Skip to content

Posts tagged ‘Amazon Web Services’

Jul 3

How To Improve Channel Sales With AI-Based Knowledge Sharing Networks

How To Improve Channel Sales With AI-Based Knowledge Sharing Networks

Bottom Line: Knowledge-sharing networks have been improving supply chain collaboration for decades; it’s time to enhance them with AI and extend them to resellers to revolutionize channel selling with more insights.

The greater the accuracy and speed of supply chain-based data integration and knowledge, the greater the accuracy of custom product orders. Add to that the complexity of selling CPQ and product configurations through channels, and the value of using AI to improve knowledge sharing networks becomes a compelling business case.

Why Channels Need AI-Based Knowledge Sharing Networks Now

Automotive, consumer electronics, high tech, and industrial products manufacturers are combining IoT sensors, microcontrollers, and modular designs to sell channel-configurable smart vehicles and products. AI-based knowledge-sharing networks are crucial to the success of their next-generation products. Likewise, to sell to any of these manufacturers, suppliers need to be pursuing the same strategy. AI-based services, including Amazon Alexa, Microsoft Cortana, and Google Voice and others, rely on knowledge-sharing networks to collaborate with automotive supply chains and strengthen OEM partnerships. The following graphic reflects how successful Amazon’s Alexa Automotive OEM sales team is at using knowledge-sharing networks to gain design wins across their industry.

The following are a few of the many reasons why creating and continually fine-tuning an AI-based knowledge-sharing network is an evolving strategy worth paying attention to:

  • Supply chains are the primary source of knowledge that must permeate an organization’s structure and channels for the company to stay synchronized to broader market demands. For CPQ channel selling strategies to thrive, they need real-time pricing, availability, available-to-promise, and capable-to-promise data to create accurate, competitive quotes that win deals. The better the supplier collaboration across supply chains and with channel partners, the higher the probability of selling more. A landmark study of the Toyota Production System by Professors Jeffrey H Dyer & Kentaro Nobeoka found that Toyota suppliers value shared data more than cash, making knowledge sharing systems invaluable to them (Dyer, Nobeoka, 2000).
  • Smart manufacturing metrics also need to be contributing real-time data to knowledge sharing systems channel partners use, relying on AI to create quotes for products that can be built the fastest and are the most attractive to each customer. Combining manufacturing’s real-time monitoring data stream of ongoing order progress and production availability with supply chain pricing, availability, and quality data all integrated to a cloud-based CPQ platform gives channel partners what they need to close deals now. AI-based knowledge-sharing networks will link supply chains, manufacturing plants, and channel partners to create smart factories that drive more sales. According to a recent Capgemini study, manufacturers are planning to launch 40% more smart factories in the next five years, increasing their annual investments by 1.7 times compared to the previous three years, according to their recent Smart factories @ scale Capgemini survey. The following graphic illustrates the percentage growth of smart factories across key geographic regions, a key prerequisite for enabling AI-based knowledge-sharing networks with real-time production data:
  • By closing the data gaps between suppliers, manufacturing, and channels, AI-based knowledge-sharing networks give resellers the information they need to sell with greater insight. Amazon’s Alexa OEM marketing teams succeeded in getting the majority of design-in wins with automotive manufacturers designing their next-generation of vehicles with advanced electronics and AI features. The following graphic from Dr. Dyer’s and Nobeoka’s study defines the foundations of a knowledge-sharing network. Applying AI to a mature knowledge-sharing network creates a strong network effect where every new member of the network adds greater value.
  • Setting the foundation for an effective knowledge sharing network needs to start with platforms that have AI and machine learning designed in with structure that can flex for unique channel needs. There are several platforms capable of supporting AI-based knowledge-sharing networks available, each with its strengths and approach to adapting to supply chain, manufacturing, and channel needs. One of the more interesting frameworks not only uses AI and machine learning across its technology pillars but also takes into consideration that a company’s operating model needs to adjust to leverage a connected economy to adapt to changing customer needs. BMC’s Autonomous Digital Enterprise (ADE) is differentiated from many others in how it is designed to capitalize on AI and Machine Learning’s core strengths to create innovation ecosystems in a knowledge-sharing network. Knowledge-sharing networks thrive on continuous learning. It’s good to see major providers using adaptive and machine learning to strengthen their platforms, with BMC’s Automated Mainframe Intelligence (AMI) emerging as a leader. Their approach to using adaptive learning to maintain data quality during system state changes and link exceptions with machine learning to deliver root cause analysis is prescient of where continuous learning needs to go.  The following graphic explains the ADE’s structure.

Conclusion

Knowledge-sharing networks have proven very effective in improving supply chain collaboration, supplier quality, and removing barriers to better inventory management. The next step that’s needed is to extend knowledge-sharing networks to resellers and enable knowledge sharing applications that use AI to tailor product and service recommendations for every customer being quoted and sold to. Imagine resellers being able to create quotes based on the most buildable products that could be delivered in days to buying customers. That’s possible using a knowledge-sharing network. Amazon’s success with Alexa design wins shows how their use of knowledge-sharing systems helped to provide insights needed across automotive OEMs wanted to add voice-activated AI technology to their next-generation vehicles.

References

BMC, Maximizing the Value of Hybrid IT with Holistic Monitoring and AIOps (10 pp., PDF).

BMC Blogs, 2019 Gartner Market Guide for AIOps Platforms, December 2, 2019

Cai, S., Goh, M., De Souza, R., & Li, G. (2013). Knowledge sharing in collaborative supply chains: twin effects of trust and power. International journal of production Research51(7), 2060-2076.

Capgemini Research Institute, Smart factories @ scale: Seizing the trillion-dollar prize through efficiency by design and closed-loop operations, 2019.

Columbus, L, The 10 Most Valuable Metrics in Smart Manufacturing, Forbes, November 20, 2020

Jeffrey H Dyer, & Kentaro Nobeoka. (2000). Creating and managing a high-performance knowledge-sharing network: The Toyota case. Strategic Management Journal: Special Issue: Strategic Networks, 21(3), 345-367.

Myers, M. B., & Cheung, M. S. (2008). Sharing global supply chain knowledge. MIT Sloan Management Review49(4), 67.

Wang, C., & Hu, Q. (2020). Knowledge sharing in supply chain networks: Effects of collaborative innovation activities and capability on innovation performance. Technovation94, 102010.

 

Jun 22

Debunking The Myth That Greater Compliance Makes IT More Secure

Debunking The Myth That Greater Compliance Makes IT More Secure

Bottom Line:  Excelling at compliance doesn’t protect any business from being hacked, yet pursuing a continuous risk management strategy helps.

