Okay. We're back at AWS reinforced 2022. My name is Dave Vellante, and this is the cube we're here in Boston, home of lobster and CDA. And we're here, the convention center where the cube got started in 2010, Shariq Qureshi is here the senior manager at Deloitte and two LL P and merit bear is back on the cube. Good to see >>You guys can't keep me away, >>Right? No. Well, we love having you on the cube shark set up your role at, at Deloitte and toosh what do you actually, what's your swim lane, if you will. >>Yeah, sure. You know, I spend, I wear a lot of hats. I spend a lot of time in the assurance, the controls advisory audit type of role. So I spend our time, a lot of time working with our clients to understand, you know, regulatory requirements, compliance requirements, and then controls that they need to have in place in order to address risks, technology risks, and ultimately business risks. >>So I like to put forth premise, you know, when I walk around a show like this and come up with some observations and then I like to share 'em and then people like me. Well, you know, maybe so help me course correct. My epiphany at this event is the cloud is becoming the first line of defense. The CISO at your customers is now the second line of defense. I think audit is maybe the th third line of defense. Do, do you buy that the sort of organizational layered approach? >>No, because in fact, what we're here to talk about today is audit manager, which is integrated, right? Like if you're doing so the whole notion of cloud is that we are taking those bottom layers of the stack, right? So the concrete floors up through layer for the hypervisor, the, the racks and stacks and HVAC and guards and gates up through the hypervisor, right? Our, our proprietary hardware nitro ecosystem, which has security inheritance is okay upon that. We are then virtualized. Right? And so what we're really talking about is the ways that audit looks different today, that you can reason about what you're doing. So you're doing infrastructure as code. You can do securities code, you can do compliances code, and that's the beauty of it. So like for better, or in your case for worse in your analogy, you know, these are integrated, these are woven together and they are an API call >>Seamless. >>It, it is like easy to describe, right? I mean, like you can command line knowledge about your resources. You can also reason about it. So like, this is something that's embedded, for example, an inspector you can do network reachability know whether you have an internet facing endpoint, which is a PCI, you know, requirement, but that'll be dashboarded in your security hub. So there's the cloud is all the stuff we take away that you don't have to deal with. And also all the stuff that we manage on top of it that then you can reason about and augment and, and take action on. >>Okay. So at the same time you can't automate the audit entirely. Right? So, but, but talk about the challenges of, of, of, of automating and auditing cloud environment. >>Yeah. I mean, when I look at cloud, you know, organizations move to take advantage of cloud characteristics and cloud capabilities, right? So elasticity, scalability is one of them. And, you know, for market conditions, business, business outcomes, you know, resources expand and contract. And one of the questions that we often get as an auditor is how do you maintain a control environment for resources that weren't there yesterday, but are there today, or that are, that are no longer there and that are there today. So how do you maintain controls and how do you maintain security consistently uniformly throughout an audit environment? It's not there. So that's a challenge auditors, you know, historically when you look at the on-prem environment, you have servers that are there, it's a physical, it's a physical box. You can touch it and see it. And if it goes down, then, you know, it's still there. You can hug >>It if you're some people >>It's still there. So, but you know, with, you know, with cloud things get torn down that you don't see. So how do you maintain controls? That's, you know, it, one challenges, it >>Sounds like you're describing a CMDB for audit. >>I mean, that's a, that's an outcome of having, you know, getting good controls of having a CMDB to keep track and have an inventory of your assets. >>But the problem with CMDB is they're out of date, like so, so quickly, is it different in the cloud world? >>Yeah, exactly. I mean, yes. And yes, they are outta date. Cuz like anything static will be manual and imprecise, like it's gonna be, did John go calculate, like go count how many servers we have. That's why I was joking about server huggers versus like virtualizing it. So you put out a call and you know, not just whether it exists, but whether it's been patched, whether it's, you know, like there are ways that we can reason about what we've done, permissioning pruning, you know, like, and these, by the way, correspond to audit and compliance requirements. And so yes, we are not like there, it's not a click of a, whatever, a snap of the fingers, right. It takes work to translate between auditors and us. And it also takes work to have customers understand how they can augment the way that they think about compliance. But a lot of this is just the good stuff that they already need to be doing, right? Knowing internet facing endpoints or whatever, you know, like pruning permissioning. And there's a lot of ways that, you know, access analyzer, for example, these are automated reasoning tools that come from our formal reasoning group, automated reason group that's in identity. Like they, computers can reason about things in ways that are more complex, as long as it can be resolved. It's like EEU utility in mathematics. You don't go out and try to count every prime number. We accept the infinitude of primes to be true. If you believe in math, then we can reason about it. >>Okay. So hearing that there's a changing landscape yeah. In compliance shift from a lot of manual work to one that's much more highly automated, maybe not completely integrated and seamless. Right. But, but working in that direction, right. Yeah. Is that right? And maybe you could describe that in a little bit