Wayne Duso & Nancy Wang | AWS Storage Day 2022
>> Okay, we're back. My name is Dave Vellante and this is theCUBE's coverage of AWS Storage Day. You know, coming off of re:Inforce, I wrote that the cloud was a new layer of defense. In fact, the first line of defense in a cybersecurity strategy. And that brings new thinking and models for protecting data. Data protection, specifically, traditionally thought of as backup and recovery, it's become a critical adjacency to security and a component of a comprehensive cybersecurity strategy. We're here in our studios outside of Boston with two CUBE alums, and we're gonna discuss this and other topics. Wayne Duso is the vice president for AWS storage, edge and data services, and Nancy Wang is general manager of AWS Backup and data protection services. Guys, welcome. Great to see you again. Thanks for coming on.

>> Of course, always a pleasure, Dave.

>> Good to see you, Dave.

>> All right. So Wayne, let's talk about how organizations should be thinking about this term data protection. It's an expanding definition, isn't it?

>> It is an expanding definition. Dave, last year we talked about data and the importance of data to companies. Every company is becoming a data company, you know, the amount of data they generate, the amount of data they can use to create models, to do predictive analytics. And frankly, to find ways of innovating is growing rapidly. And, you know, there's this tension between access to all that data, right? Getting the value out of that data. And how do you secure that data? And so this is something we think about with customers all the time. So data durability, data protection, data resiliency, and, you know, trust in their data. If you think about running your organization on your data, trust in your data is so important. So, you know, you gotta trust where you're putting your data. You know, people who are putting their data on a platform need to trust that platform will, in fact, ensure its durability, security, resiliency.
And, you know, we see ourselves, AWS, as a partner in securing their data, making their data durable, making their data resilient, right? So some of that responsibility is on us. Some of that is on so shared responsibility around data protection, data resiliency. And, you know, we think about forever, you know, the notion of, you know, compromise of your infrastructure, but more and more people think about the compromise of their data as data becomes more valuable. And in fact, data is a company's most valuable asset. We've talked about this before. Only second to their people. You know, the people who are the most valuable asset, but right next to that is their data. So really important stuff.

>> So Nancy, you talk to a lot of customers, but by the way, it always comes back to the data. We've been saying this for years, haven't we? So you've got this expanding definition of data protection, you know, governance is in there. You think about access, et cetera. When you talk to customers, what are you hearing from them? How are they thinking about data protection?

>> Yeah. So a lot of the customers that Wayne and I have spoken to often come to us seeking thought leadership about, you know, how do I solve this data challenge? How do I solve this data sprawl challenge, but also more importantly, tying it back to data protection and data resiliency is how do I make sure that data is secure, that it's protected against, let's say, ransomware events, right? And continuously protected. So there's a lot of mental frameworks that come to mind and a very popular one that comes up in quite a few conversations is this cybersecurity framework, right? And from a data protection perspective, it's just as important to protect and recover your data as it is to be able to detect different events or be able to respond to those events. Right?
So recently I was just having a conversation with a regulatory body of financial institutions in Europe, where we're designing an architecture that could help them make their data immutable, but also continuously protected. So taking a step back, that's really where I see AWS's role in that we provide a wide breadth of primitives to help customers build secure platforms and scaffolding so that they can focus on building the data protection, the data governance controls, and guardrails on top of that platform.

>> And that's always been AWS's philosophy, you know, make sure that developers have access to those primitives and APIs so that they can move fast and essentially build their own, if that's in fact what they wanna do. And as you're saying, when data protection is now this adjacency to cybersecurity, but there's disaster recovery's in there, business continuance, cyber resilience, et cetera. So maybe you could pick up on that and sort of extend how you see AWS helping customers build out those resilient services.

>> Yeah. So, you know, two core pillars to a data protection strategy is around their data durability, which is really an infrastructure element. You know, it's by and large the responsibility of the provider of that infrastructure to make sure that data's durable, cuz if it's not durable, everything else doesn't matter. And then the second pillar is really about data resiliency. So in terms of security, controls and governance, like these are really important, but these are shared responsibility. Like the customers working with us with the services that we provide are there to architect the design, it's really human factors and design factors that get them resiliency.

>> Nancy, anything you would add to what Wayne just said?

>> Yeah, absolutely. So customers tell us that they want always-on data resiliency and data durability, right?
So oftentimes in those conversations, three common themes come up, which is they want a centralized solution. They want to be able to transcribe their intent into what they end up doing with their data. And number three, they want something that's policy driven because once you centralize your policies, it's much better and easier to establish control and governance at an organizational level. So keeping that in mind with policy as our interface, there's two managed AWS solutions that I recommend you all check out in terms of data resiliency and data durability. Those are AWS Backup, which is our centralized solution for managing protection recovery, and also provides an audit capability of how you protect your data across 15 different AWS services, as well as on-premises VMware. And for customers whose mission-critical data is contained entirely on disk, we also offer AWS Elastic Disaster Recovery services, especially for customers who want to fail over their workloads from on premises to the cloud.

