Amazon Web Services (AWS) at its recent re:Invent 2019 conference previewed two tools to advance cloud security and made available a tool that promises to simplify audits.
Available in preview now, Amazon Detective is a service that plugs into the AWS Management Console. Once invoked, Amazon Detective automatically begins distilling and organizing data from AWS CloudTrail and Amazon Virtual Private Cloud (VPC) Flow Logs into a graph model that summarizes resource behaviors and interactions observed across an AWS environment.
Employing machine learning algorithms, statistical analysis and graph theory, Amazon Detective presents cybersecurity teams with custom visualizations that make it easier to identify, for example, suspicious calls between application programming interfaces (APIs).
In addition to the two data sources currently supported, AWS promised to provide support for DNS logs soon.
At the same time, AWS promised to make available early next year a preview of AWS Nitro Enclaves, which extends the thin Nitro server and network virtualization platform on which the AWS cloud is built to let IT teams partition compute and memory resources within an AWS EC2 instance. Each enclave is allocated its own virtual machine with a dedicated kernel, memory and processor, so varying combinations of CPU cores and memory can be carved out of the parent instance. There is no persistent storage, no ability to log in to the enclave and no network connectivity beyond a secure local channel, and all communication between Nitro modules is encrypted.
AWS CTO Werner Vogels told conference attendees that AWS is applying concepts from the world of APIs and microservices to create a highly modular Nitro platform, which is now being extended in the form of AWS Nitro Enclaves. Those enclaves are ideal for processing highly sensitive data, said Vogels.
AWS also promised to make available a software development kit for AWS Nitro Enclaves to provide access to a set of open source libraries.
Finally, AWS announced the availability of AWS IAM Access Analyzer, an identity and access management (IAM) tool designed to make it easier for security teams and administrators to audit resource policies for unintended access.
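The kind of check Access Analyzer automates, reduced to a small offline script, as an added example that is not AWS's or the article's code: it flattens the Principal element of each statement in a resource policy and flags every Allow that reaches outside one assumed trusted account (TRUSTED_ACCOUNT), treating `"*"` as public; the S3 bucket policy is constructed sample input, and Condition elements are only reported, not evaluated.

```python
# Added example, not AWS's or the article's code; TRUSTED_ACCOUNT and the policy are constructed.
import json
import re

TRUSTED_ACCOUNT = "111111111111"  # assumed "zone of trust" for this example
ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed S3 bucket policy: internal, cross-account, public and deny statements.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Internal", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Partner", "Effect": "Allow", "Action": "s3:ListBucket",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

def principals(statement):
    """Flatten the Principal element ("*", {"AWS": str}, {"AWS": [..]}) to a list."""
    p = statement.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():  # keys such as "AWS", "Service", "Federated"
        out.extend(v if isinstance(v, list) else [v])
    return out

def classify(principal, trusted):
    """'public' for "*", 'internal' for an IAM ARN in the trusted account, else 'external'."""
    if principal == "*":
        return "public"
    m = ARN_ACCOUNT.match(principal)
    return "internal" if m and m.group(1) == trusted else "external"

def find_unintended_access(policy_json, trusted=TRUSTED_ACCOUNT):
    """Return (Sid, principal, kind, has_condition) for each Allow reaching outside `trusted`."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for pr in principals(st):
            kind = classify(pr, trusted)
            if kind != "internal":
                findings.append((st.get("Sid", "<no Sid>"), pr, kind, "Condition" in st))
    return findings
```

Running `find_unintended_access(SAMPLE_POLICY)` reports the cross-account and public grants and stays silent on the internal role and the Deny statement.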
While AWS is focused on securing its infrastructure, other vendors at AWS re:Invent are intent on securing cloud applications.
Barracuda Networks, for example, announced it has integrated Barracuda Cloud Security Guardian, a tool for assessing the security posture of a cloud environment, with Amazon Detective.
Tim Jefferson, senior vice president of engineering and product management for data protection, network and application security at Barracuda Networks, said that, given all the services a cloud service provider such as AWS now exposes, it's all but impossible for cybersecurity teams to know the current state of security for cloud applications without access to a security posture tool.
Threat Stack, meanwhile, announced it has integrated its security monitoring platform with AWS Fargate, a container platform that AWS delivers as a serverless computing service it manages on behalf of customers.
Chris Ford, vice president of product for Threat Stack, said that, alongside the cybersecurity tools provided by AWS, there is clearly a need for additional tools spanning the application and infrastructure stack.
It is apparent many IT organizations are still struggling with the shared responsibility model for security, which lies at the foundation of any cloud security strategy. However, it’s clear that securing those cloud environments will require a broad range of integrated tools.