One message coming out of AWS re:Inforce in July was that every transaction at scale has become the “new perimeter.”

This will significantly test enterprise security, as organizations must contend with an expanding number of cloud services, infrastructure complexity, and an avalanche of small applications. There was a clear sense at the gathering in Boston that security needs new models to deal with this rapidly evolving landscape. Meanwhile, the threats are climbing.

TheCUBE, SiliconANGLE Media’s livestreaming studio, took a closer look at new approaches to enterprise security through exclusive interviews during the conference with Amazon Web Services Inc. executives, industry analysts and numerous startup entrepreneurs. (* Disclosure below.)

Here are three insights you might have missed:

1. The worrisome Log4j vulnerability is living off APIs.

A computer vulnerability called Log4j is shaping up to be one of the most pervasive security risks of the decade, and there is a growing body of evidence that APIs are fueling the vulnerability.

In July, a review board led by the U.S. Department of Homeland Security called Log4j “one of the most serious software vulnerabilities in history” and indicated that it will likely be “exploited for years to come.”

Initially discovered inside Microsoft’s popular online game Minecraft, Log4j is a Java programming tool that logs user activity on computers. Exploits have allowed hackers to enable data theft or inject malware.

API servers vulnerable to the Log4j exploit can provide a new attack avenue for malicious actors. More significantly, compromised APIs can extend an attacker’s reach and resulting damage. Cequence Security Inc. is one of the companies in a position to see this firsthand. The firm provides API observability solutions and protects more than $2 trillion in customer assets across 2 billion accounts.

“We’ve seen a ton of Log4j exposed servers,” said Shreyans Mehta, founder and chief technology officer of Cequence, in an interview with theCUBE. “There was an article that said Log4j is going to be endemic. That is going to be there.”

Here’s theCUBE’s complete video interview with Shreyans Mehta:

2. The software bill of materials could soon become a big thing in security.

Concerns around the Log4j vulnerability have focused greater attention on a key question: What exactly is in a software package and where did it come from?

To address this central issue, the tech industry has been working toward implementation of a software bill of materials, or SBOM. The idea is to create a documented list of ingredients within a piece of software and verify the code provenance in an effort to strengthen software supply chain security.

The SBOM effort got a major boost last year when the White House issued an Executive Order that outlined a requirement for SBOMs from any vendor doing business with the federal government.

MongoDB Inc., one of several companies at the forefront of the SBOM movement, is being led by Chief Information Security Officer Lena Smart (pictured). Smart’s company has been using an SBOM internally, leveraging tools from the security firm Snyk Inc. to analyze and report vulnerabilities in existing software.

“What we’ve done is we’ve taken our work with Snyk and now we have a proof of concept for SBOMs,” said Smart, in a recent conversation with theCUBE. “SBOMs shouldn’t be something to be afraid of. If you want to do business with the government, you’re going to have to create one. This is going to be big, and we’re going to be able to use it and hopefully stop things like another Log4j.”

Here’s theCUBE’s complete video interview with Lena Smart:

3. As data streaming grows, new security tools will be needed to protect the flow.

Deployment of a more robust 5G wireless standard to support an exploding number of devices at the edge is creating a new problem for security professionals. What was once a one-time migration of information to the cloud has now become a nonstop stream.

“The biggest trend we see is pipelining, and the new extract, transform and load is streaming,” said Ameesh Divatia, co-founder and chief executive officer of Baffle Inc., during a re:Inforce interview with theCUBE. “You have these Kafka and Kinesis capabilities that are coming into the picture where data is being ingested all the time. It is not a one-time migration; it’s a stream.”

Divatia’s reference to Apache Kafka, an open-source data streaming tool, and Amazon Kinesis, a proprietary data pipeline product developed by Amazon Web Services Inc., highlights both a key trend and a challenge. How can growing volumes of streaming data be safeguarded in-use and in-flight?

One example can be found in Zoom Inc.’s use of Kinesis. The video conference service’s cloud accounts send data logs to Kinesis through security tools, such as AWS Config, AWS CloudTrail, and AWS CloudWatch.

Baffle is building its business on the use of encryption algorithms to protect data upon creation so that it can remain secure once it is on the move.

“You create ways of monitoring where data is being exposed or where data is being exfiltrated, you want to build security into the data pipeline itself,” Divatia said. “We are seeing lots of applications for this particular solution.”

Here’s theCUBE’s complete video interview with Ameesh Divatia:

To watch more of theCUBE’s coverage of AWS Summit New York, here’s our complete event video playlist:

(* Disclosure: TheCUBE is a paid media partner for AWS re:Inforce. AWS and other sponsors of theCUBE’s event coverage have no editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE