Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tim McConnaughy (00:13):
Hello and welcome to another episode of the Cables to Clouds Fortnightly News. And, as always, I'm Tim McConnaughy, @1Golbez on Twitter. I went back to Twitter. I'm still on Bluesky as well, but, yeah. And with me, as always, is my cohost, Chris Miles, who's at BGV main on both, right?
Chris Miles (00:36):
On both. Yeah, I don't, I don't... Are we going back?
Tim McConnaughy (00:40):
Now.
Chris Miles (00:40):
Is that what we have to do? Well?
Tim McConnaughy (00:42):
Yeah, I've been going back and forth and, honestly, it's still got problems, lots of them. I feel like every other post is a bot post or an OnlyFans something or other. I don't know if that's the algorithm or whatever, but, yeah, it still feels like that. It seems like every single tweet...
Chris Miles (01:01):
I see the first reply is asking Grok if it's real. That's the other one.
Tim McConnaughy (01:08):
Every reply is "@Grok, is this a real thing?" or "@Grok, what movie is this?" or "@Grok, whatever." I was like, geez, this is literally dead internet theory. Anyway, not to make this episode about that, but yeah. Anyway. So let's jump right into the news. So the big news that happened really recently, actually just in the last couple of days, is that HPE and Juniper have been given the go-ahead, or sorry, HPE has been given the go-ahead by the Department of Justice to acquire Juniper at $40 a share, so about $14 billion, and the big difference, or the change that allowed this to move forward, are two things. One is that Juniper has to divest itself of the Instant On branch and wireless portfolio, which, I'll be honest, I barely even remember. Instant On, I barely even remember Instant On. I don't know if it's like a Ubiquiti thing or whatnot?
Chris Miles (02:08):
Yeah, I think it's like a small/medium business type thing.
Tim McConnaughy (02:11):
Yeah, so that's a weird one, but okay. But the big one is, so part of the Mist AIOps technology has to be licensable from Juniper or HPE. I guess HPE now will have to make some of the, and it's not clear how much or what part of the Mist AIOps stuff has to now be offered as a licensing deal from HPE. So that was the big one. So, given those two concessions, I guess, now HPE is able to buy Juniper. And I was telling Chris, before we hit record, that my financial advisor, literally two days before this was announced, had just told me, hey, let's get out of HPE because this deal is stalled and we can make more money elsewhere. So that's life, that's the stock market for you and that's life. Yeah, that's interesting. Oh my God, January 9th 2024 is when this was originally announced. I can't believe it's been that long.
Chris Miles (03:16):
Yeah, the interesting piece. I mean, maybe your financial advisor isn't wrong. Maybe you should wait to see what happens after this mandatory auction of the Mist source code, right. So I think that's the open item here: if they go through with this kind of licensing of the source code, who knows who's going to be able to get access to it, right. So I think we kind of went through this a bit, in that the main reason we thought that this was even being acquired by HPE was for the Mist AIOps technology, right, that was kind of the meat of it, right. And if that is the part that has to basically be put out, the source code put out to a license, you know, Cisco could buy it. Any number of the competitors could buy it. Don't know to what degree they would want to integrate it based on their existing portfolio and their existing technology, et cetera. But, I don't know, like, on one hand I could see like, oh, this is huge. You know, Cisco could buy it and then it would just be a completely level playing field. But I don't think that Cisco would buy this and be able to integrate it at any degree. So it's like I think the idea is to level the playing field, but no one would go through the effort of that. At least from my perspective.
Tim McConnaughy (04:42):
Yeah, I think that's true. So I think the word bearing all of the weight is "limited access." Limited access, so what does that really mean? What is the limited access? It's probably not the whole source code, right, it's going to be some piece of the technology, but what piece and how much? I think, because that's going to answer the question of who would really... Already I'm with you, I don't think Cisco. Cisco's got the, what is it, Deep Network or whatever, that they're working on their own model, which probably is built on Splunk's data. So yeah, I'm with you on that. I don't think the big players would probably truly license it for real reasons, maybe competitive intelligence or something. Yeah, I think the question is how much? What does limited really mean in this context?
Chris Miles (05:31):
Yeah, 100%.
Tim McConnaughy (05:32):
Okay, and then the other big piece of news was, of course, that AWS re:Inforce just finished. Now, honestly, I wasn't able to keep up with re:Inforce at all this year. I know, Chris, you did quite a bit of watching on the keynotes and all of that, so you want to tell us a little bit about what happened this year at re:Inforce?
