>> Announcer: From Boston, Massachusetts it's The Cube. Covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and it's ecosystem partners. >> Hey, welcome back everyone. This is The Cube's live coverage of AWS re:Inforce in Boston, Massachusetts. I'm John Furrier with Dave Vallante. This is re:Inforce. This is the inaugural conference for AWS on the security and Cloud security market. A new category being formed from an events standpoint around Cloud security. Our next guest is Cube alumni guest analyst Corey Quinn, and Cloud Economist with the Duckbill Group. Good to see you again. Great to have you on. Love to have you come back, because you're out in the hallways. You're out getting all the data and bringing it back and reporting. But this event, unlike the other ones, you had great commentary and analysis on. You were mentioned onstage during the Keynote from Stephen Smith. Congratulations. >> Thank you. I'm still not quite sure who is getting fired over that one, but somehow it happened, and I didn't know it was coming. It was incredibly flattering to have that happen, but it was first "Huh, awesome, he knows who I am." Followed quickly by "Oh dear, he knows who I am." And it, at this point, I'm not quite sure what to make of that. We'll see. >> It's good news, it's good business. All press is good press as they say, but let's get down to it. Obviously, it's a security conference. This is the inaugural event. We always love to go to inaugural events because, in case there's no second event, we were there - >> Corey: Oh yes >> for one event. So, that's always the case. >> Corey: Been there since the beginning is often great bragging rights. And if there isn't a second one, well, you don't need to bring it up ever again. So, they've already announced there's another one coming to Houston next year. So that'll be entertaining. >> So a lot of people were saying to us re:Inforce security event, some skepticism, some bullish on the sector. obviously, Cloud is hot. But the commentary was, oh, no one's really going to be there. It's going to be more of an educational event. So, yeah, it's more of an educational event for sure. That they're talking about stuff that they can't have time to do and reinvent. But there's a lot of investment going on there. There are players here from the companies. McAfee, you name the big name companies here, they're sending real people. A lot of biz dev folks trying to understand how to build up the sector. A lot of technical technologists here, as well. Digging in to some of the deep conversations. Do you agree? What's your thoughts of the event? >> I'm surprised, I was expecting this to be a whole bunch of people trying to sell things to other people, who were trying to sell them things in return, and it's not. There are, there are people who are using the Cloud for interesting things walking around. And that's fantastic. One thing that's always struck me as being sort of strange, and why I guess I feel sort of spiritually aligned here if nothing else. Is cost and security are always going to be trailing functions. No company is excited to invest in those things, until immediately after they really should have been investing in those things and weren't. So with time to market, velocity are always going to be something much valuable and important to any company strategically. But, we're seeing people start to get ahead of the curve in some ways. And that's, it's refreshing and frankly surprising. >> What is the top story in your mind? Top three stories coming out of re:Inforce. From industry standpoint, or from a product standpoint, that you think need to be told or amplified, or not being told, be told? >> Well there's been the stuff that we've seen on the stage and that's terrific. And, I think that you've probably rehashed those a fair bit with other guests. For me, what I'm seeing, the story that resonates as I walk around the Expo Hall here. Is we're seeing a bunch of companies that have deep roots in data centered environments. And now they're trying to come up with stories that resonate with Cloud. And if they don't, this is a transformational moment. They're going to effectively, likely find themselves in decline. But, they're not differentiating themselves from one another particularly well. There are a few very key things that we're seeing people operate within. Such as, with the new port mirroring stuff coming out of NVPC Traffics. You're right. You have a bunch of companies that are able to consume those, or flow logs. If you want to go back in time a little bit, and spit out analysis on this. But you're not seeing a lot of differentiation around this. Or, Hey we'll take all your security events and spit out the useful things. Okay, that is valuable, and you need to be able to do that. How many vendors do you need in one company doing the exact same thing? >> You know, we had a lot of sites CSO's on here and practitioners. And one of the comments on that point is Yeah, he's like, "Look I don't need more alerts." "I need things fixed." "Don't just tell me what's going on, fix it." So the automation story is also a pretty big one. The VCP traffic mirror, I think, is going to be just great for analytics. Great for just for getting that data out. But what does it actually impact In the automation piece? And the, okay there's an alert. Pay