With a few exceptions (such as spearphishing), cyberattacks are, by nature, brutally opportunistic and random. They are driven to disrupt operations at best and steal funds, records, and privileged access credentials at worst. Conversely, the most important compliance event of all, audits, are planned for, often months in advance. Governance, Risk, and Compliance (GRC) teams go to Herculean efforts to meet and exceed audit prep timelines working evenings and weekends.

Wanting to learn more about the relationship between GRC and cybersecurity strategy, I searched for webinars on the topic. I found Improve Your Compliance Posture with Identity-Centric PAM, a recent webinar-on-demand offered by Centrify. The webinar brought up several interesting insights, including shared pains companies experience with compliance and cybersecurity, yet require drastically different approaches to solving them.

Rationalizing Compliance Spending with Cybersecurity

The truth is organizations are attempting to rationalize the high costs of compliance by looking for how GRC spend can also improve cybersecurity. This is a dangerous assumption, as Marriott’s third breach indicates. Marriott is an excellently managed business and sets standards in compliance. Unfortunately, that hasn’t thwarted three breaches they’ve experienced.

Why are organizations assuming GRC spending will improve cybersecurity? It’s because both areas share a common series of pains that require different solutions, according to the webinar. These pains include:

  • Updates to regulations are exponentially increasing today, averaging 200 or more per day from approximately 900 oversight agencies worldwide, leading to a quickly changing, heterogeneous landscape. Dr. Torsten George, Cybersecurity Evangelist at Centrify, said that when he worked in the GRC space, the midsize clients he worked with had to deal with 17 different regulations. Larger organizations that operate on a global basis are dealing with, on average, 70 or more regulations they need to stay in compliance with. Dr. George provided an overview of the compliance landscape, differentiating between the levels compliance requirements every organization needs to abide by, which is shown below:
  • Compliance is, by nature, reactive to a known event (audit), while cybersecurity is also entirely reactive to random events (cyberattacks). GRC teams need to ramp up their staff and equip them with the apps and tools they need at least six months before an audit. For cybersecurity, the threat is random and will most likely be more severe in terms of financial loss. Preparing for each takes entirely different strategies.
  • The lack of continuous risk monitoring by GRC teams and identity management by IT cybersecurity leads to systemic failures in achieving compliance and securing an organization. The webinar makes an excellent point that for compliance to succeed, it needs to be based on continuous risk management, not just checking off the boxes or categories of a given GRC approach. The same holds for cybersecurity. Identity-Centric Privileged Access Management (PAM) provides GRC and IT professionals mutual benefits when it comes to achieving the mission of being and staying compliant, and shows how securing enterprises drive better compliance, not vice versa.
  • Manually updating compliance mapping tables showing the interrelationships of requirements by industry is not scaling – and leaving gaps in GRC coverage. The more regulated a business is, for example manufacturing medical products, the more important it is to automate every aspect of compliance. A great place to start is automating the process of creating mapping tables. Taking a manual approach to creating mapping tables comparing standards often leads to errors and gaps. And in highly regulated industries like medical products manufacturing, the accuracy, speed, and scale of staying compliant can be turned into a competitive advantage, leading to more sales.

How To Resolve The Conflict Between GRC and Cybersecurity Spending

According to the webinar, 80% of today’s data breaches are caused by default, weak, stolen, or otherwise compromised credentials. GRC and cybersecurity strategies’ best efforts need to be put on securing privileged access first. The webinar makes a strong argument for prioritizing privileged access security as the initiative that can unify GRC and cybersecurity strategies.

Key insights from the webinar include the following:

  • Industry standards and government regulations are calling for identity and access management as a requirement, with several specifically naming privilege access controls.
  • Identity-Centric Privileged Access Management (PAM) approaches help meet compliance mandates, while at the same time hardening cybersecurity to the threat surface level.
  • Attaining greater compliance by taking an Identity-Centric PAM approach ensures machines have secured identities as well, and the use of anonymous access accounts is limited to break-glass scenarios only, while organizations should otherwise be leveraging enterprise directory identities for the authentication and authorization process.
  • Improving accountability and segmentation by establishing granular security controls and auditing everything helps bridge the gap between GRC and cybersecurity initiatives.
Debunking The Myth That Greater Compliance Makes IT More Secure

Conclusion

Continuous risk management is key to excelling at compliance, just as securing privileged access credentials is foundational to an effective cybersecurity strategy. Dr. Torsten George ended the webinar saying, “In the long term, I believe that the current situation that we’re dealing with and its associated spike of cyber-attacks will lead to even stricter compliance mandates; especially when it comes to secure remote access by key IT stakeholders and outsourced IT.” The bottom line is that compliance and cybersecurity must share the common goal of protecting their organizations’ privileged access credentials using adaptive approaches and technologies if both are going to succeed.

 

 

Dec 20

Centrify’s Tim Steinkopf On How To Think Like A Cybersecurity CEO

Centrify’s Tim Steinkopf On How To Think Like A Cybersecurity CEO

Tim Steinkopf is CEO at Centrify, where he leads the management, strategic direction, and execution of the company’s vision. Tim initially joined Centrify as Chief Financial Officer in October 2011 and took over as CEO in January 2019. Before Centrify, he held CFO positions at Secure Computing Corporation (acquired by McAfee), SumTotal Systems, Purfresh, and Silicon Entertainment. Tim has also held executive and management positions with Watt/Peterson and Ernst & Young.

Under Tim’s leadership, Centrify is only one of five cybersecurity companies with six or more years on Inc.’s annual list of America’s 5000 fastest-growing private companies. Centrify’s many honors include being awarded Gartner Peer Insights Customer’s Choice 2019 award earlier this year.

Tim is also a member of the Forbes Tech Council, and his latest article, Five Skills Necessary To Transition From CFO to CEO, shares how the lessons he learned from serving as a CFO for over two decades prepared him for the role of CEO. He says the one clear key attribute of CFOs is the ability to apply a metrics-driven approach to all facets of a business. The ability to orchestrate initiatives, programs, and strategies across the many departments of a company and have them all contribute to the metrics that define organizational success is vital and provides CFOs invaluable training in their progression to leading a company.

I had the opportunity to sit down with Tim recently for an executive Q&A to learn how Centrify is separating itself from the pack in crowded cybersecurity space, under his leadership and in partnership with private equity investor Thoma Bravo:

Louis:            Centrify is only one of five cybersecurity companies with six or more years on Inc.’s annual list of America’s 5000 fastest-growing private companies. What are the most effective growth strategies that also deliver strong profitability today that keep Centrify growing?

