AWS re:Invent 2019: Leadership session: AWS security (SEC201-L)

Captions
Good afternoon, everybody, and welcome back from lunch. Hopefully this is going to be a little discussion about security in AWS. It's a continuation of some of the conversations we've had over the last few years. We're going to talk a little bit more in depth about some of the things that Andy announced in his keynote. We're also going to start talking more about some new services that we've launched or are launching today, and these are all about empowering you to take advantage of the skill of our engineering teams.

When you look at what we do, a lot of what AWS focuses on is the democratization of security, and this is something I'm particularly proud of, because I say this routinely and I think it's still true: the biggest constrained resource that any of us have is skilled security engineers. There are simply not enough humans in the world who have the right skills to do the work that we have to do. We have that problem at AWS. Hiring people is hard. I hire hundreds and hundreds and hundreds of people a year, and we still can't keep up with the pace of our own business, and our customers say the same thing. Now of course there are ways to manage that through automation, etc., and we'll talk a little bit more about that, but one of the things that I value quite a bit, then, is taking the knowledge, the learning, the expertise that we have and finding ways to distill it down into services that we can then vend to you, so that you don't have to do that work yourself or use those skills within your own organization.

If you've seen anything I've talked about before, you know I love quotes. I think that they set the right tone for things; they get people thinking about stuff, and this one's particularly interesting. Abigail Adams, if you don't know, was the wife of John Adams, the president, but more importantly she was his most trusted adviser, and I think that the point here is that we have to continue learning intentionally throughout our business, and that means security is never done. There is always a new threat, there's always a new vector for bad guys, there's always new opportunity for us to improve, and it's something that we have to be constantly focused on: do we have a mechanism in place that allows us to keep up with the changes in the business, the changes in the landscape?

One of the things that's really interesting about AWS, and focuses a lot of our energy and our effort of course, is scale. Now, the scale of the cloud is of benefit, obviously, financially for you; organizationally it can help support your business; but it also is immensely helpful in the security space. Many people are used to focusing on security issues that appear in their business or in their vertical, but since we have an incredibly broad swath of customers, we see things before most of the rest of the internet can. When we see those things, we build that information, that knowledge, those signatures, the behavioral profiles into the services that we vend, so that every single one of our customers can take advantage of them. Not just the biggest customers, like Goldman Sachs, who was on the stage with Andy today, but literally the university student who's using the free tier gets exactly the same security services that the big guys do, and I think that's really empowering, especially for small businesses where you don't have the expertise to build a lot of that stuff yourself.

So we talked about advantages of scale. Just to give you some interesting numbers there: 1 quadrillion observations per month in CloudWatch. That's 1,000 trillion. That power gives you an incredible statistical view on what's going on on the Internet, and by carefully examining that, understanding what happens, we can build models for certain kinds of behavior that we can then alert our customers to, things that are interesting. There are 230 services that we have that have security, compliance, governance features as part of them. These are pieces that we didn't have before, that we've added in the recent past, but most importantly it says that we've got this incredible effort to continually up the bar in the security space. All of our services support server-side encryption. I think encryption is a fundamentally important part of any business operation. I am happiest when our staff have no access to your data, period. The best way that can be accomplished, of course, is by encrypting the data and making sure you control the keys. Now of course that's a complex process sometimes, which is why we give you the option of using everything from server-side encryption, where we manage the process and the keys for you, all the way up to services like our Key Management Service, where an HSM manages the keys and you get to decide who uses those keys; we don't do it for you on your behalf.

Now of course, in order to use services for actual workloads, you have to ensure you're compliant with regulatory restrictions. Many of our customers have to be compliant with GDPR. We're really proud of the fact that we've been GDPR compliant from the day that that particular regulation was announced, and that a hundred percent of our services are GDPR ready, which means you can use them for anything that requires access to PII, control of PII, etc.

Now, talking about designed at scale: GuardDuty is one of the services that my team vends. In fact, the services that are on the screen here are all representative work that is fundamentally in my team or adjacent teams that is focused on the security of your workloads, your networks, or your data. GuardDuty is analyzing hundreds of millions of events across the internet every single day to determine where a threat might be evolving, and when it sees something, it raises alerts to you. The biggest beauty of GuardDuty, of course, is the fact that it is incredibly difficult to enable. No, it's not: it is literally one checkbox. And if you're not using an intrusion detection system, you should be. Try GuardDuty, turn it on, there's a free trial period. It is probably the most effective way to reduce the amount of noise that you've got coming in the front end and understanding where your actual risks and vulnerabilities lie.

