Cables2Clouds

AWS Simplifies Security While Complicating Vendor Choices

Cables2Clouds Episode 39

The landscape of cloud security is rapidly evolving as AWS flexes its muscles with a suite of new native security offerings unveiled at AWS re:Inforce. From enhanced threat correlation capabilities in AWS Security Hub to seamless Transit Gateway integration for Network Firewall, these announcements signal Amazon's strategic expansion into territory traditionally dominated by third-party security vendors.

We dive deep into the HPE-Juniper acquisition that finally received regulatory approval, but with interesting conditions – including the requirement to license parts of the coveted Mist AI technology. This could potentially open doors for competitors to leverage the same technology that made Juniper so attractive to HPE in the first place, creating a fascinating dynamic in the networking market.

The most compelling theme emerging from AWS re:Inforce centers around Amazon's continued investment in native security tooling. New offerings like AWS Shield Network Security Director and IAM Access Analyzer directly challenge third-party CSPM providers, while improvements to existing services reduce the friction and complexity of implementing robust security controls. For organizations already invested in the AWS ecosystem, these integrated solutions offer compelling advantages – but they also raise important questions about vendor lock-in and multi-cloud strategies.

Security vendors without a strong moat or differentiated value proposition should be concerned. As cloud service providers continue to enhance their native security capabilities, the pressure on third-party tools will only intensify. This trend follows closely on the heels of Google's acquisition of Wiz, suggesting that cloud security is becoming an increasingly strategic battleground for the major providers.

For security professionals navigating these waters, the proliferation of overlapping security services presents both opportunities and challenges. While AWS continues to simplify implementation, the growing catalog of similar-sounding services can create confusion about which tools to use in which scenarios. As we discuss on the podcast, this appears to reflect AWS's organizational structure as much as customer needs – shipping the org chart rather than truly differentiated services.

What's your security strategy in this evolving landscape? Are you embracing native cloud security tools or maintaining investments in third-party solutions? The answers may vary widely depending on your organization's cloud adoption strategy, but one thing is clear – the security vendor ecosystem is transforming before our eyes.

Purchase Chris and Tim's new book on AWS Cloud Networking: https://www.amazon.com/Certified-Advanced-Networking-Certification-certification/dp/1835080839/

Check out the Fortnightly Cloud Networking News
https://docs.google.com/document/d/1fkBWCGwXDUX9OfZ9_MvSVup8tJJzJeqrauaE6VPT2b0/

Visit our website and subscribe: https://www.cables2clouds.com/
Follow us on BlueSky: https://bsky.app/profile/cables2clouds.com
Follow us on YouTube: https://www.youtube.com/@cables2clouds/
Follow us on TikTok: https://www.tiktok.com/@cables2clouds
Merch Store: https://store.cables2clouds.com/
Join the Discord Study group: https://artofneteng.com/iaatj

Tim McConnaughy:

Hello and welcome to another episode of the Cables to Clouds fortnightly news. And, as always, I'm Tim McConnaughy, at one Golbez goal is on Twitter. I went back to Twitter. I'm still on BlueSky as well, but, yeah, and with me, as always, is my cohost, Chris Miles, who you're at BGV main on both, right?

Chris Miles:

On both. Um, yeah, I don't, I don't. Are we going back?

Tim McConnaughy:

Now.

Chris Miles:

Is that. Is that what we have to do? Well?

Tim McConnaughy:

Yeah, I've been going back and forth and honestly, it's still got problems, lots of them. I feel like every other post is a bot post or an OnlyFans something or other. Like I don't know if that's the algorithm or whatever, but yeah, it still feels like that, but it seems like every single tweet.

Chris Miles:

I see the first reply is asking Grok. If it's real, that's the other one.

Tim McConnaughy:

Every reply at Grok, is this a real thing? Or at Grok, what movie is this? Or at Grok, whatever. I was like geez, this is literally dead internet theory. Anyway, not to make this episode about that, but yeah. Anyway. So let's jump right into the news. So the big news that happened really recently, actually just the last couple of days, is that HPE and Juniper have been given the go ahead, or sorry, HPE has been given the go ahead by the Department of Justice to acquire Juniper at $40 a share, so about $14 billion, and the big difference, or the change that allowed this to move forward, are two things. One is that Juniper has to divest itself of the Instant On branch and wireless portfolio, which, I'll be honest, I don't even barely remember. Instant On, I don't even barely remember. I don't know if it's like a Ubiquiti thing or whatnot?

