Why IoT is the cornerstone of AWS’s zero-trust strategy

At its re:Invent conference this fall, AWS made two IoT cybersecurity announcements that reflect the role of machine identities in its zero-trust security strategy. AWS’s roadmap outlines that machine identities need to come first and that customers need cloud services to scale networks comprised of machines and dominated by machine-to-machine integration.

To help achieve that goal, AWS releaseed IoT ExpressLink, a cloud service designed to fast-track new IoT devices through secured DevOps cycles and integrated with AWS IoT Device Defender. It also announced improvements to AWS IoT Greengrass, which include features to assist AWS customers in performing patch management at scale across fleets of IoT and network devices, all of which have their own machine identities.

IT administrators often struggle with tracking patch updates across the large inventories of endpoints, which is one of the primary design goals that guided the latest release. A centralized view of all devices on an enterprise network is essential for IT departments, both from an asset management and a cybersecurity standpoint. Endpoint visibility and control is the most challenging area of zero-trust frameworks to sustain and secure, which is why AWS turned it into a design objective for its cloud services.

Containing the fastest growing threat surface 

Forrester estimates that machine identities are growing twice as fast as human identities across enterprise networks today. However, 50% of enterprises find it challenging to protect machine identities, given how fast they grow. For the first time in its annual trend analysis, Gartner prioritizes machine identity management for CISOs and their security teams. AWS’ decision to release IoT ExpressLink now and fast-track enhancements to AWS IoT Greengrass shows its approach to zero-trust security being hardened at the endpoint first.

When AWS customers, developers, and ISVs use ExpressLink and Greengrass together, they can secure machine identities at the kernel or operating system level of each type of IoT and IIoT (industrial IoT) sensor they’ve standardized on.

Amazon’s vision of zero trust is predicated on the NIST 800-207 architecture.  According to AWS, the architectural structure of its cloud services supports key zero-trust requirements, including microsegmentation, Identity and Access Management (IAM), Privileged Access Management (PAM), and securing all data at rest and in transit. AWS cloud services are also designed at the platform level to allow access to enterprise resources on a per-session basis, and all resource authentications and authorizations are dynamic and enforced using the least privileged access. There’s also an AWS IoT Zero Trust workshop that covers setting up and securing an IoT network configuration. AWS’ vision of using its IoT services to provide Zero Trust Security at the endpoint level is defined at a high level in the following graphic:

Above: AWS offers an IoT Zero Trust Workshop for cloud services customers who need to get up to speed on how to provision, audit, perform anomaly detection and update their AWS IoT Zero Trust network configurations.

Machine identities are the new security perimeter 

Machine identities also need to have security access policies defined, enforced, and audited at the endpoint level. In essence, machine identities are the new, most at-risk security perimeter. AWS focusing its IoT cloud services on creating device software and firmware in secured DevOps cycles, combined with real-time visibility of every endpoint, reflects the lessons they’ve learned from building and bundling in their own IAM for years – and translating those lessons learned to machine identities.

AWS provides its own IAM at no charge as part of its AWS instances. It’s designed to provide AWS customers with essential support for IAM. While the AWS IAM can integrate at the API level to a diverse base of enterprise systems, it doesn’t provide an enterprise-grade level of support for the more challenging aspects of IAM and PAM enterprises are encountering today. These areas include defining and enforcing multiple identity-based policies, auditing each machine for endpoint health and asset management, and the need for better integration support across machines and monitoring systems.

Using the AWS version of the Shared Responsibility Model to illustrate how AWS differentiates between what their platform is responsible for versus their customers, it’s clear AWS customers will need a continual refresh of innovation to stay secure long-term. AWS customers also require IoT cloud services that integrate reliably with their platform of choice for machine identity management to scale and secure their operations.

Above: The AWS Shared Responsibility Model provides an overview of what AWS provides to customers versus what customers are expected to provide for themselves. Implicit in this diagram is the need for constant innovation on both sides to keep the balance of power in check, with bad actors

AWS looks to secure every endpoint 

AWS hopes to secure every endpoint and enable its customers to create scalable zero-trust security frameworks to the IoT and IIoT sensor levels. It’s an ambitious vision of providing customers with the cloud services they need to create and track every machine identity on an AWS network. All public cloud platform providers face the challenges of helping their customers adopt zero-trust security frameworks using an additive-based strategy that makes the most of previous cybersecurity investments.