Tim:                I’m going to break this into two pieces because I think there’s a difference between growth versus profitability.

On the growth side, you can only attain the Inc. 5000 ranking by looking at a cumulative period of time. So, it isn’t that we’ve just grown for six years, it’s that we’ve had the ability to sustain growth over a rolling four-year period. To maintain placement on that list, we’ve had to excel at the details of how we serve our customers. It is quite an accomplishment and congratulations to all the current and former Centrify employees who were involved in that.

The real driver is our history of innovation. Centrify has always been an innovator, and we’ve always paid attention to our market, our drivers, and what our customers are saying. We’re trying to be a step or two ahead of our customers. If you’re able to do that, and you’re able to continue to innovate, then you can drive additional adoption of your solution set, and continue to drive growth.

Profitability does go hand in hand, but it’s slightly different because now you’re talking about effective, efficient growth. As CFO, I always had an eye on ROI and how to put capital, resources, and additional headcount to use, such that we could drive growth. Then you often ask yourself if you are driving it as efficiently as possible. And that’s where making the right kind of bets in technology for running and growing the business make a difference. It’s also about deploying into the correct markets so that you can land and then sustain growth.

Louis:            In a previous interview, you mentioned the need for balanced metrics and change management strategies. Would you like to comment on those aspects of being a CEO?

Tim:                It all comes down to the role of the CEO, leading a company to accomplish its goals. CEOs report to the board of directors, who ultimately set the goals for any company. And when you’re a CEO, you want to do everything possible to get to those goals. Knowing how the different parts of the company run and knowing where and how to allocate resources and change management all contributes to achieving the company’s goals.

Louis:            How has Thoma Bravo, after becoming the majority investor in Centrify, helped your company pursue new partner, product, and service initiatives?

Tim:               TB is known for placing winning bests, and investing in Centrify is a real feather in our cap. It’s seen by partners, prospects, and customers as a vote of confidence. We’ve been in business for over 15 years, are perennially in the Gartner Magic Quadrant, a leader in the Forrester Wave, and a leader in the channel as recognized by Computer Reseller news. We’ve got our own pedigree, and that’s great. Then you add on the fact that TB is a majority investor, and our reputation is even stronger.

Regarding product and service initiatives, TB spends a lot of time and effort on each investment, and they have a great track record, specifically in InfoSec and cybersecurity. They came in and said, “Hey, our investment thesis is to take Centrify and split it into two companies, where each will have a better ability to focus and compete, and that will drive more efficient resource allocation, and growth opportunities.” Centrify current iteration formed as a result of the investment thesis being implemented, and we’re excelling in our chosen market.

Louis:            Gartner Peer Insights awarded Centrify with the 2019 Customer’s Choice recognition recently. What do you attribute your customers’ success to, and their willingness to share their stories online on forums include Gartner’s Peer Insights and others? They’re so critical to sale cycles right now.

Tim:                Customer references are so important, and this is where we have to give credit to the greater Centrify organization. We have a customer-centric attitude, and that is why our customers are willing to speak up, which gives us the opportunity to compete and win awards, including Customer’s Choice 2019 and others.

Behind the scenes, it includes building and delivering a solid solution set combined with services. Once our solution is installed, we work quickly and in close collaboration with our customers to make sure it’s working and meeting their requirements. We view every customer relationship as a partnership, and how we implement our identity-centric PAM solutions for them is essential to a successful journey for them. We measure our success by our customers’ results, and if they are achieving their goals.

Louis:            Privileged Access Management (PAM) shows potential in 2020 as a growth market. What are Centrify’s plans to capitalize on this market momentum?

Tim:                That’s absolutely the market we’re in and serving customers with solutions for today. Going back 10 to 15 years, legacy approaches to PAM were thought of only in terms of password vaulting. We’ve strived to stay in step with our customers, as they’ve shown us that deploying a vault-only approach to PAM is not enough. They need to move beyond the vault and move to an identity-centric approach.

When organizations deploy a vault-only solution, they’re enabling login with shared admin or root accounts, and so that is a generic approach that is not identity-centric. Centrify’s solution helps organizations to centralize authentication and have their employees request access to specific resources with specific privilege elevation rights while also tracking all activity for audits, compliance, forensics, and regulatory purposes. Our customers place a high value on all of these aspects of our solution as it provides non-repudiation across their environments and better protects resources against cyberthreats.

The real potential for growth are the drivers moving PAM beyond the vault. It’s becoming more identity-centric, with a least privilege access approach. That message is resonating across the industry, and people get it. The biggest driver is the fact that 80% of the breaches are occurring because privileged credentials are getting compromised. Since they’re not identity-centric, too much privilege exists, which means the attack surface is greater, and it continues to get breached.

Louis:            What are the most challenging aspects of being CEO of a fast-growing cyber security company today?

Tim:                The most challenging aspects of being a CEO are the most exciting. One of the most energizing is competing in a very dynamic market. That’s what motivates me and why I’ve been in tech a long time.

Advances in technology drive the market, and it motivates companies, customers, and investors to take advantage of those advances and drive their business forward. At Centrify, our core focus is to capitalize on technology gains to help our customers achieve their goals by bringing new products to market. These include cloud, Infrastructure-as-a-Service (IaaS), machine learning, and other key strategic technologies. We’re always interested in utilizing new technologies, as the bad actors are also doing their own development of new ways to compromise our customers and their systems. They are looking for the weakest link.

We are completely committed to what we’re doing to stay ahead of those bad actors. Since technology continues to evolve and change, it makes the industry/market very dynamic.

Louis:            When you visit with Centrify customers, what’s the most interesting feedback you’re hearing from them?

Tim:                Our customer is normally the infrastructure and/or security people and teams. Who we primarily interact with is determined by the structure of a given customer’s organization. The people deploying, running, and supporting the networks and IT environments, who are responsible for those areas, are who we primarily work with.

The one common theme we hear from them is that they’re just trying to keep up. They look to us for help doing that, specifically how they can make privileged access management more efficient and effective across their organizations. Our customers look to Centrify so they can capitalize on our decades of expertise and complete commitment to providing privileged access management solutions that scale with their business.

They all know that it only takes one compromised, privileged credential to ruin their day, affecting millions of customers and costing hundreds of thousands (or millions) of dollars. One of our challenges in helping our customers is to help them face the challenge of educating upwards in their organizations as to the importance of having the proper tools for cybersecurity.

