From July 25 to July 27, fwd:cloudsec and AWS re:Inforce—two of the essential cloud security community events—drew thousands of cloud security practitioners, leaders, and vendors to Boston, MA. We were thrilled to attend, not least of all because they were a return to in-person events. In this post, we'll go over some of our top highlights from each of these conferences.
2022 marked the third year of fwd:cloudsec, which was founded by a small team of people that included Scott Piper, Principal Cloud Security Engineer at Block. Scott has created a number of projects with the goal of democratizing information regarding cloud service vulnerabilities and security, and this event is no different.
The driving idea behind fwd:cloudsec is calling attention to insecure defaults and cloud service provider anti-patterns. The conference sold out its capped 400 tickets for in-person attendance in a matter of minutes, and tens of thousands more tuned in online. It will be interesting to see if they continue to increase the in-person limit in the future.
The theme of fwd:cloudsec is building community and coming together to discuss common problems, security vulnerabilities, and solutions. As a community-focused event, fwd:cloudsec hosts amazing technical deep-dive content. We heard from some terrific speakers, including Datadog’s own Zack Allen, Security Research Director, and Darwin Salazar, Detection Engineer.
Zack's talk, “Cloudy with a chance of IOCs”, took a close look at the various ways threat detection engineering teams are modernizing methods for writing new detections by describing TTPs (tactics, techniques, and procedures). Zack championed the idea of improving existing frameworks rather than continuing to create new ones.
Later in the afternoon, Darwin gave his talk, “Leveraging the Azure Resource Graph for good and for evil.” Detection engineers are often uniquely positioned to spend lots of time thinking about ways an attacker performs activities like reconnaissance without it being logged by your control plane. In his talk, Darwin showcased how attackers can be clever and leverage the resource graph as a potential logging bypass.
Mohit Gupta and Nick Jones from WithSecureLabs presented an open source tool for provable access. Provable access is the idea of taking all policies that apply to a given user, calculating from those policies the full set of their possible IAM permissions, and testing success and failure to prove whether they have access for various use cases. In their talk, “Dismantling the Beast: Formally Proving Access at Scale in AWS,” they released IAMSpy. Their tool builds on concepts derived from the AWS Zelkova project. Zelkova and IAMSpy use automated theorem proving in order to reason about access conditions before an IAM policy is used in practice. Proving the correctness of policies can avoid mistakes like accidental S3 bucket access leaks. This project is an excellent example of how the community can innovate and force multiply technology while applying it to new use cases.
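As an added illustration of the "prove access before the policy is live" idea (this is not IAMSpy's or Zelkova's code, which use a solver rather than concrete test cases), the block below evaluates the union of a principal's policies against a list of expected outcomes using IAM's Deny-over-Allow order and wildcard matching. The sample policies and ARNs are constructed for the example; NotAction, NotResource and Condition handling are out of scope.

```python
import fnmatch

# Constructed sample: two policies attached to one principal. The second adds an
# explicit Deny over a "secrets/" prefix that the first policy's Allow would otherwise reach.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]},
    {"Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ]},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are compared as written.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policies, action, resource):
    """IAM evaluation order: any matching explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            act_hit = any(_match(a, action, True) for a in _as_list(st.get("Action", [])))
            res_hit = any(_match(r, resource, False) for r in _as_list(st.get("Resource", [])))
            if not (act_hit and res_hit):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def prove_cases(policies, cases):
    """Return every (action, resource, expected) whose outcome differs from what the author expected."""
    return [(a, r, exp) for a, r, exp in cases if is_allowed(policies, a, r) != exp]

if __name__ == "__main__":
    # The ListBucket case fails: ListBucket applies to the bucket ARN, not "bucket/*",
    # which is exactly the kind of mistake a pre-deployment proof surfaces.
    print(prove_cases(POLICIES, [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt", True),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem", False),
        ("s3:ListBucket", "arn:aws:s3:::example-bucket", True),
    ]))
```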
There have been no announcements about the location or planned size of next year’s fwd:cloudsec. Datadog looks forward to catching up with and participating in the community again. Keep an eye on their website for updates a little later in the year.
This year marked only the second time that AWS has hosted re:Inforce after canceling the previous two years' events due to the coronavirus pandemic. Prior to the launch of the first event in 2019, there was a huge demand for a conference like this. When, in 2018, Dr. Werner Vogels said, "Security is everyone's job," it sparked a lot of interest in an event where engineers and practitioners from all teams and organizations could gather and recognize progress made in making security their job.
This year, Datadog became an AWS Security Competency Partner. AWS's Security Competency is designed to improve a vendor's integration with AWS services and ensure they have a high level of security maturity. CJ Moses, AWS's CISO and VP of Security Engineering, gave a keynote in which one theme was prominent: more security partners and more dimensions to the Security Competency program. CJ announced that "the competency is now organized into eight categories that address over 40 unique customer security use cases, including software and professional service support.” The evolution of a minimum standard for how partners interact with AWS customers really paves the road for a safe and secure customer experience.
On day two, we heard from Kurt Kufeld, AWS Platform VP, regarding the integration of native malware scanning into a host of AWS services via GuardDuty. Previously, if a customer needed to run a malware scan, they would initiate a multi-step process to clone a disk, attach it to another instance, run a scanner of their choice, and finally store the result in S3. This was time consuming, dangerous, and complex. Now malware scanning is baked into GuardDuty as an additional customer benefit.
There were a few major themes that stood out at this year's re:Inforce:
- Layered defense for the cloud is no longer optional.
- Compliance is driving security at every layer of the business.
- Identity and mastery of the IAM system in AWS continues to be the most important thing you can do for your security posture.
Layered defense, often referred to as defense in depth, has been a common phrase since the early days of cyber security. The premise is that if one defense system fails, there are other defensive layers in place to ensure that an attacker cannot reach their goal, or that their attack is detected and remediated before the attacker can circumvent the next defense. At the inaugural re:Inforce, the hot topic for cloud was simple threat detection using a SIEM (security information and event management); simply detecting events is an excellent way to mature your security strategy. However, in the time since the last re:Inforce, our industry has begun to lean into the idea that prevention is as important as detection.
If you walked the expo hall, you would have seen some common acronyms like “CSPM,” or cloud security posture management. CSPM is a service that continually monitors the configuration state of an environment and compares it to known compliance baselines. Using a CSPM tool, businesses can also author and enable custom rules to detect misconfigurations that are potentially relevant to them.
CWS, or cloud workload security, was also a prominent theme. It’s no surprise that practices around protecting endpoints have made it to mainstream customer environments. The container space and increasing diversity in compute options bring a host of engineering challenges for best-in-class security solutions. CSPM and CWS services are virtual machine–, control plane–, and container-aware, and correlate many different data points to provide the most actionable findings. Datadog Cloud Workload Security and Cloud Security Posture Management can help you achieve that level of visibility into your multi-account environments.
AWS's Identity and Access Management service, or IAM, is one of their largest backend services. IAM handles access decisions for half a billion requests per second, according to Brigid Johnson, Senior Software Development Manager, IAM, at AWS. In the session “Streamlining Identity and Access Management for Innovation,” we heard from Karen Haberkorn, Director of Product Management, AWS Identity. If you’re familiar with Brigid’s conference talks, you know that two things are always true:
- You will get some great insights into how to leverage AWS Identity to achieve your goals.
- Pickles the Horse will also make an appearance in these fun and technical sessions.
The most game-changing announcement in Brigid's session was that AWS SSO (single sign-on) is now rebranding as AWS Identity Center. AWS Identity Center is a one-stop shop for policies, single sign-on, governance, and verification of identity in the AWS cloud. Given the impact and likelihood of a developer credential leak, moving to SSO is one of the most impactful changes you can make in your organization today. With a host of new features, support for third-party IdPs (identity providers), and delegatable access, there is no reason for your organization not to adopt AWS Identity Center if you're running in AWS. Of course, with all the new features, the AWS Identity best practices also received a revision. If you haven’t had a chance to check them out, you’ll want to take the time to do that.
More than all the great sessions and exciting announcements, what we enjoyed most about attending these two conferences was networking, being back together with the community, seeing old friends, and making a few new ones. We even got a chance to review the Datadog State of Serverless in the Aurora Partner Theatre with Ashish Rajan from Cloud Security Podcast.
It was great to see all of the attendees at both sessions and get some great serverless security questions.
See you next year!
Next year’s re:Inforce will be in Anaheim, CA, on June 13–14. We hope to see you there.