The AWS Heroes are a worldwide group of AWS enthusiasts and community leaders who are passionate about sharing AWS knowledge with others. These re:Inforce guides are authored by Heroes, many of whom have attended multiple re:Invents and are looking forward to attending re:Inforce. They have curated lists of recommended activities based on a specific demographic or technical discipline. They are designed to help guide re:Inforce attendees as they work to build their schedule and sort through the many sessions and activities.

Advanced AWS Builder
By Ben Kehoe


This guide is for re:Inforce attendees who are experienced with building applications on AWS and are interested in learning more about integrating security into their practice. Security is about making sure your application does what you intend it to do and only what you intend it to do. This isn't different from what you're trying to do as a developer in the first place, which is why security needs to be a part of the development process. Developers need to know 1) the basics of security, 2) how to recognize potential areas of vulnerability and when to involve security experts, and 3) best practices for secure-by-design systems. re:Inforce is the ideal place to learn this!

Some general pointers for getting the most out of re:Inforce:

  • Learn how the security community thinks and talks. This leads to better communication, which leads to smoother conversations about security in your applications.
  • If you're moving to the cloud, or thinking of moving to the cloud, attend sessions about the basics of the shared responsibility model.
  • In the re:Inforce session catalogue, “serverless” refers to cloud native architectures that enable you to build and run applications and services without thinking about servers. Even if you’re at the beginning of your journey, re:Inforce “serverless” sessions may still be valuable to you. For example, your on-premises application could use Amazon DynamoDB as its backend database, so you don’t have to worry about provisioning, patching, or managing your database.

I've split up the sessions you should consider into four groups.


The right mindset
These sessions help outline how to think about cloud security, and how to help your organization get more on board with these goals.

FND308 – Managing InfoSec risk during cloud adoption: The executive view
If your organization is in the middle of, or maybe even just considering, a move to the cloud, and you just can't wait until everyone is as excited about it as you are, this session is a great one to attend. Get the big picture of what the higher-ups in your org might be concerned about, and how you can help them understand the change and reduction in risks when moving to the cloud.

SDD305 – Building a DevSecOps culture
Culture is the most important enabler in an organization. A good culture can eliminate the need for many process-based safeguards. Attend this session to learn what a good culture that embraces security looks like, how it can accelerate—not slow down—your development, and how to bring this mindset back to your organization.

GRC325 – Establishing AWS as a trusted partner
Gaining trust in your cloud provider is a critical part of the journey as your organization expands the use of managed services, because your business is reliant on them to deliver for your customers. Having been on this journey myself, there's an important mindset shift from seeing AWS as a vendor to seeing them as a partner. This session explores that journey, covering the way AWS delivers on their commitment to their customers, answers to questions you'll probably have, and what to expect next.


Fundamentals
These sessions cover the basics. If you're new to AWS, new to the security aspects of AWS, or just want to make sure you're up-to-date on AWS' ever-expanding catalogue of security features relevant for developers, these sessions will be valuable.

FND209 – The fundamentals of AWS cloud security
Just what it says on the tin—come here to help get your mind wrapped around the set of building blocks you have on AWS to build secure applications. If you've ever had a head-scratching moment with IAM, this one's going to help.

SDD331 – Evolving perimeters with guardrails, not gates: Improving developer agility
A key term to look for is "guardrails"—when a security team uses it, it means they are trying to give developers boundaries that will keep them from doing the wrong thing (even unintentionally!), but without restricting their ability to get their tasks done. In this session, Comcast will talk about how they do exactly that.

FND310 – How encryption works in AWS: What assurances do you have that unauthorized users won't access your data?
One of the first objections people raise with a cloud transition is, "what happens to our data?" This session will help with that. But even for cloud native organizations, there's a multitude of options for data encryption that can be selected according to regulatory or risk-based requirements. This session will lay out those options and the trade-offs between them.


Development/Secure by design
With the building blocks in place, how do you develop secure applications with them? These sessions provide practical advice you can use to help design security into your application from the start.