Inspector is our service that helps you understand the security posture of your systems themselves, and again, back to democratizing security: Inspector was built to meet the requirements of large financial institutions and governments, etc., but anybody who uses it gets that same access to knowledge and capability about how to properly configure virtual machines and operate them and look for vulnerabilities on them. And you usually want services that deliver far more than you need. If you've been in the retail space, by the way, you've probably heard Jeff Bezos say no customer has ever said "I want a worse selection" or "I want to pay more for my stuff" or "I want slower delivery." Those just simply aren't realities, and the same thing is true in security. There are a lot of features and capabilities of security services that you may not need initially, but as your business grows, as your workloads evolve, you may need to be able to evolve into those spaces as well, so planning in advance to begin layering on those services makes a lot of sense in many circumstances. If you're using a web application firewall, for example, like AWS WAF, you really want the one that's got the experience that comes with running a massive portion of the Internet. Similarly, Shield, which is our DDoS platform, has seen it all, so you get the advantage of all of those different types of workloads and all of the threats that are associated with them when you use those services.

Scale is also something geographic. When you think about security, everybody thinks immediately about confidentiality of information, but security also should include availability and durability of information, in addition to compliance with regulations or similar laws. One of the reasons we have regions around the world is obviously durability and availability, but it's also because we recognize that there are jurisdictions around the world who would like the data that they're responsible for located within their borders. So when we build regions, one of the contractual guarantees we give you is that your data stays in that region unless you give us instructions otherwise, and that's really powerful. This is not a "we're going to move it around the world transparently to you and try and, you know, balance it, blah blah blah." This is about: you say "I want to put my data in," it's going to go in Germany, and it's going to stay in Germany unless you decide to move it somewhere else or tell us to move it somewhere else. We've got 69 availability zones, which are the equivalent of data centers, of course, around the world in 22 geographic regions. We've announced 13 more availability zones and four more regions: Cape Town, Jakarta, Spain, and Milan. And connecting all of it is a rather cool network of about 2.6 million miles of network pipes, which gives us the ability to move customer data between our facilities, when we are instructed to do so, across our own network.

Now, we're going to talk about security at scale. We talked about security basics. I want to draw your attention to this slide. I know re:Invent attendees love to take pictures of slides; this one I would encourage you to do so. This is one of those circumstances where if six people take a look at this and say "hmm, I need to do something differently in my own organization," I've succeeded in my talk today, because I really want people to focus on those elements that I think give them the biggest bang for the buck and also represent the areas where people stub their toe the most in the security space. All of these things are little individual components, but they add up to big value. Let's talk about them a little bit.

Accurate account info. Do you know that we identify threats across the internet and proactively inform our customers when we identify that their resources may be vulnerable to a particular attack that we're seeing accelerating? We do that all the time, but it only works when we can actually contact the customer. The email address that you have on your account: is it current? Is it monitored by a human or a system that automatically notifies you? And there's something interesting there: if your email address isn't current, we can't talk to you. Really, give us that opportunity, please.

Multi-factor authentication. That's not a surprise to anybody. MFA is a thing; you should be using it, especially for the root account that you have in AWS. It's trivially easy to set up, it's something that's extremely important, and it completely blocks whole swaths of attacks against your resources. So please take a look and intentionally decide yes or no on MFA.

Secrets. Usernames, passwords, keys do not belong in code. Ask your developers, the people you're working with: where do they store their secrets? How do they store them? How do they rotate them? Who has access to them? If they say "oh, it's in the git repository," no, no, don't do that. We give you a lot of ways to handle that, whether you're using Secrets Manager, whether they're using our SDKs, etc., but please don't put secrets in code.

Limiting security groups. This is basic security stuff. This is making sure the firewall rules associated with your virtual machines or with your VPCs are constrained to the ports and individual addresses or address blocks that are necessary for your business to function. You may be serving the entire Internet, so having port 443 open to the whole world may be appropriate. That's awesome, but make that decision intentionally. If you're configuring security groups, you know that we start off closed and then you have to make a decision to open them up. Sometimes developers get lazy and they say "well, it's just easy to debug if I just open it up to 0.0.0.0/0. Oh goodness, oh, no one will find me, the Internet's a big place." Sure, right. No. Make sure people are locking things down to where they should be.

Intentional data policies. Note that I use the phrase "intentional" here. A lot of people focus on data process limitations or data access limitations and say things like "well, you can't put that data here." Are you really helping your software development engineers if you do that? You may think that you're actually doing a good thing, but you're probably doing something bad. You shouldn't be saying "don't do this"; instead you should be saying "do this instead." So policies that read "don't store PII in insecure places" are useless. A policy that says "if you want to store PII, it must be stored in this particular service, using these credentials, with this access, this logging, etc." Then the development engineer knows what to do. They've got a guide; they can make a good decision.

