I have some headlines for those of you who didn’t have the time or hopeful optimism to attend the inaugural AWS re:Inforce conference in Boston last month. You can read the product announcements in a thousand places online, and there are no shortage of play-by-plays, videos, and contemporaneous tweets and LinkedIn updates you can browse. I’d like to tell you the top five takeaways I actually took away from what turned out to be an interesting and focused use of a couple of days in the Bay State.
Headline 1: Security is finally a first-class participant in a new platform
Securing the core AWS infrastructure has been a public focus and ongoing success for the team at AWS. This is understandable, considering early adopter reticence about putting crucial assets in somebody else’s security hands. Beyond this, at re:Inforce, securing the customer side of the shared responsibility model was hammered home in multiple presentations, was an outgrowth of multiple announcements, and was a topic that I talked about with attendees at my presentations and just wandering around. The clarity of AWS messaging about the security that they provide and the security that they don’t provide is arming security and infrastructure teams to plan for security before newly transformed cloud services are dropped as urgent hot security potatoes in their already over-committed laps. Security planning is a part of AWS migration planning in a fundamental and organic way.
Headline 2: A security show can be about improving security not just selling security
There were plenty of vendors at AWS reinforce, and there was certainly plenty of selling going on. The attendees, though, showed up looking for approaches and answers to specific challenges in their migrations or infrastructures. Vendor friends I spoke with talked about the fact that their conversations were not about their companies’ general value prop but were instead focused on how a specific security capability was provided by their solution to fill an existing or projected gap. In my own experience, I learned plenty from the way that attendees described their use of both AWS and the AWS security solutions. The amount of shared information and experience at re:Inforce will be a reason that people come back for the show in Houston next year.
Headline 3: The power of AWS is creating new security challenges
Some attendees talked with me about the challenges that the scalability of AWS is posing. There is a new flood of information from these highly scalable services, and the dynamic nature of the services is weakening the underpinnings of security management. IP addresses, User IDs, monolithic applications, and perimeters have lost their traditional meaning, forcing a reassessment of security monitoring and incident response. These changes are also additive, as most organizations are not moving wholesale to a single cloud-provider, and none I spoke with intend to fully abandon all their on-premise systems. As AWS provides the capability to do more and to do that more even more quickly, there is a looming security crisis for organizations that need to keep up with the increased volume, disparity, and granularity of their security data.
Headline 4: Everyone is using AWS, but AWS security expertise is scarce
Every person I asked about staffing for AWS security roles gave me the same frown and had similar stories to tell. In a security industry where we know there are hundreds of thousands of open jobs, and where burnout is becoming a more pressing and disabling reality, finding people who understand security and existing security technologies is hard enough. Recruiting players who understand these and who have also taken the time to learn the very different and nuanced field of AWS security is like looking for four-leaf clovers. It isn’t impossible, but it is so hard and costly that I found people at re:Inforce who attended in hopes of learning to become those people. I’ve had a conversation with one engineering director who is being forced to slow-roll his team’s move into serverless application development because they can’t explain to him how they will be able to make those applications secure. AWS continues to expand its list of security capabilities, but they also need to develop some way to create an ecosystem of professionals who will know how to use them.
Headline 5: re:Inforce is looking to build a community
In my conversations with re:Inforce organizers and AWS execs prior to the show, it was obvious that they were planning an event that would increase industry awareness of AWS security capabilities. They were also looking to showcase customer examples of strong security within the new AWS environment and to introduce their broad network of partners who are helping to bridge that AWS security experience gap. The result, from my perspective, was that AWS customers and partners, at different points in their AWS and cloud journeys, spent their time getting to know what was out there. They learned what was hard and what was working, and over the two days of announcements they learned what was coming next. The information sharing and discussions created new relationships and ideas, which was certainly part of the re:Inforce plan.
I think this was a very good use of 48+ hours in my old home state, and I’ll definitely be there next year in Houston.