SEP208 – Designing for data privacy on AWS
Data privacy requirements are a hot topic now as organizations are moving to deliver better user control over data. This session will provide practical suggestions for concrete data privacy use cases. What more do you need to hear—don't miss it!

SDD403 – Building secure APIs in the cloud
API Gateway provides so much more than an HTTP endpoint to AWS Lambda. Request validation, sending requests to HTTP backends, custom auth, firewall support—learn about all these and more in this session.

SDD405 – Serverless identity management, authentication, and authorization
Serverless is about owning less technology. The number one technology I don't want to own is identity and access management—it's the hardest to get right, and the worst to get wrong. In this session, learn how managed services like Cognito can provide this functionality reliably and securely.

SDD306 – Securing serverless and container services
Serverless- and container-based applications are new to many organizations. In this session, learn the practices you'll need to build secure applications on containers and serverless. Being able to speak to how they can be secured will enable developers to better advocate for their use.

SDD324 – Setting up a DevSecOps pipeline to automate vulnerability scanning of Docker images
When you're deploying containers, you're often not responsible for the security of the underlying host—in fact, if you're using Fargate, AWS is responsible for the host—but you're still responsible for everything inside the container. This means rebuilding the container image periodically to get security updates. In this session, learn how to use container image scanning to find images that need to get rebuilt, automating this process—one less thing to keep track of!


Useful and fun
These sessions provide additional useful context for developers.

SDD402 – Using the AWS Encryption SDK for multiple master key encryption
The AWS Encryption SDK is underrated. It gives you the ability to apply the encryption tools AWS provides with a minimum of hassle, and without having to think about architectural questions like "where do I store my initialization vector?". Come to this session to get an intro.

SEP316 – Firecracker: Secure and fast microVMs for serverless computing
Firecracker underlies the computing services provided by AWS Lambda and Fargate. The best part about Firecracker is that you don't have to know how it works—but that doesn't mean it isn't fun and fascinating to hear about it, and how Firecracker enables better utilization and security for these services!

SDD302 – Methods for emergency privileged access
If you've ever found that during an incident, your hands were tied due to permissions, this session should be an interesting one. Come away from this session with a practical proposal to bring to your organization for temporary elevated permissions in time-critical situations.


And remember, as at any conference, a key part to getting the most out of your time is the "hallway track"—talking to your fellow attendees! You'll learn even more by trading notes on the sessions you've attended and discussing your individual challenges and experiences in securing cloud applications.

Security Pros
By Mark Nunnikhoven


You know the fundamentals of cybersecurity. You and your team have built out a solid security practice and are now looking to understand how it applies in the AWS Cloud…or perhaps you’re a little further down the path and are looking to optimize the work you’ve already done with the latest security best practices. Either way, this guide is for you.

I’ve worked to secure deployments and systems in almost any environment you can think of and it continues to amaze me just how much opportunity there is to advance the state of cybersecurity with deployments in the AWS Cloud. For far too long, we in the cybersecurity community—and yes, as a forensic scientist with 25+ years of security practice, I include myself in that community—have put up with manual, antiquated approaches to security.

We can do better and building in the AWS Cloud presents an opportunity to move forward.

The sessions I’ve picked start with the basics of security in a cloud deployment through to automating compliance in complex environments. My goal with this guide was simple: show you that you don’t have to give up any security principles as you automate away most of the grunt work. Watch these sessions live if possible, on YouTube afterwards if not, and you’ll get a fantastic crash course in modern cybersecurity.


Start with a Strong Understanding
Make sure you have the basics locked down. These talks cover cybersecurity 101 in the AWS Cloud.

FND209 – The fundamentals of AWS cloud security
In this talk, Senior Principal Engineer Becky Weiss will lay out the basic concepts of security within the AWS Cloud. Even if you think you already understand the basics, this talk is a great way to ensure that you’ve got a strong foundation to build on for the rest of the conference. All AWS services work under the same model and Becky’s talk will get you up to speed so you can easily understand how to meet your security needs for any workload.