Chris Miles (05:55):
Yeah, sure. So, for those that don't know, AWS re:Inforce is kind of the much smaller sister event to re:Invent, which is really all focused on security, right. So it's basically held, I think it's in, it was held in DC. I think it's typically in DC. Philly this year? Oh, Philly this year, okay, but yeah. So I watched a few of the keynotes and I watched some of the sessions as well, just to kind of stay up to date. And there were definitely some themes that I saw coming out from this particular re:Inforce. They kind of went back to talking about the traditional stuff about, you know, security usually slows down innovation, et cetera. So it needs to be directly integrated and easy to consume, et cetera, not kind of stifle that innovation piece. But then they also talked about how, from what they've seen, they being AWS, companies with a more mature security practice in place are able to actually adopt generative AI a bit faster than other companies. So, kind of reinforcing the importance on security: if that kind of foundational element is there, then you should be able to consume AI at a faster pace than typical enterprises or businesses, et cetera. They wanted to reinforce that security should become a competitive advantage and not a cost center. I mean, I don't know. I feel like any kind of conference you go to, whatever is the theme, whether it be a networking conference or a security conference, they're going to be like, we need to stop being a cost center. At the end of the day, you're probably still a fucking cost center. I don't think you ever get away from that, in the grand scheme of things. But there was some interesting stuff that they talked about in regard to Comcast. Comcast, you know, they have this cybersecurity team with thousands of people, and their AI adoption has kind of increased a lot of their security findings over the last, I'd say, last year, I guess, and apparently they're building tons of AI bots for things like threat modeling. It's contributed to a good deal of their patents that they've published as well, which I thought was quite interesting. And I think they have this kind of like seven-year North Star type strategy to get everything adopting AI. And that's where the challenge came in of security being this cost center, whereas it should be used for innovation, et cetera. So I think there was a strong emphasis as well on proactive security rather than reactive security, and leveraging AI, obviously, to do all that. AI is obviously going to be kind of peppered into everything. So that was kind of my overall rub of the general theme of the conference. So, yeah, it was quite interesting.
Tim McConnaughy (09:00):
Yeah, I saw that they put out a whole list of, kind of, well, I don't know if it's a whole list, to be honest, I'm not sure if it's exhaustive, but certainly the top new announcements from re:Inforce, and going through the list, all I can think of is, you know, there's a lot of third-party CSPM tools that should probably be very nervous about this trend. I mean, this is the thing, though: if you are a non-CSP provider of services to CSP customers, you really need to be paying attention to your moat, and by moat, of course, what I mean is what makes you differentiated from the CSP. I mean moat in the traditional business sense. Basically, what is the thing you are defending, the IP, the use case, whatever that is that makes your company essentially viable as a company. And I'm saying that with my own self-awareness that I work for a company that also offers, you know, kind of third-party services on the CSPs, but that's something that's been top of mind, right, for us as well, because the CSPs are going to continue to innovate and to bring new services, and it's going to be based on, in my experience, it's been based on two things, right: who's asking for it? Right. And then how much money is involved, which makes perfect sense, right? If you're a CSP, or if you're any kind of business, really? I mean, Cisco does the same thing, like every company that offers something to customers is asking the same questions, right? Who wants it and how much are they willing to pay for it? So, anyway, let's go through some of the announcements here, actually, and you'll kind of see what I'm talking about. Let's see, the first one here is "Unify your security with AWS Security Hub for risk prioritization and response at scale." This is a preview feature. This was announced and this is in preview, but it seems like it's just a, and we'll have, of course, all the links to the stuff in the show notes. So there's some visuals here, there's some workflows and whatnot that you'll want to go through and take a look at yourself, but the basic idea of the Security Hub seems to be that it is a, what do they call it? Because there's so many of these. I don't know if it's a CSPM itself, but it's basically a threat correlator/analyzer that surfaces insights from other services.
Chris Miles (11:21):
My takeaway is that this is kind of like a SOAR. SOAR, that's right, SOAR, mixed with some CSPM capabilities in it as well. It's, yeah, like you said, it's kind of ingesting these threat discovery things from different services they're running on AWS and kind of correlating all that together and, you know, building this kind of map for you and offering remediation techniques, et cetera.
