Mark Ryland, AWS | AWS re:Inforce 2019
>> Live from Boston, Massachusetts, it's theCUBE, covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.
>> Okay, welcome back, everyone. theCUBE's live coverage here in Boston, Massachusetts, for AWS re:Inforce. This is Amazon Web Services' inaugural conference around cloud security. Their first of what looks like will be more focused events around deep dive security, a re:Invent for security. But no one's actually saying that. But it's not a summit. It's a branded event, re:Inforce. We're here with Mark Ryland, director, Office of the CISO at AWS. Thanks for coming back. Good to see you, CUBE alumni. Yeah, I'm staying here before. It's fun. Wait A great Shadow 80 Bucks summit in New York City Last year we talked about some of the same issues, but now you have a dedicated conference here, and the feedback from the CISOs we've talked to and the partners in the ecosystem is, it's great to have an event where they go deep dives on some of the key things that are really, really important to security. Absolutely. This is really kind of a vibe that how re:Invent started, right? So re:Invent was a similar thing for commercial. You're deep, not easy to us. Three here, deeper on Amazon. But with security. Yeah, security lens on some of the same issues. One thing that happened
>> and kind of signal to us that we needed an event like this over the years with re:Invent was, consistently over the years, the security and compliance track became one of the most important tracks that was oversubscribed, in overflow rooms, and like, hey, there's a signal here, right? And so, but at the same time, we wanted to be able to reach an audience. Maybe they wouldn't go to re:Invent because they thought, I'd say, it's all the crazy DevOps guys who are doing this cloud thing. But now, of course, they're getting the strong message in their security organizations like, hey, we're doing cloud.
Or maybe as a professional, I need to really get smart about this stuff. So it's been a nice transition from still a lot of the same people, but definitely the different crowd that's coming here and was a cross pollination between multiple and I was
>> just at Public Sector Summit. They about cyber security from a national defense and intelligence standpoint. Obviously, Teresa Carlson leads that team. You got on the commercial side companies like Splunk who are data and they get into cyber. So you started to see kind of the intersection of all the kind of Amazon ecosystems kind of coming around security, where it's now part of its horizontal. It's not just these are the security vendors and partners, right? Pretty much everyone's kind of becoming native into thinking about security and the benefits that you guys have. Talk about that, what Amazon has to have, a framework, a posture. Yeah, they call it shared responsibility. But I get that you're sharing this with the ecosystem. Makes sense. Yeah, talk about the Amazon Web Services posture for this new security
>> world. Well, the new security world is, if you look at like a typical security framework like NIST 853 120 50 controls, all these different things you need to worry about if you're a security professional. And so what AWS is able to do is say, look, there's a whole bunch of these that we can take care of on your behalf. There's some that we'll do some things and you got to do some things, and there's some that are still your responsibility, but we'll try to make it easy for you to do those parts. So right off the bat we can get a lot of wins from just, hey, there's a lot of things we'll just take care of. And you could essentially delegate to us. And for what remains, you'll take your expertise and you'll refocus it on more like application security. There still may be some operating systems or whatever. If using a virtual machine service, you still have to think about that.
But even there, we'll use, we have Systems Manager, we'll make it easy to do patch management, updating, et cetera. And if you're willing to go all the way to, like, a Lambda or some kind of a platform capability, make it super easy because all you gotta do is make sure your code is good and we'll take care of all the infrastructure automatically on your behalf. So that shared responsibility remains. There's a lot of things you still need to be careful about and do well, but your experts can refocus. They could be very, you know, like it's just a lot less to worry about it. So it's really a message for how to raise the bar for the whole community, but yet still have
>> that stays online with the baby value properties, which is, you know, build stuff, ship fast, lower prices. Amazon ethos in general. But when you think about the core AWS, what made it so great was you can reduce the provisioning of resources to get something up and running. And I think that's what I'm taking away from the security piece. You could say, we know Amazon Web Services really well, and we're gonna do these things. You could do that so us on them and then parts to innovate. So I get that. That's good. The other trend I want to get your reaction to is comments we've had on theCUBE with CISOs and customers is a trend towards building in-house, coding security. Your point about Lambda, some cool things are being enabled through AWS. There's a real trend of big large companies with security teams just saying, hey, you know what? I wanna optimize my talent to code and be security focused on use cases that they care about. So you know, Andy Jassy talks about builders. You guys are about builders. You got cos your customers building absolutely. Yet they don't want Tonto, but they are becoming security. So you have a builder mindset going on in the big enterprises.
