Merritt Baer, AWS | Fortinet Security Summit 2021


 

>> Narrator: From around the globe, it's theCUBE! Covering Fortinet Security Summit, brought to you by Fortinet.

>> And welcome to theCUBE coverage here at the PGA champion-- Fortinet Championship, where we're going to be here for Napa Valley coverage of Fortinet's, the championships security summit, going on Fortinet, sponsoring the PGA, but a great guest Merritt Baer, who's the principal in the office of the CISO at Amazon Web Services. Great to see you. Thanks for coming on.

>> Merritt: Thank you for having me. It's good to be here.

>> So Fortinet, uh, big brand now, sponsoring the PGA. Pretty impressive that they're getting out there with the golf. It's very enterprise focused, a lot of action. A lot of customers here.

>> Merritt: It seems like it, for sure.

>> Bold move. Amazon, Amazon Web Services has become the gold standard in terms of cloud computing, seeing DevOps people refactoring. You've seen the rise of companies like Snowflake building on Amazon. People are moving not only to the cloud, but they're refactoring their business and security is top of mind for everyone. And obviously cybersecurity threats that Fortinet helps cover, you guys are partnering with them, is huge. What is your state of the union for cyber? What's the current situation with the threat landscape? Obviously there's no perimeter in the cloud. More end points are coming on board. The Edge is here. 5G, Wavelength with Outpost, a lot happening.

>> That was a long question, but I'll, I'll try. So I think, you know, as always business in innovation is the driver. And security needs to be woven into that. And so I think increasingly we're seeing security not be a "no" shop, but be an enabler.
And especially in cloud, when we're talking about the way that you do DevOps with security, I know folks don't like the term DevSecOps, but you know, to be able to do agile methodology and be able to do the short sprints that are really agile and, and innovative where you can-- So instead of nine months or whatever, nine-week timelines, we're talking about short sprints that allow you to elastically scale up and down and be able to innovate really creatively. And to do that, you need to weave in your security because there's no like, okay, you pass go, you collect $200. Security is not an after the fact. So I think as part of that, of course the perimeter is dead, long live the perimeter, right? It does matter. And we can talk about that a little bit. You know, the term zero trust is really hot right now. We can dig into that if that's of interest. But I think part of this is just the business is kind of growing up. And as you alluded to we're at the start of what I think is an S curve that is just at the beginning.

>> You know, I was really looking forward to re:Inforce this year. It got canceled last year, but the first inaugural event was in Boston. I remember covering that. This year it was virtual, but the keynote Steven gave was interesting, Security Hub's at the center of it. And I want to ask you, because I need you to share your view on how security's changed with the cloud, because there's now new things that are there to take advantage of if you're a business or an enterprise, yeah on premises, there's a standard operating procedure. You have the perimeter, et cetera. That's not there anymore, but with the cloud, there's a new, there's new ways to protect and Security Hub is one. What are some of the new things that cloud enables for security?

>> Well, so just to clarify, like perimeters exist logically just like they do physically. So, you know, a VPC for example, would be a logical perimeter and that is very relevant, or a VPN.
Now we're talking about a lot of remote work during COVID, for example. But one of the things that I think folks are really interested with Security Hub is just having that broad visibility and one of the beauties of cloud is that you get this tactile sense of your estate and you can reason about it. So for example, when you're looking at identity and access management, you can look at something like Access Analyzer that will under the hood be running on a tool that our, our group came up with that is like reasoning about the permissions, because you're talking about software layers, you're talking about computer layer reasoning about security. And so another example is in Inspector. We have a tool that will tell you without sending a single packet over the network, what your network reachability is. There's just like this ability to do infrastructure as code that then allows you to do security as code. And then that allows for ephemeral and immutable infrastructures so that you could, for example, get back to a known good state. That being said, you know, you kill a, your web server gets popped and you kill it and you spin up a new one. You haven't solved your problem, right? You need to have some kind of awareness of networking and how principals work. But at the same time, there's a lot of beauties about cloud that you inherit from a security perspective to be able to work in those top layers. And that's of course the premise of cloud.

>> Yeah, infrastructure as code, you mentioned that, it's awesome. And the programmability of it with, with serverless functions, you're starting to see new ways now to spin up resources. How is that changing the paradigm and creating opportunities for better security? Is it, is it more microservices? Is it, is, are there new things that people can do differently now that they didn't have a year ago or two years ago? Because you're starting to see things like serverless functions are very popular.
>> So yes, and yes, I think that it is augmenting the way that we're doing business, but it's especially augmenting the way we do security in terms of automation. So serverless, under the hood, whether it's CloudWatch Events or Config rules, they are all a Lambda function. So that's the same thing that powers your Alexa at home. These are serverless functions and they're really simple. You can program them, you can find them on GitHub, but they are-- one way to really scale your enterprise is to have a lot of automation in place so that you put those decisions in ahead of time. So your gray area of human decision making is scaled down. So you've got, you know, what you know to be allowable, what you know to be not allowable. And then you increasingly kind of whittle down that center into things that really are novel, truly novel or high stakes or both. But the focus on automation is a little bit of a trope for us. We at Amazon like to talk about mechanisms, good intentions are not enough. If it's not someone's job, it's a hope and hope is not a plan, you know, but creating the actual, you know, computerized version of making it be done iteratively. And I think that is the key to scaling a security chain because as we all know, things can't be manual for long, or you won't be able to grow.

