>> Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018, brought to you by Amazon Web Services, Intel, and their ecosystem partners. >> Hi everybody, welcome back to Las Vegas. I'm Dave Vellante with theCUBE, the leader in live tech coverages. This is day three from AWS re:Invent, #reInvent18, amazing. We have four sets here this week, two sets on the main stage. This is day three for us, our sixth year at AWS re:Invent, covering all the innovations. Markus Strauss is here as a Product Manager for database security at McAfee. Markus, welcome. >> Hi Dave, thanks very much for having me. >> You're very welcome. Topic near and dear to my heart, just generally, database security, privacy, compliance, governance, super important topics. But I wonder if we can start with some of the things that you see as an organization, just general challenges in securing database. Why is it important, why is it hard, what are some of the critical factors? >> Most of our customers, one of the biggest challenges they have is the fact that whenever you start migrating databases into the cloud, you inadvertently lose some of the controls that you might have on premise. Things like monitoring the data, things like being able to do real time access monitoring and real time data monitoring, which is very, very important, regardless of where you are, whether you are in the cloud or on premise. So these are probably really the biggest challenges that we see for customers, and also a point that holds them back a little, in terms of being able to move database workloads into the cloud. >> I want to make sure I understand that. So you're saying, if I can rephrase or reinterpret, and tell me if I'm wrong. You're saying, you got great visibility on prem and you're trying to replicate that degree of visibility in the cloud. >> Correct. >> It's almost the opposite of what you hear oftentimes, how people want to bring the cloud while on premise. >> Exactly. >> It's the opposite here. >> It's the opposite, yeah. 'Cause traditionally, we're very used to monitoring databases on prem, whether that's native auditing, whether that is in memory monitoring, network monitoring, all of these things. But once you take that database workload, and push it into the cloud, all of those monitoring capabilities essentially disappear, 'cause none of that technology was essentially moved over into the cloud, which is a really, really big point for customers, 'cause they cannot take that and just have a gap in their compliance. >> So database discovery is obviously a key step in that process. >> Correct, correct. >> What is database discovery? Why is it important and where does it fit? >> One of the main challenges most customers have is the ability to know where the data sits, and that begins with knowing where the database and how many databases customers have. Whenever we talk to customers and we ask how many databases are within an organization, generally speaking, the answer is 100, 200, 500, and when the actual scanning happens, very often the surprise is it's a lot more than what the customer initially thought, and that's because it's so easy to just spin off a database, work with it, and then forget about it, but from a compliance point of view, that means you're now sitting there, having data, and you're not monitoring it, you're not compliant. You don't even know it exists. So data discovery in terms of database discovery means you got to be able to find where your database workload is and be able to start monitoring that. >> You know, it's interesting. 10 years ago, database was kind of boring. I mean it was like Oracle, SQL Server, maybe DB2, maybe a couple of others, then all of a sudden, the NoSQL explosion occurred. So when we talk about moving databases into the cloud, what are you seeing there? Obviously Oracle is the commercial database market share leader. Maybe there's some smaller players. Well, Microsoft SQL Server obviously a very big... Those are the two big ones. Are we talking about moving those into the cloud? Kind of a lift and shift. Are we talking about conversion? Maybe you could give us some color on that. >> I think there's a bit of both, right? A lot of organizations who have proprietary applications that run since many, many years, there's a certain amount of lift and shift, right, because they don't want to rewrite the applications that run on these databases. But wherever there is a chance for organizations to move into some of their, let's say, more newer database systems, most organizations would take that opportunity, because it's easier to scale, it's quicker, it's faster, they get a lot more out of it, and it's obviously commercially more valuable as well, right? So, we see quite a big shift around NoSQL, but also some of the open source engines, like MySQL, ProsgreSQL, Percona, MariaDB, a lot of the other databases that, traditionally within the enterprise space, we probably wouldn't have seen that much in the past, right? >> And are you seeing that in a lot of those sort of emerging databases, that the attention to security detail is perhaps not as great as it has been in the traditional transaction environment, whether it's