Centralized logging. Well, first of all, do you have logging turned on? It is extremely hard to recreate logs that have been sent to /dev/null. In fact, if you figure that one out, let me know; I'll build a service around it. But in all seriousness, there is no excuse not to log. No excuse. When you look at the price of things like Glacier Deep Freeze, where it is hundredths of a cent per gig, it is ridiculously inexpensive to store logs. Logs are fantastically compressible objects. We generate something like 22 petabytes of logs a day, and you know what our retention period is? The default is 10 years, because I guarantee you I'm going to have to go back and look at something sometime, and if I don't have the logs, I can't do my job. So think intentionally about: are you keeping the logs that you should be keeping? Do you have the right retention policies? Do you have the right storage migration policies in place so you can save yourself money? You know, putting logs you need immediately in S3 makes sense; leaving them there forever, no. Put them in a lower tier of storage so you save yourself some bucks.

Validating IAM roles. Are you using roles? Who has permissions for what? What can they do with them? There's no one-size-fits-all here, and by the way, anything that starts off with "service:*", ask yourself questions: is that the right thing? Chances are it's probably not. So scope the roles to the narrowest possible portion that's appropriate for your particular job, and we'll talk in a little bit more detail about some tools that we have that can help you understand that better.

Take action on GuardDuty findings. Alarm systems are awesome. Alarm systems that are monitored are better. Alarm systems where people actually go do something when the alarm fires are the best. GuardDuty is not about making noise and blinking lights, etc.; it's about triggering you to say "I have to go do something." Whether you do that thing manually or whether you use one of the partner integrations that we have, take action on those findings.

Rotating keys. Keys that sit around get old and moldy. Keys that sit around are a vulnerability waiting to be exploited. Rotate your keys. They should be programmatically rotated, whether using tokens that we vend, whether you're using Secrets Manager, or whether you're using something you roll yourselves; make sure that you're rotating your keys regularly. The other thing that that's really helpful for is avoiding outages when things expire. Quite often, we learned the hard way at Amazon, for example, that certificate rotation is a difficult problem, and we had outages in the past because of it, which is why we built Certificate Manager the way we have, where you can auto-rotate certificates. So take advantage of the tools that give you the ability to rotate things quickly. As a security practitioner, one of the things I love doing to service teams is saying "okay, rotate your creds right now," and they get this panicked look and they're like "I don't even know where they are," and you're like "okay, that's a problem. We're going to go dig into this, we're going to make sure," because you should be able to rotate your credentials regularly.

The last one is bolded. It's tough to see on the way that the presentation shows up on the board here, but it's being involved in the development cycle itself. The dev cycle is an interesting place, and it's an area where a security team can either be of extreme benefit or extreme hindrance to services. Software development engineers don't want to build garbage software; they want to build good stuff. When you approach them and say "hey, we're going to try and improve the security of this by digging into how you did this and see if we can help you do better," etc., you're going to get one reaction. If you walk in the door and say "whoo, that is some ugly code, why'd you write it?" it's going to be a different response. And you laugh, because it's intentional that I'm giving you sort of a joking view on this, but the reality is that a lot of engineers are averse to talking to the security teams because they view them as adversaries. Be involved in the security lifecycle of the products. Be involved in the development process of the products, making sure that you understand how something is, all the way from being written to being deployed on systems. I guarantee you'll find interesting places that you can go look to see where you can do better as an organization.

I love automation. One of my constant talks is about "get the humans away from the data." Humans do not belong in contact with data. The primary reason is humans make mistakes. Mistakes take the form of a typographical error that causes an outage; they make the mistake of clicking on an email that they really shouldn't, no matter how much training we give them; and they make mistakes of having a bad day and intentionally doing something sometimes. So keeping the people away from data is super important, but you can take that down a level and actually focus on discrete automation tasks that I think will really change the way your security teams operate.

Ticketing automation seems pretty straightforward. Ticketing automation is an important thing in many worlds, but usually we focus on creating the tickets automatically. My team focuses a lot on resolving the tickets automatically. We create hundreds of thousands of security tickets every year when we look at the employees across our company and the way they use services and do things, and ninety-six point four percent of those tickets are resolved by our automation on the security team side, as opposed to requiring a security engineer to go look at something. Why is that important? What is my most constrained resource? My smart humans. And also, frankly, your security professionals: do you want to be going to check to see if the salesperson who left an S3 bucket open fixed it, or do you want to be doing something that actually is engaging, interesting, focusing? You want to do stuff that expands what you think about, as opposed to the drudge work. So automate your ticketing process.