GRC325 – Establishing AWS as a trusted partner
The AWS Cloud works on a shared responsibility model. Using any service means that AWS is responsible for some of the security and operations of your workload. That implies a high level of trust in AWS as a partner…something that traditional security teams struggle with unnecessarily. This session will help you understand this relationship and it will highlight a number of ways that you can verify that the relationship is working as expected.

FND206 – IAM permissions boundaries
The principle of least privilege is a simple concept that can be extremely challenging to implement. Things get a lot easier in the AWS Cloud with the Identity and Access Management (IAM) service. This talk explains how to manage and scale permissions within an organization. Delivered by the Sr. Product Manager for AWS Identity, you’ll come away with a solid strategy to implement permissions right the first time.

FND310 – How encryption works in AWS: What assurances do you have that unauthorized users won’t access your data?
Werner Vogels often says, “Dance like no one is watching. Encrypt like everyone is.” But encryption is hard to do well…at least it used to be. The AWS Cloud offers a multitude of tools that simplify and streamline the encryption process. In this talk, Ken Beer will walk you through the key—sorry, couldn’t resist—AWS services that deal with encryption and how you can use them to take control of your data.


Design with Security in Mind
With a firm understanding in hand, now it’s time to turn to design. Security needs to be built in, not bolted on. These talks will help you understand how modern security design works.

SDD318 – Security best practices the well-architected way
Security is a fundamental part of any well-built application. It’s one of the five pillars of the Well-Architected Framework and should be a part of any discussion when building in the AWS Cloud. A key principle of the framework is constant, data-driven improvements. This deep technical session will focus on how to apply these principles with your team helping to create a strong security culture.

GRC203 – Aligning to the NIST Cybersecurity Framework in the AWS Cloud
A lot of large organizations align their security practice to the NIST Cybersecurity Framework. This talk from Michael South walks through the framework and how to implement its tenets in the AWS Cloud. AWS has a number of resources specific to the NIST framework, and this talk will highlight those resources along with key AWS services that will help you build solutions that align with the NIST-specified outcomes.

GRC301 – New ways to automate compliance verification on AWS using provable security
Most teams hate audits. The reason? They usually prepare for an audit once during the design phase and then again on the Friday before the audit team starts work on Monday. That’s the old way of working. In this talk, Chad Woolf, VP of Security Assurance at AWS, shows you the modern way. Chad and the other speakers in this session will walk through the AWS Provable Security initiative, which applies automated reasoning to automatically prove the compliance state of a workload. This session will help you understand what’s possible when security and compliance take a modern viewpoint with cutting-edge tools.

SDD319 – Safeguard the integrity of your code for fast and secure deployments
Design is only part of the picture when it comes to security. More and more teams are adopting a DevOps philosophy and pushing smaller amounts of code to production, faster. When a security team adopts their tooling and processes, this can be a big security win. Smaller changes are generally easier to troubleshoot and to assess for risk. In this talk, Ben Andrew, the Global Lead for Security & Networking in the AWS Marketplace, will highlight how to modernize your security processes and tooling to take advantage of this shift in deployment.


Security in Action
After covering the basics and design, it’s time to see security in action. These talks examine various security activities as they apply within the AWS Cloud.

GRC313 – Using AWS Control Tower to govern multi-account AWS environment at scale
Almost every organization uses multiple AWS accounts. There are a number of resources and services that help scale your best practices across those accounts. This talk dives into the new AWS Control Tower service. This service can help automate the creation of secure and compliant landing zones that meet your team's policies and best practices right from day one.

DEV10 – Are you ready for a Cloud pentest?
This Dev Chat by AWS Community Hero Teri Radichel helps explain how a pentest works in the AWS Cloud. Teri addresses not only the technical aspects but also the practical. Is your environment ready for a pentest? Do you have a well-defined scope? And most importantly, is a pentest the right tool at any given point in time for your team? This talk will help you understand how to align your expected outcomes with the process of security testing.

