Bill Shinn, AWS | AWS Summit 2017
>> Announcer: Live from Manhattan, it's theCUBE! Covering AWS Summit New York City 2017. Brought to you by Amazon Web Services.
>> And welcome back here to New York. We're at the Javits Center here in midtown Manhattan for AWS Summit 2017. Along with Stu Miniman, I'm John Walls. Glad to have you here on theCUBE as we continue our coverage here from New York City. Well, if you're making that move to the cloud these days, you're thinking about privacy, you're thinking about security, you're thinking about compliance. Big questions, and maybe some big problems that Bill Shinn can answer for you. He is the Principal Security Architect at AWS, and Bill, thanks for being with us.
>> Thanks for giving me the time.
>> Hey, CUBE rookie, right? This is-
>> This is my first time.
>> Your maiden voyage.
>> First time for everything.
>> Glad to have you, yeah. So I just hit on some of the high points; these are big, big questions for a lot of folks, I would say. Just in general, before we jump in, how do you go about walking people into the water a little bit, and getting them thinking, getting their arms around these topics?
>> Absolutely. It's still among the first conversations we have with customers. It's our top priority at AWS, the security, and customers are concerned about their data security regardless of where that data is. Once they move it into the cloud it's a real opportunity to be more secure; it's an opportunity to think about how they're doing security, and adapt and be a little faster. So we have a really prescriptive methodology for helping customers understand how to do a cloud adoption and improve their security at the same time. We have a framework called the Well-Architected Framework, and there's a security pillar in that framework; it's built around five key areas. Identity and access management, which is really what you should be thinking about first, because authorization is everything.
Everything is code, everything is an API, so it all has to be authorized properly. Then we move into detective controls and talk about visibility and control: turning on CloudTrail, getting logging set up. All the detective controls, so that before you even move a workload into the cloud, you know exactly what's happening, right? And then we move into infrastructure security, which includes your network trust boundaries, zone definition, things like firewall rules, load balancers, segmentation, as well as system security: hardening and configuration state of all the resources in their account. Then we move on to data protection as we walk customers through this adoption journey. Things like encryption, backup, recovery, access control on data. And then finally incident response. We want to make sure that they have a really good, solid plan for incident response as they begin to move more and more of their business into the cloud. So to help them wade through the waters, we bring it up. The CSO is a key partner in a cloud adoption; organizations need to make sure security is in lockstep with engineering as they move to the cloud. So we want to help with that. We also have the Cloud Adoption Framework, and there's a security perspective in that framework. Methodology for really treating security more like engineering these days. So you have DevOps and you have DevSecOps. Security needs to have a backlog, they need to have sprints, they need to have user stories. It's very similar to how engineering would do it. In that way they're partnering together as they move workloads into the cloud.
>> Amazon's releasing so many new features, it's tough for a lot of us to keep up. Andy Jassy last year said, "Every day when you wake up, there's at least three new announcements coming out." So it's a new day, there are a number of announcements in your space; maybe bring us up to speed as to what we missed if you just woke up on the West Coast.
>> Sure, sure.
Customers love the pace of innovation, especially security organizations. They really like the fact that when we innovate on something, it means they might not have to put as many resources on that particular security opportunity or security concern. They can focus more on their code quality, more on engineering principles, things like that. So today we happily announced Amazon Macie. Love it. It performs data classification on your S3 objects. It provides user activity monitoring for who's accessing that data. It uses a lot of our machine learning algorithms under the hood to determine what is normal access behavior for that data. It has a very differentiated classification engine, so it does things like topic modeling, regular expressions, and a variety of other things to really identify that data. People are storing trillions of objects in S3, and they really want to know what their data is, whether it's important to them. Certainly customers' data is the most important thing, so being able to classify that data, perform user analytics on it, and then be able to alert and alarm on inappropriate activities. So take a look at Macie; it's really going to make a big difference for customers who want to know that their data is secure in S3.
>> Actually, I got a question from the community. Looking at Macie coming out, we've got a lot of questions about GDPR coming out.
>> Bill: Okay, sure, yeah.
>> So Macie, or the underlying tech, can that be-
>> Bill: Absolutely a great tool. We think the US is the greatest place to be to perform GDPR compliance. You really got to know your data; you have to know if you're moving data by European citizens around, you really have to understand that data. I think Macie will be a big part of a lot of customers' strategy on GDPR compliance. To finish your question, we've announced quite a few things today, so Macie's one of them.
We announced the next iteration of CloudHSM, so it's cheaper, more automated, deals more with the clustering so that you don't have to do it. Deeper integration with things like CloudTrail. Customers really wanted a bit more control and integration with the services than the previous iteration offered, so we've offered that. We announced EFS volume encryption too, so EFS, or Elastic File System, encryption at rest. It natively integrates with the Key Management Service the same way that many of our services do when you're storing data. We announced some Config rules today to help customers better understand the access policies on their S3 buckets. So yeah, good stuff.
>> John: Busy day.