attention to it or ignore it. Or fix it. Seems to be kind of the next level conversation. Your thoughts around that piece. >> I think that as we take a look at the space and we see companies continuing to look at things like auto remediation. Automation's terrific, until the first time it does something you didn't want it to do and takes something down. At which point no one trusts it ever again. And that becomes something hard to tend to. I also think we're starting to see a bit of a new chapter as alliance with this from AWS and it's relationship with partners. I mean historically you would look at re:Invent, and you're sitting in the Expo Hall and watching the keynote. And it feels like it's AWS Red Wedding. Where, you're trying to see who's about to get killed by a feature that just comes out. And now were seeing that they've largely left aspects of the security space alone. They've had VPC flow logs for a long time, but sorting through those yourself was always like straining raw sewage with your teeth. You had to find a partner solution or build something yourself out of open source tooling from spit and duct tape. There's never been a great tool there. And it almost feels like they're leaving that area, for example, alone. And leaving that as an area rife for partners. Now how do you partner with something like AWS? That's a hard question to answer. >> So one of the other things we've heard from practitioners is they don't want incrementalism. They're kind of sick of that. They want step functions, that do as John said, remediate. >> Corey: Yeah. So, like you say, you called it the Red Wedding at the main stage. What does a partner have to do to stay viable in this ecosystem? >> Historically, the answer to that has always been to continue innovating ahead of the bow wave of AWS's own innovation. The problem is you see that slide that they put on in every event, that everyone who doesn't work at AWS sees. That shows the geometric increase in number of feature and service releases. And we all feel this sinking sensation of not even the partner side. But, they're releasing so much that I know some of that is going to fix things for my company, but I'll never hear it. Because it's drowned in the sheer volume of what they're releasing. AWS is rapidly increasing their pace of innovation to the point where companies that are not able to at least match that are going to be in for a bad time. As they find themselves outpaced by the vendor they're partnering with. >> And you heard Liberty Mutual say their number one challenge was actually the pace of Cloud. Being able to absorb all these new features >> Yes. >> And so, you mentioned the partner ecosystem. I mean, so it's not just the partners. It's the customers as well. That bow is coming faster than they can move. >> Absolutely. I can sit here now and talk very convincingly about services that don't exist. And not get called out on them by an AWS employee who happens to be sitting here. Because no one person can have all of this in their head anymore. It's outpaced most people's ability to wrap their heads around that and contextualize it. So people specialize, people focus. And, I think, to some extent that might be an aspect of why we're seeing re:Inforce as its own conference. >> So we talked a lot of CSO's this trip. >> Yeah. >> John: A lot of one on ones. We had some interviews. Some private meetings. I'm going to read you a list of key areas that they brought up as concern. I want to get you're reaction to. >> Sure. >> You pick the ones out you think are very relevant. >> Sure. >> Speedily, very fast. Vendor lock in. Spend. >> Not concerned. Yep. Security Native. >> Yeah. >> Service provider supplier relationship. Metrics, cloud securities, different integration, identity, automation, work force talent, coding security, and the human equation. There were all kind of key areas that seemed to glob and be categorically formed. Your thoughts to those. Which ones do you think jump out as criticalities on the market? >> Sure. I think right now people talking about lock in are basically wasting their time and spinning their wheels. If you, for example, you go with two cloud providers because you don't want to be locked into one. Well now there's a rife partner ecosystem. Because translating things like IAM into another provider's environment is completely foreign. You have to build an entire new security model on top of things in order to do that effectively. That's great. In security we're seeing less of an aversion to lock in than we are in other aspects of the business. And I think that is probably the right answer. Again, I'm not partisan in this battle. If someone wants to go with a different Cloud provider than AWS, great! Awesome! Make them pick the one that makes sense for your business. I don't think that it necessarily matters. But pick one. And go all in on that. >> Well this came up to in a couple of ways. One was, the general consensus was, who doesn't like multi Cloud? If you can seamlessly move stuff between Clouds. Without having to do the modification on all this code that has to be developed. >> Who wouldn't love that? But the reality is, doesn't exist. >> Corey : Well. To your point, this came up again, is that workplace, workforce talent is on CSO said "I'm with AWS." "I have a little bit of Google. I could