Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.
Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.
AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.
Gathering Threat Telemetry
First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.
Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explains to Dark Reading how the data is normalized. “For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member’s example logs,” he says. “In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations.”
“Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams,” Moses said. “More and more security can be thought of as a data science problem.”
AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, calls Amazon Security Lake the most significant new security offering announced at last week’s conference.
“Security Lake is obviously notable as it addresses some of the security ‘undifferentiated heavy lifting’ that AWS likes to address,” Montenegro says. “It’s still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments.”
Verified Permissions for Developers
A preview of Amazon Verified Permissions is now available, which Moses described as a scalable fine-grained permissions management and authorization service for custom applications. “It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions,” he explained.
Amazon Verified Permissions gives application administrators “a comprehensive audit capability that scales millions of policies using automated reasoning,” Moses added. “Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions.”
Remote Access Without a VPN
Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.
AWS noted that Verified Access validates each application request, regardless of user or network, before granting access.
Omdia’s Montenegro says, “AWS Verified Access should help with the burden of accessing AWS resources in a ‘zero trust’ manner.”
External Key Store (XKS) for AWS KMS
Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes “as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud.”
Previously, customers have had to choose between “the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn’t have to make this choice,” AWS senior VP Matt Garman explained in a blog post.
Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.
“Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so,” he said. “XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys.”
A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer’s hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.