Andrew Rafla & Ravi Dhaval, Deloitte & Touche LLP | AWS re:Invent 2020
>>From around the globe, it's the Cube with digital coverage of AWS re:Invent 2020, sponsored by Intel, AWS and our community partners.
>>Hey, welcome back everybody, Jeffrey here with the Cube, coming to you from Palo Alto studios today for our ongoing coverage of AWS re:Invent 2020. It's a digital event like everything else in 2020. We're excited for our next segment, so let's jump into it. We're joined in our next segment by Andrew Rafla. He is the principal and zero trust offering lead at Deloitte & Touche LLP. Andrew, great to see you.
>>Thanks for having me.
>>Absolutely. And joining him is Ravi Dhaval. He is the AWS cyber risk lead for Deloitte & Touche LLP. Ravi, good to see you as well.
>>Hey, Jeff, good to see you as well.
>>Absolutely. So let's jump into it. You guys are all about zero trust, and I know a little bit about zero trust. I've been going to RSA for a number of years, and I think one of the people that you like to quote is analyst Chase Cunningham from Forrester, who's been doing a lot of work around zero trust. But for folks that aren't really familiar with it, Andrew, why don't you give us kind of the 101 about zero trust? What is it? What's it all about? And why is it important?
>>Sure thing. So zero trust is, um, it's a conceptual framework that helps organizations deal with kind of the ubiquitous nature of modern enterprise environments. Um, and at its core, zero trust commits to a risk-based approach to enforcing the concept of least privilege across five key pillars, those being users, workloads, data, networks and devices. And the reason we're seeing zero trust really come to the forefront is because modern enterprise environments have shifted dramatically, right? There is no longer a clearly defined perimeter where everything on the outside is inherently considered untrusted, and everything on the inside could be considered inherently trusted.
There's a couple of what I call macro-level drivers that are, you know, changing the need for organizations to think about securing their enterprises in a more modern way. Um, the first macro-level driver is really the evolving business models. So as organizations are pushing to the cloud, um, maybe expanding into what were considered high-risk geographies, dealing with M&A transactions, and further relying on 3rd and 4th parties to maintain some of their critical business operations, um, the data and the assets by which the organization, um, transacts are no longer within the walls of the data center, right? So, again, the perimeter is very much dissolved. The second, you know, macro-level driver is really the shifting and evolving workforce. Um, especially given the pandemic and the need for organizations to support almost an entirely remote workforce nowadays, um, organizations are trying to think about how they revamp their traditional VPN technologies in order to provide connectivity to their employees and to other third parties that need to get access to, uh, the enterprise. So how do we do so in a secure, scalable and reliable way? And then the last kind of macro-level driver is really the complexity of the IT landscape. So, you know, in legacy environments organizations only had to support managed devices, and today you're seeing the proliferation of unmanaged devices, whether it be, you know, BYOD devices, um, Internet of Things devices or other smart connected devices. So organizations now, you know, have the need to provide connectivity to some of these other types of devices. But how do you do so in a way that, you know, limits the risk of the expanding threat surface that you might be exposing your organization to by supporting these connected devices? So those are three kind of macro-level drivers that are really, you know, constituting the need to think about security in a different way.
>>Right?
Well, I downloaded, you guys have a zero trust point of view document that I downloaded. And I like the way that you put real specificity around those five pillars, again users, workloads, data, networks and devices. And as you said, you have to take this kind of approach that it's kind of on a need-to-know basis. The less, you know, at kind of the minimum they need to know. But then, to do that across all of those five pillars, how hard is that to put in place? I mean, there's a lot of pieces of this puzzle. Um, and I'm sure, you know, we talk all the time about baking security in throughout the entire stack. How hard is it to go into a large enterprise and get them started or get them down the road on this zero trust journey?
>>Yeah. So you mentioned the five pillars. And one thing that we do in our framework is we put data at the center of our framework, and we do that on purpose, because at the end of the day, you know, data is the center of all things. It's important for an organization to understand, you know, what data it has, what the criticality of that data is, how that data should be classified, and the governance around who and what should access it from a, you know, users, workloads, uh, networks and devices perspective. Um, I think one misconception is that if an organization wants to go down the path of zero trust, there's a misconception that they have to rip out and replace everything that they have today. Um, it's likely that most organizations are already doing something that fundamentally aligns to the concept of least privilege as it relates to zero trust. So it's important to kind of step back, you know, set a vision and strategy as far as what it is you're trying to protect, why you're trying to protect it.
And what capability do you have in place today, and take more of an incremental and iterative approach towards adoption, starting with some of your kind of lower-risk use cases or lower-risk parts of your environment and then implementing lessons learned along the way, along the journey, um, before enforcing, you know, more of those robust controls around your critical assets or your crown jewels, if you will.
