>>Hello, everyone. Welcome to the Cube's live coverage here in Boston, Massachusetts for AWS reinforce 2022. I'm John fur, host of the cube with Dave. Valante my co-host for breaking analysis, famous podcast, Dave, great to see you. Um, Beck in Boston, 2010, we started >>The queue. It all started right here in this building. John, >>12 years ago, we started here, but here, you know, just 12 years, it just seems like a marathon with the queue. Over the years, we've seen many ways. You call yourself a historian, which you are. We are both now, historians security is doing over. And we said in 2013 is security to do where we asked pat GSK. Now the CEO of Intel prior to that, he was the CEO of VMware. This is the security show fors. It's called the reinforce. They have reinvent, which is their big show. Now they have these, what they call reshow, re Mars, machine learning, automation, um, robotics and space. And then they got reinforced, which is security. It's all about security in the cloud. So great show. Lot of talk about the keynotes were, um, pretty, I wouldn't say generic on one hand, but specific in the other clear AWS posture, we were both watching. What's your take? >>Well, John, actually looking back to may of 2010, when we started the cube at EMC world, and that was the beginning of this massive boom run, uh, which, you know, finally, we're starting to see some, some cracks of the armor. Of course, we're threats of recession. We're in a recession, most likely, uh, in inflationary pressures, interest rate hikes. And so, you know, finally the tech market has chilled out a little bit and you have this case before we get into the security piece of is the glass half full or half empty. So budgets coming into this year, it was expected. They would grow at a very robust eight point half percent CIOs have tuned that down, but it's still pretty strong at around 6%. And one of the areas that they really have no choice, but to focus on is security. They moved everything into the cloud or a lot of stuff into the cloud. >>They had to deal with remote work and that created a lot of security vulnerabilities. And they're still trying to figure that out and plug the holes with the lack of talent that they have. So it's interesting re the first reinforc that we did, which was also here in 2019, Steven Schmidt, who at the time was chief information security officer at Amazon web services said the state of cloud security is really strong. All this narrative, like the pat Gelsinger narrative securities, a do over, which you just mentioned, security is broken. It doesn't help the industry. The state of cloud security is very strong. If you follow the prescription. Well, see, now Steven Schmidt, as you know, is now chief security officer at Amazon. So we followed >>Jesse all Amazon, not just AWS. So >>He followed Jesse over and I asked him, well, why no, I, and they said, well, he's responsible now for physical security. Presumably the warehouses I'm like, well, wait a minute. What about the data centers? Who's responsible for that? So it's kind of funny, CJ. Moses is now the CSO at AWS and you know, these events are, are good. They're growing. And it's all about best practices, how to apply the practices. A lot of recommendations from, from AWS, a lot of tooling and really an ecosystem because let's face it. Amazon doesn't have the breadth and depth of tools to do it alone. >>And also the attendance is interesting, cuz we are just in New York city for the, uh, ado summit, 19,000 people, massive numbers, certainly in the pandemic. That's probably one of the top end shows and it was a summit. This is a different audience. It's security. It's really nerdy. You got OT, you got cloud. You've got on-prem. So now you have cloud operations. We're calling super cloud. Of course we're having our inaugural pilot event on August 9th, check it out. We're called super cloud, go to the cube.net to check it out. But this is the super cloud model evolving with security. And what you're hearing today, Dave, I wanna get your reaction to this is things like we've got billions of observational points. We're certainly there's no perimeter, right? So the perimeter's dead. The new perimeter, if you will, is every transaction at scale. So you have to have a new model. So security posture needs to be rethought. They actually said that directly on the keynote. So security, although numbers aren't as big as last week or two weeks ago in New York still relevant. So alright. There's sessions here. There's networking. Very interesting demographic, long hair. Lot of >>T-shirts >>No lot of, not a lot of nerds doing to build out things over there. So, so I gotta ask you, what's your reaction to this scale as the new advantage? Is that a tailwind or