>> So you can essentially centralize, as a quick follow-up, centralize the policy. And like I said, the intent, but you can support a federated data model cuz you're building out this massive, you know, global system, but you can take that policy and essentially bring it anywhere on the AWS cloud. Is that right?

>> Exactly. And actually one powerful integration I want to touch upon is that AWS Backup is natively integrated with AWS Organizations, which is our de facto multi-account federated organization model for how AWS services work with customers, both in the cloud, on the edge, at the edge and on premises.

>> So that's really important because, as we talk about all the time on theCUBE, this notion of a decentralized data architecture, data mesh, but the problem is how do you ensure governance in a federated model? So we're clearly moving in that direction. Wayne, I want to ask you about cyber as a board level discussion. Years ago, I interviewed Dr.
Robert Gates, you know, former defense secretary, and he sat on a number of boards and I asked him, you know, how important and prominent is security at the board level? Is it really a board level discussion? He said, absolutely. Every time we meet, we talk about cybersecurity, but not every company at the time, this was kind of early last decade, was doing that. That's changed now. Ransomware is front and center. Hear about it all the time. What's AWS, what's your thinking on cyber as a board level discussion, and specifically what are you guys doing around ransomware?

>> Yeah. So, you know, malware in general, ransomware being a particular type of malware. Sure. It's a hot topic and it continues to be a hot topic. And whether at the board level, the C-suite level, I had a chance to listen to Dr. Gates a couple months ago and super motivational, but we think about ransomware in the same way that our customers do. Right? Cause all of us are subject to an incident. Nobody is immune to a ransomware incident. So we think very much the same way. And as Nancy said, along the lines of the NIST framework, we really think about, you know, how do customers identify their critical access? How do they plan for protecting those assets, right? How do they make sure that they are in fact protected? And if they do detect the ransomware event, and ransomware events come from a lot of different places, like there's not one signature, there's not one thumbprint, if you would, for ransomware.
So there's really a lot of vigilance that needs to be put in place, but a lot of planning that needs to be put in place. And once that's detected and we have to recover, you know, we know that we have to take an action and recover, having that plan in place, making sure that your assets are fully protected and can be restored. As you know, ransomware is an insidious type of malware. You know, it sits in your system for a long time.
It figures out what's going on, including your backup policies, your protection policies, and figures out how to get around those. With some of the things that Nancy talked about in terms of air gapping your capabilities, being able to, if you would, scan your secondary, your backup storage for malware, knowing that it's a good copy. And then being able to restore from that known good copy in the event of an incident is critical. So we think about this for ourselves in the same way that we think about these for our customers. You gotta have a great plan. You gotta have great protection and you gotta be ready to restore in the case of an incident. And we wanna make sure we provide all the capabilities to do that.

>> Yeah. So I'm glad you mentioned air gapping. So at the recent re:Inforce, I think it was Kurt Kufeld was speaking about ransomware and he didn't specifically mention air gapping. I had to leave. So I might have, I might have missed it cause I was doing theCUBE, but that's a key aspect. I'm sure there were things on the deep dives that addressed air gapping, but Nancy, look, AWS has the skills. It has the resources, you know, necessary to apply all these best practices and, you know, share those with customers. But what specific investments is AWS making to make the CISO's life easier? Maybe you could talk about that.

>> Sure. So following on to your point about the re:Inforce keynote, Dave, right? CJ Moses talked about how the events of a ransomware, for example, incident or event can take place right on stage where you go from detect to respond and to recover. And specifically on the recovery piece, he mentioned AWS Backup, the managed service that protects across 15 different AWS services, as well as on-premises VMware, as automated recovery.
And that's in part why we've decided to continue that investment and deliver AWS Backup Audit Manager, which helps customers actually prove their posture against how their protection policies are actually mapping back to their organizational controls based on, for example, how they tag their data for mission criticality or how sensitive that data is. Right. And so turning to best practices, especially for ransomware events, since this is very top of mind for a lot of customers these days, is I will always try to encourage customers to go through game day simulations, for example, identifying which are those most critical applications in their environment that they need up and running for their business to function properly, for example, and actually going through the recovery plan and making sure that their staff is well trained or that they're able to go through, for example, a security orchestration automation, recovery solution, to make sure that all of their mission critical applications are back up and running in case of a ransomware event.

>> Yeah. So I love the game day thing. I mean, we know, well, just in the history of it, you couldn't even test things like disaster recovery, right? Because it was too dangerous. With the cloud, you can test these things safely and actually plan out, develop a blueprint, test your blueprint. I love the game day analogy.

>> Yeah. And actually one thing I'd love to add is, you know, we talked about air gapping. I just wanna kind of tie up that statement is, you know, one thing that's really interesting about the way that the AWS cloud is architected is the identity access and management platform actually allows us to create identity constructs that air gap your data perimeter. So that way, when attackers, for example, are able to gain a foothold in your environment, you're still able to air gap your most mission critical and also crown jewels from being infiltrated.

>> Mm, that's key. Yeah.
We've learned, you know, when paying the ransom is not a good strategy, right? Cuz most of the time, many times you don't even get your data back. Okay. So we're kind of data geeks here. We love data and we're passionate about it on theCUBE. AWS, and you guys specifically, are passionate about it. So what excites you? Wayne, you start and then Nancy, you bring us home. What excites you about data and data protection and why?