SDD331 – Evolving perimeters with guardrails, not gates: Improving developer agility
In this session, Comcast discusses its AWS cloud governance strategy, focusing on self-service tooling and account management, and explaining how it improved the developer experience by leveraging federated identities, AWS Organizations, and AWS Identity and Access Management permissions boundaries.

SDD335 – Cloud DevSecOps masterclass: Lessons learned from a multi-year implementation of cloud automation at scale
For those of you that know me or follow me on Twitter—where I’m @marknca—you know I can’t stand the term “DevSecOps”. I believe that security is a fundamental part of everything you build and run; there’s no need to call it out on its own. Knowing that, it takes a lot for me to recommend a talk with the term in its title. Nevertheless, here I am making such a recommendation.

This talk is another “lessons learned” talk. McGraw-Hill shows how they effectively manage over 80 different teams using an automated guardrail strategy. They’ve been through the fire and have come out the other side. Listening to this talk should help you avoid a lot of issues before they ever come up in your organization.


Rounding it Out
This last set of talks goes deeper into building in the AWS Cloud with an eye on security. As a security professional, it’s critical to understand how the teams you collaborate with work on a day-to-day basis.

SDD408 – DDoS attack detection at scale
DDoS attacks are an interesting security challenge, one that is diminished but not removed in the AWS Cloud. This talk dives deep into the technical aspects of the attack and how AWS mitigates these types of attacks. Going further, John Krah, a Sr. Software Engineer at AWS, will demonstrate where to find information on these types of attacks and how to include it in your incident response plan.

SDD201 – Build a dashboard using serverless security analytics
Security dashboards can be useful, but who wants to run another service in your security practice? In this session, Umesh Ramesh, a cloud architect at AWS, builds a practical security dashboard as a serverless application. Leveraging AWS Glue, Amazon Athena, Amazon QuickSight, and more, your team gets the visibility you want with minimal operational overhead.

DEV05 – Security from a developer perspective
In this Dev Chat, AWS Serverless Hero Ben Kehoe explains why developers should care about security and how to think about risk. This mindset is critical when moving away from that “ugh, security?!?” mindset to a more productive one that realizes security tools and processes are there to ensure what you’re building works as intended and only as intended.

In addition to having the coolest title in tech (Cloud Robotics Research Scientist), Ben is one of the leading proponents for well-built, cloud native applications. He has a long history of building applications that have a significant impact and always delivers clear insights that you can apply in your work.

Ben has also written a guide to AWS re:Inforce from the perspective of an advanced AWS builder. Be sure to check it out!


Getting the Most Out of AWS re:Inforce
I’ve attended every AWS re:Invent since the beginning and I’m over the moon that interest in security has grown to the point where it merits its own conference. AWS re:Inforce is a fantastic opportunity to learn from some of the best in cybersecurity and in cloud.

Remember that any conference is more than just the sessions. Be sure to put yourself out there and introduce yourself to people at the event and on social media (follow #reinforce on Twitter). We’re all attending for the same reasons and looking to learn.

I’ll be in the Developer Lounge in the Security Learning Hub during most of the event. In addition to Teri & Ben’s talks, we have a fantastic line up of community speakers and a lot of space to hold discussions and learn from each other. Stop on by and say hello or reach out on Twitter where I’m @marknca.

Navigating re:Inforce for the Executive
By Aileen Gemma Smith


I’m Aileen Gemma Smith, AWS Community Hero in Sydney, Australia, CEO of Vizalytics and author of this guide. As a business intelligence and data analytics company leader, I empathize with other business leaders who want to know more, especially about the first-hand experiences of customers on the front lines. I’ve suggested sessions that include how graph databases are powerful, and how Pokémon (yes, Pokémon!) uses AWS for strengthening their SecOps.

Let’s get started.