Oracle, DB2, even certainly, SQL Server. So, talk about that potential issue and how you guys are helping solve that. >> Yeah, I mean, one of the big things, and I think it was two years ago, when one of the open source databases got discovered essentially online via some, and I'm not going to name names, but the initial default installation had admin as username and no password, right? And it's very easy to install it that way, but unfortunately it means you potentially leave a very, very big gaping hole open, right? And that's one of the challenges with having open source and easily deployable solutions, because Oracle, SQLServer, they don't let you do that that quickly, right? But it might happen with other not as large database instances. One of the things that McAfee for instance does is helps customers making sure that configuration scans are done, so that once you have set up a database instance, that as an organization, you can go in and can say, okay, I need to know whether it's up to patch level, whether we have any sort of standard users with standard passwords, whether we have any sort of very weak passwords that are within the database environment, just to make sure that you cover all of those points, but because it's also important from a compliance point of view, right? It brings me always back to the compliance point of view of the organization being the data steward, the owner of the data, and it has to be our, I suppose, biggest point to protect the data that sits on those databases, right? >> Yeah, well there's kind of two sides of the same coin. The security and then compliance, governance, privacy, it flips. For those edicts, those compliance and governance edicts, I presume your objective is to make sure that those carry over when you move to the cloud. How do you ensure that? >> So, I suppose the biggest point to make that happen is ensure that you have one set of controls that applies to both environments. It brings us back to the hybrid point, right? Because you got to be able to reuse and use the same policies, and measures, and controls that you have on prem and be able to shift these into the cloud and apply them to the same rigor into the cloud databases as you would have been used to on prem, right? So that means being able to use the same set of policies, the same set of access control whether you're on prem or in the cloud. >> Yeah, so I don't know if our folks in our audience saw it today, but Werner Vogels gave a really, really detailed overview of Aurora. He went back to 2004, when their Oracle database went down because they were trying to do things that were unnatural. They were scaling up, and the global distribution. But anyway, he talked about how they re-architected their systems and gave inside baseball on Aurora. Huge emphasis on recovery. So you know, being very important to them, data accessibility, obviously security is a big piece of that. You're working with AWS on Aurora, and RDS as well. Can you talk specifically about what you're doing there as a partnership? >> So, AWS has, I think it was two days ago, essentially put the Aurora database activity stream into private preview, which is essentially a way for third party vendors to be able to read a activity stream off Aurora, enabling McAfee, for instance, to consume that data and bring customers the same level of real-time monitoring to the database as the servers were, as were used to on prem or even in a EC2 environment, where it's a lot easier because customers have access to the infrastructure, install things. That's always been a challenge within the database as the servers were because that access is not there, right? So, customers need to have an ability to get the same level of detail, and with the database activity stream and the ability for McAfee to read that, we give customers the same ability with Aurora PostgreSQL at the moment as customers have on premise with any of the other databases that we support. >> So you're bringing your expertise, some of which is really being able to identify anomalies, and scribbling through all this noise, and identifying the signal that's dangerous, and then obviously helping people respond to that. That's what you're enabling through that connection point. >> Correct, 'cause for organizations, using something like Aurora is a big saving, and the scalability that comes with it is fantastic. But if I can't have the same level of data control that I have on premise, it's going to stop me as an organization, moving critical data into that, 'cause I can't protect it, and I have to be able to. So, with this step, it's a great first step into being able to provide that same level of activity monitoring in real time as we're used to on prem. >> Same for RDS, is that pretty much what you're doing there? >> It's the same for RDS, yes. There is a certain set level of, obviously, you know, we go through before things go into GA but RDS is part of that program as well, yes. >> So, I wonder if we can step back a little bit and talk about some of the big picture trends in security. You know, we've gone from a world of hacktivists to organized crime, which is very lucrative. There are even state sponsored