IAM policies. It is far easier to generate IAM policies using software and get it right repeatedly than it is by asking humans to do it. So take a look at how you can automate that process and use the automation to your advantage for minimization of footprint.

Logging. Yep, creating logs is cool, it's awesome. Do you actually use them? Do you know where they are? Can you get to them when you need them? How long does it take you to take that raw log material and turn it into something useful for a security investigation? How long between when someone says "oh no" and the first question being asked of the logs? Build the automation pipeline that does the enrichment of logs ahead of the problem occurring. "Okay, I need to take this log and I need to figure out which account that belongs to, and what resources that had access to, and who are the humans who had access to that account": you shouldn't be doing that in the heat of battle. That's something you should be thinking about in advance, building the tooling to do it, and exercising that tooling to make sure that it's still current, because your world evolves as fast as ours does, and everything changes, so we've got to constantly keep exercising those muscles.

Threat detection. This one's pretty obvious to everybody. Threat detection is not something you can do by hand; it's not something you do by eye. If you're depending on a human being sitting in a SOC looking at a screen to say "am I detecting threats?", you're behind. So there should be tooling that you're building here that helps you identify when you need to be focusing your humans on something interesting. And of course all of that leads to alerting, which is about telling the right people that something's going on. But take it a step further: does your tooling automatically escalate your alerts? One of the things that is most valuable about the way AWS works is we have these incredible tool systems that are built for the whole company that do automatic escalation, meaning my on-call security engineer (yes, the on-call security engineer for security at any one time; we don't have a whole fleet of people sitting in a SOC) is responsible for responding to tickets in severity order, and they have an SLA, a window in which they have to respond, and it's somewhere between five and fifteen minutes depending on what's going on. If they don't respond within that time frame, the system automatically escalates to the next person up the food chain, and that goes all the way up to Andy Jassy. So if I don't respond promptly and he gets paged... that has not happened; I'm very careful about that. But in all seriousness, does your automation keep going until it gets a human to answer the door? You don't want to be that person who has to go in and talk to the boss at some point and say "oh yeah, the alarm went off and we didn't do anything about it." So automate the process of alerting and responding to those alerts.

Champions of security. You want to be the person that others look to in the company as a beacon for how security should be proud on. You want to be the person that the software development engineers in your service teams say "I want to go talk to, to learn more, to help me solve this problem." In companies that are large like ours, we intentionally develop champions of security in each of the service teams. The larger service teams have their own specific security teams built within them, but every small service team also has somebody who we identify and say "you are going to be the person who's going to bring our message to the service team," and we love that, because it's a very short cycle time when people sit across the desk from each other or across the room from each other and there's a security question or it's something they need help with, as opposed to thinking "I've got to call that person; do you know what, I'm going to go to lunch," because inevitably things drop when that happens. So we want security to be the intimate part of the business, and it's something that everybody can help with.

One of the wonderful things about AWS is we launch lots and lots of features. One of the challenging things about AWS is we launch lots and lots of features all the time. So there are an enormous number of innovations that I want to go through here. We're going to hit some of them that are the highlights and talk about some of the new things that are coming. Sixteen hundred and eighty announcements on the What's New page is a heck of a place, by the way. Three hundred and twenty of those are about security and compliance, so it shows you a lot about the focus and investment we have. It also shows you an area that's worth your time investment to understand what are applicable to you and your job. Let's talk about some of the newer or more impactful ones.

GuardDuty is a service that we've had for a while. It's an intrusion detection system. It is the fastest growing security service in the company and always has been. It is something that our customers tell us they love the onboarding experience of, because of the checkbox enablement. It's been focusing a lot of the effort recently on data security. So, Simple Storage Service block public access: if you are not using that feature on your S3 buckets, why not? Go look at that. It is that failsafe that keeps you from opening a bucket up accidentally and causing data leakage. GuardDuty will alert you if somebody turns that off somehow. S3 server access logging is disabled: remember when I said you need to have the logs to understand what goes on? We thought that was important enough that we built it into GuardDuty as an alert, so it'll tell you if you don't have the right logging going on. Permissive policies are something that are odious. They sneak up on you and you don't realize people have them, so we've built tooling into GuardDuty that allows you to say "okay, this person just all of a sudden got a lot more privileges than they used to have," and allows you to make a decision then on "is this the right thing, yes or no?"