Louis:            When you get invited into a prospect’s bake-off to compare PAM vendors, why does Centrify win? And how do you proceed into a Proof of Concept following winning a bake-off?

Tim:                The number one reason we win is because we have a strong vision around identity-centric privileged access management. In addition, many organizations are undergoing digital transformations, and the majority of organizations have a hybrid IT and cloud environment. This includes on-premises, hybrid cloud and multi-cloud environments, and ephemeral environments. The ability to manage all of those different aspects with a central approach to identity is much more efficient and effective in the long run.

We see customers looking to make this their ongoing infrastructure deployment strategy, which will set them up for the future. That, and having a more encompassing solution set that addresses their greatest security risks are how we are differentiating today.

Louis:            Your customer base appears to have a robust multi-cloud strategy, combining AWS, Microsoft Azure, and Google Cloud Platform. What’s a major challenge many are facing when migrating to cloud, and what does the future look like in terms of securing their identity and privileged access?

Tim:                Multi-cloud didn’t really shape our strategy because we are based on a central repository for identity. Implicit in that approach is having everybody log in as themselves while providing them the freedom to do their jobs. And when it comes to least privileged access, we focus on allowing just enough access to every member to get their work done, while tracking every login to ensure compliance.

We’ve always supported that vision with an architecture that would span on-premises and cloud systems because nobody is going to completely do multi-cloud overnight. It’s a journey that begins by recognizing the business need for a hybrid IT environment that includes multi-cloud integration and platforms.

Our architecture is based on a cloud-based privileged access service that connects to wherever our customer’s identity store is. Through the use of cloud connectors, we can provide centralized identity and privileged access into your workloads running within a Virtual Private Cloud (VPC). We find most customers have multiple VPCs and their architected to be generic, which reflects the fact our customers end up with more than one infrastructure as a service platform provider. We’re able to handle that and provide privileged access management across all those environments.

It’s the strength of our privileged access service and our cloud connectors give our customers the option of selecting a thin client that deploys on their workloads within different VPCs, and then comes back to the service and communicates with various connected identity stores. It’s designed to be a very efficient architecture, and it plays well in ephemeral, quickly-changing elastic environments to support the requirements and scale needs of the business. Our architecture flexes and provides identity and privileged access management across their unique cloud and on-premise system configurations.

 

Nov 30

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 60% of security and IT professionals state that security is the leading challenge with cloud migrations, despite not being clear about who is responsible for securing cloud environments.
  • 71% understand that controlling privileged access to cloud service administrative accounts is a critical concern, yet only 53% cite secure access to cloud workloads as a key objective of their cloud Privileged Access Management (PAM) strategies.

These and many other fascinating insights are from the recent Centrify survey, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments, downloadable here. The survey is based on a survey of over 700 respondents from the United States, Canada, and the UK from over 50 vertical markets, with technology (21%), finance (14%), education (10%), government (10%) and healthcare (9%) being the top five. For additional details on the methodology, please see page 14 of the study.

What makes this study noteworthy is how it provides a candid, honest assessment of how enterprises can make cloud migrations more secure by a better understanding of who is responsible for securing privileged access to cloud administrative accounts and workloads.

Key insights from the study include the following:

  • Improved speed of IT services delivery (65%) and lowered total cost of ownership (54%) are the two top factors driving cloud migrations today. Additional factors include greater flexibility in responding to market changes (40%), outsourcing IT functions that don’t create competitive differentiation (22%), and increased competitiveness (17%). Reducing time-to-market for new systems and applications is one of the primary catalysts driving cloud migrations today, making it imperative for every organization to build security policies and systems into their cloud initiatives.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Security is the greatest challenge to cloud migration by a wide margin. 60% of organizations define security as the most significant challenge they face with cloud migrations today. One in three sees the cost of migration (35%) and lack of expertise (30%) being the second and third greatest impediments to cloud migration project succeeding. Organizations are facing constant financial and time constraints to achieve cloud migrations on schedule to support time-to-market initiatives. No organization can afford the lost time and expense of an attempted or successful breach impeding cloud migration progress.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • 71% of organizations are implementing privileged access controls to manage their cloud services. However, as the privilege becomes more task-, role-, or access-specific, there is a diminishing interest of securing these levels of privileged access as a goal, evidenced by only 53% of organizations securing access to the workloads and containers they have moved to the cloud. The following graphic reflects the results.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • An alarmingly high 60% of organizations incorrectly view the cloud provider as being responsible for securing privileged access to cloud workloads. It’s shocking how many customers of AWS and other public cloud providers are falling for the myth that cloud service providers can completely protect their customized, highly individualized cloud instances. The native Identity and Access Management (IAM) capabilities offered by AWS, Microsoft Azure, Google Cloud, and others provide enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to adequately address the more challenging, complex areas of IAM and Privileged Access Management (PAM) in hybrid or multi-cloud environments, however. For an expanded discussion of the Shared Responsibility Model, please see The Truth About Privileged Access Security On AWS and Other Public Clouds. The following is a graphic from the survey and Amazon Web Services’ interpretation of the Shared Responsibility Model.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

 

  • Implementing a common security model in the cloud, on-premises, and in hybrid environments is the most proven approach to making cloud migrations more secure. Migrating cloud instances securely needs to start with Multi-Factor Authentication (MFA), deploying a common privileged access security model equivalent to on-premises and cloud systems, and utilizing enterprise directory accounts for privileged access. These three initial steps set the foundation for implementing least privilege access. It’s been a major challenge for organizations to do this, particularly in cloud environments, as 68% are not eliminating local privilege accounts in favor of federated access controls and are still using root accounts outside of “break glass” scenarios. Even more concerning, 57% are not implementing least privilege access to limit lateral movement and enforce just-enough, just-in-time-access.

How To Excel At Secured Cloud Migrations With A Shared Responsibility Model

  • When it comes to securing access to cloud environments, organizations don’t have to re-invent the wheel. Best practices from securing on-premises data centers and workloads can often be successful in securing privileged access in cloud and hybrid environments as well.

Conclusion

The study provides four key takeaways for anyone working to make cloud migrations more secure. First, all organizations need to understand that privileged access to cloud environments is your responsibility, not your cloud providers’. Second, adopt a modern approach to Privileged Access Management that enforces least privilege, prioritizing “just enough, just-in-time” access. Third, employ a common security model across on-premises, cloud, and hybrid environments. Fourth and most important, modernize your security approach by considering how cloud-based PAM systems can help to make cloud migrations more secure.