Tim McConnaughy (11:48):
Yeah, it specifically mentions GuardDuty, Inspector, Macie and AWS Security Hub CSPM. So I don't know if that's what they're calling it, "AWS Security Hub CSPM." But I'm with you, I agree, more of a SOAR, really, because of the orchestration of all the security feeds and surfacing of the... So, like I said, take a look at the threat, the visuals that go along with this. Again, we'll have the posts and you can really get an idea of what they're talking about when we're talking about ingesting the feeds and surfacing the insights and giving you kind of that overall view of your network, not network, sorry, your cloud environment, just kind of based on all of those services. So, of course, it also means that the value of this service is going to be based on how many of the other AWS security feed services you are leveraging, right, like Macie and Inspector. So there is kind of, you know, tongue in cheek there. It is going to be as useful as how many AWS security feeds you're already bringing into it, right? Yeah?
Chris Miles (12:58):
Definitely. Let's see what else we see announced here. So yeah, next up, let's talk about a couple of features that we saw talked about specifically around AWS Network Firewall. So one thing that they also touched on was something that is called, what is it? I always bury the names in these things. You can never actually find what it's called. Active Threat Defense for AWS Network Firewall. So basically, if you can think of the AWS managed rules that you have within AWS Network Firewall, or even something like a WAF, where basically there's common things, the common exploits, et cetera, that are well-defined in a rule set that AWS manages, and you just basically invoke that and use it on your traffic, this is kind of the same thing, except typically they call out that customers are commonly looking for third-party threat feeds to pull in sources of threat intel, et cetera, and so this looks like they've enabled that to run with their own threat intelligence system, which is called MadPot, which I think they've been using for quite a while. I think they started this around 2010 or something like that. So basically kind of the same thing. You have these active threat feeds that are managed by AWS in conjunction with MadPot, and you have to do things like deep packet inspection, et cetera, on the traffic for this to really take effect. They have something called deep threat inspection built into this as well, which is labeled as collective defense, and it enables shared threat intelligence, improving protection for active threat managed rule group users. So I don't know if that means it's shared. That one kind of confused me. I couldn't really tell if that means it's shared amongst other organizations, or just shared in terms that AWS manages. I wasn't really sure about that. I don't think your specific data is going to be shared between rule sets or anything like that, but I think the data that is ingested and learned by, the data you push through, could potentially be used for another customer, I suppose. Yeah, I think that's what that comes back to. I agree.
Tim McConnaughy (15:12):
I think it's anonymized. I mean, and I think Cisco has been doing, like a lot of other companies have been doing this, right, and not using the data for threat intelligence to find zero days and stuff like that, right. So that's not unusual.
Chris Miles (15:25):
And it would make sense because it's an opt-in feature, right. When you enable the service, you literally just check a box that says opted in, so I don't think it's anything more specific than that. Obviously, this comes at a price. Starting out, it looks like you're going to pay about half a cent per gigabyte that you use these specific rules, so kind of leaning towards things like IPS, et cetera, in this kind of service with AWS's own threat feed. Yeah, we talked about this before we hit record, and obviously turning on certain things like this usually impacts performance, but with this being an auto-scaled service enabled by things like AWS Hyperplane, et cetera, I wonder if this really does have any impact on that, especially since they're charging you for it, right? So they probably want you to funnel as much as you can through this thing, because you're definitely going to pay the piper at the end of the day, right? So, yeah, that was a new one that was added. I thought that was pretty cool. Anything to add there, Tim?
Tim McConnaughy (16:29):
Yeah, so it does mention, and, as you pointed out, for deep packet inspection to work, obviously this thing sets itself up as a TLS proxy as well, which is where we would expect the big performance hit to come. It also mentions at the very end, it's a little bit of a buried lede because it kind of leaves some questions: "Another consideration is the mitigation of false positives. When you use this managed rule group in your firewall policy, you can edit the rule group alert settings to help identify false positives as part of a mitigation strategy," and there's a whole thing about mitigating false positives. So remember that this is a threat feed, like a threat intelligence thing. So, depending on what your business is doing and, you know, maybe your homegrown applications or whatever that be, it's possible, and they point this out, that like, oh, by the way, as you're pushing data through here, whatever you're doing might light this thing up like a Christmas tree and be perfectly safe, but so, by the way, at the very end you might want to do some work on making sure that you know how to mitigate these false positives. So that's it. Otherwise, yeah, this is just one more piece. One question I did have, that was a little very tongue-in-cheek, was I was thinking of that report from CyberRatings earlier. I was like, is this going to be an extra percent on the ratings? I guess we'll see next year what CyberRatings has to say, we'll see if they play nice.
