Why IoT is the cornerstone of AWS’s zero-trust strategy


At its re:Invent conference this fall, AWS made two IoT security announcements that show how machine identities sit at the core of its zero-trust strategy. AWS IoT ExpressLink provides connectivity modules that handle the secured connection to AWS IoT Core and the device's own identity in the module, so new IoT devices can move through secured DevOps cycles quickly; it integrates with AWS IoT Device Defender. New AWS IoT Greengrass features help customers perform patch management at scale across fleets of IoT and network devices, each of which carries its own machine identity.

IT administrators often struggle to track patch status across the large inventories of endpoints they manage, and that was one of the primary design goals behind the latest release. A centralized view of every device on the enterprise network is essential for asset management and for security alike, which is why AWS keeps improving endpoint monitoring. Endpoint visibility and control is the hardest part of a zero-trust framework to sustain and secure, so AWS has made it an explicit design objective for current and future cloud services.

Containing the fastest growing threat surface

Forrester estimates that machine identities are growing twice as fast as human identities on enterprise networks today, yet 50% of enterprises say protecting machine identities is a challenge precisely because of that growth. For the first time, Gartner's annual trend analysis lists machine identity management as a priority for CISOs and their security teams. AWS's decision to release IoT ExpressLink now and fast-track enhancements to AWS IoT Greengrass shows its commitment to hardening zero-trust security at the endpoint first.

When AWS customers, developers, and ISVs use ExpressLink and Greengrass together, each device's identity (the X.509 certificate and private key it authenticates to AWS IoT with) can be provisioned and protected at the module, firmware, or operating-system level for every type of IoT and IIoT sensor they have standardized on.

Amazon's vision of zero trust follows the NIST SP 800-207 architecture, as do all AWS IoT services. According to AWS, the architecture of its cloud services supports the key zero-trust requirements: microsegmentation, Identity and Access Management (IAM), Privileged Access Management (PAM), and protection of all data at rest and in transit. AWS cloud services are also designed at the platform level to grant access to enterprise resources per session, with every authentication and authorization evaluated dynamically and enforced under least privilege. An AWS IoT Zero Trust workshop walks through setting up and securing an IoT network configuration. AWS's vision of using its IoT services to deliver zero-trust security at the endpoint is summarized at a high level in the following graphic:

Machine identities are the new security perimeter

Machine identities need access policies defined, enforced, and audited at the endpoint level; in effect, machine identities are the new and most at-risk security perimeter. AWS focusing its IoT cloud services on building device software and firmware in secured DevOps cycles, combined with real-time visibility of every endpoint, reflects what it has learned from building and bundling its own IAM over the years, now translated to machine identities.
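As a concrete illustration of what "defined and enforced at the endpoint level" and the per-session, least-privilege model described above look like in practice, here is an AWS IoT Core policy of the kind that gets attached to a device's certificate. This is an added example, not AWS's code and not part of the original article; the region, the account ID (123456789012) and the sensors/... topic names are placeholders. The weak setting it replaces is the prototype policy that ships far too often, `"Action": "iot:*", "Resource": "*"`, which lets any device holding a valid certificate connect under any client ID, publish as any other device, and read every topic in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}",
      "Condition": {
        "Bool": { "iot:Connection.Thing.IsAttached": ["true"] }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/sensors/${iot:Connection.Thing.ThingName}/telemetry"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/sensors/${iot:Connection.Thing.ThingName}/commands"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/sensors/${iot:Connection.Thing.ThingName}/commands"
    }
  ]
}
```

The policy variable `${iot:Connection.Thing.ThingName}` is resolved per connection from the thing in the registry that the presenting certificate is attached to, and the `iot:Connection.Thing.IsAttached` condition refuses the connection if the certificate is not attached to any thing at all. The result is that a device can only connect with a client ID equal to its own thing name, can only publish to its own telemetry topic, and can only receive commands addressed to it; a compromised device cannot impersonate a neighbour. Note that `iot:Subscribe` is checked against a `topicfilter` resource while `iot:Receive` is checked against the `topic` resource, so both statements are needed. The policy is attached to the certificate with `aws iot attach-policy --policy-name <name> --target <certificate ARN>`, and the same file is reused unchanged across the whole fleet because the identity is substituted at connect time rather than baked into per-device policies.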

AWS provides IAM at no charge with every AWS account, and it covers the essentials. While AWS IAM integrates at the API level with a wide range of enterprise systems, it does not on its own address the harder IAM and PAM problems enterprises face today: defining and enforcing multiple identity-based policies per machine, auditing each machine for endpoint health and asset inventory, and integrating across machines and monitoring systems.

The AWS Shared Responsibility Model spells out what the platform secures and what the customer must secure, and reading it makes clear that AWS customers will need continual innovation on their side of the line to stay secure long-term. They also need IoT cloud services that integrate reliably with whatever machine identity management platform they have chosen, so they can scale and secure their operations.

AWS Shared Responsibility Model

AWS looks to secure every endpoint

AWS is taking on the challenge of securing every endpoint and enabling its customers to build zero-trust frameworks that scale down to the IoT and IIoT sensor level. It's an ambitious vision: give customers the cloud services they need to create and track every machine identity on an AWS network. Every public cloud provider faces the challenge of helping customers adopt zero trust additively, building on their previous security investments. AWS's roadmap shows it has decided that machine identities come first, and that giving customers the services to scale networks made up of machines and dominated by machine-to-machine integration is a high priority today.

Originally appeared on: TheSpuzz