>> live from Boston, Massachusetts. It's the Cube covering AWS Reinforce 2019. Brought to you by Amazon Web service is and its ecosystem partners. Welcome >> back, everyone. Day two of live coverage here in Boston, Massachusetts, for AWS Amazon Web services. Inaugural conference called Reinforce. This is a Cloud security conference, the first of its kind. It's the beginning of what we see as a new generation of shift in now new category called Cloud Security. Obviously, Cloud has been growing. Security equation is changing and evolving. I got a great guest here. Colby Alan, who's a platform architect at ZIP with based in Seattle. Great for joining us. Thanks for coming on. Thanks for having me. So we're chatting before we came on about your journey and your Dev ops chops you guys have built over there that I want to get into that just quickly explain what you guys do real quick. Set the context. >> Yes, it is on SMS text messaging provider way Specialize in toll free messaging. We also texting able landline phone numbers. Our business is kind of really split into two parts way. Have you know your traditional Sadd's application that ran runs like a sad That's where you can, you know, have the you I thio interface your landline phone number eight under number With that messaging, no, top that We run a carrier grade network. So we have direct binds into all the major carriers in the U. S. Bringing online some Canadian carriers. That's really where the power of our platform and we own the network on DSO way started Nicolo and over the last last year, which has spent nine months moving all that into Amazon and >> forget about that. So explain the architecture. You guys move yet polos with network you moved to Amazon with three people. Just classic devils. A lot of hard work, I'm sure take us through what happened. What was the old environment? And now what does it look like now? >> Yeah, so, you know, when I just started with, you know, they were interesting place. They were just starting a huge growth. And so at that point, they existed in a few data centers in the U. S. And running the empire workloads on or bare metal databases on. The problem was, there was just a scaling problem, right? I mean, we couldn't way We're looking at the type of scale we needed and trying to procure hardware. And we just couldn't physically get it fast enough with the right amount of budget. So I come from a previous place doing a job? Yes. I mean, that's kind of what I've done for a lot of years. So, you know, I convinced my boss stay here. Let's let's run the stats happen. Eight of us. So we built that ran it, launched our new version of arse as application in Amazon. And at that point, you know, our traffic skyrocketed. You know, I think last year we had somewhere to 180% growth, right? And, you know, our core infrastructure just wasn't surviving. Right is outages and problems. And so, you know, we took it and we we went to Amazon with it. And, you know, we rebuilt it all. And it was a really interesting thing, because Amazon was Luther releasing features and we were consuming them, right? Five. Siri's and Nitro came out, and we're like finally waken get performance of the networking interfaces. Then they released the D instances within ve Emmys, or like finally, our databases will survive and they can go fast enough, you know? And then we leveraging huge Aurore instances, real impact power, the back end of this thing. So you >> guys really tapped really? At the right time? You guys were growing. You saw the, you know, that scale potentially bursting. You saw the scale coming in growth coming in the company you could almost see. Okay, look, we got a plan. So you go to Amazon News Service is what's the impact on the staff has been any more people. What's been the impact on? >> Yeah, I think the big thing is the initial move. We did it for three of us. I mean, it was a lot of work. We spent a lot of time doing it. A lot of people, sleepless nights, a lot of long weekends. But now you know, we've got a really stable platform, and, you know, we were able to really continue processing our message. Growth is increased, and we know we haven't, you know, had to totally re architect things again, right? The architecture's work has grown and expanded. Stale ability has been fantastic for us. The performance, of course, is you know, some of >> the best walking commercial for eight of us, a question paper. But if you'll have that same experience, but what's interesting is you guys essentially are, in my opinion, representative of the trend that we're seeing, which is certainly in security as they catch up the devil. That's a big story here. Security now can level up with speed of the Dev ops kind of engineering philosophy and pointing, but it's it's the trend of building your own and a lot of companies. They're reinvesting in teams of people because they're close to the action and they can actually code if I quickly use cases that they know are bona fide, whether it's a low level platform service, primitive or right up into the app, using machine learning and data. So you know you have now that now you had security in there. This is where the action is and so cos I mean, I see the successful ones like you guys coming in saying You know what? Let's not boil the ocean over. Let's just solve one problem scale and then let's look at the service is that we can leverage to doom or take us through that philosophies. I think you guys were great example of that. >> So, I mean, if we touch on the security aspect, I think that that was a big thing is way. Don't run a dedicate security team. My team is the security team, right? And that was a big thing that both me and my director is. You know, we wanted the people building it to be doing the security. And, you know, the that was what was really, you know, easy with eight of us is, you know, we could turn on all these fancy features. It was just, you know, a flag and Terra formed all of a sudden way. Have encryption