>>LA from Las Vegas. It's the cube covering AWS reinvent 2019 brought to you by Amazon web services and along with its ecosystem partners. >>Okay. Welcome back everyone. Cube coverage, Las Vegas live action ADA was reinvent 2019 third day of a massive show where our seventh year of the eight years of Ava when documenting the history and the rise and the changing landscape of the business. I'm Jon Favreau, Stu Miniman, my cohost, our next guest, bill McGee, senior vice president, general manager of the hybrid cloud security group within trend micro sold this company, those guys now lead executive of the cloud and hybrid hybrid cloud security. You've got hybrid in there looking through the queue and I've been to every re-invent every single one. Congratulations. Welcome to the cube. Nice to be here. So eight years. What's changed in your mind real quick? >>Ah, wow. The um, yeah, certainly the amount of adop uh, the amount of adoption is now massive mainstream. You don't have the question, should I go to the cloud? It's all about how and how much. Probably the biggest change we've seen is how it's really being embraced all around the world. We're a global company. We saw initially a U S on Australia type focused UK. Now it's all over the place and so really relevant everywhere. Oh Phil. I, you know, at least from my standpoint, and I have enough friends of mine in the security industry when we first started coming to the show, I mean security was here, security is not only is so front and center in the discussion of cloud that they had a whole show for it here. So, you know, give us the 2019 view of security inside that the, the broader hybrid cloud discussion here at Reinventure. >>Let me tell you a couple of things. Kind of what we're seeing within our customer base and then what matters from a security perspective. So we see some organizations doing cloud migration, moving workloads to the cloud. A various farms had a couple of meetings yesterday. One was call it evacuating their data center. The other one was celebrating that two weeks ago they closed their data center. So that's a big step. Windows and Linux workloads moving to the cloud and really changing existing security controls to work better in the cloud. But certainly what a lot of these cloud builders are here for is, uh, you know, developing cloud native applications. And originally, you know, back seven, eight years ago, that was on top of what's now seemed like pretty simple services like S three. Now you've got containers and serverless and other platforms that people are using. >>And then the last thing, a lot of companies are establishing a cloud center of excellence and they're trying to optimize their use of the cloud. They still have compliance requirements that they need to achieve. So these are what we see happening and really the challenge for the customer, okay, how do we secure all this? How do we secure the aggressive, aggressive cloud native application development? How do we help a customer achieve compliance easily from a cloud center of excellence? So that's where we see fitting. And we made a big announcement a couple of weeks ago about a new platform that we've created and you know, I'd love to talk to. >>Yeah, let's dig into that. Let's dig into that. But first when we were at was Amazon's first security conference, Dave latte and I were talking about wow, cloud security versus on prem security. And then what's happening here is I had a conversation with someone who was close to the CIA, can't say his or her name and that, and they said cloud has changed the game for them because their cost line was pretty much flat, but the demand for missions, which we're growing scaling. So we're seeing that same dynamic you were referring to it earlier, that cost in data centers is kind of flat, but the demand for application new stuff's happened. So there's a real increased her demand for apps. This is the real driver of how people are flexing and deploying technology. So the security becomes really the built in conversation. Correct. Comment on that dynamic. And what do you recommend while, so here's a couple of things >>as we've seen really. Uh, you know, again, we've been doing cloud security for about a decade and really it was primarily focused on one service of AWS, which is. Now that's a pretty darn big service. And, uh, you know, widely used within their customer base. There's now 170 services I think is the, you know, the most recent number. Um, so developers are embracing all these new services. We acquired a new capability in October company called cloud conformity based in Sydney, Australia. Very focused on AWS analyzes implementations against the AWS well architected framework. So the first step we see for customers is you got to get visibility into your use of the cloud for the security team. What services are being used? Then can you set up a set of security guard rails to allow those services to be used in a secure manner? Then we help our customers turn to more detailed specialized protection of or containers or serverless. So that's what we've recognized ourselves. We had to create a very modest version of what Amazon has created themselves, which is a platform that allows builders to connect to and choose what security services they want >>to help. Lota how broad is your service base? Is it all the services? Are you guys now pick and choose? I can't. It's hard to do all, but yeah, there's the main ones. What are the highlights? >>Yeah, I'll give you the ones where we provide, uh, a very large breadth of protection. So in the, what we're calling cloud one conformity service, so that's this, uh, technology we acquired a couple months ago. Um, it cuts across about 70 services right now and gives you visibility of potential security configuration errors that you have in your environment. Now, if it's in a dev team, maybe not such a big deal, but if it's in production, it is a big deal. Even better, you can scan your cloud formation templates on the