Aug 25

The Truth About Privileged Access Security On AWS And Other Public Clouds

 

Bottom Line: Amazon’s Identity and Access Management (IAM) centralizes identity roles, policies and Config Rules yet doesn’t go far enough to provide a Zero Trust-based approach to Privileged Access Management (PAM) that enterprises need today.

AWS provides a baseline level of support for Identity and Access Management at no charge as part of their AWS instances, as do other public cloud providers. Designed to provide customers with the essentials to support IAM, the free version often doesn’t go far enough to support PAM at the enterprise level. To AWS’s credit, they continue to invest in IAM features while fine-tuning how Config Rules in their IAM can create alerts using AWS Lambda. AWS’s native IAM can also integrate at the API level to HR systems and corporate directories, and suspend users who violate access privileges.

In short, native IAM capabilities offered by AWS, Microsoft Azure, Google Cloud, and more provides enough functionality to help an organization get up and running to control access in their respective homogeneous cloud environments. Often they lack the scale to fully address the more challenging, complex areas of IAM and PAM in hybrid or multi-cloud environments.

The Truth about Privileged Access Security on Cloud Providers Like AWS

The essence of the Shared Responsibility Model is assigning responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities to AWS and assign the securing of operating systems, platforms, and data to customers. The AWS version of the Shared Responsibility Model, shown below, illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations as the customers’ responsibility:

AWS provides basic IAM support that protects its customers against privileged credential abuse in a homogenous AWS-only environment. Forrester estimates that 80% of data breaches involve compromised privileged credentials, and a recent survey by Centrify found that 74% of all breaches involved privileged access abuse.

The following are the four truths about privileged access security on AWS (and, generally, other public cloud providers):

  1. Customers of AWS and other public cloud providers should not fall for the myth that cloud service providers can completely protect their customized and highly individualized cloud instances. As the Shared Responsibility Model above illustrates, AWS secures the core areas of their cloud platform, including infrastructure and hosting services. AWS customers are responsible for securing operating systems, platforms, and data and most importantly, privileged access credentials. Organizations need to consider the Shared Responsibility Model the starting point on creating an enterprise-wide security strategy with a Zero Trust Security framework being the long-term goal. AWS’s IAM is an interim solution to the long-term challenge of achieving Zero Trust Privilege across an enterprise ecosystem that is going to become more hybrid or multi-cloud as time goes on.
  2. Despite what many AWS integrators say, adopting a new cloud platform doesn’t require a new Privileged Access Security model. Many organizations who have adopted AWS and other cloud platforms are using the same Privileged Access Security Model they have in place for their existing on-premises systems. The truth is the same Privileged Access Security Model can be used for on-premises and IaaS implementations. Even AWS itself has stated that conventional security and compliance concepts still apply in the cloud. For an overview of the most valuable best practices for securing AWS instances, please see my previous post, 6 Best Practices For Increasing Security In AWS In A Zero Trust World.
  3. Hybrid cloud architectures that include AWS instances don’t need an entirely new identity infrastructure and can rely on advanced technologies, including Multi-Directory Brokering. Creating duplicate identities increases cost, risk, and overhead and the burden of requiring additional licenses. Existing directories (such as Active Directory) can be extended through various deployment options, each with their strengths and weaknesses. Centrify, for example, offers Multi-Directory Brokering to use whatever preferred directory already exists in an organization to authenticate users in hybrid and multi-cloud environments. And while AWS provides key pairs for access to Amazon Elastic Compute Cloud (Amazon EC2) instances, their security best practices recommend a holistic approach should be used across on-premises and multi-cloud environments, including Active Directory or LDAP in the security architecture.
  4. It’s possible to scale existing Privileged Access Management systems in use for on-premises systems today to hybrid cloud platforms that include AWS, Google Cloud, Microsoft Azure, and other platforms. There’s a tendency on the part of system integrators specializing in cloud security to oversell cloud service providers’ native IAM and PAM capabilities, saying that a hybrid cloud strategy requires separate systems. Look for system integrators and experienced security solutions providers who can use a common security model already in place to move workloads to new AWS instances.

Conclusion

The truth is that Identity and Access Management solutions built into public cloud offerings such as AWS, Microsoft Azure, and Google Cloud are stop-gap solutions to a long-term security challenge many organizations are facing today. Instead of relying only on a public cloud provider’s IAM and security solutions, every organization’s cloud security goals need to include a holistic approach to identity and access management and not create silos for each cloud environment they are using. While AWS continues to invest in their IAM solution, organizations need to prioritize protecting their privileged access credentials – the “keys to the kingdom” – that if ever compromised would allow hackers to walk in the front door of the most valuable systems an organization has. The four truths defined in this article are essential for building a Zero Trust roadmap for any organization that will scale with them as they grow. By taking a “never trust, always verify, enforce least privilege” strategy when it comes to their hybrid- and multi-cloud strategies, organizations can alleviate costly breaches that harm the long-term operations of any business.

Aug 7

AWS Certifications Increase Tech Pay Up To $12K A Year

AWS Certifications Increase Tech Pay Up To $12K A Year

  • AWS and Google certifications are among the most lucrative in North America, paying average salaries of $129,868 and $147,357 respectively.
  • Cross-certifying on AWS is providing a $12K salary bump to IT professionals who already have Citrix and Red Hat/Linux certifications today
  • Globally, four of the five top-paying certifications are in cloud computing.

These and many other insights of which certifications provide the highest salaries by region of the world are from the recently published Global Knowledge 2019 IT Skills and Salary ReportThe report is downloadable here (27 pp., PDF, free, opt-in). The methodology is based on 12,271 interviews across non-management IT staffs (29% of interviews), mid-level professionals including managers and team leads (43%), and senior-level and executive roles (28%) across four global regions. For additional details regarding the study’s methodology, please see page 24 of the report.

Key insights from the report include the following:

  • Cross-certifying on AWS is providing a $12K salary bump to IT professionals who already have Citrix and Red Hat/Linux certifications. Citrix certifications pay an average salary of $109,546 and those earning an AWS certification see a $12,339 salary bump on average. Red Hat/Linux certification-based jobs pay an average of $113,165 and are seeing an average salary bump of $12,553.  Cisco-certified IT professionals who gain AWS certification increase their salaries on average from $101,533 to $111,869, gaining a 10.2% increase. The following chart compares the salary bump AWS certifications are providing to IT professionals with seven of the more popular certifications (please click on the graphic to expand for easier reading).