>> You know, we are data nerds. So at the end of the day, you know, there's expressions we use all the time, but data is such a rich asset for all of us. And some of the greatest innovations that come out of AWS come out of our analysis of our own data. Like we collect a lot of data on our operations and some of our most critical features for our customers come out of our analysis of that data. So we are data nerds and we understand how businesses view their data cuz we view our data the same way. So, you know, Dave, security really started in the data center. It started with the enterprises. And if we think about security, often we talk about securing compute and securing network. And you know, if you secured your compute, you secured your data generally, but we've separated data from compute so that people can get the value from their data no matter how they want to use it. And in doing that, we have to make sure that their data is durable and it's resilient to any sort of incident and event. So this is really, really important to us. And what do I get excited about? You know, again, thinking back to this framework, I know that we as thought leaders alongside our customers, who are also thought leaders in their space, can provide them with the capabilities they need to protect their data, to secure their data, to make sure it's compliant and always, always, always durable.

>> You know, it's funny. You'd say it's not funny, it's serious actually.
Steven Schmidt at re:Inforce, he's the chief security officer at Amazon, used to be the CISO of AWS. He said that Amazon sees quadrillions of data points a month. That's 15 zeros. Okay. So that's a lot of data. Nancy, bring us home. What excites you about data and data protection?

>> Yeah, so specifically, and this is actually drawing from conversations that I had with multiple ISV partners at AWS re:Inforce, is the ability to derive value from secondary data, right? Because traditionally organizations have really seen that as a cost center, right? You're producing secondary data because most likely you're creating backups of your mission critical workloads. But what if you're able to run analytics and insights and derive insights from that secondary data, right? Then you're actually able to let AWS do the undifferentiated heavy lifting of analyzing that secondary data state. So that way you as customers or ISV partners can build value on the security layers above. And that is how we see turning cost into value.