terrorism. I think Stuxnet is interesting. You probably can't talk about Stuxnet. Anyway-- >> No, not really. >> But, conceptually, now the bar is raised and the sophistication goes up. It's an arms race. How are you keeping pace? What role does data have? What's the state of security technology? >> It's very interesting, because traditionally, databases, nobody wanted to touch the areas. We were all very, very good at building walls around and being very perimeter-oriented when it comes to data center and all of that. I think that has changed little bit with the, I suppose the increased focus on the actual data. Since a lot of the legislations have changed since the threat of what if GDPR came in, a lot of companies had to rethink their take on protecting data at source. 'Cause when we start looking at the exfiltration path of data breaches, almost all the exfiltration happens essentially out of the database. Of course, it makes sense, right? I mean I get into the environment through various different other ways, but essentially, my main goal is not to see the network traffic. My main goal as any sort of hacker is essentially get onto the data, get that out, 'cause that's where the money sits. That's what essentially brings the most money in the open market. So being able to protect that data at source is going to help a lot of companies make sure that that doesn't happen, right? >> Now, the other big topic I want to touch on in the minute we have remaining is ransomware. It's a hot topic. People are talking about creating air gaps, but even air gaps, you can get through an air gap with a stick. Yeah, people get through. Your thoughts on ransomware, how are you guys combating that? >> There is very specific strains, actually, developed for databases. It's a hugely interesting topic. But essentially what it does is it doesn't encrypt the whole database, it encrypts very specific key fields, leaves the public key present for a longer period of time than what we're used to see on the endpoint board, where it's a lot more like a shotgun approach and you know somebody is going to pick it up, and going to pay the $200, $300, $400, whatever it is. On the database side, it's a lot more targeted, but generally it's a lot more expensive, right? So, that essentially runs for six months, eight months, make sure that all of the backups are encrypted as well, and then the public key gets removed, and essentially, you have lost access to all of your data, 'cause even the application that access the data can't talk to the database anymore. So, we have put specific controls in place that monitor for changes in the encryption level, so even if only one or two key fields starting to get encrypted with a different encryption key, we're able to pick that up, and alert you on it, and say hey, hang on, there is something different to what you usually do in terms of your encryption. And that's a first step to stopping that, and being able to roll back and bring in a backup, and change, and start looking where the attacker essentially gained access into the environment. >> Markus, are organizations at the point where they are automating that process, or is it still too dangerous? >> A lot of it is still too dangerous, although, having said that, we would like to go more into the automation space, and I think it's something as an industry we have to, because there is so much pressure on any security personnel to follow through and do all of the rules, and sift through, and find the needle in the haystack. But especially on a database, the risk of automating some of those points is very great, because if you make a mistake, you might break a connection, or you might break something that's essentially very, very valuable, and that's the crown jewels, the data within the company. >> Right. All right, we got to go. Thanks so much. This is a really super important topic. >> Appreciate all the good work you're doing. >> Thanks for having me. >> You're very welcome. All right, keep it right there, everybody. You're watching theCUBE. We'll be right back, right after this short break from AWS re:Invent 2018, from Las Vegas. We'll be right back. (techno music)

>> Live from Las Vegas, it's theCUBE, covering AWS re:Invent 2018. Brought to you by Amazon Web Services, Intel, and their ecosystem partners. (upbeat music) >> Welcome back, here on theCUBE, (mumbles) to continue our coverage at AWS re:Invent with Sands. This is actually one of seven sites all around town, that are hosting various sessions. We heard a lot our guests saying, "it's so exciting." There's this spot for this particular expertise. Then I boo, Uber across town, I go to this spot, because that's how big this show's become, and how dynamic this show has become. We are on day three, and I'm here with Rebecca Knight, and also joined by Eric Boerger, who is a technology specialist at McAfee. Hello Eric good to see you. >> Hello, thanks for having me today, this is wonderful. >> You bet, well we've had a couple of your colleagues on already. I mean Markus Strauss is one who comes to mind. Talk about the database you're on the cloud side of things, cloud security. >> I am. I'm a technology