>> I love the AWS reference. Mechanisms, one-way doors, raising the bar. These are all kind of internal Amazon, but I got to ask you about the Edge. Okay. There's a lot of action going on with 5G and Wavelength. Okay, and what's interesting is if the Edge becomes so much more robust, how do you guys see that security from a security posture standpoint? What should people be thinking about? Because certainly it's just a distributed Edge point. What's the security posture? How should we be thinking about Edge?

>> You know, Edge is a kind of catch-all, right, we're talking about Internet of Things. We're talking about points of contact.
And a lot of times I think we focus so much on the confidentiality and integrity, but the availability is hugely important when we're talking about security. So one of the things that excites me is that we have so many points of contact and so many availability points at the Edge that actually, so for example, in DynamoDB, the more times you put a call on it, the more available it is because it's fresher, you've already been refreshing it, there are so many elements of this, and our core compute platform, EC2, all runs on Nitro, which is our, our custom hardware. And it's really fascinating, the availability benefits there. Like the best patching is a patching you don't have to do. And there are so many elements that are just so core to that Greengrass, you know, which is running on FreeRTOS, which is an open source software, for example, is, you know, one element of zero trust in play. And there are so many ways that we can talk about this in different incarnations. And of course that speaks to like the breadth and depth of the industries that use cloud. We're talking about automotive, we're talking about manufacturing and agriculture, and there are so many interesting use cases for the ways that we will use IoT.

>> Yeah. It's interesting, you mentioned Nitro. We also got Annapurna acquisition years ago. You got latency at the Edge. You can handle low latency, high volume compute with the data. That's pretty powerful. It's a paradigm shift. That's a new dynamic. It's pretty compelling, these new architectures, most people are scratching their heads going, "okay, how do I do this, like what do I do?"

>> No, you're right. So it is a security inheritance that we are extremely calculated about our hardware supply chain. And we build our own custom hardware. We build our own custom silicon. Like, this is not a question.
And you're right in that one of the things, one of the north stars that we have is that the security properties of our engineering infrastructure are built in. So there just is no button for it to be insecure. You know, like that is deliberate. And there are elements of the ways that Nitro works from it running, you know, with zero downtime, being able to be patched running. There are so many elements of it that are inherently security benefits that folks inherit as a product.

>> Right. Well, we're here at the security summit. What are you excited for today? What's the conversations you're having here at the Fortinet Security Summit?

>> Well, it's awesome to just meet folks and connect outside. It's beautiful outside today. I'm going to be giving a talk on securing the cloud journey and kind of that growth and moving to infrastructure as code and security as code. I'm excited about the opportunity to learn a little bit more about how folks are managing their hybrid environments, because of course, you know, I think sometimes folks perceive AWS as being like this city on a hill where we get it all right. We struggle with the same things. We empathize with the same security work. And we work on that, you know, as a principal in the office of the CISO, I spend a lot of my time on how we do security and then a lot of my time talking to customers and that empathy back and forth is really crucial.

>> Yeah. And you've got to be on the bleeding edge and have the empathy. I can't help but notice your AWS crypto shirt. Tell me about the crypto, what's going on there. NFTs coming out, is there an S3 bucket at NFT now, I mean. (both laughing)

>> Cryptography never goes out of style.

>> I know, I'm just, I couldn't help-- We'll go back to the pyramids on that one. Yeah, no, this is not a, an advertisement for cryptocurrency. It is, I'm a fangirl of the AWS crypto team. And as a result of wearing their shirts, occasionally they send me more shirts. And I can't argue with that.
>> Well, love, love, love the crypto. I'm a big fan of crypto, I think crypto is awesome. DeFi is amazing. New applications are going to come out. We think it's going to be pretty compelling, again, let's get today right. (laughing)

>> Well, I don't think it's about like, so cryptocurrency is just like one small iteration of what we're really talking about, which is the idea that math resolves, and the idea that you can have value in your resolution that the math should resolve. And I think that is a fundamental principle, and end-to-end encryption, I believe, is a universal human right.

>> Merritt, thank you for coming on theCUBE. Great, great to have you on. Thanks for sharing that awesome insight. Thanks for coming on.

>> Merritt: Thank you.

>> Appreciate it. Okay. CUBE coverage here in Napa Valley, our remote set for Fortinet's security cybersecurity summit here as part of their PGA golf Pro-Am tournament happening here in Napa Valley. I'm John Furrier. Thanks for watching.

Published Date : Sep 15 2021