arrest. It's something we've never had before. So there's that. And then, you know, to the builder methodology be because we came from such a scrappy like way. Got to go fast, like we didn't have time to evaluate software bringing consultants, you know, it's so, you know, we kind of just kind of adopted that, you know, it's better for us a lot of times to kind of roll our own thing. Andan there, times where there's software that's a good fit for it. I mean, we do use some external vendors on things, and >> that's really more of a decision on the platform. But as you look at the platform engineer, you go. Okay, we gotta build here. Let's weigh No, he don't really is not me that be a core competency. Let's go look at some vendors for this, this and that. But ultimately, if you look at something that's really core, you can dig into it. And certainly with Kubernetes and with a lot of the service is coming out sas after taking eventually Cloud Native. >> Yeah, yeah, through you're you're so we're huge Criminality is 100% kubernetes everywhere, and I think that that's really been another big thing for us is you know, it's it's brought our application up a level to be able to integrate, be more reliable. I mean, you know where you used to have this external service discovery piece, and then you have your security peace. You know where kubernetes I can go deploy a container application. Describe it all at once, right? It's all in my coat config so I can audit it for our compliance sees. You know we can co to review for our compliance, sees but the same time I deploy the whole thing. I'm not. Here's this team to point the There's this other team then coming by trying to secure the app. It it's all together. >> The old way would have been kind of build it out, maybe use some software. Have all these silo teams. Yes, and that's kind of all kind of built in. >> Yeah, we kinda just opened it out, right? I mean, you know, from from arse, as teams leveraging a lot of, you know, the security features that are available to us to our core piece, which is a very different type of software, you know, is leveraging the same pieces and same type of monitoring principle. >> It's interesting, You know, the Kino. There's something people hemming and hard around, like the word Dev sec ops. I mean, I love Devon. We've been we've been part of that since day one. It's been fun to be part of it, but we saw the benefits of it. Clearly. You see, no doubt there's no debate. But when you start getting into some of the semantic definitions, go to security known feel that, by the way, is fragmented like crazy and now you get the growth of the cloud is starting to see cloud security become its own thing That's different than the on premises side. So what's your take on that? Because a lot of people are wanting their going to cloud anyway. So what's that they're saying on premise, security posturing and cloud security? In your opinion? >> Yeah, so I mean, it is drastically different. I think part of it's the tool set that's available, right? I mean, we ran data centers. I've automated data centers, but, you know, they're just not at the level of which I could do the automation in the auditing in the cloud. So I feel like I found actually, some respects makes it easier for me to do security on run security and audit security numbers. The data center. You know, I don't run a lot of tooling and a lot of things to get all the views. I need it, But there's a lot of really separate systems, you know, in the cloud you have, like this one. Nice, fundamental, a p I. That hi is a person who has to build the infrastructure can use, but it's the same a p I that I put my security had on that. Like I used to make security, right, security groups, things of that sort. It's all the same, right? I'm not having to learn five different applications has been really important for our team because, you know, my team comes from the vast majority of no true Dev ops Thio. You know, we've been upgraded from people in our knock, you know, and have them really just learned the one ecosystem >> is you don't want to fragment the team. Yeah, I don't wanna have five different skill sets, kind of >> their victims. We just We don't wanna have tools that only one person knew how to do right. We wanted people to take vacations right? And like, we don't want to have a tool that's like only only that person knows how to run it, nobody else does. And so >> that was the big thing for us. What you think about the show here, reinforce all say it's not an Amazon Webster's summit. They do the summits which assistance see a commercial version of reinventing regions. This is a branded show is obviously their cloud security going hard at it. What's your take. So far, >> I've really enjoyed it. I mean, so I've gone to some. It's I've been to reinvent for a few years spoken to reinvent once, you know? But, you know, those things were fun, but they're so big and there's so much going on, you know, it's it's refreshing to be in this reinforced conference and focus on the security side. Sitting talks were like, You have people getting into kms and like some of these really pivotal tools. Yeah, it's been really, really >> get down and dirty here. Yeah, And people talk to, you know, approachable >> without, like, having to deal with all of Amazon, right? I can focus on, like, this one little >> portion reinvent you kidding? Walked through the hallways just like >> yeah, I mean, Well, where one hotel Are you gonna >> be at that point now, right? Yeah. >> Okay. So I gotta ask you about the dev ops question. We've been commenting yesterday day Volonte, who is on his way in. He and I were talking with a lot of si sos and a lot of practitioners. And the conversation generally was security needs to catch up to Dev ops and to pay who you talk to. They may or may not believe that way. Think that to be true. We think security now has the level up with the speed of Dev ops from his agility things that are highlights. For