For the first time I’ve attended the AWS Summit in Berlin, which, against my expectations, was very interesting. I don’t have much to do with AWS (at least not yet), but from a security perspective the cloud still remains a very neglected threat to companies. As we all know, there is some “rain” coming down from the cloud from time to time. And by “rain” I mean sensitive data which gets exposed due to misconfigured APIs, weak credentials or insecure applications.
Cloud trends
In this year’s keynote Dr. Werner … pointed out why everybody is moving into the cloud and how they do it. But most importantly he talked about trends the digital world is facing nowadays. I’d like to list some of them.
Data explosion
- the amount of data every company is generating or collecting is huge
- everybody wants to analyze data and get some valuable information related to their business
- the data type depends on the business case, so you might want to store media files differently than customer data, for example
- the need for a DB as a service inside the cloud is increasing
- Amazon has AWS Aurora, which is a MySQL-based DB optimized for performance and high scalability
Data warehouse everywhere
- people need to analyze data in real-time
- smart automatic data analysis helps you understand your data
- AWS Redshift is the data warehouse you may want to use
Analytics
- based on the available data people want to do data analysis with real-time input
- people also want to make predictions about how their business might evolve based on data generated in the past
Different ways to compute things
- depending on where and how they want to serve their application, people choose different ways to run it
- you might choose between:
  - virtual machines
  - containers (yes, docker again)
  - functions (AWS Lambda which IMHO is very powerful)
Deep security everywhere
- when Werner talked about security he tried to separate the layers security can be applied to
- in general there is this thing “move fast vs stay secure”
- AWS does have some security:
  - network separation
  - default data encryption
  - compliance rules that can be applied to resources
Everything is mobile
- mobile clients dominate the market
- there is a need for developers to test their apps against as many devices as possible
- using AWS Device Farm the developers can choose from a variety of devices to test the app against
- AWS Mobile Hub helps you automate the app development process in the cloud
Everything is connected
- yes, IoT is indeed a threat
- there are a lot of Industry 4.0 companies using the cloud to aggregate data from sensors and control the actuators
Hybrid
- “make the best of both worlds”
Security
As previously mentioned, the main goal was to identify the main security threats in the cloud architecture. Dave Walker gave an excellent talk about Securing serverless architectures. Driven by “bad things could happen, when people get creative”, operational security is being taken seriously inside AWS. A few attack vectors were shown along with the corresponding countermeasures. In general he distinguished between different layers:
- application layer
- API
  - this also includes the AWS API Gateway
- in-band attacks
  - DoSing the AWS components
- cross-account access
  - read more in Cross-Account Access in the AWS Management Console
  - more details at the AWS Security Roadshow this year but I couldn’t find any materials on that
- lambda functions
  - functions applied to user-supplied input
  - read more in AWS Lambda - Security and Control
Use cases
Among the companies already using AWS (Siemens, Air Berlin, ProSiebenSat1, Dubsmash), I really enjoyed the Air Berlin talk, in which Michael Ruplitsch talked about their process of moving stuff into the cloud:
- motivation
  - competition
  - cost efficiency
  - new distribution channels
  - personalized flight search
  - digital transformation
- lessons learned
  - do not underestimate the “cloud migration”
  - educate and train involved parties
  - plan or confirm concept with AWS approved partner
  - take care of governance, change and release management
  - cross monitoring
Berliner Philharmoniker
Bitdefender
SoundCloud
Microservices
Since AWS seems to love microservices, Microservices on AWS was a really nice introduction. Implementing your own microservice and bringing it to the cloud was then presented by Julien Simon in Clustering Docker on AWS with Amazon ECR & ECS.