CloudWatch. CloudWatch has specific alarming in place now for traffic mirroring changes. This is an interesting one, because it's an application of machine learning to understand your traffic flows and then identify anomalies in those flows. It doesn't tell you whether it's good or bad; it says "something has changed, and here's what changed." That allows you to use that smart human to go figure out: is this a reasonable thing, a good thing, or a bad thing? It's all about giving you clues and pointers to what's going on and what you need to focus on there. Now, one of the other things that's interesting about CloudWatch is that it supports canaries. Canaries are synthetic tests that look at the functionality, both positive and negative, of services. One of the things that the security team requires of all of our services that we vend is they don't get to launch unless they have the right canaries in place. Canaries are test functions. They say "is this authentication or authorization path working the way we expected?" and that means: does it authorize those we are expecting to be authorized? Does it reject those who we expect to be rejected? CloudWatch can now keep track of your canaries and identify when they are not behaving properly or a canary is failing, and then alert you to that fact. This is something that's got a lot of security benefit. There's also quite a few operational benefits as well there. You can get a heads-up on customer experience problems very rapidly through this process. This is one of those interesting confluences, and you've probably seen this in your own lives, where security tools turn out to have great visibility into the operational experience of a user, where we often see problems far before anybody else does in the company and we can help others realize there's an issue going on there. Synthetics also can help you test your APIs, URLs, or website content associated with your resources, so you can go all the way down to the application layer and understand: is it functioning properly, yes or no?

Security Hub is our service that helps aggregate all of the security alerting and configuration information across your AWS estate, and it now can use CloudWatch Events rules to send findings directly to ticketing systems. Remember I talked about one of the things you should automate is ticketing; the first thing you should automate is ticketing. So we built it into Security Hub to fire directly to a ticketing system that you may already have. The point here is to make it one fewer integration that you have to decide on.

Secrets Manager. I love Secrets Manager because it is a great weapon in the fight to get secrets off of systems, but it also supports VPC endpoint policies now, so you can assign policies to endpoints using Secrets Manager and change the way they behave over time, or ensure that they're reflected appropriately even if somebody tries to change them on you from underneath you. Automatic rotation of database credentials is something that Secrets Manager is especially useful for. Whether it's a Redshift cluster or a DocumentDB, CloudFormation can use it to ensure you're using current credentials and you rotate those credentials over time. So take a look at how you are managing not only the credentials associated with your AWS resources but all the way up to your application layer, and are you using tooling to rotate those appropriately?

Let's go all the way down to the other end of the spectrum here: IoT. IoT is a great buzzwordy thing that everyone's talking about, but IoT is really just small dumb devices that collect information and send it out to a service to be analyzed or processed. That process of sending it out: we designed systems for a lot of our IoT support earlier that allowed us to do that securely, and customers pointed out that in many cases their networks were really difficult to get IoT traffic out of safely. They had to do all these kinds of crazy firewall rules; they didn't like opening up ports, etc. So we announced and released IoT secure tunneling, which allows you to define a well-understood tunnel that allows you to get data off of a network, but also allows you to do things like update the IoT devices over the secure tunnel. One of the biggest vulnerabilities in many IoT devices is they are not updated frequently, and they're not updated frequently either because the manufacturer didn't think of that when they released the device or because getting an update to it is really hard. So this gives you a path to do that update or deploy a fix, etc.

For new things that we want to make sure you're aware of in IoT Device Defender: IoT Device Defender is our intrusion detection, prevention, etc. system for IoT devices. Number one is overly permissive permissions. This is something I harp on all the time. Does that device have access to more stuff in your AWS estate than it absolutely needs to do its job? Device Defender can flag that and tell you "yeah, you should really go look at this and see if it's something that you need to modify or change." OpenSSL. OpenSSL has been a fertile ground for security researchers over time. It's an area where there are a lot of opportunities for improvement. Do you have devices that are running predictable... I'm sorry, devices that are running software that produces predictable cryptographic keys? That is obviously a bad thing, in which case we'll alert you to that there. What services haven't you used recently? If you haven't used the service recently, should your credentials have access to that service at all? The answer is probably no, but you need to be told "hey, look at this, it's interesting there."

So we're going to talk a little bit more about the democratization of security. We know that we just went through a whole bunch of interesting pieces from 2019, but one of the things that I am most proud of is the humans that we have, the people that we have working in AWS, and the application of very unique skills to problems that all of us have. We made a bet several years ago on something called automated reasoning. Automated reasoning is the science, and a little bit of art, about applying mathematics and logic to understanding the behavior of systems. It's esoteric; there are probably only a couple thousand people in the world who understand it well. We were really happy to have a group within AWS who is awesomely good at that, and I'd like to welcome to the stage Neha Rungta, who is going to talk to us about how we can validate and verify the way systems are functioning using software.