example, you guys have What's your take on that when someone says, Hey, security's got to catch up the devil Is it really catching a prism or transformation? What's your view on this >> will be like when you say catching up like it takes a negative. You know, I don't want to be negative there on DSO. I feel like it's a transformation. That means the same thing of going from the data center as as just as an operational engineer to Amazon is, there wasn't catching up. It was you just changing everything you do and how you think. And I think you know that's That's the same thing that a lot of security people I've seen struggle with was their success. Life are the ones that have gone, and I understand that, like, >> what do you think is the most important story happening in this world security cloud security screen general that should be covered by media that should be covered by the industry that is covered him should be amplified Maur or isn't covered and should be talking about what's the what is the most important stories that should be told. >> Well, so again, you know, I'm a fundamental layer, so things to me that I are always over shouted or like, you know, just encryption, right? I mean, everybody's like train encryption on. But, you know, I feel that talks I've gone to today or deeper dives into that. I feel like, you know, the kms product of Amazon. I feel like is a very powerful product that isn't super talked about. It's been nice here because they talked about 100 like you go to reinvent you don't really see a lot of kms type things are crowded, just them. And, you know, I think it makes some of those very difficult products to run in a data center very easy. You know what you hear on the security side is unsecured, as three buckets are like. Security groups are in conflict. Configure it incorrectly. And you know, no one knows that commercial. Everyone knows that. You know Elasticsearch not turned into a new s three right compromises You choose your database of choice of public. But for me, I think it's like a part that I feel is missing with Amazon is the ease of use of like, clicking a button. And >> now I have >> full Aurora encryption by default >> and the service you can just turn on what's next for you guys. Give us a peek into some of the things they're working on. What excited about? >> So I mean, we're making Ah, big thing is, you know, so we spend a lot of building now we're kind of going back and really kind of wrapping are a lot of our compliance is so zip it is a hole has been working towards a lot of stock to type compliance, seize on things like that. So, you know, we've been working through governance and no deploying. You know, software that kind of is more actively watching our environment and alerting us or helping us make sure we're staying at C. I s type benchmark so that you know, when my boss comes to me and says, Show me that we're doing this, I can just say, Oh, here's dashboard. So we were really not like via more secure State is a big, big product that we're working with right now. We leverage cloud health and those kind of the two external vendors that we've really partnered with. And so, you know, this year's been adopting those into the system. That's when the eight of us side, you know, we still just run Cooper Nettie. So there's a lot going on in the Cuban aunties ecosystem that we're also working on. So, like, service, mash and things of that sort like, How can I take this idea of security groups in this least trust model infrastructural e up to kubernetes, which by default this kind of flattened open. And so, you know, we've been exploring envoy and sdo linker D or write our own, you know, you know, and looking through those things and and then again wrote, making more robust CCD pipeline. So container scanning vulnerability, protecting our edge way running cloudfront wife for a while. But, you know, a lot of this year's gonna be spent, you know, Evaluate Now you know, we deployed a lost about 10 and got it turned on right because it works. But diving more deeply into like some of the autumn mediations >> have a fun environment right now, is it? You can knock down some core business processes, scale them up, and then you got the toys to play with the open source front. You got kubernetes really a robust ecosystem. They're just It's a lot of fun. >> Yeah, Criminal has definitely been exciting to play with >> advice to fellow practitioners and platform engineers because, you know, you guys been successful with transmission A the best. You got your hands on a lot of cool things. You got a good view, the landscape on security side of the deaf, upside for the people out there who were like they want to jump in with a parachute open. Whatever makes you that nervous, Some people are aggressively going at it hard core. Some have cultural change issues. What's your invite? General advice to your >> fellow appears My advice is just jump in and do it right. I mean, you know, don't be afraid. I mean, we had a really fast transformation, and we failed a lot very fast, and we weren't afraid of it. I mean, you know, if we weren't failing, we weren't doing it right. You know, in my opinion, right. We had to fail a few times a year. I was gonna work. And so I think, you know, don't be scared to jump in and just build, you know, right the automation. See what it does. Run some tests against it. >> You know, it's almost like knowing what not to do is the answer. Get some testing out there, get his hands dirty. >> What's gonna work for you? What's gonna work for your business? And the only way you're going to do that is to actually do it. >> Showed up in specialized Colby. Thanks for coming and sharing the great insight. Kobe Alan, platform engineer for Zip Whip Great company here. The Cube. Bring all the action. Extracting the signal from the noise. Great insights. And here, coming from reinforced here in Boston, eight dresses. First conference around. Cloud security will be right back after this short break