  • AWS and Google certifications are among the most lucrative in North America, paying average salaries of $129,868 and $147,357 while the most popular are cybersecurity, governance, compliance, and policy. 27% of all respondents to Global Knowledge’s survey have at least one certification in this category. Nearly 18% are ITIL certified. In North American, the most popular certification categories beyond cybersecurity are CompTIA, Microsoft, and Cisco. The following table from the report provides an overview of salary by certification category (please click on the graphic to expand for easier reading).

  • AWS Certified Solutions Architect – Associate is the most popular AWS certification today, with 72% of respondents having achieved its requirements. Certified Solutions Architect – Associate leads the top five most commonly held AWS certifications today according to the survey. AWS Certified Developer – Associate (33%), AWS Certified SysOps Administrator – Associate (24%), AWS Certified Solutions Architect – Professional (16%) and AWS Certified Cloud Practitioner round out the top five most common AWS certifications across the 12,271 global respondents to the Global Knowledge survey.

Aug 5

10 Charts That Will Change Your Perspective Of Amazon’s Patent Growth

10 Charts That Will Change Your Perspective Of Amazon's Patent Growth

  • Since 2010 Amazon has grown its patent portfolio from less than 1,000 active patents in 2010 to nearly 10,000 in 2019, a ten-fold increase in less than a decade.
  • Amazon heavily cites Microsoft, IBM, and Alphabet, with 39%, 32% and 28% of Amazon’s total Patent Asset Index
  • Amazon’s patent portfolio is dominated by Cloud Computing, with the majority of the patents contributing to AWS’ current and future services roadmap. AWS achieved 41% year-over-year revenue growth in the latest fiscal quarter, reaching $7.6B in revenue.

Patents are fascinating because they provide a glimpse into potential plans, and roadmaps tech companies are considering. Amazon has one of the most interesting patent portfolios today that encompass a wide spectrum of technologies, from aircraft technology, drones, cloud computing, to machine learning. Interested in learning more about Amazon’s unique patent portfolio, I contacted PatentSight, a LexisNexis company, one of the leading providers of patent analytics and provider of the PatentSight analytics platform used for creating the ten charts shown below.

  • Amazon patents grew at a Compound Annual Growth Rate (CAGR) of above 35% between 2010 and 2019. PatentSight’s analysis shows that Amazon’s patent portfolio has increased tenfold in the last decade, and is comprised entirely of organic patents with only a small percentage gained from acquisitions. PatentSight also finds that Amazon’s patents have a falling average quality as measured by their Competitive Impact score shown on the vertical axis of the chart below. As Amazon’s patent portfolio has grown, there has been a downward trend of quality. William Mansfield, Head of Consulting and Customer Success at LexisNexis PatentSight explains why. “To maintain a high quality when growing the portfolio is difficult, as each patent would need to be equally as good as or better than the previous,” he said. Mr. Mansfield’s analysis found that Amazon’s portfolio has an average Competitive Impact of 2 today, double the PatentSight database average of 1.

  • Amazon’s patent portfolio is unique in that 100% of it is protected in the U.S. “The protection strategy of Amazon is also uncommon. While it can be the case that US firms tend to be US-centric, Amazon is an extreme case,” said William Mansfield. It’s surprising how many Amazon patents are active only in the USA (86%) and invented in the USA and active only in the USA (81%). William explained that “one factor for this US-centricity could be the great acceptance of software patents in the USA, we do also see high US-only filing for other tech giants, but are a level of around 60% vs. Amazon’s 86%.”

  • PatentSight found that the majority of the Amazon portfolio falls in the 2nd decile of Competitive Impact (top 20% – 10%). Comparable technology-based organizations have a higher density of patents in the top 10% of Competitive Impact, which is another unusual aspect regarding Amazon’s patent growth. “This is unusual compared to other big tech companies which have more in the top 10%, it could be Amazon is holding onto more lower value assets than required,” William Mansfield remarked.

  • Amazon’s patent citations most often cite Microsoft, IBM, and Alphabet, with 39%, 32% and 28% of Amazon’s total Patent Asset Index. Interesting that PatentSight’s analysis finds the reciprocal is not the case. A much smaller percentage of companies cite Amazon in return. This can be attributed to a few other firms having the breadth and depth of patent development that Amazon does today.  PatentSight found that less than 10% of their respective portfolios even mention Amazon.  William Mansfield explains that “one factor here is the larger size of these companies, vs. Amazon. However, even in absolute terms, Microsoft and IBM cite Amazon much less than the other way round. However, citation value is close to equal in absolute terms between Amazon and Alphabet.”

  • Relying on patents to keep AWS’ rapid growth going appears to be Amazon’s high priority patent strategy today. As can be seen from the portfolio below, Cloud Computing patents dominate Amazon’s patent portfolio today. In the latest fiscal quarter ending March 31, 2019, AWS delivered $7.9B in revenue and$2.2B in operating income, growing 41% year-over-year. “Amazon’s ongoing developments in alternative delivery methods in Urban Logistics and Drones are noteworthy with Drones being one area of particular strength in the portfolio as seen from the high Competitive Impact, despite the smaller portfolio size,” notes William Mansfield.

  • Amazon’s prioritization of cloud computing, AI, and machine learning patents is evident when 18 years of patent history is compared. The proliferation of AI and machine learning-based services on the AWS platform is apparent in the trend line starting in 2014. The success of Amazon’s SageMaker machine learning platform is a case in point. Amazon SageMaker enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at scale.

  • Amazon is already one of the top 10 patent holders in Drone technology, just behind Alphabet and Toyota Motors. PatentSight defines Drone technology as encompassing aviation, autonomous robots, and autonomous driving. Amazon’s rapid ascent in this area is attributable to the logistics and supply chain efficiencies possible when Drones and their related technologies are applied to their supply chain’s more complex challenges.

  • PatentSight finds that FinTech is an area of long-standing strength in the Amazon patent portfolio, attribute to their payment systems being the backbone of their e-commerce business. Reflecting how diverse their business model has become, Amazon is now one of the top 15 patent holders in this area due to cloud computing, AI, and machine learning taking precedence. “FinTech is a highly competitive field with many established players, and while Amazon is not in the top 10, but top 15 players, it’s still an impressive achievement,” said William Mansfield.

  • Amazon’s patent portfolio in speech recognition encompasses Alexa, its related patents, and Amazon Lex, an AWS service used for creating conversational interfaces for applications. Alphabet, Apple, Microsoft, and Samsung are patent leaders, according to PatentSight’s analysis. The fact that Amazon is in the top 10 speaks to the level of activity and patent production going on in the Alexa research and development and product teams.