a headwind? What's your read? >>Well, it is amazing. I mean he actually, Steven Schmidt talked about quadrillions of events every month, quadrillions 15 zeros. What surprised me, John. So they, they, Amazon talks about five areas, but by the, by the way, at the event, they got five tracks in 125 sessions, data protection and privacy, GRC governance, risk and compliance, identity network security and threat detection. I was really surprised given the focus on developers, they didn't call out container security. I would've thought that would be sort of a separate area of focus, but to your point about scale, it's true. Amazon has a scale where they'll see events every day or every month that you might not see in a generation if you just kind of running your own data center. So I do think that's, that's, that's, that's a, a, a, a valid statement having said that Amazon's got a limited capability in terms of security. That's why they have to rely on the ecosystem. Now it's all about APIs connecting in and APIs are one of the biggest security vulnerability. So that's kind of, I, I I'm having trouble squaring that circle. >>Well, they did just to come up, bring back to the whole open source and software. They did say they did make a measurement was store, but at the beginning, Schmidt did say that, you know, besides scale being an advantage for Amazon with a quadri in 15 zeros, don't bolt on security. So that's a classic old school. We've heard that before, right. But he said specifically, weave in security in the dev cycles. And the C I C D pipeline that is, that basically means shift left. So sneak is here, uh, company we've covered. Um, and they, their whole thing is shift left. That implies Docker containers that implies Kubernetes. Um, but this is not a cloud native show per se. It's much more crypto crypto. You heard about, you know, the, uh, encrypt everything message on the keynote. You heard, um, about reasoning, quantum, quantum >>Skating to the puck. >>Yeah. So yeah, so, you know, although the middleman is logged for J heard that little little mention, I love the quote from Lewis Hamilton that they put up on stage CJ, Moses said, team behind the scenes make it happen. So a big emphasis on teamwork, big emphasis on don't bolt on security, have it in the beginning. We've heard that before a lot of threat modeling discussions, uh, and then really this, you know, the news around the cloud audit academy. So clearly skills gap, more threats, more use cases happening than ever before. >>Yeah. And you know, to your point about, you know, the teamwork, I think the problem that CISOs have is they just don't have the talent to that. AWS has. So they have a real difficulty applying that talent. And so but's saying, well, join us at these shows. We'll kind of show you how to do it, how we do it internally. And again, I think when you look out on this ecosystem, there's still like thousands and thousands of tools that practitioners have to apply every time. There's a tool, there's a separate set of skills to really understand that tool, even within AWS's portfolio. So this notion of a shared responsibility model, Amazon takes care of, you know, securing for instance, the physical nature of S3 you're responsible for secure, make sure you're the, the S3 bucket doesn't have public access. So that shared responsibility model is still very important. And I think practitioners still struggling with all this complexity in this matrix of tools. >>So they had the layered defense. So, so just a review opening keynote with Steve Schmidt, the new CSO, he talked about weaving insecurity in the dev cycles shift left, which is the, I don't bolt it on keep in the beginning. Uh, the lessons learned, he talked a lot about over permissive creates chaos, um, and that you gotta really look at who has access to what and why big learnings there. And he brought up the use cases. The more use cases are coming on than ever before. Um, layered defense strategy was his core theme, Dave. And that was interesting. And he also said specifically, no, don't rely on single security control, use multiple layers, stronger together. Be it it from the beginning, basically that was the whole ethos, the posture, he laid that down >>And he had a great quote on that. He said, I'm sorry to interrupt single controls. And binary states will fail guaranteed. >>Yeah, that's a guarantee that was basically like, that's his, that's not a best practice. That's a mandate. <laugh> um, and then CJ, Moses, who was his deputy in the past now takes over a CSO, um, ownership across teams, ransomware mitigation, air gaping, all that kind of in the weeds kind of security stuff. You want to check the boxes on. And I thought he did a good job. Right. And he did the