Thank you, Steve. Hi, I'm Neha. I work in the Automated Reasoning Group, and when AWS security first invested in automated reasoning, part of our charter was to look for internally misconfigured resource policies. So the archmaester in me, I mean the logician, was really excited, because resource policies was just another representation for first-order logic. And Steve talked a lot about the need for automation, and so we built a tool called Zelkova, and it automatically detected misconfigured resource policies. And another part of the automation was ticketing: it automatically ticketed when it found a misconfigured resource policy, and this really allowed the security team to scale. In the true Amazon spirit, when we build something for ourselves that is successful, we say "let's make it available for our customers," and that's what we did. In 2017 we made it available in Macie, Config managed rules, and also the public badge that you see in the S3 console. In 2018 we did more releases, and we also partnered with S3 for block public access. It was this preventative control to make sure that an accidental data leakage could never happen. And now in 2019 we have... we just launched IAM Access Analyzer.

So what makes it different than things that you can already do? Zelkova was really powerful at answering a yes or no question if you knew the question you wanted to ask, such as "is my bucket public?" And what we heard from you, the feedback, was "this is great, but often I don't know what to look for, or even the questions I want to ask, so instead can you just tell me who has access to my resources, and then I can decide if the sharing is intentional or not." And now with Access Analyzer you can do that. So what does Access Analyzer give you? It gives you findings about who outside your account has access to the resources in your account: which accounts, which VPCs, which IP addresses. And the finding is not something that happened in the past, but it analyzes the resource policies to tell you what can happen in the future, and it allows you to protect your resources from unintended access before it occurs. With a single click you can create an analyzer for your account. It scans the policies attached to your IAM roles, S3 buckets, Lambda functions, KMS keys, SQS queues, and based on the findings, if the sharing is intentional you can archive it; if it is not intentional, you can go to the respective service consoles and update the policy. The change will be automatically detected, the analysis will be rerun, and the finding will be resolved, in a workflow similar to GuardDuty. You can also create filters for automatic archiving based on "hey, this sharing is from an IP address from my data center" or "this is just read access from my security audit account." So I do want to give you a little bit of a taste of what's under the hood. As I
mentioned zelkova is great at asking yes or no questions so to answer the larger question who has access to my resource we need to ask many questions essentially we'd have to ask for like every account every IP address every V PC and you may say well that's a lot of questions here's where AWS really helps it's secure by default no outside entity has access to your resource unless you explicitly grant them access in your policy and access analyzer leverages this fact it looks at the entities the accounts the IP addresses the sort the VP sees that you've specified in your policy and asks question about that it asks all possible questions about it it's come free hence if so what are some of the things that our customers have found with access analyzer one customer found that they had a role in all their production accounts that could be assumed from a developer's personal account another customer found leftover permissions from tutorials that they done way in the back and just forgotten to clean up when a third customer discovered buckets that did not comply with their least privilege best practices so go turn on access analyzer now we believe this is so foundational to cloud security that it's we've made it available to all customers at no additional charge everyone should be using it the findings are simple they're declarative statements you do not even need to be a security nerd or an identity expert a logician or even an archmaester to understand what those findings are and the goal is to get you to have the number of active findings to zero and for you to continuously evaluate the sharing of your resources you can subscribe to the cloud watch events that access analyzer generates you can also view the findings in your security hub console to have an aggregated holistic view of your findings with respect to the other security services as well as partner solutions all in one place so go turn on access analyzer now it's available at no charge I'd like to bring Steve 
back to the stage to talk about crypto and getting to course a few new announcements thanks so some of the tooling that we've renowned steer is really pretty groundbreaking in the industry when you look at the spaces we've been before a lot of stuff has been rule-based and it's been fragile as a result one of the the real benefits of access analyzer is it is not only based on the ability to recompute the access that permissions have on a regular basis but that it automatically does so when you change your permissions so you didn't even have to ask it to take on that particular task Nihao said we're going to talk more about crypto and we are it's an interesting space and crypto is not the be-all and end-all it's not a panacea for all problems but is an important lever in your arsenal of protecting your data and I had said earlier that I really believe strongly that humans need to be kept away from the data one of the best ways to do that is to encrypt the data as close to the source as possible so one of the changes that we made recently was introducing in the AWS encryption SDK JavaScript encryption why might this be useful well think about it this way what if I was running say a large bookstore and I needed to take in a whole bunch of personal identifiable information and store it securely is the way to do that to take in clear text in the front end and pass clear text through each of the systems in the process and use it in the back end no because then I have to concentrate on the whole chain from where it's brought in the door until it's used at the other end what instead if I encrypted that material right in the user's browser so that it didn't matter what happened with the rest of the food chain along the way I'm still gonna put in a TLS pipe and I'm still gonna store it securely etc but gives me that extra layer of control so push the encryption out as far as you possibly can as close to the data as you can hear kms kms has always been able to produce 
