re:Inforce 2024 - KD Secures the World
"There’s no silver bullet solution with cyber security; a layered defense is the only viable defense.” — James Scott (DigitalDefynd)
This picture is the conference Dall-E 3 thinks I attended!
re:Inforce is AWS's annual cloud security conference that provides hands-on training, expert insights, and opportunities for collaboration on securing cloud environments. Held this year at the Pennsylvania Convention Center in Philadelphia, PA, it offered over 250 sessions focused on in-depth AWS security learning, insights on securing generative AI, access to AWS security experts and trusted partners, and opportunities to connect with industry peers. This is the KD review and summary.
The Expo
The expo hall (Hall C of the convention center, reference that only a few readers of KD Be Schemin’ will get) is where attendees can explore real-world security and generative AI use cases, connect with AWS experts, and discover trusted AWS Partners who can help simplify and integrate their security portfolio. The Expo featured these areas:
AWS Builders' Fair
A science fair-style area to explore hands-on demos of real-world AWS security and generative AI use cases. Attendees can talk to the experts who built the projects and learn how to implement the solutions themselves. For me, this was the most innovative feature of the Expo. My favorites were:
Chaos Kitty: Where two people compete, red team vs. blue team, to create chaos in the digital environment, which had a physical representation on a Lego-built environment on the table with a light bulb representing the health of each component. It was entertaining to see some teammates get competitive trying to destroy the other’s environment before they could repair it. Learn more
Deepfake Destroyer: Can you spot a deepfake image? How sure are you? You may think you’ve identified a “tell” or a process that assures you can discern the real image from the deepfake, but one stop by this team’s demo and you’ll be convinced of how human your image analysis can be. I managed 45%, and at least 2 of those correct answers were guessed after I realized I was on a timer. In the other attempts I watched, no one did better than 60%. This team has an algorithm that scores 100%.
OneVoice “LLM @ the Edge”: This team uses Amazon GreenGrass to deploy an LLM to an edge device to simulate authentication and authorization in a physical environment. The interesting part of this project is that they have developed authentication based on shifting facts that only you and the continuous data being updated to the LLM would know. For instance, instead of asking you what your mom’s maiden name is, their solution could ask you anything. Even “what time did you leave the house this morning?” or “who did you meet with at 9 am this morning?” The questions are completely generated on the fly through a prompted LLM, so there is no way to game the system. So if someone stole your phone and lifted your fingerprint to get past biometric authentication, they would have a very small chance of getting past the Security Intelligence of this solution. Check out Channa’s post on their project
AWS for Generative AI
A dedicated area showcasing how organizations can innovate securely with generative AI on AWS, leveraging AWS's enterprise-grade security, privacy controls, access to foundation models, and generative AI-powered applications. As expected, re
GenAI topics, dominated 2024 and the AWS team had a lot of availability to walk us through how to build safety into our GenAI implementations and how to utilize Bedrock, guardrails, and fundamental data security to build applications that assure enterprises their GenAI solutions meet the highest security standards.
AWS Marketplace
The AWS Marketplace team had a hub where dedicated AWS folks helped us discover, deploy, and manage software that runs on AWS. Most of the sponsoring vendors in the Expo can be deployed through the AWS Marketplace, which is a great way to consolidate billing and hit EDP spend commitments.
Partner Booths
Over 90 trusted AWS Partners with proven security competencies were featured in the Expo, allowing attendees to explore integrating third-party tools into their security portfolio. Having missed the last two re
conferences, I was eager to get a sense of how the ecosystem has evolved and how the ISVs are applying GenAI to their products. This is not a comprehensive list, but these are the vendors that caught my attention for various reasons:
Fortinet: A cybersecurity company providing a range of security solutions, including firewalls, anti-virus software, and network security appliances. Fortinet is making moves to strengthen its Cloud Security offerings.
Lacework: A cloud security company offering a cloud-native application protection platform (CNAPP) designed to secure cloud environments and workloads. Their solutions leverage automation and machine learning to provide visibility, threat detection, and compliance across multi-cloud infrastructures. Midway through the conference, we got this announcement: Fortinet to acquire Lacework.
Claroty: Focused on industrial cybersecurity and operational technology (OT) environments. Their products aim to secure industrial control systems, critical infrastructure, and Internet of Things (IoT) devices from cyber threats. We've partnered with Claroty in the past in some of our Industry IoT implementations.
Orca Security: Provides a cloud security platform that offers comprehensive visibility and protection for cloud environments. Their solutions help organizations identify and remediate security risks across their cloud assets, including misconfigurations and vulnerabilities.
upwind: Offers solutions for managing and securing cloud permissions and entitlements. Their products help organizations implement least privilege access and maintain control over their cloud environments.
Sonrai Security: Focuses on managing and securing cloud identities, data, and resources. Their solutions help organizations gain visibility into their cloud footprint and enforce security policies across their cloud environments.
Check Point: Offers a wide range of security solutions, including firewalls, endpoint security, cloud security, and threat prevention products. CloudGuard is Check Point’s complete cloud security management platform.