>> I love it. You're taking the original premise of the cloud, taking away the undifferentiated heavy lifting for, you know, deploying compute, storage, and networking, now bringing up to the data level, the analytics level. So it continues. The cloud continues to expand. Thank you for watching theCUBE's coverage of AWS Storage Day 2022.
Wayne Durso & Nancy Wang | AWS Storage Day 2022
[Music] okay we're back my name is dave vellante and this is thecube's coverage of aws storage day you know coming off of reinforce i wrote that the cloud was a new layer of defense in fact the first line of defense in a cyber security strategy that brings new thinking and models for protecting data data protection specifically traditionally thought of as backup and recovery it's become a critical adjacency to security and a component of a comprehensive cyber security strategy we're here in our studios outside of boston with two cube alums and we're going to discuss this and other topics wayne dusso is the vice president for aws storage edge and data services and nancy wong as general manager of aws backup and data protection services guys welcome great to see you again thanks for coming on of course always a pleasure dave good to see you dave all right so wayne let's talk about how organizations should be thinking about this term data protection it's an expanding definition isn't it it is an expanded definition dave last year we talked about uh data and the importance of data to companies every company um is becoming a data company uh you know the amount of data they generate uh the amount of data they can use to uh create models to do predictive analytics and frankly uh to find ways of innovating uh is is growing uh rapidly and you know there's this tension between access to all that data right getting the value out of that data and how do you secure that data and so this is something we think about with customers all the time so data durability data protection data resiliency and you know trust in their data if you think about running your organization on your data trust in your data is so important so you know you got to trust where you're putting your data you know people who are putting their data on a platform need to trust that platform will in fact ensure its durability security resiliency and you know we see ourselves uh aws as a partner uh in securing 
their data making their data they're built durable making their data resilient all right so some of that responsibility is on us some of that is on amazon responsibility around data protection data resiliency and you know um we think about forever you know the notion of um you know compromise of your infrastructure but more and more people think about the compromise of their data as data becomes more valuable in fact data is a company's most valuable asset we've talked about this before only second to their people you know the people who are the most valuable asset but right next to that is their data so really important stuff so nancy you talk to a lot of customers but by the way it always comes back to the data we've been saying this for years haven't we so you've got this expanding definition of data protection you know governance is in there you think about access etc when you talk to customers what are you hearing from them how are they thinking about data protection yeah so a lot of the customers that wayne and i have spoken to often come to us seeking thought leadership about you know how do i solve this data challenge how do i solve this data sprawl challenge but also more importantly tying it back to data protection and data resiliency is how do i make sure that data is secure that it's protected against let's say ransomware events right and continuously protected so there's a lot of mental frameworks that come to mind and a very popular one that comes up in quite a few conversations is in this cyber security framework right and from a data protection perspective it's just as important to protect and recover your data as it is to be able to detect different events or be able to respond to those events right so recently i was just having a conversation with a regulatory body of financial institutions in europe where we're designing a architecture that could help them make their data immutable but also continuously protected so taking a step back that's 
really where i see aws's role in that we provide a wide breadth of primitives to help customers build secure platforms and scaffolding so that they can focus on building the data protection the data governance controls and guardrails on top of that platform and that's always been aws philosophy make sure that developers have access to those primitives and apis so that they can move fast and essentially build their own if that that's in fact what they want to do and as you're saying when data protection is now this adjacency to cyber security but there's disaster recoveries in there business continuance cyber resilience etc so so maybe you could pick up on that and sort of extend how you see aws helping customers build out those resilient services yeah so you know two uh core pillars to a data protection strategy is around their data durability which is really an infrastructural element you know it's it's it's by and large the responsibility of the provided that infrastructure to make sure that data is durable because if it's not durable and everything else doesn't matter um and the second pillar is really about data resiliency so in terms of security controls and governance like these are really important but these are a shared responsibility like the customers working with us with the services that we provide are there to architect the design it's really human factors and design factors that get them resiliency nancy anything you would add to what wayne just said yeah absolutely so customers tell us that they want always on data resiliency and data durability right so oftentimes in those conversations three common themes come up which is they want a centralized solution they want to be able to transcribe their intent into what they end up doing with their data and number three they want something that's policy driven because once you centralize your policies it's much better and easier to establish control and governance at an organizational level so keeping that 
in mind with policy as our interface there's two managed aws solutions that i recommend you all check out in terms of data resiliency and data durability those are aws backup which is our centralized solution for managing protection recovery and also provides an audit audit capability of how you protect your data across 15 different aws services as well as on-premises vmware and for customers whose mission-critical data is contained entirely on disk we also offer aws elastic disaster recovery services especially for customers who want to fail over their workloads from on-premises to the cloud so you can essentially centralize as a quick follow-up centralize the policy and as you said the intent but you can support a federated data model because you're building out this massive you know global system but you can take that policy and essentially bring it anywhere on the aws cloud is that right exactly and actually one powerful integration i want to touch upon is that aws backup is natively integrated with aws organizations which is our de facto multi-account federated organization model for how aws services work with customers both in the cloud on the edge at the edge and on premises so that's really important because as we talk about all the time on the cube this notion of a decentralized data architecture data mesh but the problem is how do you ensure governance in a federated model so we're clearly moving in that direction when i want to ask you about cyber as a board level discussion years ago i interviewed dr robert gates you know former defense secretary and he sat on a number of boards and i asked him you know how important and prominent is security at the board level is it really a board level discussion he said absolutely every time we meet we talk about cyber security but not every company at the time this was kind of early last decade was doing that that's changed um now ransomware is front and center hear about it all the time what's aws what's your 
