What We Learned at AWS re:Invent 2019

A Candid look at key announcements, product launches, and takeaways from another jam-packed week with the cloud computing giant out in Las Vegas 

re:Invent wrapped up yet another busy week and here are our favorite launches out of the vast amount of announcements made throughout the event. 

Bright and early on a colder-than-usual day in Vegas, Andy Jassy, CEO of AWS, took the main stage. What we heard was not about technology; instead, it focused on leadership, innovation and the components of digital transformation. 

This year marks the 8th annual event in Vegas, and Andy spoke to its namesake: re:Invent was born out of the rate of invention among its users. A simple question started the session off strong and left you to ponder: how exactly should we think about transforming ourselves? How can we re:Invent our businesses and our customers’ experiences so we can be meaningful and sustainable over a long period of time?

Re:Invent never ceases to provide compelling keynotes, discussions, and sessions, and this year was no different. Enterprise adoption of the cloud is only getting started, and enterprises need all the help they can get, including prescriptive advice on how to successfully navigate this limitless environment. We are excited to share how Matter compliance paired with reusable architectural patterns is prepared to be that guide.

Matter on AWS Marketplace

Our Takeaways

AWS Outposts

Enterprise adoption of the public cloud is in its infancy, with Jassy calling out that of the $3.7T IT market, 97% remains on-prem. “Some customers have certain workloads that will likely need to remain on-premises for several years, such as applications that are latency-sensitive and need to be in close proximity to on-premises assets,” Amazon stated. 

AWS Outposts is a fully managed service that provides customers with AWS-designed hardware, allowing them to run compute and storage on-prem while still using cloud services. With AWS Outposts you can run Amazon EC2, Amazon EBS, Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS) and Amazon Relational Database Service (RDS); Amazon S3 will be made available in 2020. 

The idea is that customers can use the same AWS infrastructure, services, APIs and tools to build and run applications on-prem and in the cloud, giving them a consistent hybrid experience across both environments. Just like in the cloud, all services are managed, monitored and updated by AWS. 

Candid Helps to Support AWS Outposts

AWS SageMaker Autopilot

On Tuesday AWS announced SageMaker Autopilot, a new tool for the SageMaker ML platform that automates machine learning modeling. This includes tasks like data preprocessing, training parameters and classification. 

SageMaker is Amazon’s service for ML. By using this service within the SageMaker Studio IDE, organizations are able to integrate various tools like SageMaker Augmented AI, SageMaker Model Tuning for automated optimization and now, SageMaker Autopilot for automating the building and training process for machine learning models. 

As for how it works, AWS emphasized that Autopilot allows inspection of what’s happening underneath, unlike other tools that behave as a black box. Amazon also shared the following on its capabilities. 

“SageMaker Autopilot first inspects your data set and runs a number of candidates to figure out the optimal combination of data preprocessing steps, machine learning algorithms, and hyperparameters. Then, it uses this combination to train an Inference Pipeline, which you can easily deploy either on a real-time endpoint or for batch processing. As usual with Amazon SageMaker, all of this takes place on fully-managed infrastructure.

Last but not least, SageMaker Autopilot also generates Python code showing you exactly how data was preprocessed: not only can you understand what SageMaker Autopilot did, you can also reuse that code for further manual tuning if you're so inclined.”

AWS Contact Lens

Contact centers can sometimes be the only personal interaction a customer gets with an organization and these conversations have a profound effect on customer satisfaction, trust, and loyalty. There are millions of hours of recorded calls that contain valuable information and feedback but given the volume, some organizations are unable to or struggle with the task of extracting and analyzing the collected information. 

Those that are able to analyze this data do so by using existing contact center analytics services, which tend to be expensive and slow and lack the ability to give accurate call transcriptions, all of which makes it difficult to quickly detect customer experience and provide useful feedback. These existing solutions are also unable to provide real-time analytics on in-progress calls, which prevents identifying and helping customers who are becoming frustrated with their experience. 

AWS Contact Lens makes it possible for organizations to understand the feedback they’re receiving by giving their users access to fully managed machine learning capabilities that are all available with AWS Connect and don’t require coding or ML experience. Contact Lens’ highly accurate speech transcription technology transcribes a customer’s call, then automatically indexes it with chat transcription so the conversation can be searched within the Amazon Connect console. 

Final Thoughts 

During this year’s event, we had the chance to learn about the innovation our cloud computing peers are implementing to solve big problems with simple solutions. We spoke with some of the largest and fastest-moving organizations in the world and we came out the other end eager to get a jump on 2020 by answering Jassy’s question for ourselves and for our clients. 

How should we think about transforming ourselves?

Through integrity, culture, leadership, intelligence, and experience Candid provides actions over advice by making it easier for organizations to build and manage their applications in the cloud.

Candid Ranks on the Inc. 5000 for Fifth Consecutive Year

Achievement Validates Firm as one of the Country's Fastest-Growing Cloud Consulting Firms

Candid ranked on Inc. Magazine’s 38th Inc. 5000, the most prestigious ranking of the nation’s fastest-growing private companies. This year’s ranking marks the fifth year in a row the cloud consulting firm secured placement on the list since its debut in 2015, with a 3-year growth rate of 79 percent. Candid is one of 2019 Georgia companies recognized on this year’s list, and one of only 15 to consecutively rank for the past 5 years or more.

“We’re honored to be recognized as part of an exclusive group of fast-growth private companies demonstrating aggressive yet consistent year-over-year growth,” says Merrick Olives, founding partner of Candid. “There are very few companies with a showing like ours in the IT Management industry on the list.  Our placement validates both our consistent delivery and discipline for clients. As a leader in the cloud community, we’ve got our finger on what’s to come as more enterprises migrate critical applications to the cloud.”

Candid differentiates itself by providing regulatory compliant solutions that no other firm is currently offering. With a growing adoption of cloud technology by healthcare and financial service organizations, Candid is well positioned to lead these industries to harness the business advantages of the cloud.

“Our capabilities are a natural fit for these markets. It’s simply a matter of time before adoption becomes widespread, and our hopes are to scale our offerings on a national level as soon as possible,” adds John Peak, managing partner for Candid. “Up to this point, Candid focused primarily on the Southeast Region. Given our growth and broad exposure as an innovator in the cloud space, we are fully committed to scaling the company nationally to support our increasingly geographically dispersed client base.”

“Congratulations to Candid on being included on the Inc. 5000 list for five consecutive years,” notes Sonny Deriso, Chair of the Georgia Chamber of Commerce. “We are honored to play a role in Candid’s continued growth and join them in celebration over this milestone achievement. We look forward to many more years of applauding their continued success.”

For more information and the full list of 2019 Inc. 5000 rankings, visit www.inc.com/inc5000/2019/top-private-companies-2019-inc5000.


Lessons Learned from the Capital One Hack: Compliance in the Cloud

When federal prosecutors charged a Seattle woman with stealing data from more than 100 million credit applications this week, the security of the Capital One AWS environment became the immediate focus of the media landscape.

According to the court filing and various media reports, the attack was carried out through a server that was compromised because of a misconfigured web application firewall (WAF). Ephemeral AWS credentials were extracted from the instance role and used to raid data from S3 buckets. The attack took place on April 21st, and on July 17th an email to Capital One outlining the attack sparked an investigation.

Several things immediately stand out about this attack. Most notably:

  • The weakness identified by Capital One and throughout the media was "a misconfigured firewall." But even if that was the point of entry, a single firewall misconfiguration should not cause a security breach this vast, because failsafe security measures should catch intruders. The lack of redundancy in security indicates other systemic security issues.
  • As Capital One acknowledged, the web application firewall (WAF) role in question never made API calls, like “List Buckets” or “Sync”, until this criminal made those calls. The WAF role’s permissions should have been reviewed at creation time to make sure they fit the business purpose.
  • Nothing in the system flagged the WAF role’s behavioral change, though such warnings would’ve been possible. When a credential set suddenly begins behaving atypically – such as scanning and looting S3 buckets – it’s wholly possible to flag the behavior for review. The API-driven nature of public cloud allows you to react in real time; Amazon Macie could have caught this abnormal behavior and alerted Capital One immediately.
  • A broader security architecture review should have highlighted the extra S3 permissions and eliminated them from the role, or limited them to a WAF-logging specific bucket if truly needed. New automation tools exist to help meet this level of compliance. Why weren’t S3 buckets filled with sensitive information on restricted access for known IP ranges only, when such a setting can be managed and continuously monitored with automated compliance tools?
  • Permissions should be regularly checked to see if they’re being used. If not, those extra permissions should be removed. Netflix recently released an open source tool to automate this effort, called Repokid.
  • As a best practice, logging must always be enabled across all public cloud accounts, and those logs should be sent to a protected and dedicated logging account.
  • It’s imperative to have an Incident Response plan, so you know how to react to compromises before they happen.

On the last two points, Capital One was actually pretty successful. Because Capital One was proactively logging everything, the criminal’s actions were logged and available for immediate review. You can’t protect what you can’t see, and at minimum Capital One was able to look retroactively and see the exact steps taken to breach their security, allowing them to be rapid and accountable in their response, which is commendable.
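The behavioral check described in the list above (a role suddenly making API calls it has never made, from an address outside the known range) can be run over the same logs. This is an added example, not code from Capital One, AWS or the original post; the role name, network range and log records are constructed, and only the record field names follow the CloudTrail format.

```python
import ipaddress
from collections import defaultdict

def rec(time, role, source, name, ip):
    """Build a constructed record using CloudTrail's field names."""
    issuer = {"sessionIssuer": {"userName": role}}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": issuer}}

ROLE = "example-waf-role"                              # hypothetical role name
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VPC range
BASELINE = [  # constructed history: what the role normally does
    rec("2019-05-01T10:00:00Z", ROLE, "logs.amazonaws.com", "PutLogEvents", "10.0.1.15"),
    rec("2019-05-02T10:00:00Z", ROLE, "s3.amazonaws.com", "PutObject", "10.0.1.15"),
]
NEW = [  # constructed events to evaluate
    rec("2019-06-01T09:00:00Z", ROLE, "s3.amazonaws.com", "PutObject", "10.0.1.15"),
    rec("2019-06-01T09:05:00Z", ROLE, "s3.amazonaws.com", "ListBuckets", "203.0.113.50"),
    rec("2019-06-01T09:06:00Z", ROLE, "s3.amazonaws.com", "GetObject", "203.0.113.50"),
    rec("2019-06-01T09:07:00Z", ROLE, "s3.amazonaws.com", "PutObject", "s3.amazonaws.com"),
]

def role_of(record):
    return record["userIdentity"]["sessionContext"]["sessionIssuer"]["userName"]

def build_baseline(records):
    """Map each role to the set of (service, API) pairs it has used before."""
    seen = defaultdict(set)
    for r in records:
        seen[role_of(r)].add((r["eventSource"], r["eventName"]))
    return seen

def find_anomalies(baseline, records, nets):
    """Return (time, API, reasons) for calls that break the role's usual pattern."""
    alerts = []
    for r in records:
        reasons = []
        if (r["eventSource"], r["eventName"]) not in baseline.get(role_of(r), set()):
            reasons.append("first-seen API call")
        try:
            ip = ipaddress.ip_address(r["sourceIPAddress"])
            if not any(ip in net for net in nets):
                reasons.append("source IP outside expected range")
        except ValueError:
            pass  # CloudTrail records a service name here for AWS-internal calls
        if reasons:
            alerts.append((r["eventTime"], r["eventName"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE), NEW, EXPECTED_NETS):
        print(alert)
```

The same baseline doubles as input for the permission review in the list: any action granted to the role but absent from its baseline is a candidate for removal.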

In the end, the lesson from the Capital One breach should be a lesson of caution that the public cloud, while far more secure than on-premise data centers, is far from a security silver bullet. It’s imperative that the DevOps teams building your public cloud are paying attention.