more detail, how that, you know, journey has progressed. >>I mean, just the fact alone that you have, you know, a lot of services, a lot of companies that are out there that are trying to remove the manual component and to automate things, to make things more efficient. So then, you know, developers can develop and we can be more agile and to do the things that, you know, really what the core competencies are of the business to remove those manual, you know, components to take out the human element and there's a growing need for it. You know, like we always look at security as, you know, like a second class citizen, we don't take advantage of, you know, the, you know, the opportunities that we need to, to do to maintain controls. So, you know, there's an opportunity here for us to look at and, and automate compliance, to automate controls and, and to make things, you know, seamless >>As a fun side benefit, you will actually hopefully have improved your actual security and also retain your workforce because people don't wanna be doing manual processes. You know, they wanna be doing stuff that humans are designed for, which is creative thinking, innovation, you know, creating ways to make new pathways instead of just like re walking these roads that a computer can analyze, >>You mentioned audit manager, what is that? I mean, let's give a plug for the product or the service. What's that all about what problems does it solve? Let's get >>Into that. Yeah. I mean, audit manager is a first of its kind service. You're not gonna find this offered through any other hyperscaler it's specifically geared and tailored towards the second line, which is security and compliance and a third line function, which is internal audit. So what is it looking to do and what is it looking to address some of those challenges working in a cloud space working, and if you have a cloud footprint. So for example, you know, most organizations operate in a multi account strategy, right? You don't just have one account, but how do you maintain consistency of controls across all your accounts? Auto manager is a service that can give, you know, kind of that single pane of view that to see across your entire landscape, just like a cartographer has a map to see, you know, the entire view of what he's designing auto managers does the same thing only from a cloud perspective. So there's also other, you know, features and capabilities that auto managers trying to integrate, you know, that presents challenges for those in compliance those in the audit space. So, you know, most companies, organizations they have, you know, not just one framework like SOC two or GDPR, high trust, HIPAA PCI, you know, you can select an industry accepted framework and evaluate your cloud consumption against, you know, an industry accepted framework to see where you stand in terms of your control posture, your security hygiene, >>And that's exclusive to AWS. Is that what you're saying? You won't find that on any other hyper scale >>And you'll find similarities in other products, but you won't find something that's specifically geared towards the second line and third line. There's also other features and capabilities to collect evidence, which is, I don't see that in the marketplace. >>Well, the only reason I ask that is because, you know, you, everybody has multiple clouds and I would love, I would love a, you know, an audit manager that's, that's span that transcends, you know, one cloud, is that possible? Or is that something that is just not feasible because of the, the, the deltas between clouds? >>I mean, anything's possible with the APIs right now, the way that, you know, you have to ingrain in, right. There's, you know, a, a feature that was introduced recently for audit manager was the ability to pull in APIs from third party sources. So now you're not just looking, looking exclusively at one cloud provider, you're looking at your entire digital ecosystem of services, your tools, your SA solutions that you're consuming to get a full, comprehensive picture of your environment. >>So compliance, risk, audit security, they're like cousins that are all sort of hanging out on the same holiday, but, but they're different. Like what help us understand and squint through those different disciplines. >>Yeah. I mean, each of them have, you know, a different role and a hat to wear. So internal audit is more of your independent arm of management working or reporting directly towards, you know, to the audit committee or to the board to give an independent view on company control and posture security and compliance works with management to help design the, that there that are intended to prevent, detect, or even correct, you know, controls, breakdowns, you know, those action, those action verb items that you wanna prevent unauthorized access, or you wanna restrict changes from making its way into production unless it's approved and, and documented and tracked and so on and so forth. So each, you know, these roles they're very similar, but they're also different in terms of what their function is. >>How are customers dealing with regional differences? You mentioned GDPR, different regulations, data sovereignty, what are the global nuances and complexities that, that, that cloud brings. And how are you addressing those? >>Yeah. Merit, I don't know if you had any thoughts on that one. >>I mean, I think that a lot of what, and this will build off of your response to the sort of Venn diagrams of security and risk and compliance and audit. I think, you know, what we're seeing is that folks care about the same stuff. They care about privacy. They care about security. They care about incentivizing best practices. The form that that takes when it's a compliance framework is by definition a little bit static over time. Whereas security tends to be more quickly evolving with standards that are like industry standards. And so I think one of the things that, you know, all these compliance frameworks have in, in mind is to go after those best practices, the forms that they take may take different forms. You know what I mean? And so I, I see them as hopeful in the motivation sense that we are helping entities get the wherewithal, they need to grow up or mature or