thinking on cyber as a board level discussion and specifically what are you guys doing around ransomware yeah so you know malware in general ransomware being a particular type of malware um it's a hot topic and it continues to be a hot topic and whether at the board level the c-suite level um i had a chance to listen to uh dr gates a couple months ago and uh it was super motivational um but we think about ransomware in the same way that our customers do right because all of us are subject to an incident nobody is uh uh immune to a ransomware incident so we think very much the same way and as nancy said along the lines of the nist framework we really think about you know how do customers identify their critical access how do they plan for protecting those assets right how do they make sure that they are in fact protected and if they do detect a ransomware event and ransomware events come from a lot of different places like there's not one signature there's not one thumb print if you would for ransomware so it's it's there's really a lot of vigilance uh that needs to be put in place but a lot of planning that needs to be put in place and once that's detected and a we have to recover you know we know that we have to take an action and recover having that plan in place making sure that your assets are fully protected and can be restored as you know ransomware is a insidious uh type of malware you know it sits in your system for a long time it figures out what's going on including your backup policies your protection policies and figures out how to get around those with some of the things that nancy talked about in terms of air gapping your capabilities being able to if you would scan your secondary your backup storage for malware knowing that it's a good copy and then being able to restore from that known good copy in the event of an incident is critical so we think about this for ourselves in the same way that we think about these for our customers you've got to have 
a great plan you've got to have great protection and you've got to be ready to restore in the case of an incident and we want to make sure we provide all the capabilities to do that yeah so i'm glad you mentioned air gapping so at the recent reinforce i think it was kurt kufeld was speaking about ransomware and he didn't specifically mention air gapping i had to leave so i might i might have missed it because i'm doing the cube but that's a that's a key aspect i'm sure there were things in the on the deep dives that addressed air gapping but nancy look aws has the skills it has the resources you know necessary to apply all these best practices and you know share those as customers but but what specific investments is aws making to make the cso's life easier maybe you could talk about that sure so following on to your point about the reinforced keynote dave right cj moses talked about how the events of a ransomware for example incident or event can take place right on stage where you go from detect to respond and to recover and specifically on the recover piece he mentioned aws backup the managed service that protects across 15 different aws services as well as on-premises vmware as automated recovery and that's in part why we've decided to continue that investment and deliver aws backup audit manager which helps customers actually prove their posture against how their protection policies are actually mapping back to their organizational controls based on for example how they tag their data for mission criticality or how sensitive that data is right and so turning to best practices especially for ransomware events since this is very top of mind for a lot of customers these days is i will always try to encourage customers to go through game day simulations for example identifying which are those most critical applications in their environment that they need up and running for their business to function properly for example and actually going through the recovery plan 
and making sure that their staff is well trained or that they're able to go through for example a security orchestration automation recovery solution to make sure that all of their mission critical applications are back up and running in case of a ransomware event yeah so i love the game date thing i mean we know well just in the history of it you couldn't even test things like disaster recovery be right because it was too dangerous with the cloud you can test these things safely and actually plan out develop a blueprint test your blueprint i love the the game day analogy yeah and actually one thing i love to add is you know we talked about air gapping i just want to kind of tie up that statement is you know one thing that's really interesting about the way that the aws cloud is architected is the identity access and management platform actually allows us to create identity constructs that air gap your data perimeter so that way when attackers for example are able to gain a foothold in your environment you're still able to air gap your most mission critical and also crown jewels from being infiltrated that's key yeah we've learned you know when paying the ransom is not a good strategy right because most of the time many times you don't even get your data back okay so we we're kind of data geeks here we love data um and we're passionate about it on the cube aws and you guys specifically are passionate about it so what excites you wayne you start and then nancy you bring us home what excites you about data and data protection and why you know we are data nerds uh so at the end of the day um you know there's there's expressions we use all the time but data is such a rich asset for all of us some of the greatest innovations that come out of aws comes out of our analysis of our own data like we collect a lot of data on our operations and some of our most critical features for our customers come out of our analysis that data so we are data nerds and we understand how 
businesses, uh, view their data because we view our data the same way. So, you know, Dave, security really started in the data center. It started with the enterprises. And if we think about security, often we talk about securing compute and securing network. And, you know, if you, if you secured your compute, you secured your data, generally. But we've separated data from compute so that people can get the value from their data no matter how they want to use it. And in doing that, we have to make sure that their data is durable and it's resilient to any sort of incident event. So this is really, really important to us. And what do I get excited about? Um, you know, again, thinking back to this framework, I know that we as thought leaders, alongside our customers who are also thought leaders in their space, can provide them with the capabilities they need to protect their data, to secure their data, to make sure it's compliant and always, always, always durable. >> You know, it's funny you'd say, it's not funny, it's serious actually. Steven Schmidt, uh, at re:Inforce, he's the, the chief security officer at Amazon, used to be the CISO of AWS. He said that Amazon sees quadrillions of data points a month. That's 15 zeros. Okay, so that's a lot of data. Nancy, bring us home. What's, what excites you about data and data protection? >> Yeah. So specifically, and this is actually drawing from conversations that I had with multiple ISV partners at AWS re:Inforce, is the ability to derive value from secondary data, right? Because traditionally organizations have really seen that as a cost center, right? You're producing secondary data because most likely you're creating backups of your mission-critical workloads. But what if you're able to run analytics and insights and derive insights from that secondary data, right? Then you're actually able to let AWS do the undifferentiated heavy lifting of analyzing that secondary data as state, so that way you as customers or ISV partners can build value on the security layers above. And that is how we
