AWS will hold its first dedicated cybersecurity conference this month, and the show’s session catalog provides clues into the company’s plans for security now and in the future.
About 8,000 people are expected to attend AWS re:Inforce in Boston on June 25 to 26, AWS said. That number would make re:Inforce larger than the first AWS re:Invent show. It also underscores the demand for information about cloud security challenges across the full spectrum of AWS’ services — particularly given AWS’ torrid rate of feature releases — and how the company plans to plug holes in its cloud security strategy.
One notable session will discuss how to use graph databases in conjunction with cloud security audits, a scenario in which AWS finds itself playing catch-up.
“Graph databases are becoming the new hotness for incident response,” said Scott Piper, an AWS security consultant at Summit Route in Salt Lake City who plans to attend re:Inforce.
Google has been busy in this area, as well, with an open source project called BadWolf. Microsoft also hosted a special focus on the use of graphs in security at last year’s BlueHat conference, Piper added. “Amazon has been behind in doing anything interesting here,” he said.
Piper also pointed to a session on Amazon Cognito, the company’s user authentication service. Security researcher Andres Riancho is set to deliver a talk at Black Hat in August about configuration weaknesses in Cognito’s design, and Piper said he wants to hear AWS’ side of the story.
Another AWS re:Inforce session will discuss the use of AWS Control Tower, its follow-on to AWS Landing Zone to govern multi-account AWS environments.
“Landing Zone was a mess,” Piper said. “The purpose was to set a baseline of security for new accounts and make new account creation easier, but the setup was a monster … Hopefully Control Tower will be better, but we’ll see.”
Other re:Inforce sessions include a look at how AWS has used and will evolve its automated reasoning capabilities, which generate mathematical proofs that show services such as S3 and Macie are properly secured.
Another, titled “Cryptography in the Next Cycle,” will discuss how AWS uses techniques such as post-quantum cryptography to avert the potential for quantum computers to someday break common encryption schemes.
AWS re:Inforce’s broad agenda reflects cloud security challenges
Aditya JoshiExecutive vice president of products, Threat Stack
Rob Fry, CTO of security information and event management vendor Jask in Austin, Texas, also plans to attend. He has worked closely with AWS for 10 years, both at Jask and in his former role as a senior security architect for Netflix, where he was involved with the streaming service’s move over to AWS. He said he expects re:Inforce also will present a needed high-level picture of modern security practices for companies on the move into the cloud.
“Just because you do your due diligence and GRC [governance, risk and compliance] and find out that several public clouds are secure, the operational usage of [them] is not,” he said.
Attendees will get advice on how to run cloud operations securely from one of AWS’ higher-profile customers in banking, which, like other highly regulated industries, faces a tougher path to the cloud. Michael Johnson, chief information security officer of Capital One, is set to keynote. Capital One has spent the past few years moving the bulk of its data center operations to AWS.
“Think of the maturity [growth in cloud services] that’s happened over the past 10 years,” Fry said. “These entities that are protecting your dollars or the USA are going to the public cloud.”
Thematically, the event should speak to a broader audience than security professionals, said Aditya Joshi, executive vice president of products at Boston-based cloud security platform vendor Threat Stack.
“Security cannot be an isolated, separate thing within a company,” said Joshi, who also plans to attend the event. “It’s great to have a security conference, but security is a mindset or culture within anyone who’s developing software.”