>> Yes, talk about that dynamic. That's a, that's a really important trend.
And we see that even in security organizations, which historically were full of experts but not full of engineers and people that could write code. And what we're seeing now is people say, look, I have all this expertise, but I also see that with a software-defined infrastructure and everything's an API, if I pair up an engineering team with a security professional team, then well, how good things will happen because the security specialists will say, gosh, I do this repetitive task all the time. Can you write code to do that? Like, yeah, we can write code to do that. So now I can focus on things that require judgment instead of just more rep repetitive. So, so there's a really nice synergy there, and our security customers are becoming builders as well, and they're codifying if you moment expression in code, a policy that used to be in a document. And now they write code this as well. If that policy is whatever, password length or how often we rotate credentials, whatever the policy is, we write code to ensure that that's actually happening. So it's a real nice confluence of security expertise with the engineering, and they're not building the full stack
>> themselves. This becomes again a key agility piece. I had one customer on, was an SMS business. They imported to AWS Cloud with three engineers, and they wrote all the Kubernetes code themselves. They could have used, you know, other things, but they wanted to make sure it's stable so they could bring in some suppliers that could add value. So, again, this is new. Used to be this way back in the old days, in-house developers build the apps on the mainframe, build the apps on the minicomputers, and then it went to outsourcing, so we're kind of back. The insourcing is the big trend now,
>> right, and with the smaller engineering team, I can do a lot that used to require so many more people with a big waterfall method and long-term projects.
And now I take all these powerful building blocks and put an engineering team, five people or what we would call a two-pizza team, five or six people, off to the side, given 34 weeks, and they can generate a really cool system that would have required months and not years before. So that's a big trend, and it applies across the board, including to security.
>> I think there's a sea change, and I think it's clear what I like about this show is this cloud security. But it's also they have the on-premises conversation, Mrs Legacy applications that have been secured and or need to be secured as they evolve. And then you got cloud native and all these things together where security has to be built in. Yeah, this is a key theme, so I want to get your thoughts on this notion of built-in security from day one. What's your, what's your view on this? And how should customers start thinking
>> about it? And
>> what did you guys bringing to the table? Well, I think that's just a general, say, maturation that goes on in the industry,
>> whether it's cloud or on-prem, is that people realize that the old methods we used to use, like, hey, I'm gonna build an app and then I'm gonna hand it to the security team and they're gonna put firewalls around it, that's not really gonna have a good result. So security by design, having security as an equal co-aspect of, if I'm doing an architecture, I look at performance, I look at cost, I look at security. It's just part of my system design. I don't think of it as like a bolt-on afterwards, so that leads to things like, you know, secure DevOps and kind of integration teams through. This could be happening on premises too. It's just part of IT modernization. But cloud is clearly a driver as well, and cloud makes it easier because it's all programmable.
So things that are still manual on premises, you can do in a more automated getting into a lot of conversations here under the covers, a lot of under-the-hood conversations here around
>> security. EC2, one of the most popular services you guys have, obviously compute a big part of the mission Land, another of the feature VPC traffic flows, where mirroring was a big announcement. Like we talked about that a lot of talking about the EC2 Nitro. You gave a talk on that. Did you just unpack it a little bit, because this has been nuanced out there. It's out there, people are interested in. What's that talk about? Encryption is, is in a popular conversation taking minutes? Explain your talk. Sure. So we've talked for now a year and a half
>> about how we've essentially reimagined, reinvented our virtual machine architecture to go from a primarily soft defined system where you have a mainboard with memory and Intel processor and all that kind of accoutrements of a standard server. And then your virtualization layer would run a full copy of an operating system, which we call a Dom0 privileged OS, that would mediate access between the guest OSes and the outside world because it would maintain the device model, like how do I talk to a network card? How do I talk to a storage device? I talk through the hypervisor, but through also a Dom0, ah, copy of Linux, a copy of Windows, to do all that I/O. So what we just did over the past few years, we began to take all the things we're running inside that privileged OS and move that into dedicated hardware, software/hardware combination, where we now have components we call Nitro components. They're actual separate little computers that do EBS processing. They do VPC processing. They do instance storage. So at this point now, we've taken all of the components of that Dom0. We've moved it out into these, you could call co-processors. I almost think of them as like the Nitro controllers.