specialist here at McAfee. My role is to help our customers as they're moving into the cloud, understanding where their security pitfalls may be, and implementing the right technologies and security tools to help make sure that their transition into the cloud is as secure as possible. >> So what's the big picture on that? Alright so security first and foremost in the cloud, that's probably, well certainly one of the big questions people have right. >> Absolutely, that tends to be the biggest question is, "how can I make sure that as I'm doing this transition to the cloud, that I'm not just throwing assets out there, and finding that I have issues later, but how can I bake security into them from the beginning." And that's really where we at McAfee are trying to sit back and identify where customers are having their challenges, and make sure that our tools are able to be positioned and developed correctly to address those issues. >> So what are some of the most common challenges that you see? >> So some of the most common challenges that we see in terms of problems are misconfigured accounts. That's a very common issue that we see in a lot of breach reports. Somebody setup a data repository, doesn't put the right security mechanisms in place, and all of a sudden now all of the confidential data that's been breached. >> Out the door. >> A second problem we see is a lot of, especially within the IAS space, organizations are standing up new instances of workloads, and the security teams aren't necessarily being informed that they're actually putting these workloads, or computer assets online, so now they're coming online without any protections, or any audit capability in place to make sure they're meeting their own security best practices guidelines that their organizations may have developed. >> Yeah we were talking earlier with probably one of your competitors actually, and they were talking about breaches. We're talking about. They said, "Their estimation 90 percent, are created, or made possible by mistakes." >> Absolutely. >> I mean, you agree with that? Is that our... >> I cannot agree anymore with that. Because the problem is, is that, the ability and the agility of the cloud, is both a positive, it allows us to be extremely flexible and agile as we're developing, but it also allows us to move so fast that we may be outpacing what our own knowledge levels are for being able to secure those. And that's tended to be one of the biggest hindrances that we see, is a developer gets enabled to go through and create a MS3 Bucket, put a lot of data in there, but at the same point they don't implement any tools behind it, or any security behind that. So it's not necessarily their fault, it's just they don't understand what security requirements are to implement in the cloud. >> And that's where you come in. So talk a little bit about your solutions and about how you approach the problem. >> Absolutely. So we have a wide variety of solutions here at McAfee, to help address those issues. That's everything from our Skyhigh McAfee Casb product, to help do account identifications and discovery of rogue accounts. And then some of our tools, like our virtual network IPS. That's able to do packet level inspection to apply a deeper level of security onto those systems. And then of course our Cloud Workload Security Product. That's something that is able to help you discover any of those rogue assets, and identify systems that may have already been breached based upon the network communication that's already occurring on those systems. >> Yeah you're kind of this cat and mouse game, aren't you, in terms of security, because you're trying to stay one step ahead of some actors who are very skilled at maintaining an edge. >> Absolutely. >> I mean how do you sleep at night Eric? >> So moving to the cloud is an area that once you feel that... Once you have the right tools in place, it'll help you actually sleep a lot easier, knowing that there's audit tools in the background, that are able to continuously monitor your workloads, identify if you have misconfigured accounts, if you have systems that are missing, needed information. You may have a requirement to have something like an integrity monitoring tool in place for some of your workloads, and this is a, with our tools, we can actually monitor and tell you if you're out of compliance with any of those baseline requirements. >> So how do you help the companies, the customers that want to move to the cloud, but also be sort of a hybrid, or maybe keep some of their stuff on PRIM, how do you make it easier for them? >> And that's a very common question that we hear over and over is, "I want to move to the cloud, but I'm not ready to go all in yet." So what we've actually done, is we've developed a lot of same discovery tools, can be used on premise. So that as they're building out their private clouds, whether it's in an open sac implementation, or via VMware, we can still do the same discovery, the same identification of misconfigured workloads. Now that also brings us to, as they move more into the cloud, it's already there, it's able to help them with their hybrid environment space, and that