Boston’s bustling Seaport District played host to the first-ever AWS re:Inforce 2019 cloud security conference, with over 5,000 reported attendees. Amazon Web Services set the tone of the event to be a “learning conference,” with hopes that those who attended would come away better at their jobs. In his keynote, AWS CISO Stephen Schmidt advised against the classic scare tactics usually used to sell security solutions. Instead, he focused on new AWS features designed to deliver quality of life (and security) increases for their users.

Re:Inforce Keynote Highlights

  • Business continuity and disaster recovery: The buildings housing data centers aren’t indestructible. AWS described its differentiated amount of availability zones, which includes 66 zones in 21 regions. It also announced 12 new availability zones in four AWS regions.
  • Control Tower becoming generally available: Control Tower allows users to set up and govern a multi-account AWS environment. This gives users the ability to operate within the parts of the environment they need to be while stopping them from doing things they shouldn’t.
  • Security Hub becoming generally available: Security Hub is a service that enables automated compliance checks and aggregated insights from a variety of services. This feature is the way AWS helps customers understand their security posture across many tools.
  • SecDevOps is a dirty word, and security is everyone’s job: Schmidt emphasized that everyone, not just security pros, is responsible for secure applications. Adding security as a bolt-on to the dev process is perpetuating the problem. Instead, make the application owners responsible for securing their own code and for remediating should there ever be an issue.
  • AWS is embracing Zero Trust without saying Zero Trust: Abby Fuller, principal technologist at AWS, emphasized that security is “Job Zero” for everyone. Fuller stated that limiting human access to data and workloads is paramount for security.
  • Automation is essential: Traditional security’s reliance on manual processes to get things done doesn’t translate to the cloud. Automation is essential for securing cloud workloads and handling routine security tasks. Some of this automation is native to AWS using AWS Config or AWS Lambda but extends to security automation and orchestration (or SAO) solutions like Palo Alto Networks’ Demisto, Splunk Software’s Phantom, and ServiceNow.

Partners Are Welcome And Necessary (For Now)

Throughout the conference, AWS made a point of emphasizing its partner community. Security vendors are rightly concerned about the intrusion of the “Tech Titans” into their turf. AWS insists that its partners are essential for extending capabilities, even as AWS adds more native security features. This is especially helpful for AWS customers who also have on-premises infrastructure or have a multicloud strategy and have a need for security policies, controls, and management that span all of them.

Security vendors have to take cloud security seriously and demonstrate real differentiation from the native capabilities being delivered by public cloud providers if they want to survive.

General Conference Musings

AWS kept true to its vision as a learning conference, with over 300 breakout sessions including boot camps, chalk talks, workshops, full-day hands-on labs, builder sessions, leadership sessions, “capture the flag” competitions, and a “security jam.”

Cool Details

  • Swag can be wasteful, so it was great to see donation boxes for unwanted items from the conference. Technology conferences are full of waste, and it was good to see that AWS was mindful of this. It went so far as to provide opportunities for attendees to put together hygiene care kits for the nonprofit Cradles to Crayons.

Photo credit: @chriseng

  • Inclusion: Breastfeeding privacy pods by Mamava were available throughout the conference venue.

The Not-So-Cool

  • This isn’t the safety net we were talking about: A security vendor (not AWS or a sponsor) thought it would be funny to hand out condoms attached to marketing flyers to attendees. We were unable to get a photo to post here, but it’s safe to say this was in poor taste. Metaphors aside, this swag seemed inappropriate to be handing out at a technology conference and demonstrated a high degree of tone-deafness in a time when such vendor shenanigans are frowned upon by the community.
  • A glimpse of our dystopian future: Many conference sessions were held side by side in a large conference hall. Attendees donned headsets to listen to the talks, which were color-coded to direct people to the right place. The result was something right out of a Philip K. Dick novel, with all the attendees wearing glowing headsets while sitting silently and facing screens. The “silent disco” effect was a bit creepy.

Security Pros: The Cloud Isn’t Going Away

Holding a dedicated security conference demonstrates the importance of security for the migration of applications and infrastructure to the cloud. Security was once a reason why enterprises were skeptical of cloud computing but is now one of the reasons enterprises choose cloud providers over their own data centers.

Security leaders should prepare their teams for securing cloud environments and hybrid infrastructure instead of focusing solely on the premises-based infrastructure of the past. Stop treating cloud as a “special” delivery model. It’s infrastructure, and your organization will be moving there — either all at once or little by little. Security pros are responsible for securing the transformation.

(Written with Madeline Cyr and Elsa Pikulik, Forrester senior research associates)