Chris Miles:

Yeah, I think it's like a small medium business type thing.

Tim McConnaughy:

Yeah, so that's a weird one, but okay. But the big one is. So part of the Mist AIOps technology has to be licensable from Juniper or HPE. I guess HPE now will have to make some of the, and it's not clear how much or what part of the Mist AIOps stuff has to now be offered as a licensing deal from HPE. So that was the big. So, given those two concessions, I guess. So now HPE is able to buy Juniper. And I was telling Chris, before we hit record, that my financial advisor, literally two days before this was announced, had just told me hey, let's get out of HPE because this deal is stalled and we can make more money elsewhere. So that's life, that's the stock market for you and that's life. Yeah, that's interesting. Anything, oh my God. January 9th 2024 is when this was originally announced. I can't believe it's been that long.

Chris Miles:

Yeah, the interesting piece. I mean maybe your financial advisor isn't wrong, maybe you should wait to see what happens after this mandatory auction of the Mist source code, right. So like I think that's the kind of open item here, is that if they go through with this, you know, kind of licensing of the source code, like who knows who's going to be able to get access to it, right. So I think we kind of went through this a bit in that the main reason we thought that, you know, this was even being acquired by HPE was for the, you know, the Mist AIOps technology, right, that was kind of the meat of it, right. And if that is the part that has to, you know, basically be put out to, you know, the source code put out to a license.

Chris Miles:

You know Cisco could buy it. Any number of the competitors could buy it. Don't know to what degree they would want to integrate it based on, you know, their existing portfolio and their existing technology, et cetera. But if the, I don't know, like, on one hand I could see like, oh, this is huge, like the, you know, Cisco could buy it and then it would just be a completely level playing field. But I don't think that Cisco would buy this and be able to integrate it at any degree.

Chris Miles:

So it's like I think the idea is to level the playing field, but it just, like, no one would go through the effort of that. At least from my perspective.

Tim McConnaughy:

Yeah, I think that's true. So I think the word bearing all of the weight is limited access. Limited access, so what does that really mean? What is the limited access? It's probably not the whole source code, right, it's going to be some piece of the technology, but what piece and how much? I think, because that's going to answer the question of who would really. Already I'm with you, I don't think Cisco. Cisco's got the, what is it? Deep network or whatever that they're working on, their own model, which probably is built on Splunk's data. So yeah, I'm with you on that. I don't think the big players would probably truly license it for real reasons, maybe competitive intelligence or something. Yeah, I think the question is how much? What does limited really mean in this context?

Chris Miles:

Yeah, 100%.

Tim McConnaughy:

Okay, and then the other big piece of news was, of course, that AWS re:Inforce just finished. Now, honestly, I wasn't able to keep up with re:Inforce at all this year. I know, Chris, you did quite a bit of watching on the keynotes and all of that, so you want to tell us a little bit about what happened this year at re:Inforce.

Chris Miles:

Yeah, sure. So you know, for those that don't know, AWS re:Inforce is kind of the much smaller sister event to re:Invent, which is really all focused on security, right, so it's basically held, I think it's in. It was held in DC. I think it's typically in DC. Philly this year, oh, Philly this year, okay, but yeah. So I watched a few of the keynotes and I watched some of the sessions as well, just to kind of stay up to date. And you know there were definitely some themes that I saw coming out from this particular re:Inforce in that the.

Chris Miles:

You know they kind of went back to talking about the kind of the traditional stuff about, you know, security usually slows down innovation et cetera. So it needs to be, you know, directly integrated and easy to consume et cetera, not kind of stifle that innovation piece. But then, you know, they also talked about how, from what they've seen, they being AWS, that, you know, companies with a more kind of mature security practice in place are able to actually adopt generative AI a bit faster than other companies. So, you know, kind of reinforcing the importance on security.

