Barbarians Inside the Gates: AWS Security Roadshow

AWS Security Roadshow, Tysons Corner, VA (5/23/2017)

I attended the AWS Security Roadshow yesterday in Tysons Corner, VA (5/23/2017).  Members of the AWS Technical Services Team delivered various briefings and answered one-on-questions regarding best practices for securing one’s AWS Cloud-Based Software Solutions.  One of my biggest take-a-ways was the idea of ‘DevSecOps’.

The software development life cycle (SDLC) is typically a process balanced by two competing forces: Development and Operational Staff.  The Development Staff is typically motivated by the imperative to deliver quality code quickly and often, while the Operations Staff is typically motivated by the imperative to keep the Production Environment running and stable, with as few changes as possible.  AWS are encouraging users of their platform to include a third competing component in the typical SDLC: Security Staff.

Security Staff, the ‘Sec’ in the term ‘DevSecOps’, are motivated by the imperative to keep the bad guys away from Enterprise Data, promising to make the balancing act between Development and Operational imperatives even more contentious, albeit a necessary contention at that.  Security Engineers need to be integral components of any Enterprise Software Engineer Team, and they need to be driving Security concerns and architectural decisions from the very beginning of the SDLC.  Computer Security is not a quality gate, but an integral part of the SDLC.

Security Inconsistencies

While overall I am impressed by AWS’ focus on Cloud Security, and their desire to ensure that AWS customers practice ‘Safe OpSec’ (Safe Operational Security, for you AFN Fans) on their platform, I have noticed a few inconsistencies in the overall security messaging:

Practicing Safe OpSec Costs More

Keeping technical assets secure in the AWS Cloud costs more.  For example, if you want to keep your Lambda function safe from the wily internet behind a Virtual Public Cloud (VPC), the VPC is going to cost you.  Moreover, if your Lambda function, running safely on your VPC subnet, needs to access the public network for anything, like to access SES to send out an email notification, your VPC will need to be attached to a NAT to forward internet bound requests out through an Internet Gateway.  The NAT/Gateway implementation is also going to cost you.  So, in reality (and this may matter quite a bit to bootstrapped startups using AWS), it will cost a customer significantly more to secure their cloud-based solution than not.

Even Ehrlich Bachman and his ‘See Food’ startup express angst over AWS charges…

Penetration Testing Can Get You In Trouble

The AWS Staff encouraged participants at this particular Road Show gathering to automate security testing, and penetration testing in particular, into the CI/CD code build and deployment pipeline.  However, penetration testing, in someone else’s cloud infrastructure, can land you in hot water.  You need to be sure to read the law of the land on this issue, and request permission to pen-test from AWS (https://aws.amazon.com/security/penetration-testing/).  From a newbie customer’s perspective, these instructions seem a bit ominous and could deter folks from even bothering.

Alexa Skill Security

I asked one AWS Engineer some questions about Alexa Security and how Alexa might be securely utilized in the Enterprise.  The engineer I asked was not an Alexa engineer, so agreed to forward my question to the Alexa Engineering Staff.  I have not heard anything back yet on my questions, but I suspect IT security and Alexa Skills have yet to meet one another.

Think Like A Barbarian

I am impressed that AWS is concerned enough about sharing security concerns with their customers that they are traveling around the United States to help ensure that IT security remains a primary concern.  AWS have a vested interest in customers who are well educated on AWS Cloud services and security best practices.  Their message is clear: when deploying applications to the AWS infrastructure, think like a Black Hat and use AWS services and best practices to help protect your assets.  As more and more organizations move to AWS, IT Security becomes increasingly important for the growing universe of AWS Cloud Customers.