>>Right? So, Ravi, I want to follow up with you, you know? And you just talked about a lot of the kind of macro trends that are driving this, and clearly COVID and work from anywhere is a big one. But one of the ones that you didn't mention that's coming right around the pike is 5G and IoT. Right, so 5G and IoT, we're going to see, you know, the scale and the volume and the mass of machine-generated data, which is really what 5G is all about, grow again exponentially. We've seen enough curves up and to the right on the data growth, but we've barely scratched the surface and what's coming on 5G and IoT. How does that work into your plans? And how should people be thinking about security around this kind of new paradigm?
>>Yeah, I think that's a great question, Jeff. And as you said, you know, IoT continues to accelerate, especially with the recent investments in 5G that are, you know, pushing more and more industries and companies to adopt IoT. Deloitte has been, you know, helping our customers leverage a combination of these technologies, cloud, IoT, ML and AI, to solve their problems in the industry. For instance, uh, we've been helping restaurants automate their operations. Uh, we've helped automate some of the food safety audit processes they have, especially given the COVID situation, that's been helping them a lot. We are currently working with companies to connect smart, wearable devices that send the patient vital information back to the cloud.
And once it's in the cloud, it goes through further processing upstream through applications and data lakes, etcetera. The way we've been implementing these solutions is largely leveraging a lot of the native services that AWS provides, like device manager, that helps you onboard hundreds of devices and group them into different categories. Uh, we leveraged Device Defender. That's a monitoring service for making sure that the devices are adhering to a particular security baseline. We also have implemented AWS Greengrass on the edge, where the device actually resides, so that it acts as a central gateway and a secure gateway, so that all the devices are able to connect to this gateway and then ultimately connect to the cloud. One common problem we run into is a lot of the legacy IoT devices, they tend to communicate using insecure protocols and in clear text, so we actually had to leverage an AWS Lambda function on the edge to convert these legacy protocols to a very secure MQTT protocol that ultimately, you know, sends data encrypted to the cloud. So the key thing to recognize, and the transformational shift here, is, um, cloud has the ability today to impact security of the device and the edge from the cloud using cloud-native services, and that continues to grow. And that's one of the key reasons we're seeing accelerated growth and adoption of IoT devices. And you brought up a point about 5G, and that's really interesting. And a recent set of investments that AWS, for example, has been making: they launched their AWS Wavelength Zones that allow you to deploy compute and storage infrastructure at the 5G edge. So millions of devices, they can connect securely to the compute infrastructure without ever having to leave the 5G network or go over the Internet insecurely talking to the cloud infrastructure. Uh, that allows us to actually enable our customers to process large volumes of data in a short, near real time.
And also it increases the security of the architectures. And I think truly, uh, this 5G combination with IoT and cloud AI/ML, they are the technologies of the future that are collectively pushing us towards a future where we're gonna see more smart cities come into play, driverless connected cars, etcetera.
>>That's great. Now I wanna unpack that a little bit more because we are here at AWS re:Invent and I was just looking up. We had Glenn Goran 2015, introducing AWS's IoT cloud. And it was a funny little demo. They had a little greenhouse, and you could turn on the water and open up the windows. But it's a huge suite of services that you guys have at your disposal, leveraging AWS. I wonder, I guess, Andrew, if you could speak a little bit more to the suite of tools that you can now bring to bear when you're helping your customers go on the zero trust journey.
>>Yeah, sure thing. So, um, obviously there's a significant partnership in place, and, uh, we work together, uh, pretty tremendously in the market. One of the solution offerings that we've built out, which we dub Deloitte Fortress, um, is a concept that plays very nicely into our zero trust framework, more along the kind of horizontal components of our framework, which is really the fabric that ties it all together. Um, so the two horizontals in our framework are around telemetry and analytics, as well as automation and orchestration. If I peel back the automation and orchestration capability just a little bit, um, we built this Deloitte Fortress capability in order for organizations to kind of streamline, um, some of the vulnerability management aspects of the enterprise. And so we're able, through integration with AWS Lambda and other functions, um, to quickly identify cloud configuration issues and drift, so that, um, organizations can not only, uh, quickly identify some of those issues that open up risk to the enterprise, but also in real time.
Um, take some action to close down those vulnerabilities and ultimately remediate them, right? So it's a way to have, um, more of a kind of proactive approach to security rather than a reactive approach. Everyone knows that cloud configuration issues are likely the number one kind of threat vector for attackers. And so we're able to not only help organizations identify those, but then close them down in real time.
>>Yeah, it's interesting because we hear that all the time. If there's a breach and if AWS is involved, often it's a configuration. You know, somebody left the door open basically, and it really drives something you were talking about, Ravi, is the increasing importance of automation, um, and using big data. And you talked about this kind of horizontal telemetry and analytics, because without automation, these systems are just getting too big and crazy for people to manage by themselves. But more importantly, it's kind of a signal-to-noise issue when you just have so much traffic, right? You really need help surfacing that signal, as you said, so that you're proactively going after the things that matter and not being just drowned in the things that don't matter. Ravi, you're shaking your head up and down. I think you probably agree with this point.