Chris Miles (17:57):
Another real quick one that they announced around AWS Network Firewall was the enablement of AWS Transit Gateway native integration, which on the surface you'd probably say, AWS Network Firewall is a native service and already natively integrated. But typically when you'd want to deploy AWS Network Firewall you would have to, essentially, either you could put it in every single VPC, which a lot of customers do if they are willing to pay that particular price for it, but what most customers would do is put that into a dedicated security VPC which kind of hangs off of your TGW and is either used for all your east-west inspection or north-south inspection, et cetera. This actually removes the need for that, which totally makes sense under the hood. Like, I'm kind of surprised they didn't do this sooner. But basically, as you're creating a network firewall, you can just natively attach it to a TGW. So you're not creating a VPC, you're not creating endpoints, you're not doing all this stuff, you're not updating route tables, et cetera. It's just a native integration, which is really cool and probably gonna be removing quite a bit of complexity, I would imagine, which means that the people that are typically managing complex stuff have one less job to do, which is not great for us, but it seems to be that's where they're leaning. So I just thought this was kind of a cool feature that they added. I wonder if they'll end up adding this type of integration for third parties, but I highly doubt it because it's AWS. But we'll see. Anything to add there, Tim?
Tim McConnaughy (19:35):
No, that's it. I agree, I mean, it's in the cloud's, it's in the CSP's best interest to lower complexity, because that's literally the value prop of native, right. So I get it. This, and I agree with you, this is like way long in coming, like, you know, considering the actual work to build an inspection VPC and build the network endpoint, or the firewall endpoints, and orchestrate the route tables and all that. There was literally no reason AWS couldn't just have, and they did now, right, make it completely transparent to the users. So will this drive adoption? I am interested. Same reason as before, I'm thinking of that CyberRatings report and some other things. You know, at the end of the day, it doesn't matter how useful, you know, how easy it is to get traffic to a firewall if it's not effective. But I don't know. Like we'll see, like are people finding that the firewall is effective? That's one thing I still haven't heard. So what I think we'll see is more adoption and, hopefully, with more adoption, we'll see more data on how effective AWS Network Firewall, the native integration, is. I think this piece with the TGW is just an ease of use, an uplift for usability, to drive adoption, but I think it's ultimately going to be a good thing.
Chris Miles (20:50):
And we should probably add to this that the announcement specifically calls out that this has no effect on the existing pricing. So it's not more expensive and it's not cheaper, but it does solve some of the complexity under the hood.
Tim McConnaughy (21:05):
Okay, so here's another new one. This is interesting. This is another one in preview, and this one is called AWS Shield. It's funny because it's called AWS Shield. I was looking at this, we were talking about this beforehand. It's called AWS Shield, or they've now named it officially AWS Shield, but before that it was, either before that or they're still calling it, the Network Security Director. It's actually AWS Shield Network Security Director. It's a preview feature and it's basically, what would you call it? It's like CSPM, basically, for your network is kind of what it is, right. I could agree, yeah. Yeah, it's made to scan your network deployment in AWS and first of all identify holes, like that you've been permissive or that you have allowed, like maybe your security groups or TGW or something. It mentions specifically like, oh, you left your CloudFront distribution connected open to public, and stuff like that. So it goes through your environment, finds network problems but also maps them, this is the part where the real value comes in, maps them to known security vulnerabilities, exploits, problems. So think of the thing we just talked about a little while ago with the Security Hub, and then make this like, it's a little bit like that, but it's specifically focused on all the network implementation stuff, so like WAF, CloudFront, TGW, security groups, all that good stuff. So again, this is another one where we're going to have the links in the show notes, because there's a lot of visuals that are with this to kind of visualize for you what that looks like. What does the Security Director, sorry, what does the Network, the AWS Shield Director, look like? Because there's a lot of questions that I can't really explain very well in a voice, but if you look at the screenshots it'll kind of answer the questions about, like, what is the value? What does this do for you? What does this find for you? Yeah, so another one where I really feel like they're really coming after third-party type of things that do this today.
