AWS launched its new event, re:Inforce, last week and engaged thousands of security practitioners and professionals in a conversation that is top of mind for everyone: SECURITY. The buzz at the event confirmed it.
Here are some key observations from conversations on the show floor:
- Security is everyone’s responsibility: We all agree that security should be your company’s priority zero. In fact, security culture isn’t the responsibility of the security team, but of everyone in the company. The increasing awareness around security was evident from my many conversations with developers and service owners. It wasn’t too long ago that these constituents were not terribly interested in discussing security. For them, it was the network and security teams that dealt with it. The tide is changing. I had many more security discussions with folks representing the IT stack than ever before.
- Decoupling security from networking is the key: Everything we have done so far to implement security is intricately tied to networking – and therein lies the challenge. The dynamic nature of today’s enterprise and the need for business agility make implementing security with networking constructs a big blocker. In many of my conversations with attendees, including CISOs and security architects, it became apparent that the concept of decoupling networking from security resonates; it is the key to having security track application deployment (and not lag behind). Once you understand that you can adopt a security posture aligned to organizational goals, it is much easier to implement that posture without tying yourself to networking constructs like IP addresses, VLANs, or firewall zones. You can read more about decoupling security from your network in this new paper.
- Automation is essential: Humans cannot react as fast as machines, and bad actors are increasingly using automation to achieve their purpose. In addition, there aren’t enough trained security practitioners to deal with the deluge of information and events that must be parsed before taking corrective action. This was a common thread in conversations with attendees: unless we leverage automation, we cannot succeed in protecting our assets. And it was summed up well in one network architect's POV: bad guys are using automation all day long and they have to be right only once, while we are using manual methods to beat them and we have to be right every time.
- The emergence of segmentation for security: Segmentation has been leveraged to solve networking problems like reducing broadcast domains, traffic management, etc. Security stands to gain as well from adopting segmentation. Many of the attendees I talked to were familiar with segmentation but always associated it with networking functions to reduce broadcast domains and traffic engineering. There was an increasing sense that this very same concept can and should be utilized to separate applications and possibly users from each other as required.
- The compliance conversation: Compliance seems to be the top driver for security segmentation. Usually it takes a compelling event like an audit to get things started and funded.
Learn more about how Illumio's approach to decoupling security from your underlying infrastructure can help you secure your AWS deployment: