(techno pop music)- [Announcer] Live from Boston, Massachusetts, it's theCUBE. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. >> Hello everyone, welcome to theCUBE here in Boston. We're live at Amazon Web Services, AWS' first inaugural security conference. It's called the re:Inforce. They have re:Invent, which is the annual Amazon Web Services, AWS customer event. This is kind of like an Amazon Web Services summit meets with re:Invent. They're calling it re:Inforce. This is an event that looks like it's going to be a lot like re:Invent for the security sector. I'm John Furrier your host, with my co-host, David Vellante. Dave, re:Inforce inaugural show for Amazon Web Services, AWS but it's got a feel for summit, a little education but big keynotes. This is about security. This is a stake in the ground for AWS to have a dedicated conference and customer event around security, reinforces the name. Kind of like re:Invent, kind of get the vibe there. They're tryin' to go kind of independent, kind of new swim lane for a conference. Certainly there's demand. >> Yeah well two years ago, when you and I were at the DC public sector, you just came off of that show recently. The head of IT at the CIA said, "Security of the cloud on our worst day is better than "our clients' server systems on their best day." So this narrative of the sky is falling that you always hear from security vendors, is not what Amazon is projecting. Amazon is projecting that the state of the Cloud Union is strong. Kind of (laughs) like the president, every time he gives a State of the Union Address. So it comes down to me John as how do you secure massively distributed systems in the Cloud? Huge challenge for people. We heard from customers today, Liberty Mutual and Capital One, their number one challenge is how to keep pace with AWS? How to keep pace with the changes? So what you're seeing is this shared security model. Amazon takes care of the infrastructure, the database, the storage, and the customer still has to worry about endpoints, their own network, the operating system, the applications. So, they always talk about undifferentiated heavy lifting. You're seeing a shift toward that customer side of focus and on response. So putting more resources on response versus securing that core infrastructure. >> And security's changing. This is also a show about CISOs, the chief information security officer, also known as a CISO. The CISO and CIO kind of have similar roles. They have to look out over massive change in the enterprise these days, digital transformations, On-premise versus Cloud. Two different modes of operation. People love the On-premise in the old days, but now moving to the Cloud creates a different challenge and opportunity for security. I have some thoughts. I'd love to get your thoughts on what you see as Cloud security because there's a difference. Lift and shift is easy when you're talking about infrastructure. But when you start getting into coding and having something be security Native, there's a difference between Cloud security and On-premise's security. How are you seeing that play out? >> Well I think the whole notion of infrastructure as a code emanated 'cause of the Cloud. So I see it playing out as you got to have security as code. So it's sort of the intersection of DevOps and SecOps. And then to your other point, is what's the right regime? Who's responsible for it? Is it the CIO, is it the CISO? Should the CISO report to the CIO, all that other stuff. And personally I've always felt like it should be a separate reporting structure because otherwise you've got the sort of the fox guarding the henhouse. So I think that's key point number one. The other point is, bad security practices by end users will trump good security by IT. So it is really, it's a cliche, but it is truly a team sport. I think the big challenge again that people have is how do they keep pace with AWS? They're moving so fast. And it's not only just for customers, John. I think it's for the ecosystem as well. I can see Amazon eating away (laughs) at the value created by a lot of their partners. >> I mean, Amazon clearly is showing their cards here. They're continuing to push the agility, raising the bar kind of philosophy. And really what's happening with AWS is that, it's a continuation of their subscription model. You've got Dave McCann, he's going to be coming on theCUBE, he runs the Marketplace. You're seeing now hundreds and hundreds of subscriptions in the marketplace, thousands of subscriptions coming out, huge buying philosophy there. But this notion of foundational security built-in from day one. Is a philosophy Amazon is believing that and they can secure their environment. And they want customers as you pointed out, saying "Look it, we'll cover our AWS, we'll be highly secure." "You focus on what you do better." "You can use Security Hub, Control Tower." Which was announced as general availability. And they're saying to their ecosystems, "Look it, build on top of AWS, "because we have the best security." "We are a bit more secure." "But we won't try to compete with you if you use our stuff." So this has been a very interesting dynamic. And the security industry is responding well to it because they want to rely on Amazon. Why recreate the wheel? Use the Amazon, but they have to be free to compete on their own. That's what Amazon is saying in the private conversations I've had. Is that they're saying, "We're not going to compete with you, if you build on AWS." >> Yeah, and you move fast. (laughs) >> (laughs) And you move fast, and you make more money. >> But this is why I think everybody's going after Multi-Cloud. 