Because there are so many to choose from (over 100 sessions, workshops, chalk talks and builder’s sessions), I’ve made this guide a “best of” for executives so you can choose what interests you most from a variety of topics. This is for folks who are attending and are keen to develop their knowledge and expertise but are not necessarily involved in the technical implementation aspects that some of the other sessions will cover.

If you are looking to learn more from customer stories, or have a deeper understanding of best practices, then read on and use this guide to help you navigate re:Inforce. This guide is a mix of sessions that can give executive attendees perspective to have deeper discussions with your teams and stakeholders, and includes twenty different suggested sessions across all four tracks, with a particular focus on case studies and real world examples.

Remember, re:Inforce is more than just the sessions; it is a unique opportunity to network, connect, and keep learning. For sessions that you can’t attend, slides will be available, as will session recordings (some of which could be great for a lunch and learn with your team later on, so definitely consider earmarking those). Lastly, don’t forget to follow @awsonair via Twitter and https://www.twitch.tv/aws during re:Inforce for a live feed of what is going on; it’s a great way to keep your team, who may not be there, involved.


Governance risk and compliance track

GRC319 Untangling audits using graph databases
Aileen’s rec: Go to this one! Graphs are powerful tools for discovery and insight, and Amazon Neptune is a great example of a scalable, affordable solution. A lot of folks who are not familiar with graph databases ask: well, why? What is it for? This session can give you perspective, with a use case that resonates for all of us on how Neptune was used to help identify and be proactive on compliance risks.

Abstract: The security assurance automation team at AWS built a service that aggregates data on various internal AWS resources and enables them to discover insightful relationships among these resources. This service was built using the AWS graph database service, Amazon Neptune. It is being used to generate audit populations and proactively identify security and compliance risks. This chalk talk dives deep into potential compliance challenges that could be addressed using a graph database solution.

GRC314 Mature cloud security, assurance, and automation
Aileen’s rec: This is a great session to get a better understanding of how we got to where we are today, and of the history and motivation behind risk management. Of particular interest to execs: this session focuses on governance and methodologies, not a laundry list of services to use.

Abstract: Considering a security control design before fully understanding the threat landscape, the technologies at play, and all associated risks, is a dangerous approach to security, and it can lead to a lack of innovation, or worse, actually lowering the security posture. It’s important to understand the threats and risks in the cloud in addition to the mitigation options before considering controls. In this session, we explore the history and motivation behind information security risk management. We discuss potential reasons for the current—and not so effective—approach to security, what a good security approach looks like, and why it is so important to solve the root cause of a problem. We also cover why the change triggered by cloud adoption can be a significant security enabler. The focus of this session is governance and methodologies, not services.

GRC317 Regulating the cloud: Balancing cloud innovation and security assurance
Aileen’s rec: Don’t miss this one! Here you can learn more about best practices based on real world observations, and have a better handle on assessing your company’s strengths and opportunities for excellence.

Abstract: In an accreditation system, it’s critical to balance the needs for cloud service provider (CSP) security assurance and ensuring an efficient path towards cloud adoption and use. In this session, we share best practices from observing and learning from our participation in a number of government CSP accreditation programs. Information from this session benefits decision makers and cloud users in gaining a broad knowledge of the global CSP accreditation systems that are in operation today. Attendees also gain a deeper understanding of their respective strengths and opportunities for excellence, in addition to how to apply them in their own cloud journey.

GRC310 Pop the hood: Next-gen customer audits of AWS
Aileen’s rec: Want a deeper dive into understanding audits? Then this is the session for you. Learn more about how AWS external audit reports help customers, specifically those in financial services, which need additional transparency.

Abstract: Next-gen customer audits of AWS: AWS external audit reports help customers attest to our high bar of security, but AWS customers in the financial services industry often request additional transparency to satisfy their compliance needs and their overall understanding of AWS security posture.

