AWS re:Invent: Securing the cloud-based virtual desktop
Following AWS re:Invent, Mark Nunnikhoven, a principal engineer for Trend Micro Inc., talks about cloud security and Amazon WorkSpaces.
Editor's Note: In this Q&A, Mark Nunnikhoven, principal engineer of cloud and emerging technologies for security vendor Trend Micro Inc., talks about Amazon Web Services with Senior Site Editor Anne Stuart. Their conversation follows the AWS re:Invent 2013 conference in Las Vegas, where AWS unveiled Amazon WorkSpaces, its new cloud-based virtual desktop service; the premium version includes Trend Micro security technology.
This Q&A has been edited for length, clarity and editorial style.
Let's talk about WorkSpaces. By announcing a virtual desktop offering at AWS re:Invent, it seems like Amazon Web Services (AWS) is changing directions. Your thoughts?
Mark Nunnikhoven: That's a very good observation. AWS is actually shifting what it offers. Up to this point, AWS has been focusing on moving server workloads. … WorkSpaces is really the first time that we've seen a push to move user workloads into the cloud, so [involving] your day-to-day desktop. That's a fundamental shift from what people are used to, and it opens up a lot of exciting possibilities.
Can you talk about some of those possibilities?
Nunnikhoven: Sure. The focus for WorkSpaces is obviously the AWS cloud. What this does is move your user data into the AWS cloud so you can access it from multiple platforms. So if you open up your Kindle tablet and access your WorkSpace, you can pull up Microsoft Office and start working on your data, all while being protected with the Trend software in the background. You can then transition over to your laptop and pull up the exact same WorkSpace with the exact same windows open. There's protection underneath that that continues to work.
So your data -- and your tools to work on that data -- are now following you, as opposed to you lugging your laptop everywhere. Now, that opens up the basic use cases: Essentially, I can go from home to work and transition that to my mobile tablet and have the same look and feel on the same data. But what you're really going to start to see is people starting to question, "Do I really need a full laptop anymore? Is my large tablet with a keyboard and mouse enough?" You're going to see a transition in how people approach that workflow.
What issue might that transition create for AWS customers?
Nunnikhoven: Well, an immediate concern that clients bring up is that now all their user data is secured in, or pushed into, the cloud. That brings up security concerns.
But when you really start to break it down, in fact, a lot of scenarios can involve a much more secure deployment than what you're used to. The reason for that is the data never actually leaves the AWS cloud.
So while you're doing that workflow, transitioning from your tablet to laptop, the only actual information that's on there is pictures of the screen; it's sending back touch interactions and keyboard clicks and mouse clicks. All the actual documents and information are sitting in the AWS cloud. It's all protected by AWS, as well as with Trend Micro for the [WorkSpaces premium] package, so that your data stays stationary while the access to it moves.
That's as opposed to today's scenario, where I might have the same documents synced with my tablet, with my desktop and with my laptop -- and now I have to worry about security in three places -- those three mobile places -- as opposed to one stationary place.
What kind of feedback have you had from customers about the WorkSpaces announcement at AWS re:Invent?
Nunnikhoven: There [has] been a lot of buzz, especially from enterprise customers. We work hand-in-hand with a lot of large enterprises around server workloads, and especially around moving server workloads into the cloud. A lot of them have attempted virtual desktop internally within their enterprises or tried to roll it out themselves. There's a lot of complexity there and there are a lot of technical challenges.
They're quite excited to see a lot of those challenges solved, from their perspective, because AWS has taken care of it. Now they just simply request 20 desktops and there they go, as opposed to worrying about all the machinery under the covers. So there's a lot of excitement, a lot of people signing up for the [WorkSpaces limited] preview and trying to get in line and get access as fast as they can.
In announcing WorkSpaces, Senior Vice President Andy Jassy said virtual desktops aren't new -- they've been around for a while -- but they haven't really taken off as expected. Sounds like that's something you've observed, as well.
Nunnikhoven: Yes, for sure. Where we're seeing a lot of success for virtual desktops is in multiple security-level environments. If you think of a government scenario, where they've got public data, and maybe protected data, and then top-secret data, we've seen a lot of success of virtual desktops in there for top-secret data because [the need for secure access] has been a real driver to live with the technical challenges of implementing it.
But I think this is the first opportunity where we're going to see virtual desktops really going mainstream because they've focused on the ease of use. All the complexities are hidden and taken care of. You just need to access your data and get to work.
Amazon announced several other new services at the conference. Which ones stood out for you?
Nunnikhoven: I think the real dark horse of the show was Kinesis, which is their big data, big-streaming application. It's a really easy way to start processing a massive volume of data in real time and it sort of completes their suite. They've got Kinesis now, which processes real time; Redshift, which is the data warehousing for more complex analytics; and then RDS [Amazon Relational Database Service], which is their relational database service for long-term analysis and longer-term storage as well.
What we've been seeing is that enterprise customers are getting more and more interested in focusing purely on their business, whereas previously, they had to focus on IT to support the business. Now what they're able to do is divert their IT resources for running and maintaining complex infrastructures to being able to rely on Amazon to do that at world-class levels. That then allows the customer to take the same ideas and IT resources and dedicate them to making their core business stronger.
What are the biggest changes you've seen in AWS in the past year?
Nunnikhoven: In the first year [of the AWS conference], we heard a lot of, "Well, we're moving our public website to the cloud, and we're analyzing everything else." This year -- and it's exactly reflective of our experience with our customers -- there's a higher level of trust.
Part of that is because Amazon has been much clearer about how their security works, how they are providing security, and their responsibilities. But overall, there's a lot more comfort with the cloud now. There's a higher level of familiarity. People are moving these key workflows to the cloud.
It's not just startups; it's not just small businesses. We're working with some really large enterprise customers and some surprising vertical systems -- some healthcare, some financials -- that you would think would be hesitant [to move to the cloud] given the regulatory requirements. … But they're actually moving these core workloads into the cloud.
What are other things people need to keep in mind about cloud security? Are there common mistakes you see customers make, or misperceptions they have, or places where they tend to drop the ball or cut corners? What should they avoid?
Nunnikhoven: I think the biggest thing is a misunderstanding of how security works. People think that when they go to a cloud provider like AWS that they're farming everything out and AWS is going to take care of all of it.
That's why I was really happy to see AWS take a strong stance on how security works and that comes back to that shared-responsibility model. AWS has given several talks on it, and they kind of beat the drum every chance they get, and we're echoing that with our customers.
AWS provides world-class security up to the operating system. But after that point, it's your responsibility as a customer to add that additional layer of security. When people aren't aware of that, that's when trouble hits.
So we're doing our best to work in conjunction with our partners at AWS to educate [customers about security] in general, then obviously explain how Trend Micro can provide solutions to help meet your responsibilities under the shared-responsibility model.
That's the biggest pitfall for people: not understanding that you're responsible for security, or for a certain extent of it. If you understand those responsibilities, it can be really easy and straightforward to meet them -- but you need to be aware of them.