Chris Miles:

You know, if that kind of foundational element is there, then you know that you should be able to consume AI at a faster pace than typical enterprises, or, you know, businesses, et cetera. You know they wanted to reinforce that security should become a competitive advantage and not a cost center. I mean, I don't know. I feel like any kind of conference you go to where, whatever is the theme, whether it be a networking conference or a security conference, they're going to be like we need to stop being a cost center. At the end of the day, you're probably still a fucking cost center. I don't think you ever get away from that, in the grand scheme of things.

Chris Miles:

But there was some interesting stuff that they talked about in regard to Comcast.

Chris Miles:

And you know, kind of Comcast, you know, kind of, they have this, you know, cybersecurity team with thousands of people, and their AI adoption has, you know, kind of increased a lot of their security findings over the last, I'd say last year I guess, and apparently they're building tons of AI bots for things like threat modeling. It's contributed to a good deal of their patents that they've published as well, which I thought was quite interesting. And I think they have this kind of like seven-year North Star type strategy to get, you know, everything adopting AI. And that's where the challenge came in of security being this cost center, whereas it should be, you know, kind of used for innovation, et cetera. So it was. I think there was a strong emphasis as well on proactive security rather than reactive security and leveraging AI obviously to do all that. You know AI is obviously going to be kind of peppered into everything. So that was kind of my overall rub of the general theme of the conference. So, yeah, it was quite interesting.

Tim McConnaughy:

Yeah, I saw that they put out a whole list of, kind of, well, I don't know if it's a whole list, to be honest, I'm not sure if it's exhaustive, but certainly the top new announcements from re:Inforce, and going through the list, all I can think of is, you know, there's a lot of third-party CSPM tools that should probably be very nervous about this trend. I mean, this is the thing, though: if you are a non-CSP provider of services to CSP customers, you really need to be paying attention to your moat, and by moat, of course, what I mean is what makes you differentiated from the CSP. I mean moat in the traditional business sense. Basically, what is the thing you are defending, the IP, the use case, whatever that is that, you know, makes your company essentially viable as a company. You know, and, you know, I'm saying that with my own self-awareness that I work for, you know, I work for a company that also offers, you know, kind of third-party services line on the CSPs, but that's something that's been top of mind, right, for us as well, because the CSPs are going to continue to innovate and to bring new services, and it's going to be based on, in my experience, it's been based on two things, right: who's asking for it? Right. And then how much money is involved, which makes perfect sense, right? If you're a CSP or if you're any kind of business really? I mean, Cisco does the same thing. Like every company that offers something to customers is asking the same questions, right? Who wants it and how much are they willing to pay for it?

Tim McConnaughy:

So, anyway, let's go through some of the announcements here, actually, and you'll kind of see what I'm talking about. Let's see, the first one here is Unify your security with AWS Security Hub for risk prioritization and response at scale. This is a preview feature. This was announced and this is in preview, but it seems like it's just a, and we'll have, of course, all the links to the stuff in the show notes. So there's some visuals here, there's some workflows and whatnot that you'll want to go through and take a look at yourself, but the basic idea of the Security Hub seems to be that it is a. What do they call it? Because there's so many of these. I don't know if it's a CSPM itself, but it's basically a threat correlator analyzer and, like, surface insights from other services.

Chris Miles:

My takeaway is that this is kind of like a SOAR. SOAR, that's right, SOAR, mixed with some CSPM capabilities in it as well. It's, yeah, like you said, it's kind of ingesting kind of these threat discovery things from different services they're running on AWS and kind of correlating all that together and, you know, building this kind of like map for you and offering remediation techniques etc.

Tim McConnaughy:

Yeah, it specifically mentions GuardDuty, Inspector, Macie and AWS Security Hub CSPM. So I don't know if that's what they're calling it, it is AWS Security Hub CSPM. But I'm with you, I agree, more of a SOAR, really, because of the orchestration of all the security feeds and surfacing of the. So, like I said, take a look at the threat, the visuals that go along with this. Again, we'll have the posts and you can really get an idea of, like, what they're talking about, when we're talking about, like, you know, ingesting the feeds and surfacing the insights and giving you kind of that overall view of your network, not network, sorry, your cloud environment, just kind of based on all of those services. So, of course, it also means that the value of this service is going to be based on how many of the other AWS security feed services you are leveraging, right, like Macie and Inspector. So there is kind of, you know, tongue in cheek there. It is going to be as useful as how much AWS security feeds you're already bringing into it, right? Yeah?