GRC325 Establishing AWS as a trusted partner
Aileen’s rec: Go to this one to understand what adoption on AWS looks like and how trust is earned and built over time. If you want a better sense of milestones for adoption and what the overall journey to the cloud looks like, this is a great session for you!

Abstract: Customers trust AWS with mission-critical workloads because AWS is designed and built to deliver the most flexible, reliable, scalable, and secure cloud computing environment available today. AWS works to earn that trust by offering transparency, demonstrating consistency, and providing best practices to keep themselves secure. As customers adopt AWS, they traverse several trust-building milestones with due-diligence activities, such as assurance report and AWS Well-Architected Tool reviews and deep dives with AWS subject matter experts. This session addresses these milestones at common AWS adoption stages with examples, questions that customers often ask, and suggestions for how to get started.


Security Pioneers Track

SEP306 Serverless AI-powered identity management
Aileen’s rec: AI to the rescue! This is a neat session on how chatbots and AWS services can help to offload some of your most basic use cases (and ultimately save time and money). Good overview on serverless as well.

Abstract: Organizations today spend much time and money staffing or outsourcing to IT support desks, which fulfill some basic use cases, such as resetting passwords, unlocking accounts, and providing access to applications. However, it is costly to implement existing password and account self-service solutions. In this session, we explore how to use chatbots and AWS services to offload some of the most frequent IAM-based calls to service centers. We show you how natural language interfaces, combined with AWS serverless technologies, can enable your organization to build cost-effective self-service capabilities for users.

SEP202 Beyond security & compliance, with healthcare compliance analytics
Aileen’s rec: Good session that takes you through the customer Protenus and how AWS is helping them to change their security and compliant strategies. Because security threats are becoming both more complex and context dependent, this session is useful even if your vertical is not healthcare.

Abstract: Organizations are moving to the cloud and transitioning more of their business and operations to real-time, highly integrated systems. As threats become more complex and context-dependent, the platforms that protect institutions become all the more critical for their success. In this session, learn how Protenus is using the AWS cloud computing platform to change the security and compliance strategies of large healthcare organizations across the country. Discover how, by leveraging AI to save time, Protenus is able to focus on what's strategically important and gain deep visibility into risks across their electronic systems.

SEP203 Leverage the security & resiliency of the cloud & IoT for industry use cases
Aileen’s rec: An interactive session where you get to talk through your perspective on the capabilities needed to mitigate and respond to two example incidents while leveraging the cloud for crisis management and planning. Also gives you background on the cybersecurity framework developed by NIST.

Abstract: This two-hour Internet of Things (IoT) tabletop exercise benefits business and technology leaders and regulators in the Energy, Oil and Gas, Transportation, Healthcare, Financial, and Manufacturing sectors. Through discussion of two simulated cyber IoT incidents, participants explore required capabilities and processes for mitigation. They also learn how to leverage AWS for security, high availability, incident response, and continuity of operations for systems that include IoT. Participants discuss the advantages of cloud security and resiliency over traditional on-premises environments to better understand their opportunities. We also highlight the effectiveness of international cybersecurity frameworks in improving an organization’s security posture.

SEP302 CloudTrail and GuardDuty with Amazon SageMaker
Aileen’s rec: Want to know more about machine learning? Then definitely attend this session. Get a better handle on how to build machine learning into your security pipeline. This is a neat session because you get to see how SageMaker was used to train a model based on IP addresses; the model then scores the IP addresses associated with GuardDuty findings to help better prioritize alerts.

Abstract: This workshop helps customers understand and build machine learning into their security pipeline. We walk you through how to feed data from AWS CloudTrail and Amazon GuardDuty into Amazon SageMaker to augment GuardDuty findings. We show you how to use the new IP Insights algorithm in Amazon SageMaker to train a model based on IP addresses used in CloudTrail. This model is used to score IP addresses that come associated with GuardDuty alerts to gain additional threat information about the alerts, enabling security operators to better prioritize alerts for further action. Please note, laptops are required for this workshop.