probably go Azure." "Maybe I bought a company with dealing some stuff over there." "But for the most part all of my talent is peaked on AWS." "Why would I want to have three separate security teams peaking on different things? When I want everyone on our stack." They're building their own stacks. Then outsourcing or using suppliers where it supports it. >> Sure. >> But the focus of building their own stacks. Their own security. Coding up was critical. And having a split competency on code bases just to make it multi, was a non starter. >> And I think multi Cloud has been a symptom. I mean, it's more than a strategy. I think it's in a large part a somewhat desperate attempt by a number of vendors who don't have their own Cloud. To say Hey, you need to have a multi Cloud strategy. But, multi Cloud has been really an outcome of multiple projects. As you say, MNA. Horses for courses. Lines of business. So my question is, I think you just answered it. Multi Cloud is more complex, less secure, and probably more costly. But is it a viable strategy for things other than lock in? >> To a point. There are stories about durability. There's business reasons. If you have a customer who does not want their data living one one particular Cloud provider. Those are strategic reasons to get away from it. And to be clear, I would love the exact same thing that you just mentioned. Where I could take what I've built and run that seamlessly on other providers. But I don't just want that to be a pile of VM's and maybe some disc. I want those to be the higher level services that take care of massive amounts of my business for me. And I want to flow those seamlessly between providers. And there's just no story around that for anything reasonable or modern. >> And history would say there won't really ever be. Without some kind of open source movement to - >> Oh yes. A more honest reading of some of the other cloud providers that are talking about multi cloud extensively translates that through a slight filter. To, we believe you should look into Multi Cloud. Because if you're going all in on a single provider there is no way in the world it's going to be us. And that's sort of a challenge. If you take a look at a number of companies out here. If someone goes all in on one provider they will not have much, if anything, to sell them of differentiated value. And that becomes the larger fixture challenge for an awful lot of companies. And I empathize with that, I really do. >> Amazon started to do a lot of channel development. Obviously their emphasis on helping people make some cash. Obviously their vendors are, ecosystems a fray. Always a fray. So sheer responsibility at one level is, well we only have one security model. We do stuff and you do stuff. So obviously it's inherently shared. So I think that's really not a surprise for me. The issue is how to get successful monetization in the ecosystem. Clearly defining lines of, rules of engagement, around where the white spaces are. And where the differentiation can occur. Your thoughts on how that plays out. >> Yeah. And that's a great question. Because I don't think you're ever going to get someone from Amazon sitting in a room. And saying Okay, if you build a tool that does this, we're never, ever, ever going to build a thing that does that. They just launched a service at re:Invent that talks to satellites in orbit. If they're going to build that, I don't, there's nothing that I will say they're never going to get involved with. Their product strategy, from the outside, feels like it's a post it note that says Yes on it. And how do you wind up successfully building and scaling a business around that? I don't have a clue. >> Eddie Jafse's on the record here in The Cube and privately with me on my reporting. Saying never say never. >> Never say never. >> We'll never say never. So that is actually an explicit >> Take him at his word on that one. >> Right. And I'm an independent consultant. Where my first language is sarcasm. So, I basically make fun of AWS in the newsletter and podcast. And that seems to go reasonably well. But, I'm never going to say that they're not going to move into self deprecation as a business model. Look at some of their service names. They're clearly starting to make inroads in that space. So, I have to keep innovating ahead of that bow wave. And for now, okay. I can't fathom trying to build a business model with a 300 person company and being able to continue to innovate at that pace. And avoid the rapid shifts as AWS explores on new offers. >> And I what I like about why, well, we were always kind of goofing on AWS. But we're fanboys as well, as you know. But what I love about AWS is that they give the opportunity for their partners. They give them plenty of head's up. It's pretty much the rules of engagement is never say never. But if they're not differentiating, that's their job. >> Corey: Yeah. >> Their job is to be better. Now one thing Amazon does say is Hey we might have a competing service, but we're always going to favor the customer. So, the partner. If a customer wants an Amazon Cloud trail. They want Cloud trail for a great example. There's been requests for that. So why wouldn't they do it? But they also recognize it's bus - people in the ecosystem that do similar things. >> Corey: Yeah. >> And they are not going to actively