Chris Miles (23:20):
Yeah, I think this is obviously a relatively cool feature in that you can basically just tell it what resources to scan. From that perspective, like you said, it'll even do security groups, EC2 instances, things like that. But I feel like this is AWS, like they're releasing new things that are useful, but they're doing it in a very AWS way as well, where they can't help but release like five or six different products that still all kind of do the same thing. Like there's still not a lot of clarity for me around when you would specifically go to this versus that.
Tim McConnaughy (23:59):
Right, the security...
Chris Miles (24:00):
Yeah, exactly. Like, why you couldn't remediate something with this versus with another product, right? So the waters are still muddy, and this isn't really AWS's fault necessarily. You know, this is a very complex topic sometimes, so sometimes it's necessary. But if you were relatively new to the industry, I would feel for you very much, because you would probably read these and be like, what the hell, these all do the same thing. Yeah, so it's, you know, very, very small details built into this. A lot of them build out these kind of, you know, maps, which are very useful, kind of mapping, you know, this service then talks to this and this. So, you know, known exploits here and there. You know, there's even severities, you know, whether they're critical or low priority, et cetera. But yeah, it's like all of it's still slightly confusing to me. But, like you said, eventually we'll see if this gets used. If it doesn't, they'll axe it and then we'll never see it again, but we'll see. It's a very AWS thing.
Tim McConnaughy (25:04):
I feel like AWS, I think I've heard, actually, that the people at AWS are incentivized to, through their customer obsession, essentially create new services, like new things for their customers to use, and I feel like there's a little bit of the, there's also a little bit of shipping the org chart here, where, you know, like these people are working on things and the products that they're shipping essentially match the organization charts, meaning, like, you know, you're having these different orgs coming up with these different things, and anyway. So I think that's got to be part of why we have these, because you would think, what I would have thought, is that you would take this functionality and just put it in this thing, the SOAR, you know, the Security Hub that already has all of the other threat intelligence and feeds that are coming into it for surfacing of vulnerabilities. But yeah, so we will see. Time will tell on how this is differentiated, and it's also possible, I don't know, it depends on what's in here. Maybe there's just too much in here to put it in the other one, I don't know, right. I do feel like it's more about shipping the org chart in that case than about truly differentiated services. And then there's one more on top of this to point out, which is the, hold on, I just had it: the IAM Access Analyzer. So this one is similar to the others, except it's focused on IAM and it does exactly what you think it would do. It goes through all of your IAM roles, resources and services for overly permissive IAM access. So I know there are entire products, third-party products, that are probably going to be, unless they're multi-cloud products, which they probably are, are going to be in trouble. But yeah, so there's not a lot to say about the IAM Access Analyzer. It's pretty short, actually, but the idea is go find overly permissive guidelines, or overly permissive access, rather, surface it and then remediate it. It's pretty short and sweet, actually.
Chris Miles (27:13):
Yeah, I mean, like you said, there's a lot of products that exist out there that do this today. So this is potentially going to majorly impact those that are using those services, under the assumption that AWS can do this any better. To your point, the products out there that probably do this from a third-party perspective are probably multi-cloud, and their consumers are probably multi-cloud, so switching whole hog to this is not really an option. But, you know, that's the thing. That's the problem with being multi-cloud. Right, the organization is going to automatically determine what level of complexity and, you know, number of tools that they are willing to use to get the same job done in different environments, right? So, I mean, looking at the pricing, I'll be honest, I don't know how their competitors would typically price this stuff out, but it seems like AWS charges for this not based on the IAM roles, but based on the resources, the ones they're looking at. Yeah, so this could, I mean, I guess you're going to have way more IAM roles. I don't know, actually, that's a good question. I don't know if typically customers would have more IAM roles or more resources. I can honestly think of examples where it would be, you know, one or the other. Like, I know customers that have built millions of IAM roles, or you'd probably want a product like this to clean all this shit up. And I also know companies that have, you know, done very strict IAM roles that are not, you know, kind of bountiful in quantity, I should say. So I guess it depends. But I mean, if you're single-cloud AWS, I don't see why you wouldn't use this. It seems relatively cheap to do so. Yeah, it seems a bit like a no-brainer. Another thing that kind of surprised me it took this long to come to the table, if I'm being honest. Let's see.