news. He's the new CISO. Okay. Then you had lean is smart from Mongo DB. Come on. Yeah. Um, she was interesting. I liked her talk, obviously. Mongo is one of the ecosystem partners headlining game. How do you read into that? >>Well, I, I I'm, its really interesting. Right? You didn't see snowflake up there. Right? You see data breaks up there. You had Mongo up there and I'm curious is her and she's coming on the cube tomorrow is her primary role sort of securing Mongo internally? Is it, is it securing the Mongo that's running across clouds. She's obviously here talking about AWS. So what I make of it is, you know, that's, it's a really critical partner. That's driving a lot of business for AWS, but at the same time it's data, they talked about data security being one of the key areas that you have to worry about and that's, you know what Mongo does. So I'm really excited. I talked to her >>Tomorrow. I, I did like her mention a big idea, a cube alumni, yeah. Company. They were part of our, um, season one of our eight of us startup showcase, check out AWS startups.com. If you're watching this, we've been doing now, we're in season two, we're featuring the fastest growing hottest startups in the ecosystem. Not the big players, that's ISVs more of the startups. They were mentioned. They have a great product. So I like to mention a big ID. Um, security hub mentioned a config. They're clearly a big customer and they have user base, a lot of E C, two and storage going on. People are building on Mongo so I can see why they're in there. The question I want to ask you is, is Mongo's new stuff in line with all the upgrades in the Silicon. So you got graviton, which has got great stuff. Um, great performance. Do you see that, that being a key part of things >>Well, specifically graviton. So I I'll tell you this. I'll tell you what I know when you look at like snowflake, for instance, is optimizing for graviton. For certain workloads, they actually talked about it on their earnings call, how it's lowered the cost for customers and actually hurt their revenue. You know, they still had great revenue, but it hurt their revenue. My sources indicate to me that that, that Mongo is not getting as much outta graviton two, but they're waiting for graviton three. Now they don't want to make that widely known because they don't wanna dis AWS. But it's, it's probably because Mongo's more focused on analytics. But so to me, graviton is the future. It's lower cost. >>Yeah. Nobody turns off the database. >>Nobody turns off the database. >><laugh>, it's always cranking C two cycles. You >>Know the other thing I wanted to bring, bring up, I thought we'd hear, hear more about ransomware. We heard a little bit of from Kirk Coel and he, and he talked about all these things you could do to mitigate ransomware. He didn't talk about air gaps and that's all you hear is how air gap. David Flo talks about this all the time. You must have air gaps. If you wanna, you know, cover yourself against ransomware. And they didn't even mention that. Now, maybe we'll hear that from the ecosystem. That was kind of surprising. Then I, I saw you made a note in our shared doc about encryption, cuz I think all the talk here is encryption at rest. What about data in motion? >>Well, this, this is the last guy that came on the keynote. He brought up encryption, Kurt, uh, Goel, which I love by the way he's VP of platform. I like his mojo. He's got the long hair >>And he's >>Geeking out swagger, but I, he hit on some really cool stuff. This idea of the reasoning, right? He automated reasoning is little pet project that is like killer AI. That's next generation. Next level >>Stuff. Explain that. >>So machine learning does all kinds of things, you know, goes to sit pattern, supervise, unsupervised automate stuff, but true reasoning. Like no one connecting the dots with software. That's like true AI, right? That's really hard. Like in word association, knowing how things are connected, looking at pattern and deducing things. So you predictive analytics, we all know comes from great machine learning. But when you start getting into deduction, when you say, Hey, that EC two cluster never should be on the same VPC, is this, this one? Why is this packet trying to go there? You can see patterns beyond normal observation space. So if you have a large observation space like AWS, you can really put some killer computer science technology on this. And that's where this reasoning is. It's next level stuff you don't hear about it because nobody does it. Yes. I mean, Google does it with metadata. There's meta meta reasoning. Um, we've been, I've been watching this for over two decades now. It's it's a part of AI that no one's tapped and if they get it right, this is gonna be a