get even more security minded. I think there are times that they feel a little clunky, but you know, that's just Frank. Yeah. >>It, it, it can audit manager sort of help me solve that problem. Is that the intent? And I see what you're saying, merit, that there security is at a different pace than, than, you know, GDPR, a privacy, you know, person, >>Right. I mean, like security says, we want this outcome. We want to have, you know, data be protected. The compliance may say, it must be this particular encryption standard. You know what I mean? Like the form I see things taking over time will evolve and, and feels dynamic. Whereas I think that sometimes when we think about compliance and it's exactly why we need stuff like audit manager is to like help manage exactly what articulation of that are we getting in this place at this time for this regulated industry? And like almost every customer I have is regulated. If you're doing business, you're probably in PCI, right. >>And there's never just one silver bullet. So security is, is a number of things that you're gonna do, the number of tools that you're gonna have. And it's often the culture in, in what you develop in your people, your process and technology. So auto manager is one of the components of robust strategy on how to address security. >>But it's also one of those things where like, there are very few entities, maybe Deloitte is one that are like built to do compliance. They're built to do manufacturing, automotive hospitality. Yeah. You know, like they're doing some other industry as their industry. Right. And we wanna let them have less lag time as they make sure that they can do that core business. And the point is to enable them to move our, I mean like sure. I think that folks should move to the pod because of security, but you don't have to, you should move because it enables your business. And this is one of the ways in which it just like minimizes, you know, like whatever our tailwinds lagging or push it anyway, it pushes you. Right. I mean, like it minimizes the lag >>Definitely tailwind. So are you suggesting merit that you can inject that industry knowledge and specificity into things like audit manager and, and actually begin to automate that as, and of course Deloitte has, you know, industry expertise char, but, but, but how should we think about that? >>I mean, you're gonna, you're gonna look at your controls comprehensively a across the board. So if you operate in an industry, you're gonna look to see like, what's, what's important for you. What do you have to, you know, be mindful of? So if you have data residency concerns, you wanna make sure that you've tailored your controls based on the risks that you're addressing. So if there's a framework >>And remember that you can go in the console and choose what region you're, you know, like we never remove your data from your region that you have chosen, you know, like this is, there's an intentionality and an ability to do this with a click of a mouse or with an API call that's, you know, or with a cloud formation template. That's like, there is a deliberateness there. There's not just like best wishes. >>You know, >>ESG is in scope. I presume, you know, helping the CISO become more green, more diverse. Increasingly you're seeing ESG reports come out from major organizations. I presume that's part of the compliance, but maybe not, maybe it hasn't seeped in yet. Are you seeing >>For that? I think it's still a new service auto manager. It's still, you know, being developed, but, you know, continuous feedback to make sure that, you know, we're covering a, a broad range of services and, and, and those considerations are definitely in the scope. Yeah. >>I mean, are you hearing more of that from >>Clients? So, I mean, we have an internal commitment to sustainability, right. That has been very publicly announced and that I'm passionate about. We also have some other native tools that probably, you know, are worth mentioning here, like security hub that does, you know, CIS benchmarking and other things like that are traffic lighted in their dashboard. You know, like there are ways a lot of this is going to be the ways that we can take what might have been like an ugly ETL process and instead take the managed ness on top of it and, and consume that and allow your CISO to make high velocity decision, high velocity, high quality decisions. >>What's the relationship between your two firms? How do you work >>To I'm like we just met. >>Yeah. I sense that, so is it, is it, how do you integrate, I guess is >>A question. Yeah. I mean, I mean, from the audit perspective, our perspective, working with clients and understanding, you know, their requirements and then bringing the service audit manager from the technical aspect and how we can work together. So we have a few use cases, one we've working with the tech company who wanted to evaluate, you know, production workload that had content, you know, critical client information, client data. So they needed to create custom controls. We were working with them to create custom controls, which auto manager would evaluate their environment, which would, you know, there's a reporting aspect of it, which was used to, you know, to present to senior leadership. So we were working together with AWS and on helping craft what those custom controls were in implement at the customer. >>Yeah. I mean, among other things, delight can help augment workforce. It can help folks interpret their results when they get outputs and act upon them and understand industry standards for responsiveness there. I mean, mean like it's a way to augment your approach by, you know, bringing in someone who's done this before. >>Yeah. Cool, cool. Collaboration on a topic that's generally considered, sorry. Don't, don't hate me for saying this boring, but really important. And the fact that you're automating again makes it a lot more interesting guys. Excellent. Thanks for your sharp first time on the cube. Thank you. Absolutely on, appreciate it. Rapidly. Becoming a VIP. Thanks. Coming on. Hey, I'll take it. All right. Keep it right there. Thank you. This is Dave ante for the cube. You're watching our coverage of AWS reinforce 2022 from Boston. We'll be right back.