Tim McConnaughy (29:07):
So yeah, let's do one more. So there's a new one about, oh gosh, sorry, I got them all mixed up on my screen here, Certificate Manager. So Amazon now has expanded ACM, Certificate Manager, so that you can export. Finally. I honestly didn't, I'll be completely honest, I don't use ACM very much and I didn't realize you couldn't do this before. But now you have the ability to actually export your certificates from ACM for use in other locations, right, on-prem, other clouds, wherever you would need the ability to leverage that certificate. Before, I guess you could only do it for AWS resources. Big, big, big deal, I would think, because, again, I always thought you could do that. Yeah, I wonder what we were doing before. Actually, now I'm kind of scratching my head. I guess you just weren't, you were using Certificate Manager to manage certificates you already had generated elsewhere, and then you were only generating from ACM for AWS resources, I guess, maybe.
Chris Miles (30:13):
Yeah, I mean, there's benefit to both sides of this, right. Like, with ACM being kind of this holistic service in AWS that just does all certificate management, there's a lot of things that are completely embedded in there that you don't have to worry about from the customer's perspective, but that comes at a price, in that you can't use it with external resources, right. There's some kind of dependencies built into there. So this does also kind of introduce some new, kind of, I don't want to say new things to certificate management, maybe new things to Certificate Manager or ACM within AWS, in that it's focusing on things like revocation, you know, revoking certificates, whereas it's not all contained within AWS at that time, and kind of the renewal of those certificates as well. I don't know if you could actually revoke certificates specifically previously to this, so I don't know if that's a new thing that's been added. I know you can automatically renew them in ACM, but I don't remember being able to explicitly revoke them. I could be just completely misremembering that, but yes, I mean, this note here does say you can only revoke certificates that were previously exported. So it leads me to believe that this is a new thing, but, like you said, now this is adding an amount of complexity that wasn't there before. It hasn't been there for the last, you know, 15 years at this point. So, you know, I'm sure some people are sighing a breath of relief, until the day comes when something gets compromised and they do have to revoke these, and I don't know how that fits into their existing workflows, et cetera. So yeah, so it's good, but it comes at a price of your sanity, potentially, yeah.
Tim McConnaughy (32:02):
I mean, I assume basically organizations that needed this capability elsewhere simply didn't use ACM for their certificate management, right. Again, outside of resources that are completely within AWS and stay and don't need essentially to do certificate management for other outside identities.
Chris Miles (32:21):
A lot of customers I saw, it was a completely mixed bag, right. They would do some stuff in ACM, some outside of it.
Tim McConnaughy (32:27):
And to be honest...
Chris Miles (32:28):
I bet they are the ones that are quite happy with this, because it was a nightmare, but, I mean, I don't know. A lot of customers use their own private CA as well.
Tim McConnaughy (32:36):
Right, private CA, yeah, you know.
Chris Miles (32:39):
I'd be interested to hear if this is going to change anyone's workflow, to be honest, or how they do certificate management.
Tim McConnaughy (32:47):
Yeah, or make it easier, make it harder, yeah, good call. Okay, well, let's go ahead and cut it there. I think we got a good bit of information out there. Yeah, any last thoughts? We good?
Chris Miles (32:58):
No last thoughts. I think this was good. Like I said, it still felt very much like an AWS conference to me, in that it had a little bit of magic sprinkled on everything that, you know, you can't help be a bit cynical about. But overall it's awesome. Like, it kind of sucks when all the announcements are really focused on analysis and things like that, nothing actually, you know, changing the forefront of how the technology works, but sometimes that's just how the cookie crumbles, right.
Tim McConnaughy (33:33):
So, overall I thought it was good. Yeah, and I think, like I said, if I was a company, a third party with a moat, I'd be looking at my moat, you know, based on some of the stuff that's been announced recently.
Chris Miles (33:46):
Yeah, I do wonder if some of these things came on the tail end, or, you know, potentially some kind of premonitions that AWS knew ahead of time about, you know, the Wiz acquisition, yeah. Google buying Wiz, yeah. So the writing might be on the wall.
Tim McConnaughy (34:01):
That's a very good point, actually, because a lot of these capabilities are CSPM capabilities, which, of course, Wiz, you know, Wiz also does runtime security, which we haven't really seen. Like, there wasn't a runtime security announcement at AWS, but yeah, I mean, the CSPM side of it, hardcore, yeah, definitely. All right, guys, all right. Well, this has been Cables to Clouds, A Fortnight in the News. Thanks for joining us. The stuff will be in the show notes. I encourage you to take a look. See you next time.