symmetric encryption keys for you one of the changes that we made recently is that you can produce a symmetric keys where might that be interesting if you think about it this way an asymmetric encryption key is useful in many circumstances where you don't want to share the ability to decrypt something with the producer of the encryption itself but also it's really useful in situations where you don't have devices that are online all the time think about a device that's in an area that may not have coverage an IOT device that's low on battery power and you don't want to have a communicating all the time you want to use public key cryptography as a way to allow you to encrypt the material locally on that machine and have it be decrypted at whatever time frame in the future on a service on the backend of course we have to make this supportable for all of our customers so it's using the same FIPS 140-2 validated AWS HSMs that have been protecting our master keys for years and to use it it's really really simple all you have to do is ask kms to produce an asymmetric key for you and then assign that public key for example to an IOT device so it can use it to encrypt whatever it is it's collecting on the the end of that circuit there now all developers always implement encryption properly right sure encryption is hard doing it is really difficult we have a lot of really smart developers our developers make mistakes sometimes when they implement crypto so one of the things that we're really proud of here is we created something called shortcut resistant authentication mode crypto in AWS this is something that's been added into s 2 n s 2 n is our open source replacement for open SSL the TLS protocol implementation that we've ended people and the important thing here is it is designed to cryptographically prevent a saw a developer from taking shortcuts such as looking at decrypted data before it's been verified to be intact this eliminates whole classes of attacks things 
like Oracle attacks etc so this is a really interesting little lever that you can use to help your internal consumers of encryption resources do their job correctly as opposed to succumbing to pitfalls in development life cycles now no talk about crypto would be appropriate without a discussion on quantum cryptography quantum is one of those buzzwords that everybody loves to bring up we don't really know when quantum cryptography is going to be necessary quantum resistant to cryptography we don't know when quantum computers will be able to attack our existing implementations or protocols which is why we decided to get ahead of the problem we've think very deeply about your protection and the ability to help you protect yourself in the future as well as just against the attacks that you see today so to that end we launch support for hybrid post quantum TLS last month as part of s2m again the the open source package that we've been for TLS encryption and this particular enhancement uses both classical and post quantum crypto to negotiate session keys that are used in the TLS connections that s 2n operates we integrated this by the way into the API endpoints for AWS kms so that means you can go out right now and start using quantum resistant crypto in your connections to us test it out see how it works see how it works in your environment in your software there of course we just talked about quantum which is on one end of the complexity scale it's kind of ironic that I put a quote up here that talks about simplicity but it's actually reflective of the way we think about building services we should take something that is inherently extremely complex quantum resistant crypto and reduce it to an SDK or a service that is consumable by normal people consumable by customers no matter their level of expertise and that's something that we think is really liberating getting back to that democratization of security theme that I love so much it's about giving you the tools to 
help protect yourself against esoteric problems but do so without breaking your head in the process let's talk a little bit more about what reinvent has brought us in terms of security features arm instances wait how our arm interests instance is interesting from a security perspective well arm instances are something that have incredible performance benefits in some circumstances have great price benefits but can I operate my air place workload on there the answer is yes we have a number of partners we're going to be announcing their endpoint protection software for a Tobias graviton process in the near future so keep an eye on it because it'll allow you to do work securely on systems that you may not have been able to choose before ultra warm we're talking about decoupling storage and compute here in an elastic search service how is that relevant to security remember that discussion about logs I bet a number of you in here use elk stacks to look at your logs ultra warm gives you the ability to scale up and scale down and save yourself a ton of money when you're doing log analytics using elastic search rather than keeping everything hot it's a way for you to do that better job of actually using the logs that you generate and making sure that you're looking through them on a regular basis while still giving you an interactive analytics experience nitro enclaves Nitron clays is a new ec2 feature that provides customers a mechanism to create an isolated compute environment within Amazon ec2 this is an environment that is designed so that nobody no human has access to that environment it's a separate set of V CPUs a separate set of RAM on an ec2 instance that you can use to do workloads which you consider to be highly sensitive for example let's assume that you're a large video streaming company and you have to apply erm to the streams that you send out where do you want those DRM keys in a virtual machine that's exposed to the public Internet no probably not but put 