try to put them out of business, per se. >> Oh yeah! One company that's done fantastically well partnering with everyone is PagerDuty. And even if AWS were to announce a service that wakes you up in the middle of the night when something breaks. It's great. Awesome. How about you update your status page in a timely fashion first? Then talk about me depending on the infrastructure that you run to tell me when the infrastructure that you run is now degraded? The idea of being able to take some function like that and outsource worked well enough for them to go public. >> So where are the safe points in the ecosystem? So obviously a partner that has a strong on-prem presence that Amazon wants to get access to. >> That's a short term, or maybe even a mid term strategy. Okay. Professional services. If you're Accenture, and Ernie Young, and Deloitte, PWC, you're probably okay. Because that's not a business that Amazon really wants to be in. Now they might want to, they might want to automate as much to that as possible. But the world's going to do that anyway. But, what's your take where it's safe? >> I would also add cost optimization to that. Not from a basis of technical capability. And I think that their current tooling is disappointing. I'd argue that cost explorer and the rest of their billing situation is the asterisk next to customer obsession if we're being perfectly honest. But there's always going to be some value in an external party coming in from that space. And what form that takes is going to change. But, it is not very defensible internally to say our Cloud spend is optimized, because the vendor we're writing those large checks to tells us it is. There's always going to be a need for some third-party validation. And whether that can come through software? >> How big is that business? >> It's a great question. Right now, we're seeing that people are spending over 30 billion dollars a year on AWS and climbing. One thing we can say with a certainty in almost every case is that people's Cloud bills are not getting smaller month over month. >> Yep. >> So, it's a growing market. It's one that people feel incredibly acutely. And when you get a few drinks into people and they start complaining about various aspects of Cloud, one of the first most common points that comes up is the bill. Not that it's too high, but that it is inscrutable. >> And so, just to do a back of napkin tam, how much optimization potential is there? Is it a ten percent factor? More? >> It depends on the level of effort you're willing to invest. I mean, there's a story for almost environments where you can save 70% on your Cloud bill. All you have to do is spend 18 months of rewriting everything to use serverless primitives. Six of those months you'll be hard down across the board. And then, wait where did everyone go? Because no one's going to do that. >> Dave: You might be out of business. So it's always a question of effort spent doing optimization, versus improving features, speeding time to market and delivering something that will generate for more revenue. The theoretical upside of cost optimization is 100% of your Cloud bill. Launching the right service or product can bring in multiples of that in revenue. >> I think my theory on differentiation, Dave, is that I think Amazon is basically saying in so many words, not directly. But it's my interpretation. Hold on to the rocket ship of AWS as long as you can. And if you can get stable, hold on. If you fall off that's just your fault, right? So, what that means is, to me, move up the stack. So Amazon is clearly going to continue to grow and create scale. So the benefits to the companies create a value proposition that can extract rents out of the marketplace from value that they create on the Amazon growth. Which means, they got to lock step with Amazon on growth. And cost leap, pivot up to where there's space. And Amazon is just a steam roller that will come in. The rocket ship that's going so fast. Whatever metaphor. And so people who just say We made a deal with Amazon, we're in. And then kind of sit idle. Will probably end up getting spun off. I mean, cause it's like they fall off and Amazon will be like All right so we did that. You differentiate enough, you didn't innovate enough. But, they're going to give everyone the opportunity to take a place with the growth. So the strategy, management wise, is just constantly push the envelope. >> So that's implicit in the Amazon posture. What's explicit in Amazon's posture is build applications on our platform. And you should be okay. You know? For a while. >> Yeah. And again, I think that a lot of engineers get stuck in a trap of building something and spending all their time making their code quality as best as possible. But, that's not going to lead to a business outcome one way or another. We see stories of companies hitting success with a tire fire of an infrastructure all the time. Twitter used to display massive downtime until they were large enough to justify the time and expense of a massive rewrite. And now Twitter is effectively up all the time. Whether that's good or not is a separate argument. But, they're there. So there's always going to be time to fix things. >> Well the Twitter example is a great example. Because they built it on rails. >> Yes. >> And they put it on Amazon Cloud. It