CISO Insight: Every AWS Service Is a Security Service
Amazon Web Services customers have many services to contemplate, and perhaps integrate into their cloud footprint, irrespective of where they are in their cloud journey. The relentless pace of innovation continues to be one of the main attractions for customers with AWS as their cloud provider; knowing that new services and features are always coming, customers feel confident that many (if not all) of their organization’s needs can be fulfilled by one or more AWS products. Customer CISOs (or their respective teams) may want to take the time to ensure that they are well versed with all AWS services because there may be a security, risk, or compliance objective that can be met, even if a service doesn’t fall into the “Security, Identity, and Compliance” category.
As one might imagine, when I meet with customer CISOs, the topic quickly turns to AWS’s security services. “How many are there?” “How does a particular AWS security service help me meet a certain security, risk, or compliance objective?” and “How do I integrate an AWS security service into my existing portfolio of security tools?” are just a sampling of common questions. In these conversations, I encourage CISOs to think broader and focus on security outcomes rather than security “check the box” exercises, like making sure you have a firewall. Those conversations get very interesting when I propose that with some open-mindedness and creativity, most AWS services (perhaps not Amazon Lumberyard, but maybe I’m not creative enough) can be used to achieve security, risk, or compliance outcomes.
This approach is contrary to the security industry’s barrage of FUD messaging over the years, where only their expensive, proprietary point solution can possibly protect a customer from faceless, hoodie-wearing bad actors wishing to do them harm. Just as other parts of the customer’s business are reinventing the way they look at services and build solutions (e.g., using purpose-built databases vs. an attempt at a catchall solution), security organizations can use their cloud adoption as an opportunity to do things differently as well.
As of this blog post’s writing, AWS has over 175 services for customers to use. If we look at the ones identified as Security, Identity, and Compliance services, the count is 25. Some of the no-brainers are here, and they are absolutely fundamental to securing one’s cloud workloads: AWS Identity & Access Management (IAM), AWS Security Hub, Amazon GuardDuty, and Amazon Inspector, to name a few.
So a CISO has 25 services to work with to secure their environments. Seems fair enough, right? Well, not so fast. I would argue that virtually every service within the AWS cloud either enables a security outcome by itself, or can be used (alone or in conjunction with one or more services) by customers to achieve a security, risk, or compliance objective.
A few examples of nonsecurity services that deliver security outcomes:
Amazon WorkSpaces—Desktop as a service. CISOs love Amazon WorkSpaces, because it gives them the flexibility to deploy fully featured desktop computing environments globally, in minutes. Data can be encrypted in transit and at rest; anti-tamper features (e.g., no USB device usage, no copy/paste in or out of the workspace) can be used to protect company data; and of course, WorkSpaces supports native integration with best-practice identity (e.g., MFA), detection (e.g., CloudWatch, CloudTrail), and encryption products (e.g., KMS), as well as other security best practices. Some customers have used Amazon WorkSpaces to help comply with regulatory or other compliance obligations such as HIPAA, PCI, and SOC 1/2/3.
AWS Systems Manager—Infrastructure visibility and control. Some of the most foundational best practices in security are covered via the proper implementation of AWS Systems Manager. Whether it’s used for patching, inventory management, configuration management, or compliance management, this service helps CISOs meet or exceed their security bar and helps meet many compliance and regulatory objectives. AWS Systems Manager can also eliminate the unnecessary risk of maintaining a bastion host or opening up SSH/RDP protocols for server/systems administration. An included feature called Session Manager does away with the need for any of those things, resulting in an elevated security posture.
AWS Lambda—Serverless computing. What’s the most secure server? No server. Unfortunately, no server may also mean no business and no paycheck, so we need to compromise a bit. What if we had a service that allowed code to run in a hardened environment, only long enough to fulfill the business need and then shut off until that function was needed again? Adversaries can’t attack what’s not there, and when it is there, it’s not there for long. But wait, there’s more! CISOs and their teams have used AWS Lambda as part of their automation workflows to either alert on or remediate “bad” activity automatically!
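The alert-or-remediate automation described above, as an added example that is not code from the original post or from AWS: a Lambda handler that receives an Amazon EventBridge event carrying a GuardDuty finding, alerts on low-severity findings, and quarantines the affected EC2 instance on high-severity ones by swapping its security group. The severity threshold, the quarantine security group id, the in-memory EC2 client and the sample event are all constructed assumptions so the code runs offline; in a real deployment the handler would use a boto3 EC2 client and the values would come from the function's environment variables.

```python
"""Added example (not from the original post): event-driven alert/remediate
logic for a Lambda function subscribed to GuardDuty findings via EventBridge.
REMEDIATE_SEVERITY and QUARANTINE_SG_ID are assumed configuration values."""
import json
import os
from typing import Any, Dict, List, Optional

# Assumed operating thresholds. GuardDuty severities are numeric; findings at or
# above this value are isolated automatically, everything else is only alerted on.
REMEDIATE_SEVERITY = float(os.environ.get("REMEDIATE_SEVERITY", "7.0"))
# Placeholder id for a security group with no inbound or outbound rules.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-quarantine-placeholder")


class RecordingEc2Client:
    """Constructed in-memory stand-in for boto3's EC2 client so the handler can
    run offline. It records each call instead of talking to AWS."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def modify_instance_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def extract_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields the decision needs out of the EventBridge event. The
    'detail' object is the GuardDuty finding; instanceDetails is only present
    when the affected resource is an EC2 instance."""
    detail = event["detail"]
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {
        "id": detail["id"],
        "type": detail["type"],
        "severity": float(detail["severity"]),
        "account": detail.get("accountId"),
        "instance_id": instance.get("instanceId"),
    }


def decide(finding: Dict[str, Any]) -> str:
    """Return 'quarantine' or 'alert'. Findings without an instance (for example
    IAM credential findings) cannot be isolated this way and are alerted on."""
    if finding["instance_id"] is None:
        return "alert"
    if finding["severity"] >= REMEDIATE_SEVERITY:
        return "quarantine"
    return "alert"


def quarantine_instance(ec2: Any, instance_id: str) -> None:
    """Replace the instance's security groups with the quarantine group, which
    cuts network access while preserving the instance for forensics."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG_ID])


def handler(event: Dict[str, Any], context: Any = None, ec2: Optional[Any] = None) -> Dict[str, Any]:
    """Lambda entry point. 'ec2' is injectable for testing; when omitted a real
    boto3 client is created (only needed when deployed in AWS)."""
    if ec2 is None:
        import boto3  # assumed available in the Lambda runtime

        ec2 = boto3.client("ec2")
    finding = extract_finding(event)
    action = decide(finding)
    if action == "quarantine":
        quarantine_instance(ec2, finding["instance_id"])
    # Structured log line that CloudWatch Logs can be searched or alarmed on.
    print(json.dumps({"finding_id": finding["id"], "type": finding["type"], "action": action}))
    return {"finding_id": finding["id"], "action": action}


def sample_event(severity: float, instance_id: Optional[str] = "i-0123456789abcdef0") -> Dict[str, Any]:
    """Constructed EventBridge event in the shape of a GuardDuty finding."""
    resource: Dict[str, Any] = {"resourceType": "Instance"}
    if instance_id is not None:
        resource["instanceDetails"] = {"instanceId": instance_id}
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "id": "finding-constructed-0001",
            "accountId": "111111111111",
            "type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "severity": severity,
            "resource": resource,
        },
    }


if __name__ == "__main__":
    fake_ec2 = RecordingEc2Client()
    print(handler(sample_event(8.0), ec2=fake_ec2))
    print("EC2 calls made:", fake_ec2.calls)
```

The decision logic is kept separate from the AWS call so it can be unit tested without credentials, and the quarantine action changes only the instance's security groups rather than stopping or terminating it, so evidence on the instance survives for the incident responders the alert reaches.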
Let’s look at a real-life example with AWS customer Goldman Sachs. In their effort to focus on least privilege, just-in-time access for administrative activities, and a supporting audit trail, they looked to AWS for a corresponding service that did just that. Unfortunately, there wasn’t a service that did all those things in one neat package. Instead of looking for a third-party solution, two innovative security engineers decided to tackle the problem themselves. By combining a couple of security services along with several nonsecurity services like Amazon DynamoDB, AWS Lambda, Amazon Athena, and others, engineers Chana Garbow Pardes and Jewel Brown built their own solution to solve the problem. Not only did they solve this specific problem for Goldman Sachs, but they also demonstrated to their peers what’s possible when you think creatively with the tools that you have. I encourage you to view their talk on this subject from re:Invent 2020 here.
As modern-day CISOs transform from technical security-focused experts to business-focused risk assessors/advisors, understanding all the tools available and their potential use cases will help them select or build the solutions they need to support their organization’s objectives. There is often a security, risk, or compliance use case for AWS services other than those listed specifically as “security” services. Hopefully, this will encourage CISOs to think more broadly about what is possible across their enterprise as their organizations adopt more workloads in the AWS cloud. I encourage CISOs to work with their infrastructure and development peers to understand which services they are adopting and to see whether there’s a security, risk, or compliance objective that can be met by using those services.
Other resources that readers may find helpful: