The recent AWS re:Invent conference in Las Vegas saw the release of several new AWS services for security. Some of these announcements such as AWS Web Application Firewall and AWS Inspector seemed to take many in the security press and blogosphere by surprise.
Cloud-native security companies like Evident.io, however, weren’t surprised by these announcements. In fact, AWS has been actively partnering with its security ecosystem to create opportunities for partners to innovate on top of these new base services.
Both incumbent and emerging partners need to remember that a platform is not a product, it is a constantly growing and evolving entity that will continue to adapt as the cloud ecosystem continues to change.
If you want eternal stability, consider investing in a pet rock. If you want to be part of continuously improved technology ecosystems, then strap in because AWS is the rocket ship of platforms in this space.
AWS, whatever it chooses to innovate on, will inevitably encroach on value positions held by its own ecosystem partners. However, this is the best possible situation for customers of the platform.
Customers win out because they receive constant technology innovation and improvement as part of their platform experience, which is something that was never present in the datacenter ecosystem.
Let me add some color on what these services mean for the ecosystem:
AWS Web Application Firewall (WAF)
AWS WAF enables customers to create filtering rules that whitelist or blacklist application requests coming inbound from the internet towards a customer’s deployed CloudFront CDN resources.
For example, a customer could write a WAF Rule that filters requests to their web application based on source IP address matching or pattern-matches against the request string.
If I were running an e-commerce store that only sold products to the US, I would ensure that my WAF rules blocked requests from IP address ranges in China, Syria, Sudan, North Korea, and other embargoed countries (which are also huge sources of malicious traffic).
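As an added illustration (not code from this post or from Evident.io), here is a CloudFormation template for the blacklist pattern just described: one rule blocks source IP ranges, a second pattern-matches the request URI, and a web ACL with a default ALLOW ties them together. The resource names, the placeholder CIDRs and the URI pattern are assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example of a WAF Classic web ACL for a CloudFront storefront
Resources:
  # Source ranges to block. These CIDRs are constructed placeholders
  # (RFC 5737 test networks), not real threat intelligence.
  BlockedIPSet:
    Type: AWS::WAF::IPSet
    Properties:
      Name: blocked-source-ranges
      IPSetDescriptors:
        - {Type: IPV4, Value: 192.0.2.0/24}
        - {Type: IPV4, Value: 198.51.100.0/24}
  # Pattern match on the request URI: a request for a source-control
  # directory is never legitimate on a storefront, so it can be blocked.
  SourceControlPathSet:
    Type: AWS::WAF::ByteMatchSet
    Properties:
      Name: source-control-path
      ByteMatchTuples:
        - FieldToMatch: {Type: URI}
          TargetString: /.git/
          TextTransformation: URL_DECODE
          PositionalConstraint: CONTAINS
  BlockedIPRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: block-listed-ranges
      MetricName: BlockListedRanges
      Predicates:
        - {DataId: !Ref BlockedIPSet, Negated: false, Type: IPMatch}
  SourceControlPathRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: block-source-control-path
      MetricName: BlockSourceControlPath
      Predicates:
        - {DataId: !Ref SourceControlPathSet, Negated: false, Type: ByteMatch}
  # Blacklist model: default ALLOW; a matching rule BLOCKs; lower priority
  # numbers are evaluated first.
  StorefrontWebACL:
    Type: AWS::WAF::WebACL
    Properties:
      Name: storefront-acl
      MetricName: StorefrontACL
      DefaultAction: {Type: ALLOW}
      Rules:
        - {Action: {Type: BLOCK}, Priority: 1, RuleId: !Ref BlockedIPRule}
        - {Action: {Type: BLOCK}, Priority: 2, RuleId: !Ref SourceControlPathRule}
```

The stack must be created in us-east-1 because these WAF resources are global, and the web ACL is attached to a distribution by setting `WebACLId` in the distribution’s `DistributionConfig`.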
While this appears to be a direct attack on some cloud security providers, it really creates a new market path and opportunity for them to deliver their WAF intelligence to the customer.
Let’s be honest — there’s nothing differentiating about building a big x86 appliance and having it run the rules intelligence for your infrastructure.
AWS has removed that barrier of virtualizing the appliance and created a direct path for these companies to deploy their core value proposition — curated and powerful rulesets that protect customers from historical, existing, and future attacks.
Expect to see branded rulesets available through some kind of marketplace or other delivery mechanism here, as that is what customers need.
AWS Inspector
Inspector, in our eyes, was the most important announcement in recent AWS history. We’ve finally seen the true convergence of cloud-based security begin to emerge: continuous, API-driven security intelligence built directly into the platform’s diverse feature set.
With the advent of Inspector, security providers can directly interface to the hosts and applications to provide deep, thorough security visibility for customers without deploying additional third-party agents.
Let’s face it, customers were already overburdened with agents before they ever got to their security stack, and the value delivered by security agents has been questionable at best in cloud environments.
Expect security platforms to integrate singular-views of workload-wide security intelligence in order to provide customers a complete picture of their security posture, risk profile, and attack surface.
Config Rules
Config Rules was, perhaps, the least exciting of the AWS announcements in the security space. Unfortunately, the limitations of the underlying Config service are still apparent a year after its initial launch.
Config Rules is no exception: the interesting capability it offers, letting customers define custom rules that identify which changes affect security in their environment, is hampered by limited service coverage, a cost model that is too unpredictable for small customers, and minimal security value beyond the “ping” that happens when a rule fires.
These challenges are compounded by the barrier to entry of writing well-structured, carefully considered security rules for the broad audience of non-security experts who will be writing them, which delivers an almost false sense of protection.
Contrasted with CloudTrail, which gives valuable audit information that makes sense at an operational level, Config Rules assumes the customer already has strong security experience and operational knowledge to leverage the service.
But some customers in every user base are satisfied with what we call “good enough” security in the industry, which defines a scope of offerings that barely make the cut to be called security technology.
The platforms and vendors slinging “good enough” security tend to be at the international buffet, where you get a below-average pizza, a mediocre taco salad, and a poor hamburger.
Nothing you get leaves you with a feeling of being satisfied, because not enough effort was put into the final product to actually change the way you think about the experience.
But mature, focused products will always deliver a superior customer experience, and in security that should never be considered optional.
A vendor who divides their attention between cost management, security, optimization, etc. will never provide the same quality or attention to protecting your infrastructure as a focused innovator in the space can offer.
Users can expect a lag before Config supports newly launched AWS services, meaning that your security controls are dependent on Config’s roadmap.
But security-savvy customers are not keen on waiting for security to grow up around them – they need it now, they need it on 100% of their cloud infrastructure, and they need it to be actionable.
This is why many will continue to choose the leaders in each security layer over the basic security features tied into the platform itself.
Expect Config Rules to grow over time – but if Config is any indicator, it will be a long time before Config Rules provides real value for customers on the platform.
The real value here is that innovators in the security space will continue to fill the gaps left by services in the platform and innovate customer value atop the technology that does make the cut.
Wrap-Up
Well, that was a journey – and we only covered three services! AWS re:Invent 2015 was a whirlwind of sessions, 19k participants, and awesome discussions on every topic under the sun.
It’s hard to believe we have to wait another year to see this massive gathering happen again, but that leaves a lot of time for innovation, new customer success stories, and to sort through the giant piles of swag that everyone picked up in that madhouse of an expo hall.
Author: Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.