it inside a nitro Enclave and you can be assured that there is no path for a human being to get in there the nitro Enclave by the way communicates with the base instance that is associated with over V sock so it is a very constrained protocol that has a limited set of features available so that it doesn't expose the kernel or the applications to outside risks or vulnerabilities if you're doing highly sensitive workloads if you're processing PII if you are tokenizing things like credit cards or names or things like that that is the perfect application for a nitro Enclave if it gives you the ability to do that in fashion where you're certain that nobody's got access to that data except the content that's already within the Enclave so we all know the problems that we run into when we have to investigate something when the system says oh there's a problem first of all there's an enormous amount of log mangling that has to happen the signal-to-noise ratio is really really off you've got to sort through piles and piles of logs to find the stuff that's interesting then you got to transform those logs into something that's useful then you've got our enriched those logs with information about the systems they were on the accounts they were using the users who were involved etc then you've got to link those pieces together and how the heck do you associate all those components and by the way you have to have a human being who's asking those questions and saying well we should connect this log to this log to this log to this log what if you don't have that human being what if you don't have the expertise on your staff or what if that person is busy doing something else oh by the way this also costs a lot in most places so we're really happy to introduce a new Amazon service Amazon detective what we did was we took the knowledge of the way my team builds an investigations platform within AWS and we externalize it as a service detective helps security teams conduct faster and 
more effective investigations you can enable detected with a few clicks in the AWS management console and the service automatically begins distilling and organizing your data from cloud trail virtual private cloud flow logs etc into a graph model that summarizes resource behaviors and interactions observed over time across your account so you get a graph of how your systems and your humans and your data interact across the entirety of the AWS estate how does this work using machine learning and some statistical analysis coupled with graph theory detective produces easy-to-use visualizations that help analysts quickly determine the root cause and the extent of issues the visualizations provide not only detail and context about what's going on on your infrastructure but more importantly it gives you guidance to help analysts understand the underlying reason for a finding as opposed to the fact that there just was a finding many customers told us that was the most valuable piece of the whole thing was the proactive advice about go look here or this could have been done by that the detective graph model and the analytics by the way are continuously updated as new telemetry becomes available from your AWS resources remember that whole part about where you had to go collect the logs and process and analyze detective does that for you continuously that allows you to spend a lot less time tending to constantly changing resource data streams and we retain that information for you in a graph for a year so this is what it looks like there can be too much prep around getting the data ready for making critical security calls with detective we're looking to help visualize it for you we found over time that many people are much better looking at a graph or looking at a set of metrics etc and understanding what happens that it is looking at a wall of text with detective security teams can answer questions like is this an unusual API call or is this spike in traffic from an 
instance expected without having to organize any of the data or developer configure tune your own queries detective is simple to setup and easy to manage in the same way that guard duty is it was designed to be a one click on and it's something where there's no software to deploy there are no agents to install and there are no complex configurations to maintain we do that all behind the scenes for you most importantly however as we get smarter at doing investigations you get the results of that in your graphs as we constantly update the ml and the rules that go associated with it now we know that you're using multiple tools and multiple technologies to manage security which is why partners are so incredibly important to us we've integrated with the workflows that you already have the technology partners integrate directly with the software they produce so you can use detective as a component of the workflows you're already managing there and the service partners on the right side of the slide have the expertise with detective to help you implement it use it and understand it so even if you don't have any security expertise on the team at all the gonna consume this we've got people who can help you do that time is the thing that's most precious to us it is the area where we have the least flexibility in how we can affect the outcome of the future and it's the area where of course our humans are the most constrained piece here and it's an area where I think that we've got some interesting opportunities in the future I want to leave you with these goals for your security teams if you can compare these to what you're doing right now I think you'll find that there's some benefit to things that you haven't thought about haven't had the opportunity to do or things that haven't given you the bang for the buck that you thought these are the ones that most of our customers say are the most important things that we can do now this is just an introductory talk a beginning look 
at what we've got coming this year and where we've been recently there's a lot more in depth that you can get into during the sessions here these are the sessions that I suggest everybody take a look at if they can their access control is something that many people find very hard getting it right is super important to your business getting started with identity is an awesome way to learn how to do things effectively and appropriately so take a look at these understand what they give you as an option here maybe they're right for you if you're interested in security in AWS you've probably heard that we have a conference called reinforce the next version of AWS reinforced is taking place in Houston June 30th to July 1st it's all about learning how to operate AWS securely and making sure that your customer requirements are met it's a great place to learn more if you like the conference details that you've got here by the way this talks that you can see here think about it on steroids that's what reinforces a lot more opportunity for security really down the nitty-gritty so I want to thank you for your time there's my twitter handle if you want to take a look what I would ask you to do please is there is a session survey in the mobile app fill that out we love customer feedback we want to understand what you like what you want of what you don't like etc so give us that feedback thank you very much and enjoy the rest of the day [Applause]
Info
Channel: AWS Events
Views: 7,152
Keywords: re:Invent 2019, Amazon, AWS re:Invent, SEC201-L, Security, Compliance, and Identity, Not Applicable
Id: oam8FDNJhbE
Length: 53min 52sec (3232 seconds)
Published: Wed Dec 04 2019