Chris Miles:

Definitely. Let's see what else we see announced here. So yeah, next up, let's talk about a couple of features that we saw talked about specifically around AWS Network Firewall. So one thing that they also touched on was something that is called. What is it? I always bury the names in these things. You can never actually find what it's called. Active Threat Defense for AWS Network Firewall.

Chris Miles:

So basically, if you can think of kind of the AWS managed rules that you have within AWS Network Firewall, or even something like a WAF, where basically there's common things, the common exploits, et cetera, that are well-defined in a rule set that AWS manages, and you just basically invoke that and use it on your traffic, this is kind of the same thing, except typically they call out that customers are commonly looking for third-party threat feeds to pull in sources of threat intel, et cetera, and so this looks like they've enabled that to run with their own threat intelligence system, which is called MadPot, which I think they've been using for quite a while. I think they started this around 2010 or something like that. So basically kind of the same thing. You have these active threat feeds that are managed by AWS in conjunction with MadPot, and you have to do things like deep packet inspection et cetera on the traffic. For this to really take effect, they have something called deep threat inspection built into this as well, which is labeled as collective defense, and it enables shared threat intelligence improving protection for active threat managed rule group users.

Chris Miles:

So I don't know if that means it's shared. That one kind of confused me. I couldn't really tell if that means it's shared amongst, like, other organizations, or just, like, shared in terms that AWS manages. I wasn't really sure about that. I don't think your specific data is going to be shared between rule sets or anything like that, but I think the data that is ingested and, you know, learned by, the data you push through, could potentially be used for another customer.

Chris Miles:

I suppose. Yeah, I think that's what that comes back to. I agree.

Tim McConnaughy:

I think it's anonymized. I mean, and I think Cisco has been doing, other, like, a lot of other companies have been doing this, right, and not using the data for threat intelligence to, like, find zero days and stuff like that, right. So that's not unusual.

Chris Miles:

And it would make sense because it's an opt-in feature, right. When you enable the service, you literally just check a box that says opted in, so I don't think it's anything more specific than that. Obviously, this comes at a price. Starting out, it looks like this is you know you're going to pay about half a cent per gigabyte that you use these specific rules, so kind of leaning towards things like IPS et cetera in this kind of service with AWS's own threat feed. Yeah, we talked about this before we hit record and obviously turning on certain things like this usually impacts performance, but with this being an auto-scaled service enabled by things like AWS Hyperplane et cetera, I wonder if this really does have any impact on that, especially since they're charging you for it, right? So they probably want you to funnel as much as you can through this thing, because you're going to definitely pay the piper at the end of the day, right? So, yeah, that was a new one that was added. I thought that was pretty cool. Anything to add there, Tim?

Tim McConnaughy:

Yeah, so it does mention. And, as you pointed out, for deep packet inspection to work, obviously this thing sets itself up as a

Tim McConnaughy:

TLS proxy as well, which is where we would expect the big performance hit to come. It also mentions at the very end, it's a little bit of a buried lede because it kind of leaves some questions: Another consideration is the mitigation of false positives. When you use this managed rule group in your firewall policy, you can edit the rule group alert settings to help identify false positives as part of a mitigation strategy. And there's a whole thing about mitigating false positives.

Tim McConnaughy:

So remember that this is a threat feed, like a threat intelligence thing. So, you know, depending on what your business is doing and, what you know, maybe your homegrown applications or whatever that be, it's possible, and they point this out, that, like, oh, by the way, as you're pushing data through here, you know, whatever you're doing might light this thing up like a Christmas tree and be perfectly safe. But so, by the way, you know, at the very end you might want to do some work on making sure that you know how to mitigate these false positives. So that's it. Otherwise, yeah, this is just one more piece. One thing, one question I did have, that was a little very tongue-in-cheek, was I was thinking of that report from CyberRatings earlier.

Tim McConnaughy:

Yeah, I was like, is this gonna be an extra percent on the, you know, on the ratings? I guess we'll see next year what CyberRatings has to say. We'll see if they play nice.