CrowdStrike: Specializes in endpoint protection and cloud workload security. Their products, such as the Falcon platform, use artificial intelligence and machine learning to detect and respond to cyber threats in real-time.
Palo Alto Networks: Provides a range of cybersecurity solutions, including next-generation firewalls, cloud security, and secure access service edge (SASE) products. Palo Alto continues to acquire in the Cloud Security space and offer a very complete set of solutions to meet DevOps and Cloud customers' needs.
Alert Logic: Offers cloud security solutions, including managed detection and response (MDR) services. Their products leverage various data sources to provide comprehensive threat detection and response capabilities across cloud environments.
Cisco: Offers a wide range of products and solutions, including networking hardware, software, and cybersecurity solutions. Cisco is focused on Hybrid environments and continues to acquire solutions in the Cloud and DevSecOps space.
Wiz: Provides a cloud security platform that offers comprehensive visibility and protection for cloud environments. Wiz is the fastest-growing platform for Cloud Native and Cloud governance.
Sessions
re:Inforce 2024 featured content across six key areas: Data Protection, Governance, Risk, and Compliance, Identity and Access Management, Network and Infrastructure Security, Threat Detection and Incident Response, and Application Security. This year’s sessions placed a strong emphasis on generative AI security, with sessions exploring how to secure and govern generative AI applications and leverage AI for development. Other notable themes included building a culture of security, securing CI/CD pipelines, implementing supply chain security, and enhancing application security practices. The sessions mostly catered to the engineering crowd, offering insights into AWS security tools, best practices, and real-world case studies. I attended several sessions on securing GenAI implementations, which showcased a few different use cases and how they were architected for security. Key factors for a secure GenAI architecture include:
Secure AI Infrastructure: Isolate and encrypt data and transmissions.
Security Across the AI Lifecycle: SageMaker provides built-in protection in the building of models along with other Data infrastructure security solutions AWS provides.
Built-in Security and Privacy Features: AWS has built security into Bedrock and SageMaker and provides governance tools for RAG processing.
Data Governance and Compliance: Emphasis on governing what data goes into the LLM through RAG processes and ensuring IAM is linked to the data so that users can only view data they are authorized to access.
Risk Assessment and Regulation Awareness: Adapting methods to apply governance through configuration without changing code depending on region and country regulations.
User Training and Policies: Training goes a long way, but remember that your policy in a Word document protects zero data.
The Basics Are Still a Battle
Another session presented a survey of AWS customers across Asia. The results summary? Nearly 70% of AWS customers have not implemented basic AWS account protections. These are protections covered in the AWS Well-Architected Review. For a few years now I’ve questioned: Why is “root account uses MFA” a question on the WAR? Well, now I know, apparently about half of us have not implemented basic security on our AWS accounts.
RUST
Dr. Werner Vogels recently posted about some experimentation he is doing with RUST link. Rust is considered more secure than many other programming languages due to its unique features and design principles. Its ownership system ensures memory safety without a garbage collector. It prevents common bugs like null pointer dereferencing, buffer overflows, and use-after-free errors by enforcing strict memory access and management rules. Additionally, Rust's type system and ownership model facilitate writing concurrent programs that are free from data races by enforcing safe access to shared data at compile time, making it ideal for developing high-performance, multi-threaded applications securely.
Automatic Reasoning
Automatic reasoning is probably the most thought-provoking topic I picked up on at re:Inforce. It is used to reliably prove that services are secure rather than relying on traditional testing mechanisms that cannot test every possible scenario. Automated reasoning is leveraged at AWS for advanced testing and verification methods that use mathematical logic to analyze and prove properties of computer systems. It is employed for policy analysis by translating AWS policies into mathematical formulas, providing comprehensive verification by checking all possible scenarios and enabling provable security for critical components. This method offers efficiency at scale, analyzing complex systems quickly, and is applied to the formal verification of software. It is integrated into customer-facing features like IAM Access Analyzer and incorporated into AWS development processes. This approach allows AWS to offer higher levels of security assurance and more rigorous testing than traditional methods, benefiting both AWS infrastructure and its customers. I will have another article dedicated to this topic in the coming weeks.
Final Thoughts
Chris Betz, CISO of AWS, was the headliner of the keynote. Chris dedicated the majority of his time on stage with us building trust with the customer community. He spoke a great deal about the culture of security at AWS, emphasizing that security is part of everyone’s day-to-day activities and assuring customers that Enterprise GenAI is about data and that we can trust AWS with our enterprise data. I agree that AWS provides a well-rounded toolset for running and securing digital workloads. If we all implement our solutions using the platforms and best practices, our enterprise data is as safe in AWS as any other platform we can build or buy elsewhere.
re:Inforce 2024 highlighted the ever-evolving landscape of cloud security and the innovative solutions being developed to address new challenges. The focus on generative AI, the importance of foundational security practices, and cutting-edge approaches like automatic reasoning showcased AWS's commitment to advancing security for its customers. Whether you're just starting your cloud security journey or looking to deepen your expertise, re:Inforce provides invaluable insights and connections to help you secure your cloud environments effectively. I look forward to seeing how these technologies and practices continue to evolve and shape the future of cloud security.