see turning cost into value. >> I love it. You're taking the original premise of the cloud, taking away the undifferentiated heavy lifting for, you know, deploying compute, storage, and networking, now bringing up to the data level, the analytics level. So it continues, the cloud continues to expand. Thank you for watching theCUBE's coverage of AWS Storage Day 2022.
Breaking Analysis: How the cloud is changing security defenses in the 2020s
>> Announcer: From theCUBE studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is "Breaking Analysis" with Dave Vellante. >> The rapid pace of cloud adoption has changed the way organizations approach cybersecurity. Specifically, the cloud is increasingly becoming the first line of cyber defense. As such, along with communicating to the board and creating a security aware culture, the chief information security officer must ensure that the shared responsibility model is being applied properly. Meanwhile, the DevSecOps team has emerged as the critical link between strategy and execution, while audit becomes the free safety, if you will, in the equation, i.e., the last line of defense. Hello, and welcome to this week's Wikibon CUBE Insights, powered by ETR. In this "Breaking Analysis", we'll share the latest data on hyperscale, IaaS, and PaaS market performance, along with some fresh ETR survey data. And we'll share some highlights and the puts and takes from the recent AWS re:Inforce event in Boston. But first, the macro. It's earnings season, and that's what many people want to talk about, including us. As we reported last week, the macro spending picture is very mixed and weird. Think back to a week ago when SNAP reported. A player like SNAP misses and the Nasdaq drops 300 points. Meanwhile, Intel, the great semiconductor hope for America misses by a mile, cuts its revenue outlook by 15% for the year, and the Nasdaq was up nearly 250 points just ahead of the close, go figure. Earnings reports from Meta, Google, Microsoft, ServiceNow, and some others underscored cautious outlooks, especially those exposed to the advertising revenue sector. But at the same time, Apple, Microsoft, and Google, were, let's say less bad than expected. And that brought a sigh of relief. And then there's Amazon, which beat on revenue, it beat on cloud revenue, and it gave positive guidance. 
The Nasdaq has seen this month best month since the isolation economy, which "Breaking Analysis" contributor, Chip Symington, attributes to what he calls an oversold rally. But there are many unknowns that remain. How bad will inflation be? Will the fed really stop tightening after September? The Senate just approved a big spending bill along with corporate tax hikes, which generally don't favor the economy. And on Monday, August 1st, the market will likely realize that we are in the summer quarter, and there's some work to be done. Which is why it's not surprising that investors sold the Nasdaq at the close today on Friday. Are people ready to call the bottom? Hmm, some maybe, but there's still lots of uncertainty. However, the cloud continues its march, despite some very slight deceleration in growth rates from the two leaders. Here's an update of our big four IaaS quarterly revenue data. The big four hyperscalers will account for $165 billion in revenue this year, slightly lower than what we had last quarter. We expect AWS to surpass 83 billion this year in revenue. Azure will be more than 2/3rds the size of AWS, a milestone from Microsoft. Both AWS and Azure came in slightly below our expectations, but still very solid growth at 33% and 46% respectively. GCP, Google Cloud Platform is the big concern. By our estimates GCP's growth rate decelerated from 47% in Q1, and was 38% this past quarter. The company is struggling to keep up with the two giants. Remember, both GCP and Azure, they play a shell game and hide the ball on their IaaS numbers, so we have to use a survey data and other means of estimating. But this is how we see the market shaping up in 2022. Now, before we leave the overall cloud discussion, here's some ETR data that shows the net score or spending momentum granularity for each of the hyperscalers. These bars show the breakdown for each company, with net score on the right and in parenthesis, net score from last quarter. 
Lime green is new adoptions, forest green is spending up 6% or more, the gray is flat, pink is spending at 6% down or worse, and the bright red is replacement or churn. Subtract the reds from the greens and you get net score. One note is this is for each company's overall portfolio. So it's not just cloud. So it's a bit of a mixed bag, but there are a couple points worth noting. First, anything above 40% or 40, here as shown in the chart, is considered elevated. AWS, as you can see, is well above that 40% mark, as is Microsoft. And if you isolate Microsoft's Azure, only Azure, it jumps above AWS's momentum. Google is just barely hanging on to that 40 line, and Alibaba is well below, with both Google and Alibaba showing much higher replacements, that bright red. But here's the key point. AWS and Azure have virtually no churn, no replacements in that bright red. And all four companies are experiencing single-digit numbers in terms of decreased spending within customer accounts. People may be moving some workloads back on-prem selectively, but repatriation is definitely not a trend to bet the house on, in our view. Okay, let's get to the main subject of this "Breaking Analysis". theCUBE was at AWS re:Inforce in Boston this week, and we have some observations to share. First, we had keynotes from Steven Schmidt who used to be the chief information security officer at Amazon Web Services, now he's the CSO, the chief security officer of Amazon. Overall, he dropped the I in his title. CJ Moses is the CISO for AWS. Kurt Kufeld of AWS also spoke, as did Lena Smart, who's the MongoDB CISO, and she keynoted and also came on theCUBE. We'll go back to her in a moment. The key point Schmidt made, one of them anyway, was that Amazon sees more data points in a day than most organizations see in a lifetime. Actually, it adds up to quadrillions over a fairly short period of time, I think, it was within a month. That's quadrillion, it's 15 zeros, by the way. 