Chris Miles:

Another real quick one that they announced around AWS Network Firewall was the enablement of AWS Transit Gateway native integration, which on the surface you'd probably say AWS Network Firewall is a native service and already natively integrated. But typically when you'd want to deploy AWS Network Firewall you would have to, essentially, either you could put it in every single VPC, which a lot of customers do that if they are willing to pay that particular price for it, but what most customers would do is put that into a dedicated security VPC which kind of hangs off of your TGW and is either used for all your east-west inspection or north-south inspection, et cetera. This actually removes the need for that, which totally makes sense under the hood. Like I'm kind of surprised I didn't do this sooner. But basically you can, as you're creating a network firewall, you can just natively attach it to a TGW. So you're not creating a VPC, you're not creating endpoints, you're not doing all this stuff, you're not updating route tables et cetera.

Chris Miles:

It's just a native integration which is really cool and probably gonna be removing quite a bit of complexity, I would imagine, which means that the people that are typically managing complex stuff have one less job to do, which is not great for us, but it seems to be that's where they're leaning. So I just thought this was. It was kind of a cool feature that they added. I wonder if they'll end up adding this type of integration for third parties, but I highly doubt it because it's AWS. But we'll see. Anything to add there, Tim?

Tim McConnaughy:

No, that's it. I agree. I mean, it's in the cloud's, it's in the CSP's best interest to lower complexity, because that's literally the value prop of native, right. So I get it. This, and I agree with you, this is like way long in the coming, like, you know, considering the actual work to build an inspection VPC and build the network endpoint or the firewall endpoints and orchestrate the route tables and all that.

Tim McConnaughy:

There was literally no reason AWS couldn't just have, and they did now, right, make it completely transparent to the users. So will this drive adoption? I am interested. Same reason as before. I'm thinking of that CyberRatings report and some other things. You know, at the end of the day, it doesn't matter how useful, you know, how easy it is to get traffic to a firewall if it's not effective. But I don't know. Like, we'll see. Like, are people finding that the firewall is effective? That's one thing I still haven't heard. So what I think we'll see is more adoption and hopefully, with more adoption, we'll see more data on how effective AWS Network Firewall, the native integration, is. I think this piece with the TGW is just an ease of use, an uplift for usability, to drive adoption, but I think it's ultimately going to be a good thing.

Chris Miles:

And we should probably add to this that the announcement specifically calls out that this has no effect on the existing pricing. So it's not more expensive and it's not cheaper, but it does solve some of the complexity under the hood.

Tim McConnaughy:

Okay, so here's another new one. This is interesting. This is another one in preview, and this one is called AWS Shield. It's funny because it's called AWS Shield. I was looking at this, we were talking about this beforehand. It's called AWS Shield, or they've now named it officially AWS Shield, but before that it was, either before that or they're still calling it, the Network Security Director. It's actually AWS Shield Network Security Director. It's a preview feature and it's basically, what would you call it. It's like CSPM, basically, for your network is kind of what it is, right? I could agree, yeah.

Tim McConnaughy:

Yeah, it's made to scan your network deployment in AWS and first of all identify holes, like, that you've been permissive or that you have allowed, like maybe your security groups or TGW or something. It mentions specifically, like, oh, you left your CloudFront distribution connected open to public and stuff like that. So it goes through your environment, finds network problems but also maps them, this is the part where the real value comes in, maps them to known security vulnerabilities, exploits, problems. So think of the thing we just talked about a little while ago with the Security Hub, and then make this, like, it's a little bit like that, but it's specifically focused on all the network implementation stuff, so like WAF, CloudFront, TGW, security groups, all that good stuff. So again, this is another one where we're going to have the links in the show notes, because there's a lot of visuals that are with this to kind of visualize for you what that looks like.

Tim McConnaughy:

What does the security director, sorry, what does the network, the AWS Shield director look like? Because there's a lot of questions that I can't really explain very well in a voice, but if you look at the screenshots it'll kind of answer the questions about, like, what is the value? What does this do for you? What does this find for you? Yeah, so another one where I really feel like they're really coming after third-party type of things that do this today.

Chris Miles:

Yeah, I think this is obviously a relatively cool feature in that you can basically just tell it what resources to scan from that perspective. Like you said, it'll even do security groups, EC2 instances, things like that. But I feel like this is AWS, it's like they're releasing new things that are useful, but they're doing it in a very AWS way as well, where they can't help but release like five or six different products that still all kind of do the same thing. Like there's still not a lot of clarity for me around when you would specifically go to this versus that.