The main processor and the Intel motherboard is a co-processor where customer workloads run, because the trust now is in these external systems. And when you go to talk to the outside world from EC2 now, you're talking through these very trusted, very powerful co-processors that do encryption. They do identity management for you. They do a lot of work that's off the main processor, but we can accelerate it. We could be more assured that it's trustworthy. It can, it can protect itself from potential types of hacks that might have been exposed if, say, an encryption key was in the and the main motherboard. Now it's not. So it's a long story until one hour version and doing three minutes now. But overall we feel that we built a trustworthy system for virtual. What was the title of talk so people can find it online? So I was just called the Nitro architecture, security implications of the Nitro architecture. So it's taking information that we had out there. But we're like highlighting the fact that if you're a security professional, you're gonna really like the fact that this system has, it has no Dom0. It has no shell. You can't log into the system as a human being. It's impossible to log in. It's all software-defined, software-driven, and all the encryption features are in these co-processors so we can do like full line-rate encryption of 100 gigabits of network traffic. It's all encrypted, like that's never been done before, really, in the history of computing. What's the benefit of Nitro architecture? Simply not shelter. More trust built into it, a trusted root that's not the main board, encryption offload, and more isolation. Because even if I somehow were to manage the impossible combination of facts to get sort of like ownership of that main board, I still don't have access to the outside world.
From there, I have to go through a whole another layer of very secure software that mediates between the inner world of where customer workloads run and the outside world where the actual cloud is. So it's just a bunch of layers that make things more secure,
>> and I'm sure Outpost will have that as well. Can you waste on that? Seem to me to hear about that. Okay, encryption, encrypt everything is a philosophy we heard in the keynote. You also talked about that as well. Um, encrypting traffic on the hour. I didn't talk about what that means. What was talked to you? What's the big conversation around encryption within AWS, just inside and outside? What's the main story there?
>> There's a lot of pieces to the pie, but a big one that we were talking about this week is a pretty long-term project we call Project Lever. It was actually named after a, ah, female cryptographer, Bletchley Park team that was help. You know, one of the major factors, including World War Two, are these mathematicians and cryptographers. So we, we wanted to do a big-scale encryption project. We had a very large-scale network and we had, you know, all the features you normally have, but we wanted to make it so that we really encrypted everything when it was outside of our physical control. So we done that. Took a long time. Huge investment, really exciting. Now going forward, everything we build. So any time data that customers give to us or have traffic between regions, between instances within the same region, outside reaches, whenever that traffic leaves our physical control, so kind of our building boundaries or gates and guards, and going down the street on a fiber optic to another data center, maybe not far away, or going inter continent intercontinental links or going sub-oceanic links, all those links. Now we encrypt all the traffic all the time.
>> And what's the benefit of that? So the benefit of that is there.
Still, you know, it's, it's obscure,
>> but there is a threat model where, you know, governments have special submarines that are known to exist that go in, sniff those transoceanic links. And potentially a bad guy could somehow get into one of those network junction points or whatever, inspect traffic. It's not, I would say, a high risk, but it's possible now. That's a whole nother level of phishing attacks. Phishing attack, submarine. You're highly motivated to sniff that line. Couldn't resist U. S. O. So that's now so people could feel comfortable that that protection exists, and even things like, here's a kind of a little bit of scare example. But we have customers that say, look, I'm a European customer and I have a very strong sense of regional reality. I wanna be inside the European community with all my data, etcetera, and you know, what about Brexit? So now I've got all this traffic going through a very large Internet peering point in London, and London won't be part of Europe anymore according to kind of legal norms. So what are you doing in that case? Unless they Well, how about this? How about if, yes, the packets are moving through London, but they're always encrypted all the time. Does that make you feel good? Yeah, that makes me feel good. I mean, I, so my, my notion of work as extra territorial extra additional congee modified to accept the fact that, hey, if it's just ciphertext, it's not quite the same as unencrypted.
>> People don't really like. The idea of encrypted traffic, I mean, just makes a lot of sense. Why would absolutely Why wouldn't you want to do that right now? Final question. At this event, a lot of attendee high, high, high caliber people on the spectrum is from biz dev people building out the ecosystem to hardcore techies looking under the hood to CISOs, who oversee the regimes within companies, either with the CIO or whatever had that was formed, and every couple is different.