  • Amazon’s patent strategy is eclectic yet always anchored to cloud computing to make AWS the platform of choice. The following selected patens reflect how broad the Amazon patent portfolio is. What each share in common is a reliance on AWS as the platform to ensure service consistency, reliability, and scale. An example of this is their patents Video Game Streaming.

Apr 15

The State Of Cloud Business Intelligence, 2019

  • An all-time high 48% of organizations say cloud BI is either “critical” or “very important” to their operations in 2019.
  • Marketing & Sales place the greatest importance on cloud BI in 2019.
  • Small organizations of 100 employees or less are the most enthusiastic, perennial adopters and supporters of cloud BI.
  • The most preferred cloud BI providers are Amazon Web Services and Microsoft Azure.

These and other insights are from Dresner Advisory Services’ 2019 Cloud Computing and Business Intelligence Market Study. The 8th annual report focuses on end-user deployment trends and attitudes toward cloud computing and business intelligence (BI), defined as the technologies, tools, and solutions that rely on one or more cloud deployment models. What makes the study noteworthy is the depth of focus around the perceived benefits and barriers for cloud BI, the importance of cloud BI, and current and planned usage.

“We began tracking and analyzing the cloud BI market dynamic in 2012 when adoption was nascent. Since that time, deployments of public cloud BI applications are increasing, with organizations citing substantial benefits versus traditional on-premises implementations,” said Howard Dresner, founder, and chief research officer at Dresner Advisory Services. Please see page 10 of the study for specifics on the methodology.

Key insights gained from the report include the following:

  • An all-time high 48% of organizations say cloud BI is either “critical” or “very important” to their operations in 2019. Organizations have more confidence in cloud BI than ever before, according to the study’s results. 2019 is seeing a sharp upturn in cloud BI’s importance, driven by the trust and credibility organizations have for accessing, analyzing and storing sensitive company data on cloud platforms running BI applications.

  • Marketing & Sales place the greatest importance on cloud BI in 2019. Business Intelligence Competency Centers (BICC) and IT departments have an above-average interest in cloud BI as well, with their combined critical and very important scores being over 50%. Dresner’s research team found that Operations had the greatest duality of scores, with critical and not important being reported at comparable levels for this functional area. Dresner’s analysis indicates Operations departments often rely on cloud BI to benchmark and improve existing processes while re-engineering legacy process areas.

  • Small organizations of 100 employees or less are the most enthusiastic, perennial adopters and supporters of cloud BI. As has been the case in previous years’ studies, small organizations are leading all others in adopting cloud BI systems and platforms.  Perceived importance declines only slightly in mid-sized organizations (101-1,000 employees) and some large organizations (1,001-5,000 employees), where minimum scores of important offset declines in critical.

  • The retail/wholesale industry considers cloud BI the most important, followed by technology and advertising industries. Organizations competing in the retail/wholesale industry see the greatest value in adopting cloud BI to gain insights into improving their customer experiences and streamlining supply chains. Technology and advertising industries are industries that also see cloud BI as very important to their operations. Just over 30% of respondents in the education industry see cloud BI as very important.

  • R&D departments are the most prolific users of cloud BI systems today, followed by Marketing & Sales. The study highlights that R&D leading all other departments in existing cloud BI use reflects broader potential use cases being evaluated in 2019. Marketing & Sales is the next most prolific department using cloud BI systems.

  • Finance leads all others in their adoption of private cloud BI platforms, rivaling IT in their lack of adoption for public clouds. R&D departments are the next most likely to be relying on private clouds currently. Marketing and Sales are the most likely to take a balanced approach to private and public cloud adoption, equally adopting private and public cloud BI.

  • Advanced visualization, support for ad-hoc queries, personalized dashboards, and data integration/data quality tools/ETL tools are the four most popular cloud BI requirements in 2019. Dresner’s research team found the lowest-ranked cloud BI feature priorities in 2019 are social media analysis, complex event processing, big data, text analytics, and natural language analytics. This years’ analysis of most and least popular cloud BI requirements closely mirror traditional BI feature requirements.

  • Marketing and Sales have the greatest interest in several of the most-required features including personalized dashboards, data discovery, data catalog, collaborative support, and natural language analytics. Marketing & Sales also have the highest level of interest in the ability to write to transactional applications. R&D leads interest in ad-hoc query, big data, text analytics, and social media analytics.

  • The Retail/Wholesale industry leads interest in several features including ad-hoc query, dashboards, data integration, data discovery, production reporting, search interface, data catalog, and ability to write to transactional systems. Technology organizations give the highest score to advanced visualization and end-user self-service. Healthcare respondents prioritize data mining, end-user data blending, and location analytics, the latter likely for asset tracking purposes. In-memory support scores highest with Financial Services respondent organizations.

  • Marketing & Sales rely on a broader base of third party data connectors to get greater value from their cloud BI systems than their peers. The greater the scale, scope and depth of third-party connectors and integrations, the more valuable marketing and sales data becomes. Relying on connectors for greater insights into sales productivity & performance, social media, online marketing, online data storage, and simple productivity improvements are common in Marketing & Sales. Finance requiring integration to Salesforce reflects the CRM applications’ success transcending customer relationships into advanced accounting and financial reporting.

  • Subscription models are now the most preferred licensing strategy for cloud BI and have progressed over the last several years due to lower risk, lower entry costs, and lower carrying costs. Dresner’s research team found that subscription license and free trial (including trial and buy, which may also lead to subscription) are the two most preferred licensing strategies by cloud BI customers in 2019. Dresner Advisory Services predicts new engagements will be earned using subscription models, which is now seen as, at a minimum, important to approximately 90% of the base of respondents.

  • 60% of organizations adopting cloud BI rank Amazon Web Services first, and 85% rank AWS first or second. 43% choose Microsoft Azure first and 69% pick Azure first or second. Google Cloud closely trails Azure as the first choice among users but trails more widely after that. IBM Bluemix is the first choice of 12% of organizations responding in 2019.

Apr 14

Public Cloud Soaring To $331B By 2022 According To Gartner

Gartner is predicting the worldwide public cloud services market will grow from $182.4B in 2018 to $214.3B in 2019, a 17.5% jump in just a year. Photo credit: Getty

  • Gartner predicts the worldwide public cloud service market will grow from $182.4B in 2018 to $331.2B in 2022, attaining a compound annual growth rate (CAGR) of 12.6%.
  • Spending on Infrastructure-as-a-Service (IaaS) is predicted to increase from $30.5B in 2018 to $38.9B in 2019, growing 27.5% in a year.
  • Platform-as-a-Service (PaaS) spending is predicted to grow from $15.6B in 2018 to $19B in 2019, growing 21.8% in a year.
  • Business Intelligence, Supply Chain Management, Project and Portfolio Management and Enterprise Resource Planning (ERP) will see the fastest growth in end-user spending on SaaS applications through 2022.