>> Busy day.
>> I mean, just from a security standpoint, when you are working with a new client, do you ever uncover, or do they discover, things about themselves that need to be addressed?
>> Bill: Yeah. I think the number one thing, and it's true for many organizations when they move to the cloud, is they want that agility, right? And when we talk to security organizations, one of the top things we advise them on is how to move faster. As much as we're having great conversations about WAF and Shield, the Web Application Firewall, and Shield, our DDoS solution, Inspector, which performs configuration assessments, all the security services that we've launched, we're also having pretty deep conversations with security organizations these days about CodeStar, CodePipeline, CodeDeploy, and the DevOps tool chains, because security can get those fast engineering principles down and be just as responsive. It also puts security in the hands of engineers and developers; you know, that's the kind of conversation we're having. They discover that they kind of need to get a little closer to how development does their business. You know, talking in the same vocabulary as engineering and development. That's one of the things I think customers discover. Also it's a real opportunity, right?
So if you don't have to look after a data center footprint and all the patch panels and switches and routers and firewalls and load balancers and things you have on premises, it really does allow a shift in focus for security organizations, to focus on code quality, focus on user behavior, focus on a lot of things that every CSO would like to spend more time on.
>> Bill, one of the things a lot of companies struggle with is how they keep up with everything that's happening, all the change there. When I talk to my friends in the security industry, it's one of the things that they're most excited about. We need to be up on the latest fixes and the patches, and when I go to public cloud you don't ask somebody, "Hey, what version of AWS or Azure are you running on?" You're going to take care of that behind the scenes. How do you manage the application portfolio for customers, and get them into that framework so that they can, you know, we were talking about Cameron, Gene Kim, just buy into that as security just becomes part of the process, as I get more out of agile?
>> Yeah, so the question is really about helping customers understand all the services, and really get them integrated deeply. A couple of things: certainly the Well-Architected Framework, like I mentioned, is helpful for that. We have solution architects, professional services consultants, a very, very rich partner ecosystem that helps customers. A lot of training for security; there's some free training online, there's classroom, instructor-led training as well, so that training piece is important. I think the solutions are better together. We have a lot of great building blocks, but when you look at something like CloudTrail, CloudWatch Events, and Lambda together, we try and talk about the solutions, not just the individual building blocks. I think that's one key component too, to help them understand how to solve a security problem.
Take, for example, monitoring the provisioning of identities and roles and permissions. We really want customers to know that that CloudTrail log, when someone attaches a role to a policy, that can go all the way to a Slack channel, that can go all the way to a ticket system. You really want to talk about the end-to-end integration with our customers, really to help them keep pace with our pace of innovation. We really try and get the blog in front of them; the security blog is a great source of information for all the security announcements we make. Follow Jeff Barr's Twitter, a bunch of things to help keep pace with all of our launches and things, yeah.
>> You brought up serverless. If I look at the container space, which is related of course, security has been one of those questions. Bring us up to speed as to where you are with security, containers, Lambda-
>> Sure, I think Lambda's isolation is very strong; in Lambda we have real confidence in the tenant isolation model for those functions. The nice thing about serverless is, when there's no code running, you really don't have a surface area to defend. I think from a security perspective, if you were building an application today, and you go to your security team and say, "I'd really like to build this little piece of code, and tie these pieces of code together, and when they're not running there's nothing there that you need to defend." Or, would I like to build this big set of operating systems and fleet management and all the things I have to do? It's kind of a, it's a pretty easy conversation, right? All the primitives are there in serverless. You have strong cryptography, TLS endpoints, you've got the IAM policy framework so that identity and access management has really consistent language across all the services, so principals, actions, resources, and conditions are the same across every service.
It's not any different for serverless, so they can leverage the knowledge they have of how to manage identities and authorization in the same way. You've got integration of CloudTrail. So all the primitives are there, so customers can focus on their code and being builders.
>> Stu: So it sounds like that's part of the way to attach security for IoT then, if we're using those.
>> I think for IoT it's a very similar architecture too, so you have similar policies that you can apply to what a device can write to in the cloud. We have a really strong set of authorization and authentication features within the IoT platform so that it makes it easy for developers to build things, deploy them, and maintain them in a secure state. But you can go back to the Well-Architected Framework and the CAF, the Cloud Adoption Framework; you take those five key areas, you know, identity, detective controls, infrastructure security, data protection, and IR, incident response. It's pretty similar across all the different services.
>> It just comes back to the fundamentals.
>> It does, absolutely. And for customers, you know, those control objectives haven't changed, right? They have those control objectives today, they'll have them in the cloud, and we just want to make it easier and faster.
>> Well, Bill, thanks for being with us.
>> You bet, thank you very much.
>> Good to have you on theCUBE, look forward to seeing you again for the second time around.
>> See you then, hopefully.
>> Bill Shinn, from AWS, joining us here on theCUBE. Continuing our coverage from the AWS Summit here in New York in just a bit. (techno music)