was just kind of a hack, and then all of the sudden Boom, people loved it. And then, that's to me, the benefit of Cloud. One you get the scape velocity, the investment to start Twitter was fairly low, given what the success was. And then they had to rewrite, because the scale was bursting up. That's called prototyping. >> Oh yeah. >> That's what enterprises have to do. This is the theme of, agile. Get started as a theme, just dig in. Do a hack up font. But don't get confuse that with scale. That's where the rubber meets the road. >> Right and the, Oh Cloud isn't for us because we're an exception case. There are very few companies for whom that statement is true in the modern era. And, do an honest analysis first, before deciding we're going to build our own data centers because we can do it for cheaper. If you're Dropbox, putting storage in, great. Otherwise you're going to end up in this story where Oh, well, we have 20 instances now, so we can do this cheaper in Iraq somewhere. I will bet you a house you're wrong. But okay. >> Yeah. People are telling me that. Okay final question for you. As you've wandered around and been in the sessions, been in the analyst thing. What are some slice of life commentary stories you've bumped into that you found either funny, clever, insulting, or humorous? What's out on the floor? What are some of the conversations? >> One of the best ones was a company I'm not going to name, but the story they told was fantastic. They have, they're primarily on Azure. But they also have a strong secondary presence with AWS, and that's fascinating to me. How does that work internally? It turns out their cloud of choice is Azure. And they have to mandate that with guardrails in place. Because if you give developers a choice they will all go and build on AWS instead. Which is fascinating. And there are business reasons behind why they're doing what they're doing. But that story was just very humorous. I can't confirm or deny whether it was true or not. Because it was someone with way too much to drink telling an awesome story. But the idea of having to forcibly drag your developers away from a thing in a favor of another thing? >> That's like being at a bad party. It's like Oh, the better party is over there. All my friends are over there. >> But they have a commitment to Microsoft software estate. So, that's likely why they're. >> They just deal with Microsoft. >> And I'm not saying this is necessarily the wrong approach. I just find it funny. >> Might be the right business decision, but when you ask the developers, we see that all the time, John. >> All the time. I mean I had a developer one time come to me and start, he like "Look, we thought it would be great to build on Azure. We were actually being paid. They were writing checks to incent us. And I had a revolt. Engineers were revolting. Because the reverse proxies as there was cobbled together services. And they weren't clean native services and primitives. So the engineers were revolting. So they, we had to turn down the cash from Microsoft and go back to Amazon." >> Azure is much better now, but they have to outrun that legacy shadow of at first, it wasn't great. And people try something once, "That was terrible!" Well would you like to try it again now? "Why would I do that? It was terrible!" And it takes time to overcome that knee-jerk reaction. >> Well, but to your point about the business decision. It might make business sense to do that with Microsoft. It's maybe a little bit more predictable than Amazon is as a partner. >> Oh the way to optimize your bill on another Cloud provider that isn't AWS these days is to call up your account rep and yell at them. They're willing to buy business in most cases. That's not specific to any one provider. That's most of them. It's challenging to optimize free, so we don't see the same level of expensive bill problems in most companies there as well. >> Well the good news is on Microsoft, and I was a really big critic of Azure going back a few years ago. Is that they absolutely have changed their philosophy going back, I'd say two, three years ago. In the past two years, particular 24 months, they really have been cranking. They've been pedaling as fast as they can. They're serious. There's commitment from the top. And then they tell us, so there's no doubt. They're doing it also with the Kubernetes. What they're seeing, as they're doing is phenomenal. So... >> Great developer jobs at Microsoft. >> They're in for the long game. They're not going to be a fad. No doubt about it. >> No. And we're not going to see for example the Verizon public Cloud the HP public Cloud. Both of which were turned off. The ones that we're seeing today are largely going to be to stay of the big three. Big four if we include Alibaba. And it's, I'm not worried about the long term viability of any of them. It's just finding their niche, finding their market. >> Yeah, finding their lanes. Cory. Great to have you on. Good to hear some of those stories. Thanks for the commentary. >> Thank you. >> As always great guest analyst Cube alumni, friend, analyst, Cory Quinn here in the Cube. Bringing all the top action from AWS re:Inforce. Their first inaugural security conference around Cloud security. And Cube's initiation of security coverage continues, after this break. (upbeat electronic music)