Channel partner events, SSO/MFA, Managed Security Services

AWS re:Inforce: Security Culture is a Top Priority

AWS - Amazon Web Services

What MSSP customer does not operate part or all of its services in the public cloud? As cloud computing has become as important as networking for overall IT infrastructure, cloud security has also become a top priority for all companies from enterprises to small businesses.

Speaking at the AWS re:Inforce conference in Philadelphia recently, AWS CISO Chris Betz said it takes a “dedicated effort” to grow, evolve and maintain a culture focused on security as a top priority.

As Dan Raywood, senior editor at our sister site SC Magazine UK, reported, Betz said there is a culture across AWS, led by CEO Matt Garman, where security leaders are able to meet with individual service teams to discuss important security issues.

That same dedication to a culture of security is important for all service providers, particulary MSSPs and MSPs, especially as they become the front lines of the battle against an evolving cybersecurity threat landscape.

Cybersecurity Requires Developing New Habits

As Raymond reported, Betz went on to say that culture “is at the root” of developing new habits within an organization to prioritize security. “It's culture that drives us to design systems that are secure by design - not bolting it on after - and it's a culture that teaches us to empower the individuals and operate the business in a way allowing us to remain agile while distributing security throughout the organization,” he said.

Betz said that culture doesn't happen overnight, can take constant investment and begins with a single motivated individual. He later said that upon joining AWS, it was clear that security was the top priority, and in how processes and mechanisms were developed, and the “thoughtfulness and maturity at AWS was next level.”

To that end, also at re:Inforce, AWS announced its intention to push multi-factor authentication (MFA) out to users, with support added for FIDO2 passkeys.

Intended “to help customers align with their MFA requirements and enhance their default security posture,” this addition will help users - who already use passkeys on billions of computers and mobile devices, using only a security mechanism such as a fingerprint, facial scan, or PIN built in to their device.

Speaking to SC UK, Mark Ryland, director of Amazon Security says the intention is to provide a “somewhat more user-friendly convenient form factor” for users.

Finally, Raymond reported, in an announcement made June 11 at the re:Inforce conference in Philadelphia, AWS said as it expands its MFA capabilities, this support for FIDO2 passkeys as an MFA method is launched “to help customers align with their MFA requirements and enhance their default security posture,” Arynn Crow, senior manager of user authentication products for AWS Identity, said.

Acknowledging that customers already use passkeys on billions of computers and mobile devices across the globe, using only a security mechanism such as a fingerprint, facial scan, or PIN built in to their device, Crow said that same passkey can be used as your MFA method as you sign in to the AWS console across multiple devices.

Specifically, a passkey is a pair of cryptographic keys generated on your client device when you register for a service or a website. The key pair is bound to the web service domain and unique for each one.

Rather than replacing the password, the passkey adds a second factor authentication, to provide something you have in addition to something you know.

“AWS customers can now use the built-in authenticators on their phones and laptops to add cryptographically phishing-resistant credentials to their side of the experience,” Betz said.

Sharon Florentine

Sharon manages day-to-day content on ChannelE2E and serves as senior managing editor for CyberRisk Alliance’s Channel Brands. She also covers enterprise-class technology companies, strategic alliances and channel partner strategies. Sharon is a veteran tech journalist and editor with more than 25 years experience in the industry, and has previously held key editorial, content and leadership positions at Techstrong Group, CIO.com, Ziff Davis Enterprise and CRN.

You can skip this ad in 5 seconds