Gartner’s annual forecast of worldwide public cloud service revenue was published last week, and it includes many interesting insights into how the research firm sees the current and future landscape of public cloud computing. Gartner is predicting the worldwide public cloud services market will grow from $182.4B in 2018 to $214.3B in 2019, a 17.5% jump in just a year. By the end of 2019, more than 30% of technology providers’ new software investments will shift from cloud-first to cloud-only, further reducing license-based software spending and increasing subscription-based cloud revenue.

The following graphic compares worldwide public cloud service revenue by segment from 2018 to 2022. Please click on the graphic to expand for easier reading.

Comparing Compound Annual Growth Rates (CAGRs) of worldwide public cloud service revenue segments from 2018 to 2022 reflects IaaS’ anticipated rapid growth. Please click on the graphic to expand for easier reading.

Gartner provided the following data table this week as part of their announcement:

  • Business Intelligence, Supply Chain Management, Project and Portfolio Management and Enterprise Resource Planning (ERP) will see the fastest growth in end-user spending on SaaS applications through 2022.  Gartner is predicting end-user spending on Business Intelligence SaaS applications will grow by 23.3% between 2017 and 2022.  Spending on SaaS-based Supply Chain Management applications will grow by 21.2% between 2017 and 2022. Project and Portfolio Management SaaS-based applications will grow by 20.9% between 2017 and 2022. End-user spending on SaaS ERP systems will grow by 19.2% between 2017 and 2022.

Sources: Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17.5 Percent in 2019 and Forecast: Public Cloud Services, Worldwide, 2016-2022, 4Q18 Update (Gartner client access)

Jan 13

6 Best Practices For Increasing Security In AWS In A Zero Trust World

  • Amazon Web Services (AWS) reported $6.6B in revenue for Q3, 2018 and $18.2B for the first three fiscal quarters of 2018.
  • AWS revenue achieved an impressive 46% year-over-year net sales growth between Q3, 2017 and Q3, 2018 and 49% year-over-year growth for the first three quarters of the year.
  • AWS’ 34% market share is bigger than its next four competitors combined with the majority of customers taken from small-to-medium sized cloud operators according to Synergy Research.
  • The many announcements made at AWS Re:Invent this year reflect a growing focus on hybrid cloud computing, security, and compliance.

Enterprises are rapidly accelerating the pace at which they’re moving workloads to Amazon Web Services (AWS) for greater cost, scale and speed advantages. And while AWS leads all others as the enterprise public cloud platform of choice, they and all Infrastructure-as-a-Service (IaaS) providers rely on a Shared Responsibility Model where customers are responsible for securing operating systems, platforms and data.  In the case of AWS, they take responsibility for the security of the cloud itself including the infrastructure, hardware, software, and facilities. The AWS version of the Shared Responsibility Model shown below illustrates how Amazon has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations  as the customers’ responsibility:

Included in the list of items where the customer is responsible for security “in” the cloud is identity and access management, including Privileged Access Management (PAM) to secure the most critical infrastructure and data.

Increasing Security for IaaS in a Zero Trust World

Stolen privileged access credentials are the leading cause of breaches today. Forrester found that 80% of data breaches are initiated using privileged credentials, and 66% of organizations still rely on manual methods to manage privileged accounts. And while they are the leading cause of breaches, they’re often overlooked — not only to protect the traditional enterprise infrastructure — but especially when transitioning to the cloud.

Both for on-premise and Infrastructure-as-a-Service (IaaS), it’s not enough to rely on password vaults alone anymore. Organizations need to augment their legacy Privileged Access Management strategies to include brokering of identities, multi-factor authentication enforcement and “just enough, just-in-time” privilege, all while securing remote access and monitoring of all privileged sessions. They also need to verify who is requesting access, the context of the request, and the risk of the access environment. These are all essential elements of a Zero Trust Privilege strategy, with Centrify being an early leader in this space.

6 Ways To Increase Security in AWS

The following are six best practices for increasing security in AWS and are based on the Zero Trust Privilege model:

  1. Vault AWS Root Accounts and Federate Access for AWS Console

Given how powerful the AWS root user account is, it’s highly recommended that the password for the AWS root account be vaulted and only used in emergencies. Instead of local AWS IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login. By doing so, you obviate the need for long-lived access keys.

  1. Apply a Common Security Model and Consolidate Identities

When it comes to IaaS adoption, one of the inhibitors for organizations is the myth that the IaaS requires a unique security model, as it resides outside the traditional network perimeter. However, conventional security and compliance concepts still apply in the cloud. Why would you need to treat an IaaS environment any different than your own data center? Roles and responsibilities are still the same for your privileged users. Thus, leverage what you’ve already got for a common security infrastructure spanning on-premises and cloud resources. For example, extend your Active Directory into the cloud to control AWS role assignment and grant the right amount of privilege.

  1. Ensure Accountability

Shared privileged accounts (e.g., AWS EC2 administrator) are anonymous. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements centrally from Active Directory, mapping roles, and groups to AWS roles.

  1. Enforce Least Privilege Access

Grant users just enough privilege to complete the task at hand in the AWS Management Console, AWS services, and on the AWS instances. Implement cross-platform privilege management for AWS Management Console, Windows and Linux instances.

  1. Audit Everything

Log and monitor both authorized and unauthorized user sessions to AWS instances. Associate all activity to an individual, and report on both privileged activity and access rights. It’s also a good idea to use AWS CloudTrail and Amazon CloudWatch to monitor all API activity across all AWS instances and your AWS account.

  1. Apply Multi-Factor Authentication Everywhere

Thwart in-progress attacks and get higher levels of user assurance. Consistently implement multi-factor authentication (MFA) for AWS service management, on login and privilege elevation for AWS instances, or when checking out vaulted passwords.

Conclusion

One of the most common reasons AWS deployments are being breached is a result of privileged access credentials being compromised. The six best practices mentioned in this post are just the beginning; there are many more strategies for increasing the security in AWS.  Leveraging a solid Zero Trust Privilege platform, organizations can eliminate shared Amazon EC2 key pairs, using auditing to define accountability to the individual user account level, execute on least privilege access across every login, AWS console, and AWS instance in use, enforce MFA and enable a common security model.

« Older Entries