can either be managed on premise or from the cloud directly. So that when they're ready to move all their management infrastructure to the cloud, our tools are already there and ready for them. >> Now you're really good at what you do, but as you know, you're not the only game in town. >> We're not. >> So what's your differentiation then in terms of your cloud offering? What do you think this is what McAfee does better than anybody else? >> So what we feel that we really do better than anybody else, is be able to integrate a full security picture in a unified console management. So this is giving us the ability to do deployment of our own tool sets. Being able to do things such as integration with our Skyhigh product, and being able to pull back from the Casb view to help pull in a unified view. That's where we really feel that we've got a lot of unique factors in the cloud space to help our customers as they're moving. Plus the ability to be not just cloud focused, but still hybrid. Being able to protect those private data centers. We see a lot of companies who are going pure cloud, but they say, "Well if you had something on a premise, we don't care about it anymore, because it's not in the cloud." We feel with our background and our strengths in security we can really help address those concerns. >> So you're a technology specialist, that is your job title, >> It is. >> but in so many of these migrations and big digital transformations, the technology is really the easy part. And what's so much harder is getting the people onboard with the changes. Getting them to adopt and embrace and keep using the solutions. First of all, do you see this kind of resistance, and then also how do you overcome those challenges? >> Absolutely, the challenge is getting people to adopt to the cloud, and then continually be integrative with the newest tools that are coming available from the security standpoint and side is always a problem. The developers are very agile, they want to move at the speed of development. Which means going back and talking to security and saying, "hey by the way, I'm doing these things," doesn't always happen. So this is where we want to be able to give you a continuous monitoring ability to say hey, "somebody went through and stood something up." Security was completely outside of the loop. Bring them back in so that they can get the visibility, the alerting. And this is even where we've created some new features, that we announced on stage yesterday to be able to be integrated with the Amazon security hub. This is where we really feel that being able to help augment as Amazon's developing tools providing our security insight, to make sure that once again, as the developers are taking advantage of some of the newest features, we're there with them. >> And what was the driver of that? I mean how did you get to that point? >> So this is part of our partnership with Amazon. We actually have a great foundational relationship where we have a lot of our products have gone through a best practices review. And we have well architecture review stamps on a lot of the products that we have in the marketplace. This is due to the tight security integrations that we've had work with Amazon. That we're invited to be one of the first partners into the security hub, and you're going to see this out of additional products as we move forward with our new capabilities in the cloud. >> Yeah I hate to, I mean we have just a few minutes left, and I hate to dive into a big topic here, but on the other side of that security coin is compliance. Right, you got to be concerned about that. It's governments, you got to be concerned about that. And that's a whole new can of worms especially today with whether you're dealing with company concerns, state, federal concerns, and even European concerns. >> Absolutely, and the data privacy is another major concern with the compliance. It's not just what do I have, but how is it being used, how's it being utilized, and that's where with some of our products we've actually gone through and have build our full DLP engine into discovery of any of your data that exists within the cloud. So if you put data in as three, we can go through, scan it, identify if there's any PII data, alert upon it, give you controls of that. And then from a workload perspective side, we have tools that can go through and feed in your own templates. To say that I need to be PCI compliant, I need to meet HIPAA compliance. Be able to audit that workload, and give a continuance summary report back to the management teams to say hey, "I have auditors coming in, how am I in compliance, and then tell me what I need to do to address those gaps that I found from my cloud workloads." >> Solving problems. >> Solving problems. >> That's what it's all about right there. >> He's the best, that's right. >> Alright, I want you around more often. (laughing) We got a lot of problems to be solved, we appreciate it Eric, thank you for your time here at AWS re:Invent. >> Thank you very much for the time today. >> Good to have you, thanks for the McAfee story. Back with more from Las Vegas right after this. You're watching theCUBE. (upbeat music)