killer part of the automation. So >>He talked about this, basically it being advanced math that gets you to provable security, like you gave an example. Another example I gave is, is this S3 bucket open to the public is a, at that access UN restricted or unrestricted, can anyone access my KMS keys? So, and you can prove, yeah. The answer to that question using advanced math and automated reasoning. Yeah, exactly. That's a huge leap because you used to be use math, but you didn't have the data, the observation space and the compute power to be able to do it in near real time or real time. >>It's like, it's like when someone, if in the physical world real life in real life, you say, Hey, that person doesn't belong here. Or you, you can look at something saying that doesn't fit <laugh> >>Yeah. Yeah. >>So you go, okay, you observe it and you, you take measures on it or you query that person and say, why you here? Oh, okay. You're here. It doesn't fit. Right. Think about the way on the right clothes, the right look, whatever you kind of have that data. That's deducing that and getting that information. That's what reasoning is. It's it's really a killer level. And you know, there's encrypt, everything has to be data. Lin has to be data in at movement at rest is one thing, but you gotta get data in flight. Dave, this is a huge problem. And making that work is a key >>Issue. The other thing that Kirk Coel talked about was, was quantum, uh, quantum proof algorithms, because basically he put up a quote, you're a hockey guy, Wayne Greski. He said the greatest hockey player ever. Do you agree? I do agree. Okay, great. >>Bobby or, and Wayne Greski. >>Yeah, but okay, so we'll give the nada Greski, but I always skate to the where the puck is gonna be not to where it's been. And basically his point was where skating to where quantum is going, because quantum, it brings risks to basically blow away all the existing crypto cryptographic algorithms. I, I, my understanding is N just came up with new algorithms. I wasn't clear if those were supposed to be quantum proof, but I think they are, and AWS is testing them. And AWS is coming out with, you know, some test to see if quantum can break these new algos. So that's huge. The question is interoperability. Yeah. How is it gonna interact with all the existing algorithms and all the tools that are out there today? So I think we're a long way off from solving that problem. >>Well, that was one of Kurt's big point. You talking about quantum resistant cryptography and they introduce hybrid post quantum key agreements. That means KMS cert certification, cert manager and manager all can manage the keys. This was something that's gives more flexibility on, on, on that quantum resistance argument. I gotta dig into it. I really don't know how it works, what he meant by that in terms of what does that hybrid actually mean? I think what it means is multi mode and uh, key management, but we'll see. >>So I come back to the ho the macro for a second. We've got consumer spending under pressure. Walmart just announced, not great earning. Shouldn't be a surprise to anybody. We have Amazon meta and alphabet announcing this weekend. I think Microsoft. Yep. So everybody's on edge, you know, is this gonna ripple through now? The flip side of that is BEC because the economy yeah. Is, is maybe not in, not such great shape. People are saying maybe the fed is not gonna raise after September. Yeah. So that's, so that's why we come back to this half full half empty. How does that relate to cyber security? Well, people are prioritizing cybersecurity, but it's not an unlimited budget. So they may have to steal from other places. >>It's a double whammy. Dave, it's a double whammy on the spend side and also the macroeconomic. So, okay. We're gonna have a, a recession that's predicted the issue >>On, so that's bad on the one hand, but it's good from a standpoint of not raising interest rates, >>It's one of the double whammy. It was one, it's one of the double whammy and we're talking about here, but as we sit on the cube two weeks ago at <inaudible> summit in New York, and we did at re Mars, this is the first recession where the cloud computing hyperscale is, are pumping full cylinder, all cylinders. So there's a new economic engine called cloud computing that's in place. So unlike data center purchase in the past, that was CapEx. When, when spending was hit, they pause was a complete shutdown. Then a reboot cloud computer. You can pause spending for a little bit, make, might make the cycle longer in sales, but it's gonna be quickly fast turned on. So, so turning off spending with cloud is not that hard to do. You can hit pause and like check things out and then turn it back on again. So that's just