Tim McConnaughy:

Right, the security.

Chris Miles:

Yeah, exactly. Like, why you couldn't remediate something with this versus with another product, right? So there's, the waters are still muddy, and this isn't really AWS's fault necessarily. You know, this is a very complex topic sometimes, so sometimes it's necessary. But if you were relatively new to the industry, I would feel for you very much, because you would probably read these and be like, what the hell, these all do the same thing. Yeah, so it's, you know, very, very small details built into this. A lot of them build out these kind of, you know, maps, which are very useful, kind of mapping, you know, this service then talks to this and this. So, you know, known exploits here and there. You know, there's even severities, you know, whether they're critical or, you know, low priority, et cetera. But yeah, it's like all of it's still slightly confusing to me. But yeah, well, like you said, eventually we'll see if this gets used. If it doesn't, they'll axe it and then we'll never see it again, but we'll see. It's a very AWS thing.

Tim McConnaughy:

I feel like AWS. I think I've heard, actually, that the people at AWS are incentivized to, through their customer obsession, essentially create new services, like new things for their customers to use, and I feel like there's a little bit of the. There's also a little bit of shipping.

Tim McConnaughy:

The org chart here where you know, like these people are working on things and the products that they're shipping essentially match the organization charts, meaning, like you know, you're having these different orgs coming up with these different things and anyway. So I think that's got to be part of why we have these, because you would think what I would have thought is that you would take this functionality and just put it in this thing that the SOAR, you know, the security hub that already has all of the other threat intelligence and feeds that are coming into it for surfacing of vulnerabilities. But yeah, so we will see. Time will tell on how this is differentiated, and it's also possible. I don't know, it depends on what's in here. Maybe there's just too much in here to put it in the other one, I don't know right. I do feel like it's more about shipping the org chart in that case than about truly differentiated services. And then there's one more on top of this that's to point out, which is the Hold on.

Tim McConnaughy:

I just had the IAM Access Analyzer. So this one is similar to the others, except it's focused on IAM and it does exactly what you think it would do. It goes through all of your IAM roles, resources and services for overly permissive IAM access. So I know there are entire products, third-party products, that are probably going to be, unless they're multi-cloud products, which they probably are, are going to be in trouble. But yeah, so there's not a lot to say about the IAM Access Analyzer. It's pretty short actually, but the idea is go find overly permissive guidelines, or overly permissive access, rather. Surface it and then remediate it. It's pretty short and sweet actually.

Chris Miles:

Yeah, I mean, like you said, there's a lot of products that exist out there that do this today. So this is, you know, potentially going to majorly impact those that are using those services, in that, you know, under the assumption that AWS can do this any better. To your point, the products out there that probably do this from a third-party perspective are probably multi-cloud and their consumers are probably multi-cloud, so switching whole hog to this is not really an option. But, you know, that's the thing. That's the problem with being multi-cloud. Right, the organization is going to automatically determine what level of complexity and, you know, number of tools that they are willing to use to get the same job done in different environments, right? So, I mean, looking at the pricing, I'll be honest, I don't know how their competitors would typically price this stuff out, but it seems like AWS, like, charges based on this, not based on the IAM roles, but based on the resources, the ones they're looking at.

Chris Miles:

Yeah, yeah, so this could, I mean. I guess you're going to have way more IAM roles. I don't know, actually that's a good question. I don't know if typically customers would have more IAM roles or more resources. I can honestly think of examples where it would be, you know, one or the other. Like I know customers that have built millions of IAM roles, or you'd probably want a product like this to clean all this shit up. And I also know companies that have, you know, done very strict IAM roles that are not, you know, kind of bountiful in quantity, I should say. So I guess it depends. But I mean, if you're single cloud AWS, I don't see why you wouldn't use this. It seems relatively cheap to do so. Yeah, it seems a bit like a no-brainer. Another thing that kind of surprised it took this long to come to the table, if I'm being honest. Let's see.

