AWS exec: ‘Embrace more automation’ to boost cloud security

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more

A key priority for Amazon Web Services in 2022 will be around expanding the use of automation for cybersecurity, enabling customers to increase the security of their cloud environments through “automation at scale,” an AWS executive told VentureBeat.

Dudi Matot, security segment lead for AWS, said in an interview that the cloud computing platform has made big strides in enabling more use of automation for security — including with a number of announcements at AWS re:Invent 2021. And customers can expect “more to come around that” in 2022 and beyond, he said.

“We believe that we need to move from manual into automation. The more that customers expand their footprints — within AWS or within a hybrid cloud strategy — they need to embrace more automation,” Matot said.

‘Automation at scale’

A key example, he said, is how AWS enables customers to build more secure, “immutable” infrastructure by leveraging infrastructure as code (IaC) services, such as AWS CloudFormation or HashiCorp’s Terraform.

IaC enables automated management of infrastructure using software code instead of through manual management of hardware. When combined with the AWS Lambda serverless compute service, this approach allows customers to “build automation at scale,” Matot said.

At re:Invent, one AWS announcement in that vein was for the Amazon Inspector cloud vulnerability management service. The latest Inspector updates can help customers to bring an “at-scale, agentless type of approach and build as much automation as possible into the process,” Matot said.

AWS recommends that customers consider tools such as Lambda, as well as the AWS Config resource monitoring service and associated AWS Config rules, to help with bolstering their cloud security posture, he said.

Configuration is a major trouble spot for customers when it comes to cloud security, with misconfiguration blamed for the vast majority of breaches in the cloud, according to a recent report from Fugue and Sonatype. The report found that 36% of organizations had suffered a serious cloud data leak or a breach over the previous 12 months.

More automation = more security

AWS Config has strong relevance for current cloud security needs, said Kat Traxler, senior security researcher at security AI platform provider Vectra, in an email.

The service exposes the underlying CloudFormation API and allows for programmatic data operations on cloud resources “in a standardized descriptive language, without having to use a CloudFormation template,” Traxler said. “This will really free up automation and build pipelines.”

Ultimately, “the more cloud resources are managed by automation pipelines, the easier it is to do security things like correct for drift, audit your posture, and explain your current state,” she said.

AWS also announced new automation capabilities as part of the update to Amazon Inspector at re:Invent. Now, Inspector assessment scans are continual and automated — taking the place of manual scans that occur only periodically — while resource discovery is also automated.

Using the new Amazon Inspector will enable auto-discovery and begin a continual assessment of a customer’s Elastic Compute Cloud (EC2) and Amazon Elastic Container Registry-based container workloads — ultimately evaluating the customer’s security posture even while underlying resources are changing, according to AWS.

Reducing customer burdens

Additionally, the company unveiled a number of other new features for Amazon Inspector, including additional support for container-based workloads, with the ability to assess workloads on both EC2 and container infrastructure.

The updates to Inspector are a welcome enhancement in terms of increasing automation and customer security, said Augusto Barros, vice president at security analytics firm Securonix.

“Inspector is evolving. Certain checks for container images and secrets management are also being automatically performed in the backend, reducing the burden in the hands of the customer,” Barros said in an email.

Given the complexity of cloud environments, AWS is doing the right thing by increasing its emphasis on automation for security, said Tyler Shields, chief marketing officer at JupiterOne.

“When you create an automated system of managing that level of complexity is when you hit the highest levels of modern cybersecurity,” Shields said in an email.

All in all, while the complexity of cloud environments can still be an adjustment for customers — especially those that have only recently shifted from on-premises environments to the cloud — AWS is making helpful improvements in terms of enabling security for customers, said Stel Valavanis, founder and CEO of managed security services firm OnShore Security.

The updates announced at re:Invent “provide tools, additional visibility, audits of configurations, and better defaults,” Valavanis said in an email. “The cloud is inherently complex and AWS can’t change that. What they can do is create good default configurations and appliances, good interfaces, and lots of documentation and support. These announcements take a few steps forward.”

Speed of automation

In an even broader sense, automation will be increasingly crucial in security going forward, said Sumedh Thakar, CEO at cloud security firm Qualys, in an interview. Businesses face ever-growing cyber threats and a massive shortage of available security talent, even as they attempt to secure a greater number of devices due to many workers remaining remote, he said.

“The only solution I see is more automation. Otherwise, how can we do this?” Thakar said. More and more, “your security is just as good as the speed of automation that you have,” he said.

While it’s certainly true that “cloud is different” than an on-premises environment, Matot said, this is good for security in many ways, since there are a number of additional capabilities available. And an approach that brings a focus on automation, immutable infrastructure, and IaC can help greatly with “meeting customer needs at scale, with security baked in,” he said.

Originally appeared on: TheSpuzz