analyzed. They also announced SageMaker, designed to make it easier to deploy machine learning models for everyday developers.

After the keynote I was fortunate to get into a nearly full session on the AWS state of security. Steve Schmidt, the AWS CISO, was the main speaker, and he talked about the AWS approach to security, including some of their core principles. He said that there have been over 1000 new features or services added to AWS in the past year and about half of them relate to security. That demonstrates the focus that Amazon is applying to this issue. I’ll restate some of the more salient principles here:

- Get buy-in from leadership. To this end, Andy Jassy meets with the team to talk about security one hour per week.

- Radically restrict and monitor human access to data. Steve said leaders need to challenge their teams to reduce human access to data by significant amounts, say 80%, to have a real effect on behavior. And to reduce access this dramatically, you need to automate.

- Patching. Don’t do it. Fix the image, kill the AMI and redeploy.

- Credential blast radius reduction. Use IAM to limit where bad actors can go.

- Reduce the lifespan of credentials.

- Canaries and invariants for security functionality. You need both positive and negative canaries to ensure that it’s doing what it should and not doing what it shouldn’t.

This feels a little abrupt, but I need to go run to a reception at the BMC booth. If you get a chance, stop by for a demo of SecOps Policy Service or SecOps Response Service.

John Thomas

Here to connect brands with customers | Go-To-Market Engineer

2y

Shawn, 100 percent!

Roger Hellman MBA, BS, BA

Security and Automation Marketing | Adept at transforming technical information into benefits and business value

7y

Thanks Shawn, great summary!

Vinnie Lima

Entrepreneur in Digital and Enterprise innovation

7y

Living vicariously thru you :) enjoy!

Anthony (Tony) Huang

Office of the CIO, CSO & CDO | Lead Investor & Board Member of EventsBoost.ai (AI Component of the TechExecs Network)

7y

Great Recap!