'Cause if you hear that story, you're like, Wow, I don't think I could move as fast as AWS. I can't just build on AWS. I have to have a hedge strategy. So therein lies the Multi-Cloud. But John you I think, nailed it several years ago. It's Cloud, right? It's data. The Security fits in there and it weaves in availability, certainly privacy. You don't hear Amazon talking tons about privacy, but that's another side of the coin. These things are all intertwined, and it comes back to the data. >> We're going to see, for the folks watching, we're going to be seeing a lot of security cut on theCUBE. Security's a natural fit for what we've been covering. Starting out with the infrastructure, with Cloud, Big data, AI, Security, IoT are all kind of in the center there, because Security's looking a lot more like Cloud, than Cloud looking like Security. So Security has to become more agile, shared responsibility. Things like automation, reasoning, these are terms that are coming up. AI and Cloud are a perfect mixture to come in and actually reshape the security landscape. 'Cause the fact of the matter is there are way too many vendors and suppliers and service providers for customers that want to get down the (laughs) lower numbers, suppliers and more functionality. So you're seeing the conversations from the CISO's that I've had here. In the hallways and meetings I've had privately they all tell me Dave, that "We want want to reduce our suppliers down to, "big number down to single digits." "Ya know double digits not three digits." "Hundreds to a handful." The second thing that they're telling me is Multi-Cloud is B.S. to them. And that shocked me to hear top regime leaders saying "Multi-Cloud is not something we're interested in." Because this flies in the face of what we've been reporting, what we've been hearing, around Multi-Cloud. And I asked, "Why is that an issue?" "Won't there be multiple Clouds?" And this person said, "Yeah we use multiple Clouds "but I can't split my talents up multi-talents." So it's a talent game in Security. And the risk for the organization is to have multiple Clouds, multiple stacks, too many code bases. They're forking their talent base and that is not consistent with the security direction that they're taking from a coding Native standpoint. They want to have Security built-in and everything. So the devs can be agile and start and build stuff on top of Security. So Multi-Cloud great messaging and concept. You might have a few Clouds but the fact of the matter is, when they start splitin' the talent out like that, you dilute the overall power. >> But you actually, >> That was surprising. >> You actually did report on this. And when you tie back to your JEDI coverage, I mean the DOD basically said that Multi-Cloud is more complex, more costly and less secure. Now for that team that's doing JEDI they want a single (laughs) environment. The other thing I heard today, which I think is interesting, huge challenge is IoT. 75 billion connected endpoints by 2025. Okay we always hear those big numbers. But somethin' I didn't know. 90% of IoT data is plain text in the form of HTTP. Plain text. So it's not encrypted. So Amazon is going hard after that. And so they're going to bring tooling to that problem. I like Amazon strategy and ya everybody says, "Oh you can't bring the Cloud." It's about building applications securely at the edge. And that's what Amazon wants to enable. I like that strategy better than what you see from companies like Dell and HP. Is like, hey here's a box. We're going to top-down, throw it over and secure the edge. I don't think that top-down approach is going to be as effective as a bottom-up application developer approach. To your point, building security in. >> Yeah I mean, we're back to the classic digital transformation and people process technology equation. Where you have the organizational structures. A big conversation here as well. You mentioned which regime runs it. Because if you want to do DevOps, you got to develop and then put it in production. So you have two kind of splits there. You want to have more agility, you need more DevOps and you want to have that Native stack built-in, a firm Security stack, but then when you ship it to production you've got governance. So most organizations here that other big players in Security have kind of pillars. Right? Governance and risk management, operations and intelligence, data, and then full-blown engineering teams and then information security groups. That are just peaked on those. And the numbers are becoming much more significant. Security is IT now. It's not some sanctioned off group. It's becoming the way. And a lot of cutting-edge technologies are coming out of the Security market. So to me, I think the Security industry and the idea of having a conference dedicated to Security is a good one. Because the canary in the coal mine in this industry, is coming out of Security. And this is where the action is. So I see a lot of innovation and I think there's going to be a tsunami of apps that are going to be bought, like services. So I think ya know, this notion of shared services with Amazon and the Marketplace could be a great consumption model for enterprises. So ya know, you're going to see that dynamic. Enablement for channel and ecosystem. Marketplace for customers to buy software and services. >> And it's really again, a strong bottoms-up message from Amazon. It's kind of CISO on down. You know it's not the corner sweep that Amazon is messaging to. Although there's some messaging in there. They're basically positioning themselves as by far the fastest innovator, most features, most compliance, GRC, all that stuff. But really it's hardcore deep dives on Security. They're talkin' to Security pros. It's like when you go to reinvent strong developer crowd. Hardcore security SecOps, really detailed, serious technical people. That's their bottoms-up approach. >> Well Dave let me give you my thoughts on the Keynote. Then I want to get yours. And I want to give you a list of things that I was reporting on last night and getting in today, getting all the data on kind of the key topics that are going to be covered here in this show and beyond. So first the Keynote. Loved the encrypt anywhere message. >> Everywhere