Now, there was drill down focus on data protection and privacy, governance, risk, and compliance, GRC, identity, big, big topic, both within AWS and the ecosystem, network security, and threat detection. Those are the five really highlighted areas. Re:Inforce is really about bringing a lot of best practice guidance to security practitioners, like how to get the most out of AWS tooling. Schmidt had a very strong statement saying, he said, "I can assure you with a 100% certainty that single controls and binary states will absolutely positively fail." Hence, the importance of course, of layered security. We heard a little bit of chat about getting ready for the future and skating to the security puck where quantum computing threatens to hack all of the existing cryptographic algorithms, and how AWS is trying to get in front of all that, and a new set of algorithms came out, AWS is testing. And, you know, we'll talk about that maybe in the future, but that's a ways off. And by its prominent presence, the ecosystem was there in force, to talk about their role and filling the gaps and picking up where AWS leaves off. We heard a little bit about ransomware defense, but surprisingly, at least in the keynotes, no discussion about air gaps, which we've talked about in previous "Breaking Analysis", is a key factor. We heard a lot about services to help with threat detection and container security and DevOps, et cetera, but there really wasn't a lot of specific talk about how AWS is simplifying the life of the CISO. Now, maybe it's inherently assumed as AWS did a good job stressing that security is job number one, very credible and believable in that front. But you have to wonder if the world is getting simpler or more complex with cloud. And, you know, you might say, "Well, Dave, come on, of course it's better with cloud." But look, attacks are up, the threat surface is expanding, and new exfiltration records are being set every day. 
I think the hard truth is, the cloud is driving businesses forward and accelerating digital, and those businesses are now exposed more than ever. And that's why security has become such an important topic to boards and throughout the entire organization. Now, the other epiphany that we had at re:Inforce is that there are new layers and a new trust framework emerging in cyber. Roles are shifting, and as a direct result of the cloud, things are changing within organizations. And this first hit me in a conversation with long-time cyber practitioner and Wikibon colleague from our early Wikibon days, and friend, Mike Versace. And I spent two days testing the premise that Michael and I talked about. And here's an attempt to put that conversation into a graphic. The cloud is now the first line of defense. AWS specifically, but hyperscalers generally provide the services, the talent, the best practices, and automation tools to secure infrastructure and their physical data centers. And they're really good at it. The security inside of hyperscaler clouds is best of breed, it's world class. And that first line of defense does take some of the responsibility off of CISOs, but they have to understand and apply the shared responsibility model, where the cloud provider leaves it to the customer, of course, to make sure that the infrastructure they're deploying is properly configured. So in addition to creating a cyber aware culture and communicating up to the board, the CISO has to ensure compliance with and adherence to the model. That includes attracting and retaining the talent necessary to succeed. Now, on the subject of building a security culture, listen to this clip on one of the techniques that Lena Smart, remember, she's the CISO of MongoDB, one of the techniques she uses to foster awareness and build security cultures in her organization. Play the clip. >> Having the Security Champion program, so that's just, it's like one of my babies. 
That and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the Security Champion program is purely purely voluntary. We have over 100 members. And these are people, there's no bar to join, you don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually, people grade themselves when they join us. We give them a little tick box, like five is, I walk on security water, one is I can spell security, but I'd like to learn more. Mixing those groups together has been game-changing for us. >> Now, the next layer is really where it gets interesting. DevSecOps, you know, we hear about it all the time, shifting left. It implies designing security into the code at the dev level. Shift left and shield right is the kind of buzz phrase. But it's getting more and more complicated. So there are layers within the development cycle, i.e., securing the container. So the app code can't be threatened by backdoors or weaknesses in the containers. Then, securing the runtime to make sure the code is maintained and compliant. Then, the DevOps platform so that change management doesn't create gaps and exposures, and screw things up. And this is just for the application security side of the equation. What about the network and implementing zero trust principles, and securing endpoints, and machine to machine, and human to app communication? So there's a lot of burden being placed on the DevOps team, and they have to partner with the SecOps team to succeed. Those guys are not security experts. And finally, there's audit, which is the last line of defense or what I called at the open, the free safety, for you football fans. They have to do more than just tick the box for the board. That doesn't cut it anymore. They really have to know their stuff and make sure that what they sign off on is real. 
And then you throw ESG into the mix is becoming more important, making sure the supply chain is green and also secure. So you can see, while much of this stuff has been around for a long, long time, the cloud is accelerating innovation in the pace of delivery. And so much is changing as a result. Now, next, I want to share a graphic that we shared last week, but a little different twist. It's an XY graphic with net score or spending velocity in the vertical axis and overlap or presence in the dataset on the horizontal. With that magic 40% red line as shown. Okay, I won't dig into the data and draw conclusions 'cause we did that last week, but two points I want to make. First, look at Microsoft in the upper-right hand corner. They are big in security and they're attracting a lot of dollars in the space. We've reported on this for a while. They're a five-star security company. And every time, from a spending standpoint in ETR data, that little methodology we use, every time I've run this chart, I've wondered, where the heck is AWS? Why aren't they showing up there? If security is so important to AWS, which it is, and its customers, why aren't they spending money with Amazon on security? And I asked this very question to Merritt Baer, who resides in the office of the CISO at AWS. Listen to her answer. >> It doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy, it's something that you get from us. It's something that we do for you a lot of the time. I mean, this is the definition of the shared responsibility model, right? >> Now, maybe that's good messaging to the market. Merritt, you know, didn't say it outright, but essentially, Microsoft they charge for security. At AWS, it comes with the package. But it does answer my question. 
