Organizations have many reasons to move to the cloud — efficiency, cost control, nimbleness. While security may not top the list, or determine cloud provider selection, it’s an attribute that Amazon Web Services says helps win over prospective customers.
The security posture of applications and data that customers run on AWS is “materially better than in their own on-premises infrastructure or any other cloud,” AWS CEO Adam Selipsky said Tuesday during his keynote at AWS re:Invent.
“The safety and security, the protection of your data and apps, are prerequisites for the confidence needed for the digital transformation so many companies are undergoing,” Selipsky said.
There are four elements, he said, that support the security of AWS’ cloud.
The first is foundational, where AWS infrastructure and services are designed and managed. That infrastructure, which is constantly monitored, “offers fault-isolation capabilities to improve resilience and allows encryption in all of the data flowing across the AWS network before it leaves our secured facilities,” he said.
Security is also woven into the development phase for organizations writing code for applications and services on AWS, Selipsky said. “Builders no longer have to trade off security with speed. On AWS, building securely is the path of least resistance,” he said.
The next layer contributing to the security of AWS is through cloud security products and features the company has built to help organizations identify, remediate and remove vulnerabilities and threats in their applications.
This includes products for automated security checks and vulnerability management, data discovery and protection, a managed DDoS protection service and threat detection via Amazon GuardDuty.
“We’ve taken our security learnings and your feedback to build machine learning models that intelligently continuously monitor and identify hard-to-detect threats, often a lot faster than other security products,” Selipsky said.
AWS earlier this year expanded GuardDuty’s purview to detect threats within managed Kubernetes environments, and that’s now being extended to include container runtime threat detection.
This feature will detect threats from software running inside a container by monitoring operating system-level behavior, such as file access, process execution and network connections.
“It can detect an attempt to access underlying compute nodes and obtain an instance’s credentials or identify a container that’s trying to communicate with the malicious actors' command and control server,” Selipsky said.
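To make the kind of runtime detection described above concrete, here is an added example that is not AWS or GuardDuty code: a small detector that runs over constructed container runtime events (process execution, file access, network connections) and flags the two behaviors the keynote names, a container reaching for the instance's credentials and a container talking to a command-and-control host. The event schema, the container names and the `KNOWN_C2` blocklist are assumptions invented for the illustration; `169.254.169.254` is the real EC2 instance metadata address.

```python
"""Illustrative container-runtime detector over constructed telemetry.

Added example, not AWS or GuardDuty code. The event schema, container
names and the C2 blocklist are assumptions chosen for the illustration;
169.254.169.254 is the real EC2 instance metadata service (IMDS) address.
"""
import json
from typing import List, Optional, Tuple

IMDS_HOST = "169.254.169.254"                     # EC2 instance metadata service
CREDENTIAL_PATHS = ("/root/.aws/credentials", "/var/run/secrets/")
KNOWN_C2 = {"c2.example.invalid"}                 # constructed blocklist, not real IoCs

# Constructed sample telemetry: one JSON record per OS-level event.
SAMPLE_EVENTS = """
{"container":"web-7f9c","type":"exec","comm":"nginx","args":"nginx -g daemon off;"}
{"container":"web-7f9c","type":"connect","comm":"curl","dst_host":"169.254.169.254","dst_port":80}
{"container":"api-12ab","type":"file_open","comm":"cat","path":"/root/.aws/credentials"}
{"container":"api-12ab","type":"connect","comm":"python3","dst_host":"c2.example.invalid","dst_port":443}
{"container":"web-7f9c","type":"connect","comm":"nginx","dst_host":"db.internal","dst_port":5432}
"""


def classify(event: dict) -> Optional[str]:
    """Return a finding name for one event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "connect" and event.get("dst_host") == IMDS_HOST:
        # A workload that suddenly talks to IMDS may be trying to obtain
        # the underlying node's instance-role credentials.
        return "InstanceCredentialAccessAttempt"
    if kind == "connect" and event.get("dst_host") in KNOWN_C2:
        return "C2Communication"
    if kind == "file_open" and any(
        event.get("path", "").startswith(p) for p in CREDENTIAL_PATHS
    ):
        return "CredentialFileRead"
    return None


def detect(lines: str) -> List[Tuple[str, str, str]]:
    """Run classify over newline-delimited JSON; return (container, comm, finding)."""
    findings = []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        finding = classify(ev)
        if finding:
            findings.append((ev["container"], ev["comm"], finding))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```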
That level of specificity reflects the company’s strategy of providing embedded security controls where it can apply its own expertise.
That strategy also leaves room for third-party vendors to sell services to AWS customers that fulfill distinct needs.
Thousands of offerings on the AWS Marketplace are integrated into AWS, including products for application security, data protection, perimeter protection, compliance, and identity and access controls.
“Companies usually employ a wide range of these services and tools to help improve their security posture,” Selipsky said.