Security Deep Dive Track

SDD301 Lean and clean SecOps using AWS native services cloud
Aileen’s rec: Moving from ‘no’ to ‘know.’ Check out this session so you can better understand how to scale in a fast paced environment.

Abstract: "Cloud first" and "cloud native" are the new mindsets for many IT & business teams operating on AWS. In this new world, security functions need to scale for rapidly growing AWS accounts and VPCs in the organization. In this session, we show you how to build a world-class security operations organization with the same "cloud native" mindset using AWS tools. By the end of this session, you will understand how to run a lean and clean SecOps center for a fast-paced organization. The key objective of this session is to transform the security team from "no" to everything, to "know" everything. By knowing everything, you will sleep better.

SDD316 How Dow Jones uses AWS to create a secure perimeter around its web properties
Aileen’s rec: Firsthand from the front lines of data at Dow Jones. Definitely one to attend. Kamal Verma, senior principal engineer at Dow Jones, takes you through how the company implemented an innovative architecture to meet its software security framework. Because this covers both how they implemented it and what they learned, I strongly encourage you to check it out.

Abstract: Dow Jones, a world-leading data, media, and intelligence solutions provider, has numerous applications that need protection. The company was seeking a protection solution and a way to gain more control over security, and it looked to AWS to secure the cloud right at the edge. This session explores how Dow Jones implemented innovative architecture to meet its software security framework using CloudFront, AWS Shield, AWS WAF, Lambda, and more. Learn how to use AWS services to architect software environments for securing applications. Join Kamal Verma, senior principal engineer at Dow Jones, for a deep dive into their implementation and learnings.

SDD325 Bose uses AWS IoT to securely connect millions of devices and improve IT agility
Aileen’s rec: Firsthand perspective on Bose’s journey to the cloud, direct from their CISO. They have closed one data center already and plan to turn off a second one in 2019.

Abstract: As a result of moving to AWS, Bose retired its first data center in 2018, and its second data center is closing later this year. In this session, Bose’s head of security discusses the company’s journey to the cloud and how it moved hundreds of workloads and services to AWS using a shared services model. This included business-critical environments that are in scope for regulatory compliance and SAP applications that are paramount to running the business. On the product side, this session covers how Bose securely connected millions of devices to AWS IoT, which required multiple iterations of security controls, policies, and standards.

SDD328 How Pokémon’s SecOps team enables its business
Aileen’s rec: Pokémon is more than a fun game; there is a lot of PII that needs to be reconciled. Join this session to learn how the SecOps team built an automated PII data lake pipeline to categorize data into profiles and manage permissions.

Abstract: Pokémon’s SecOps team built an automated PII data lake pipeline allowing them to categorize data into profiles and manage permissions. We discuss how, using AWS Lambda, Amazon DynamoDB, and Amazon Simple Queue Service (Amazon SQS), they can validate any person in Active Directory, route the approval to the appropriate manager, write the grant to DynamoDB with a TTL, and push the appropriate access controls. This has two benefits: First, Pokémon can reuse this architecture for other permissions-based business processes, meaning a security layer can be added at the beginning. Second, it frees up security engineers to tackle larger, more important challenges.

SDD401 Securing enterprise-grade serverless applications
Aileen’s rec: Curious about why serverless matters and the benefits it can bring to your team? Want to know more about how to make enterprise-grade serverless applications secure? Then this is a session to attend. You can learn from real-world examples of serverless in action, and AWS serverless experts will be on hand to chat further.

Abstract: Serverless is one of the most popular innovations in the cloud today. Join this session to learn how to secure enterprise-grade serverless applications. We cover the strategies you can use to build secure applications running on AWS Lambda and Amazon API Gateway. Then we review how you can audit and monitor your applications using tools like AWS Config and AWS X-Ray. Join us to see examples and learn best practices from AWS serverless experts.