Tim McConnaughy:

So yeah, let's do one more. So there's a new one about, oh gosh, sorry, I got them all mixed up on my screen here, Certificate Manager. So Amazon has now expanded ACM, Certificate Manager, so that you can export. Finally. I honestly didn't... I'll be completely honest, I don't use ACM very much and I didn't realize you couldn't do this before. But now you have the ability to actually export your certificates from ACM for use in other locations, right? On-prem, other clouds, wherever you would need the ability to leverage that certificate. Before, I guess you could only do it for AWS resources. Big, big, big deal, I would think, because, again, I always thought you could do that. Yeah, I wonder what we were doing before. Actually, now I'm kind of scratching my head. I guess you just weren't; you were using Certificate Manager to manage certificates you already had generated elsewhere, and then you were only generating from ACM for AWS resources, I guess, maybe.

Chris Miles:

Yeah, I mean there's benefit to both sides of this, right? Like with ACM being kind of this holistic service in AWS that just does all certificate management, there's a lot of things that are completely embedded in there that you don't have to worry about from the customer's perspective, but that comes at a price in that you can't use it with external resources, right? There's some kind of dependencies built in there. So this does also kind of introduce some new kind of, I don't want to say new things to certificate management, maybe new things to Certificate Manager or ACM within AWS, in that it's focusing on, you know, kind of things like revocation, you know, revoking certificates, whereas it's not all contained within AWS at that time, and kind of the renewal of those certificates as well.

Chris Miles:

I don't know if you could actually revoke certificates specifically previous to this, so I don't know if that's a new thing that's been added. I know you can automatically renew them in ACM, but I don't remember being able to explicitly revoke them. I could be just completely misremembering that, but yes, I mean, this note here does say you can only revoke certificates that were previously exported.

Chris Miles:

So it leads me to believe that this is a new thing, but, like you said, now this is adding an amount of complexity that wasn't there before. It hasn't been there for the last, you know, 15 years at this point. So, you know, I'm sure some people are, you know, sighing a breath of relief, until the day comes when something gets compromised and they do have to revoke these, and I don't know how that fits into their existing workflows, et cetera.

Chris Miles:

So yeah, so it's good, but it comes at a price of your sanity, potentially. Yeah.

Tim McConnaughy:

I mean, I assume basically organizations that needed this capability elsewhere simply didn't use ACM for their certificate management, right? Again, outside of resources that are completely within AWS and stay there and don't need, essentially, to do certificate management for other outside identities.

Chris Miles:

A lot of customers, I saw, it was a completely mixed bag, right? They would do some stuff in ACM, some outside of it.

Tim McConnaughy:

And to be honest.

Chris Miles:

I bet they are the ones that are quite happy with this, because it was a nightmare, but I mean, I don't know. A lot of customers use their own private CA as well.

Tim McConnaughy:

Right, private CA, yeah, you know.

Chris Miles:

I'd be interested to hear if this is going to change anyone's workflow, to be honest, or how they do certificate management.

Tim McConnaughy:

Yeah, or make it easier, make it harder. Yeah, good call. Okay, well, let's go ahead and cut it there. I think we got a good bit of information out there. Yeah, any last thoughts? We good?

Chris Miles:

No last thoughts. I think this was good. Like I said, it still felt very much like an AWS conference to me, in that it had a little bit of magic sprinkled on everything that, you know, you can't help but be a bit cynical about. But overall it's awesome. Like it kind of sucks when all the announcements are really focused on analysis and things like that, nothing actually, you know, changing the forefront of how the technology works, but sometimes that's just how the cookie crumbles, right?

Tim McConnaughy:

So, overall I thought it was good. Yeah, and I think, like I said, if I was a company, a third party with a moat, I'd be looking at my moat, you know, based on some of the stuff that's been announced recently.

Chris Miles:

Yeah, I do wonder if some of these things came on the tail end of, or, you know, potentially some kind of premonition that AWS knew ahead of time about, you know, the Wiz acquisition. Yeah, Google buying Wiz, yeah. So the writing might be on the wall.

Tim McConnaughy:

That's a very good point, actually, because a lot of these capabilities are CSPM capabilities, which, of course, Wiz... you know, Wiz also does runtime security, which we haven't really seen. Like there wasn't a runtime security announcement at AWS, but yeah, I mean the CSPM side of it, hardcore, yeah, definitely. All right, guys, all right. Well, this has been Cables2Clouds, A Fortnight in the News. Thanks for joining us. The stuff will be in the show notes. I encourage you to take a look. See you next time.