way to, to, to being live. Then we have a set of specialized protection that will, you know, will run on a workload and protect it, protect a containerized environment, a library that can sit within a serverless application. So that's kinda how we look at it. >>They'll want, one of the things of going to the more and more cloud for customers is that there's that shared responsibility model. We know that security is everyone's responsibility. It needs to be built in from the ground up. How are your customers doing with that shift and how are they understanding what they need to do? There've been some pretty visible like, Oh wait, I really had to configure that. I'm not about that. And Amazon's trying to close the gap on some, bring us through some of those. >>We've seen a big positive change over the years. Initially I would say that there was what I would call a naive perception that the cloud was magic and it was perfectly secure and that I don't have to worry about it. Right. Amazon did a, did the industry a real favor by establishing the shared responsibility model and making crystal clear what they've got covered that you don't need to worry about anymore as a customer and then what are the capabilities you still need to worry about? They've delivered a set of security tools that help their customers and then they rely on partners like us to deliver a set of more in depth tools to a, you know, specialized markets. >>You actually used a word that we've been talking about a lot this week. Naive. So we said there's, you know, the one letter difference between being cloud native, I mean cloud naive there. What does it mean to be cloud native in the security world? >>Well, I would say what allows you to be so first the most important thing in every customer's mind. I don't care how good the security capabilities you're helping me with. If you're going to slow down the improvements that I've just made to my development life cycle, I'm not interested. So that is the most important thing is are you able to inject your security technology and allow the customer to deliver at the rate that they're currently or continuing to improve? That is by far the most important thing. Then it's are your controls fitting into an environment in a way that that are as easy as possible for the customer? One part that's been very critical for us. We've been a lead adopter of the AWS marketplace allowing customers to procure security technology easily. They don't actually have to talk to us to buy our product. That's pretty revolutionary. >>Talking about the number of breaches that have gone on and what's changed with you guys over the year because new vectors are coming out, there's more surface area. Obviously it's been been discussed what's changed most in years? I'll tell you what we're worried about and what we expect to see. Although I would say the evidence, it's early. Uh, the reality in our traditional data centers, they were so porous at runtime in terms of the infrastructure and vulnerabilities that it was relatively easy for attackers to get in. The cloud has actually improved the level of security because of automation, less configuration errors. Unfortunately, what we expect as attackers to move to the developers move to the dev pipeline, injecting code, not at runtime, but injecting it earlier in the life cycle. We've seen evidence of container images, uh, up on Docker hub getting infected and then developers just pulling in without thinking about it. >>That's where attackers are going to move to the dev pipeline and we need to move some of our security technology to the dev pipeline to help customers defend themselves. What about international geo geo issues around compliance? How is that changing the game or slowing it down or I'd say doubling it or can you talk about that dynamic? Because I'm sure with regions, I'm sure you know, the U S is the most innovative market and the most risk taking market and therefore people move to the cloud quite bravely. Uh, you know, over this over this decade. Um, and some of the markets, so for example, we're Japanese headquartered company, um, in general Japanese companies, you know, really, uh, take into a lot of considerations before they make that type of big bet. But now we're seeing it, we're seeing auto manufacturers, uh, embrace the cloud. So I think those, it was a struggle for us in the early days, how regional the adoption of cloud was. >>That's not the case anymore. It's really a relevant conversation in every one of our markets. Bill, thank you for coming on the Cuban sharing your insights on hybrid cloud security. I got to ask you to end the segment. Yeah. What is going on for you this year? I see hybrids in your title. That's obviously the, the operating model is clouds and are gravity clouds going to the edge or data center and just operating model. What's on your mind this year? What are you trying to do and accomplish? What's, what are you excited about? What we're really excited about was this a product announcement that we made called cloud one and what cloud one is, is a set of security services which customers can access through, you know, common, uh, common access, common billing infrastructure, common cloud account management, and choose what to use. You know, Andy put it pretty well in his keynote where, you know, he talked about, he doesn't think of AWS as, as a Swiss army knife. >>He thinks of it as a specialized set of tools that builders get to adopt. We want to create a set of security tools in a similar way where customers can choose which of these specialized security services that they want to adopt. Bill, great pleasure to meet you and have this conversation pro and then security area entrepreneur sold this company to trend micro. This is the hybrid world is all about the cloud operating model. So all about agility and getting things done with application developers, just cube bringing you all the data from re-invent. Stay with us for more coverage after this short break.