SDD409 Volkswagen’s security journey to the cloud: Building a platform for millions of vehicles
Aileen’s rec: Lessons learned from the team at Volkswagen on their security architectural patterns over the past three years. If you want perspective on different points across the cloud and security journey, do not miss this one.

Abstract: Volkswagen has been building a solid digital ecosystem with over a hundred applications on AWS to serve millions of devices in vehicles and in manufacturing plants. In this session, the security architectural patterns learned during this journey are shared, including topics such as layered landing zone approaches, pipeline bootstrapping, safeguarding of AWS Lambda, outbound proxies, IPsec mesh, self-service jump hosts, AWS security group references, and security governance.


Foundation Track

FND201 AWS Executive Security Simulation
Aileen’s rec: Want a hands-on experiential exercise that takes you through the key decision points? Then this session is for you. You not only get to go through the exercise, but you also learn decision and investment approaches that apply to secure cloud adoption journeys. The workshop was specifically designed for execs leading a secure cloud journey.

Abstract: In this workshop, senior security management, IT, and business executive teams participate in an experiential exercise that illuminates the key decision points of a successful and secure cloud journey. During the team-based, game-like simulation, participants leverage an industry case study and make strategic decisions and investments around security, risk, and compliance. Participants experience the impact of these investments and decisions on the critical aspects of their secure cloud adoption. They also learn applicable decision and investment approaches to specific secure cloud adoption journeys. They walk through real-life examples, receive practical advice from AWS facilitators, and they leave with an understanding of the major success factors for building security, risk, and compliance in the cloud. This workshop is designed for executives who are leading a secure cloud journey, including the CISO, senior security and risk management leaders, and CIO/CTO. Non-IT participants who are key to executing the cloud security strategy are also encouraged to attend.

FND209 The fundamentals of AWS cloud security
Aileen’s rec: This is a great foundational session that helps you better understand the fundamental patterns you can apply to secure your workloads.

Abstract: The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption.

FND308 Managing InfoSec risk during cloud adoption: The executive view
Aileen’s rec: If your journey to the cloud is ongoing, then do not miss this session. Here you’ll be taken through the how-tos of implementing proactive, top-down approaches, with examples of risk governance patterns that enterprise customers can use.

Abstract: Most enterprises have developed bodies of knowledge about risk governance for on-premises data centers. This knowledge influences information security risk management through objectives, priorities, standards, metrics, processes, and roles. The cloud journey offers new perspectives and opportunities for automation and continuous risk mitigation. Customers recognizing the need for change and implementing proactive, top-down approaches find it easier to manage risk. This session covers methods used in advanced stages of cloud adoption and patterns for risk governance that enterprise customers can use. It touches on the AWS security services portfolio and how some customers use these for maturing risk governance.

FND312 It’s still Day 1 for diversity: How actively promoting women provides better outcomes for you and your customers
Aileen’s rec: Join this session. This session is a frank discussion of the challenges faced today with an infosec workforce that is only 11% female. Learn more about what we can all be doing to promote diversity in teams and how we can create better outcomes.

Abstract: Customer Obsession. Are Right, a Lot. Insist on the Highest Standards. Deliver Results. These Amazon leadership principles demand that we promote, ensure, and own diversity. Why? Because teams with diverse perspectives are proven to deliver more successful outcomes for businesses and to provide better innovation for customers. Yet women make up only 11 percent of the Information Security workforce and still frequently face harassment. In this session, a panel of industry leaders discusses issues facing women in Information Security, the way that diverse and multidisciplinary teams create better outcomes, and actions that anyone can take to improve the situation.


If you have made it this far, congratulations! I hope the guide is helpful as you choose how to spend your time at re:Inforce. Let us know what sessions were most important for you, and what your key takeaways were. As a Hero, I am here to build community, which is borderless, so I welcome your feedback, questions, and suggestions. Please feel free to email me at aileen@vizalytics.com, follow me on Twitter @aileengemma, or connect with me on LinkedIn (Aileen Gemma Smith).


Onward to a great event!
Aileen