yeah. >> Assume everyone's watching. Security is everyone's job. Very big theme around you know, that notion of encryption. And that, you got to take care of it. The shared responsibility model. I loved that kind of message. And then automated remediation. This came up in my CISO conversations I've had this week where remediation can be automated so they can focus the talent on threat detection and notification alerting. So threat detection's moving to notifications and alerts. And they want to use automation like Lambda to automate known tech problems that can just take away and not have their people work on it. So that's a huge, huge topic on the Keynote. I love that. And using Lambda is great one. Building security measures into APIs. And then mathing the Cloud. I love that concept. Nerded on that. So overall typical Amazon Keynote. Meat and potatoes being served up in terms of the course of content and that was an awesome, awesome piece of it. So that' my take. What's your take on the Keynote. >> So my number one takeaway is again the customer saying, "Our number one biggest challenge is keeping up with the pace of change and the pace of innovation." And to your point, the answer to that challenge is automation. Amazon is forcing it's customers to automate so they can move faster. And Amazon knows that that's its key competitive weapon. It can rollout features faster than anybody else. Create that fly-wheel effect. If it can get its customers, you know most vendors move at the speed of the fat-middle of IT. Which is really slow. Amazon, interestingly, is pushing its customers faster than they're used to going. >> So Dave I had a chance to have a sit down and poll a bunch of CISOs and CIOs. So sometimes they have a CISO sometimes it's a CIO. >> Right. >> The role seems to be blending in as kind of one big, kind of overseer of the action. And here's what I've found terms of the key themes that were on their mind. And again this is part of our ongoing CISO interviews we've been doing and paneling the top CISOs of the top companies. Key topics that's on their mind. Vendor lock-in. Spend. They're spendin' a lot of cash. Being Security Native and kind of having that cultural philosophy of Security built-in so developers don't have to do it. That's very DevOpsy. Your point about Security as code. Big topic. That was a big one. And then kind of in the management side. Service providers slash suppliers. Dealing with the legacy (laughs) of the inherited supplier base that's calling on them and people who want to sell them things. The value creation process that's wants to be tied into suppliers. So that's kind of a procurement thing. Metrics. Which KPI should they be paying attention to? What's really going on? As I mentioned the threat detection versus alerts. Threat detection is not, kind of seems to be moving more towards alerts so threat detections can be managed. These are kind of things they want to measure. If you just measure one thing then might be have a blind spot. So metrics is I think what keeps them up at night. In terms of the topic. The Cloud Security model's different On-Premise and Cloud. Integration. Integration from third parties 'cause that's going to be a reality. Ecosystems like Amazon has a ton of suppliers that they can be buying services from, so it better integrate into a security stack. Identity management, obviously big. Automation. Workforce and talent. The Multi-Cloud comment came out of this. Talent is the number one game. This is a really critical piece. They coming up with strategies to recruit and to retain and have the best people working on the tech stacks, not working on just general architecture. And then finally, coding security. These are the top topics on the minds of the top CISOs and CIOs in the enterprise. And this is the key areas we're going to be covering. >> So that says to me you know, the concern about lock-in and the concern about spend, so they probably will have exit strategies in hedge. So (laughs) probably will be Multi-Cloud, which is interesting. The Multi-Cloud at one said Multi-Cloud's B.S. But at the same time their top-of-mind issues suggest that Multi-Cloud is going to be a key. On metrics. You know there's a metric out there that after you get infiltrated it takes 256 days to identify that. >> Yep. >> I'd like to see in the Cloud what that metric looks like. >> Yeah, yeah. >> Does that go down? So that's something that's really interesting. As opposed to, okay, how many threats did we count? Right? Or thwart. You know like you mentioned ID management. Identity management. Automation. And I agree talent. There's a big war. Capital One said they just opened a big technical presence in Boston. A lot of talent here. A lot of talent, around the world >> Well just for the record. I'm not anti Multi-cloud. I was just pointing out, the comments that, >> Right, no right. I understand that ya. >> the CISOs said I think Multi-Cloud is realistic. But what he was pointing out is that right now Multi-Cloud isn't attainable in the way that they want it. They have to spend too much of their talent on code bases and stacks that aren't compatible. >> And integration. >> I personally think that you'll have Multi-Cloud environments for all companies but they're going to pick one. For example, and the workload should define the Cloud you're working on so why would you want to just split a workload between two Clouds. Makes no sense. Unless it's completely automated, and frictionless and there's (laughs) value. >> Well Multi-Cloud is a symptom of multi-vendor. You've got different teams doing different projects, different parts of the organization and that's what it is. It's less of strategy then it is a symptom, at least at this point in time. >> Okay that's the kickoff for the inaugural AWS show here in Boston. This is the live Cube coverage here for two days. I'm John Furrier, Dave Vellante. Stay with us for two days of coverage. We'll be right back. (techno pop music)