At its re:Invent conference this fall, AWS made two IoT cybersecurity announcements that reflect the role of machine identities in its zero-trust security strategy. AWS's roadmap outlines that machine identities need to come first and that customers need cloud services to scale networks comprised of machines and dominated by machine-to-machine integration.
To help achieve that goal, AWS released IoT ExpressLink, a cloud service designed to fast-track new IoT devices through secured DevOps cycles and integrated with AWS IoT Device Defender. It also announced improvements to AWS IoT Greengrass, which include features to assist AWS customers in performing patch management at scale across fleets of IoT and network devices, all of which have their own machine identities.
IT administrators often struggle to track patch updates across large inventories of endpoints, and addressing that was one of the primary design goals that guided the latest release. A centralized view of all devices on an enterprise network is essential for IT departments, from both an asset management and a cybersecurity standpoint. Endpoint visibility and control are the most challenging areas of zero-trust frameworks to sustain and secure, which is why AWS turned them into a design objective for its cloud services.
Containing the fastest growing threat surface
Forrester estimates that machine identities are growing twice as fast as human identities across enterprise networks today. However, 50% of enterprises find it challenging to protect machine identities, given how fast they grow. For the first time in its annual trend analysis, Gartner prioritizes machine identity management for CISOs and their security teams. AWS' decision to release IoT ExpressLink now and fast-track enhancements to AWS IoT Greengrass shows its approach to zero-trust security being hardened at the endpoint first.
When AWS customers, developers, and ISVs use ExpressLink and Greengrass together, they can secure machine identities at the kernel or operating system level of each type of IoT and IIoT (industrial IoT) sensor they've standardized on.
Amazon's vision of zero trust is predicated on the NIST 800-207 architecture. According to AWS, the architectural structure of its cloud services supports key zero-trust requirements, including microsegmentation, Identity and Access Management (IAM), Privileged Access Management (PAM), and securing all data at rest and in transit. AWS cloud services are also designed at the platform level to allow access to enterprise resources on a per-session basis, and all resource authentications and authorizations are dynamic and enforced using least-privilege access. There's also an AWS IoT Zero Trust workshop that covers setting up and securing an IoT network configuration. AWS' vision of using its IoT services to provide Zero Trust Security at the endpoint level is defined at a high level in the following graphic:

AWS provides its own IAM at no charge as part of its AWS instances. It's designed to provide AWS customers with essential support for IAM. While the AWS IAM can integrate at the API level with a diverse base of enterprise systems, it doesn't provide an enterprise-grade level of support for the more challenging aspects of IAM and PAM that enterprises are encountering today. These areas include defining and enforcing multiple identity-based policies, auditing each machine for endpoint health and asset management, and the need for better integration support across machines and monitoring systems.
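As an added illustration of the per-device, least-privilege identity policies described above (this is example configuration written for this page, not AWS's own or the article's): an AWS IoT Core policy that lets a device connect only under its own registered thing name, only when its certificate is attached to that thing, and only publish and subscribe on its own topics, in place of the wildcard `"Action": "iot:*", "Resource": "*"` policy that fleets often start with. The account ID 123456789012, the region and the topic layout are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:us-east-1:123456789012:client/${iot:Connection.Thing.ThingName}",
      "Condition": {
        "Bool": { "iot:Connection.Thing.IsAttached": "true" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/telemetry"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topicfilter/devices/${iot:Connection.Thing.ThingName}/commands"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "arn:aws:iot:us-east-1:123456789012:topic/devices/${iot:Connection.Thing.ThingName}/commands"
    }
  ]
}
```

Because every resource ARN is derived from the thing name bound to the connecting certificate, a compromised device certificate cannot impersonate another device's client ID or read another device's command topic, and AWS IoT Device Defender audit checks will flag any policy that falls back to a wildcard.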
Using the AWS version of the Shared Responsibility Model to illustrate how AWS differentiates between what its platform is responsible for and what its customers are responsible for, it's clear AWS customers will need a continual refresh of innovation to stay secure long-term. AWS customers also require IoT cloud services that integrate reliably with their platform of choice for machine identity management to scale and secure their operations.