But there's a lot of CISOs here to information security officers. You are in the office of the Chief Security Information officer. So what is the conversations they're having? Because we're hearing a lot of DevOps-like conversations in the security bat with a pretty backdrop about not just chest undead, but hackathons, getting new stuff built and then moving into production operations. Little DevSecOps. So these kinds of things, we're all kind of coming together. What are you hearing from those customers inside Amazon? Because I know you guys are customer driven, and the customers and the CISOs as your customer. What are they saying? What are they asking for? So CISOs are first getting their own minds around
>> this big technical transformations that are happening, and they're thinking about risk management and compliance and things that they're responsible for. They've got to report to a board or a board committee, say, hey, we're doing things according to the norms of our industry or the regulated industries that we sit in. So they're building the knowledge base and the expertise and the teams that can translate from this sort of modern DevOps-y thing to these more traditional frameworks like, hey, I've got this oversight by the Securities Exchange Commission or by the banking regulators, or what have you, and we have to be able to explain to them why our security posture not only is maintained, it in some ways improved in these, in this new world. So they're, their challenge now is both developing their own understanding, which I think they're doing a good job at, but also kind of building this, the muscle of the strength. The terminology translate between these new technologies, new worlds and more traditional frameworks that they sit within and people who give oversight over them. So you gotta risk. So there's risk committees on boards of these large public organizations, and the risk committees don't know a lot about cloud computing.
So, so, they're part of what they do now is they do that translation function and they can say, look, I've, I've got assurances based on my work that I do in the technology and my compliance frameworks that I could meet the risk profiles that we've traditionally met in other ways with this new technology. So it's, it's a pretty interesting
>> had translations with the CIA. Certainly in public sector, those security-oriented companies, as well, as the other trend, they're gonna educate the boards and they're secure and not get hacked the obsolete. And then there's the innovation side of it. Yeah, we actually gotta build out. Yes. This is what we just talked about, a big change for our CISOs that we talk to and work with all the time is that, hey, we're an engineering community now. We didn't used to write a lot of code, and now we do. We're getting strong in that way. Or else we're partnering very closely with an engineering team who has dedicated teams that support our security requirements and build the tools. We need to know that things are going well from our perspective. So that's a really cool, I think, changing that. I think that is probably one
>> of my favorite trends that I see because he really shows the criticality of security was pretty much all critically, only act. But having that code, coding focus really shows that they're building in-house use case that they care about and the fact that I can now get native network traffic. Yeah, and you guys are exposing new sets of services with land and other things
>> over the top.
>> It just makes for a good environment to do these cloud security things. That seems to be the show
>> in a nutshell. Yeah, I think that's one of the nice thing about this show. Is it's a very positive energy here. It's not like the fear and scary stuff sometimes hear it. Security conferences, like, the sky's falling, buy my product kind of thing. Here, it's much more of a collaborative, like, hey, we got some serious challenges.
There's some bad guys out there. They're gonna come after us. But as a community using new tooling, new techniques, modern approaches, modernization generally, like let's get rid of a lot of these crusty old systems we've never updated for 10 or 20 years. It's a positive energy, which is really exciting. Good Mark, get your insights out. So this is your wheelhouse show. Congratulations.
>> You got to ask you the question. Just take your CISO, Amazon hat off, just as an industry participant riding this wave, being involved in it. What is the most important story that needs to be told in the press? In the media that should be told, what's as important? Either it's being told it, then should be amplified, or not being told and be written out. What's the, what's the top story? I don't think that even after all this time that you know when people
>> hear public cloud computing, they still have this kind of instinctive reaction like, oh, that sounds kind of scary or a little bit risky, and, you know, we need to get to the point where those words don't elicit some sense of risk in people's minds, but rather elicit like, oh, cool, that's gonna help me be secure instead of being a challenge. Now that's a journey, and people have to get there, and our customers who go deep, very consistently, say, and I'm sure you've had them say to you, hey, I feel more confident in my cloud-based security than I do my on-premises security. But that's still not the kind of the initial reaction. And so were we still have a ways, a fear-based mentality. Too much more
>> of a
>> Yeah. Modernization base, like this is the modern way to get the results in the outcomes I want, and cloud is a part of that, and it doesn't not only doesn't scare me, I want to go there because it's gonna take a community as well. Yeah, Mark, thanks so much for coming back on the greatest.
Be hearing great Mark Ryland, director of the office of the chief information security at Amazon Web Services here, sharing his insight, extracting the signal. But the top stories and most important things
>> being being
>> said and discussed and executed here at re:Inforce on theCUBE. Thanks for watching. We'll be right back with more after this short break.