>>Yeah, yeah, Jeff, I definitely agree with you. And what you're saying is truly, automation is a way of dealing with problems at scale. When you have hundreds of accounts and that spans across, you know, multiple cloud service providers, it truly becomes a challenge to establish a particular security baseline and continue to adhere to it. And you wanna have some automation capabilities in place to be able to react, you know, and respond to it in real time, versus it goes down to a ticketing system and some person is having to do, you know, some triaging and then somebody else is bringing in this, you know, solution that they implement.
And eventually, by that time your systems could be compromised. So a good way of doing this is leveraging automation, and orchestration is just a capability that enhances your operational efficiency by streamlining some manual and repetitive tasks. There's numerous examples of what automation and orchestration could do, but from a security context, some of the key examples are automated security operations, automated identity provisioning, automated incident response, etcetera. One particular use case that Deloitte identified and built a solution around is the identification and also the automated remediation of cloud security misconfiguration. This is a common occurrence and use case we see across all our customers. So in the context of AWS, the way we did this is we built an event-driven architecture that's leveraging the AWS Config service that monitors the baselines of these different services, and when it detects a drift from the baseline, it fires off an alert. That's picked up by the CloudWatch Events service that's ultimately feeding it upstream into our workflow that leverages the EventBridge service. From there, the workflow goes into our policy engine, which is a database that has a collection of hundreds of rules that we put together, uh, compliance activities. It also maps back to a large set of controls frameworks so that this is applicable to any industry and customer. And then, based on the violation that has occurred, or based on the misconfiguration and the service, the appropriate Lambda function is deployed, and that Lambda is actually, uh, performing the corrective actions or the remediation actions. While, you know, it might seem like a lot, all this is happening in near real time because it is leveraging native services.
And some of the key benefits that our customers see is truly the ease of implementation, because it's all native services on AWS, and then it can scale and, uh, cover any additional AWS accounts as the organization continues to scale. And one key benefit is we also provide a dashboard that provides visibility into one of the top violations that are occurring in your ecosystem, how many times a particular Lambda function was set off to go correct that situation. Ultimately, that kind of view is informing the upfront processes of developing secure infrastructure as code and then also, you know, correcting the security guardrails that might have drifted over time. So that's how we've been helping our customers, and this particular solution that we developed, it's called Deloitte Fortress, and it provides coverage across all the major cloud service providers.
>>Yeah, that's a great summary. And I'm sure you have huge demand for that, because these misconfiguration things, we hear about them all the time. And I want to give you the last word before we sign off. You know, it's easy to sit on the side of the desk and say, yeah, we've got to bake security into everything, and you've got to be thinking about security from the time you're in development all the way through, obviously, deployment and production and all the minutes. I wonder if you could share, you know, you're on that side of the glass and you're out there doing this every day, just a couple of, you know, kind of high-level thoughts about how people need to make sure they're thinking about security not only in 2020 but really looking down the road.
>>Yeah, yeah, sure thing. So, you know, first and foremost, it's important to align, uh, any transformation initiative, including zero trust, to business objectives, right? Don't let this come off as another IT security project, right?
Make sure that, um, you're aligning to business priorities, whether it be, you know, pushing to the cloud, uh, for scalability and efficiency, whether it's a digital transformation initiative, whether it be a new consumer identity, uh, and authorization, um, capability you're trying to build. Make sure that you're aligning to those business objectives and baking in and aligning to those guiding principles of zero trust from the start, right? Because that will ultimately help drive consensus across the various stakeholder groups within the organization, uh, and build trust, if you will, in the zero trust journey. Um, one other thing I would say is focus on the fundamentals. Very often, organizations struggle with some, you know, what we call general cyber hygiene capabilities, that being, you know, IT asset management and data classification, data governance. Um, to really fully appreciate the benefits of zero trust, it's important to kind of get some of those table stakes right, right? So you have to understand, you know, what assets you have, what the criticality of those assets is, what business processes are driven by those assets, um, what your data criticality is, how it should be classified and tagged throughout the ecosystem so that you could really enforce, you know, tag-based policy, uh, decisions within the control stack, right? And then finally, in order to really push the needle on automation and orchestration, make sure that you're using technology that integrates with each other, right? So take an API-driven approach so that you have the ability to integrate some of these heterogeneous, um, security controls and drive some level of automation and orchestration in order to enhance your efficiency along the journey, right? So those were just some kind of lessons learned about some of the things that we would, uh, you know, tell our clients to keep in mind as they go down the adoption journey.
>>That's a great summary. So we're gonna have to leave it there. But Andrew, Ravi, thank you very much for sharing your insight and again, you know, supporting this move to zero trust, because that's really the way it's got to be as we continue to go forward. So thanks again and enjoy the rest of your re:Invent.
>>Yeah, absolutely. Thanks for your time.
>>All right. He's Andrew. He's Ravi. I'm Jeff. You're watching the Cube from AWS re:Invent 2020. Thanks for watching. See you next time.