And, of course, the fact is that AWS can subsidize all this with egress charges. Now, on the flip side of that, (chuckles) you got Microsoft, you know, they're both, they're competing now. We can take CrowdStrike for instance. Microsoft and CrowdStrike, they compete with each other head to head. So it's an interesting dynamic within the ecosystem. Okay, but I want to turn to a powerful example of how AWS designs in security. And that is the idea of confidential computing. Of course, AWS is not the only one, but we're coming off of re:Inforce, and I really want to dig into something that David Floyer and I have talked about in previous episodes. And we had an opportunity to sit down with Arvind Raghu and J.D. Bean, two security experts from AWS, to talk about this subject. And let's share what we learned and why we think it matters. First, what is confidential computing? That's what this slide is designed to convey. To AWS, they would describe it this way. It's the use of special hardware and the associated firmware that protects customer code and data from any unauthorized access while the data is in use, i.e., while it's being processed. That's oftentimes a security gap. And there are two dimensions here. One is protecting the data and the code from operators on the cloud provider, i.e., in this case, AWS, and protecting the data and code from the customers themselves. In other words, from admin level users or possible malicious actors on the customer side where the code and data is being processed. And there are three capabilities that enable this. First, the AWS Nitro System, which is the foundation for virtualization. The second is Nitro Enclaves, which isolate environments, and then third, the Nitro Trusted Platform Module, TPM, which enables cryptographic assurances of the integrity of the Nitro instances. Now, we've talked about Nitro in the past, and we think it's a revolutionary innovation, so let's dig into that a bit. 
This is an AWS slide that was shared about how they protect and isolate data and code. On the left-hand side is a classical view of a virtualized architecture. You have a single host or a single server, and those white boxes represent processes on the main board, X86, or could be Intel, or AMD, or alternative architectures. And you have the hypervisor at the bottom which translates instructions to the CPU, allowing direct execution from a virtual machine into the CPU. But notice, you also have blocks for networking, and storage, and security. And the hypervisor emulates or translates I/Os between the physical resources and the virtual machines. And it creates some overhead. Now, companies like VMware have done a great job, and others, of stripping out some of that overhead, but there's still an overhead there. That's why people still like to run on bare metal. Now, and while it's not shown in the graphic, there's an operating system in there somewhere, which is privileged, so it's got access to these resources, and it provides the services to the VMs. Now, on the right-hand side, you have the Nitro system. And you can see immediately the differences between the left and right, because the networking, the storage, and the security, the management, et cetera, they've been separated from the hypervisor and that main board, which has the Intel, AMD, throw in Graviton and Trainium, you know, whatever XPUs are in use in the cloud. And you can see that orange Nitro hypervisor. That is a purpose-built lightweight component for this system. And all the other functions are separated in isolated domains. So very strong isolation between the cloud software and the physical hardware running workloads, i.e., those white boxes on the main board. Now, this will run at practically bare metal speeds, and there are other benefits as well. One of the biggest is security. 
As we've previously reported, this came out of AWS's acquisition of Annapurna Labs, which we've estimated was picked up for a measly $350 million, which is a drop in the bucket for AWS to get such a strategic asset. And there are three enablers on this side. One is the Nitro cards, which are accelerators to offload that wasted work that's done in traditional architectures by typically the X86. We've estimated 25% to 30% of core capacity and cycles is wasted on those offloads. The second is the Nitro security chip, which is embedded and extends the root of trust to the main board hardware. And finally, the Nitro hypervisor, which allocates memory and CPU resources. So the Nitro cards communicate directly with the VMs without the hypervisors getting in the way, and they're not in the path. And all that data is encrypted while it's in motion, and of course, encryption at rest has been around for a while. We asked AWS, is this an, we presumed it was an Arm-based architecture. We wanted to confirm that. Or is it some other type of maybe hybrid using X86 and Arm? They told us the following, and quote, "The SoC, system on chips, for these hardware components are purpose-built and custom designed in-house by Amazon and Annapurna Labs. The same group responsible for other silicon innovations such as Graviton, Inferentia, Trainium, and AQUA. Now, the Nitro cards are Arm-based and do not use any X86 or X86/64 bit CPUs. Okay, so it confirms what we thought. So you may say, "Why should we even care about all this technical mumbo jumbo, Dave?" Well, a year ago, David Floyer and I published this piece explaining why Nitro and Graviton are secret weapons of Amazon that have been a decade in the making, and why everybody needs some type of Nitro to compete in the future. This is enabled, this Nitro innovations and the custom silicon enabled by the Annapurna acquisition. And AWS has the volume economics to make custom silicon. Not everybody can do it. 
And it's leveraging the Arm ecosystem, the standard software, and the fabrication volume, the manufacturing volume to revolutionize enterprise computing. Nitro, with the alternative processor, architectures like Graviton and others, enables AWS to be on a performance, cost, and power consumption curve that blows away anything we've ever seen from Intel. And Intel's disastrous earnings results that we saw this past week are a symptom of this mega trend that we've been talking about for years. In the same way that Intel and X86 destroyed the market for RISC chips, thanks to PC volumes, Arm is blowing away X86 with volume economics that cannot be matched by Intel. Thanks to, of course, to mobile and edge. Our prediction is that these innovations and the Arm ecosystem are migrating and will migrate further into enterprise computing, which is Intel's stronghold. Now, that stronghold is getting eaten away by the likes of AMD, Nvidia, and of course, Arm in the form of Graviton and other Arm-based alternatives. Apple, Tesla, Amazon, Google, Microsoft, Alibaba, and others are all designing custom silicon, and doing so much faster than Intel can go from design to tape out, roughly cutting that time in half. And the premise of this piece is that every company needs a Nitro to enable alternatives to the X86 in order to support emergent workloads that are data rich and AI-based, and to compete from an economic standpoint. So while at re:Inforce, we heard that the impetus for Nitro was security. Of course, the Arm ecosystem, and its ascendancy has enabled, in our view, AWS to create a platform that will set the enterprise computing market this decade and beyond. Okay, that's it for today. Thanks to Alex Morrison, who is on production. And he does the podcast. And Ken Schiffman, our newest member of our Boston Studio team is also on production. Kristen Martin and Cheryl Knight help spread the word on social media and in the community. 
And Rob Hof is our editor in chief over at SiliconANGLE. He does some great, great work for us. Remember, all these episodes are available as podcasts. Wherever you listen, just search "Breaking Analysis" podcast. I publish each week on wikibon.com and siliconangle.com. Or you can email me directly at David.Vellante@siliconangle.com or DM me @dvellante, comment on my LinkedIn post. And please do check out etr.ai for the best survey data in the enterprise tech business. This is Dave Vellante for theCUBE Insights, powered by ETR. Thanks for watching. Be well, and we'll see you next time on "Breaking Analysis." (upbeat theme music)