general cloud economics with security though. I don't see the spending slowing down. Maybe the sales cycles might go longer, but there's no spending slow down in my mind that I see. And if there's any pause, it's more of refactoring, whether it's the crypto stuff or new things that Amazon has. >>So, so that's interesting. So a couple things there. I do think you're seeing a slight slow down in the, the, the ex the velocity of the spend. When you look at the leaders in spending velocity in ETR data, CrowdStrike, Okta, Zscaler, Palo Alto networks, they're all showing a slight deceleration in spending momentum, but still highly elevated. Yeah. Okay. So, so that's a, I think now to your other point, really interesting. What you're saying is cloud spending is discretionary. That's one of the advantages. I can dial it down, but track me if I'm wrong. But most of the cloud spending is with reserved instances. So ultimately you're buying those reserved instances and you have to spend over a period of time. So they're ultimately AWS is gonna see that revenue. They just might not see it for this one quarter. As people pull back a little bit, right. >>It might lag a little bit. So it might, you might not see it for a quarter or two, so it's impact, but it's not as severe. So the dialing up, that's a key indicator get, I think I'm gonna watch that because that's gonna be something that we've never seen before. So what's that reserve now the wild card and all this and the dark horse new services. So there's other services besides the classic AC two, but security and others. There's new things coming out. So to me, this is absolutely why we've been saying super cloud is a thing because what's going on right now in security and cloud native is there's net new functionality that needs to be in place to handle multiple clouds, multiple abstraction layers, and to do all these super cloudlike capabilities like Mike MongoDB, like these vendors, they need to up their gain. And that we're gonna see new cloud native services that haven't exist. Yeah. I'll use some hatchy Corp here. I'll use something over here. I got some VMware, I got this, but there's gaps. Dave, there'll be gaps that are gonna emerge. And I think that's gonna be a huge wild >>Cup. And now I wanna bring something up on the super cloud event. So you think about the layers I, as, uh, PAs and, and SAS, and we see super cloud permeating, all those somebody ask you, well, because we have Intuit coming on. Yep. If somebody asks, why Intuit in super cloud, here's why. So we talked about cloud being discretionary. You can dial it down. We saw that with snowflake sort of Mongo, you know, similarly you can, if you want dial it down, although transaction databases are to do, but SAS, the SAS model is you pay for it every month. Okay? So I've, I've contended that the SAS model is not customer friendly. It's not cloudlike and it's broken for customers. And I think it's in this decade, it's gonna get fixed. And people are gonna say, look, we're gonna move SAS into a consumption model. That's more customer friendly. And that's something that we're >>Gonna explore in the super cloud event. Yeah. And one more thing too, on the spend, the other wild card is okay. If we believe super cloud, which we just explained, um, if you don't come to the August 9th event, watch the debate happen. But as the spending gets paused, the only reason why spending will be paused in security is the replatforming of moving from tools to platforms. So one of the indicators that we're seeing with super cloud is a flight to best of breeds on platforms, meaning hyperscale. So on Amazon web services, there's a best of breed set of services from AWS and the ecosystem on Azure. They have a few goodies there and customers are making a choice to use Azure for certain things. If they, if they have teams or whatever or office, and they run all their dev on AWS. So that's kind of what's happened. So that's, multi-cloud by our definition is customers two clouds. That's not multi-cloud, as in things are moving around. Now, if you start getting data planes in there, these customers want platforms. If I'm a cybersecurity CSO, I'm moving to platforms, not just tools. So, so maybe CrowdStrike might have it dial down, but a little bit, but they're turning into a platform. Splunk trying to be a platform. Okta is platform. Everybody's scale is a platform. It's a platform war right now, Dave cyber, >>A right paying identity. They're all plat platform, beach products. We've talked about that a lot in the queue. >>Yeah. Well, great stuff, Dave, let's get going. We've got two days alive coverage. Here is a cubes at, in Boston for reinforc 22. I'm Shante. We're back with our guests coming on the queue at the short break.