 Hello everyone, welcome to theCUBE's live coverage here in Boston, Massachusetts for AWS re:Inforce 2022. I'm John Furrier, host of theCUBE with Dave Vellante, my co-host for a breaking analysis, famous podcast. Dave, great to see you. Back in Boston, 2010 we started theCUBE. And all started right here in this building, John. 12 years ago we started here, but here, just 12 years, it just seems like a marathon with theCUBE over the years. We've seen many waves. You call yourself a historian, which you are. We are both now historians. Security is a do-over. And we said in 2013, is security a do-over? We asked Pat Gelsinger, now the CEO of Intel, prior to that he was the CEO of VMware. This is the security show for AWS. It's called the re:Inforce. They have re:Invent, which is their big show. Now they have these, what they call re-shows. re:MARS, machine learning, automation, robotics and space. And then they got re:Inforce, which is security. It's all about security in the cloud. So great show, a lot to talk about. The keynotes were pretty, I would say generic on one hand, but specific in the other, clear AWS posture. We were both watching, what's your take? Well, John, actually looking back to May of 2010, when we started theCUBE at EMC World, and that was the beginning of this massive boom run, which finally we're starting to see some cracks in the armor. Of course, we're threats of recession. We're in a recession, most likely inflationary pressures, interest rate hikes, and so finally the tech market has chilled out a little bit. And you have this case before we get into the security piece of is the glass half full or half empty? So budgets coming into this year, it was expected they would grow at a very robust eight and a half percent. CIOs have tuned that down, but it's still pretty strong at around six percent. And one of the areas that they really have no choice but to focus on is security. They moved everything into the cloud or a lot of stuff into the cloud. 
They had to deal with remote work and that created a lot of security vulnerabilities and they're still trying to figure that out and plug the holes with the lack of talent that they have. So it's interesting, the first re:Inforce that we did, which was also here in 2019, Stephen Schmidt, who at the time was Chief Information Security Officer at Amazon Web Services said the state of cloud security is really strong. All this narrative, like the Pat Gelsinger narrative, security's a do-over, which you just mentioned, security is broken. It doesn't help the industry. The state of cloud security is very strong if you follow the prescription. We'll see. Now, Stephen Schmidt, as you know, is now Chief Security Officer at Amazon, so we followed- All at Amazon, not just AWS. He followed Jassy over and I asked, well, why no I? And they said, well, he's responsible now for physical security, presumably the warehouses. I'm like, wait a minute, what about the data centers? He was responsible for that, so it's kind of funny. CJ Moses is now the CISO at AWS. And these events are good, they're growing. It's all about best practices, how to apply the practices, a lot of recommendations from AWS, a lot of tooling, and really an ecosystem, because let's face it, Amazon doesn't have the breadth and depth of tools to do it alone. And also the attendance is interesting because we were just in New York City for the AWS Summit, 19,000 people, massive numbers, certainly in the pandemic, that's probably one of the top-end shows, and it was a summit. This is a different audience, it's security, really nerdy, got IoT, you got cloud, you got on-premise. So now you have cloud operations, we're calling SuperCloud, of course, we're having our inaugural pilot event on August 9th, check it out, we'll call SuperCloud, go to thecube.net to check it out, but this is the SuperCloud model evolving with security. 
And what you're hearing today, Dave, I don't want to get your reaction to this, is things like, we've got billions of observational points. We're certainly, there's no perimeter, right? So the perimeter's dead. The new perimeter, if you will, is every transaction at scale. So you have to have a new model. So security posture needs to be rethought. They actually said that directly on the keynote. So security, although numbers aren't as big as last week or two weeks ago in New York, still relevant. So, all right, there's sessions here, there's networking, very interesting demographic. Long hair guys, you know, a lot of nerds doing the build-out things over there. So I got to ask you, what's your reaction to this scale as the new advantage? Is that a tailwind or a headwind? What's your read? Well, it is amazing. I mean, actually, Stephen Schmidt talked about quadrillions of events every month. Quadrillions, 15 zeros. What surprised me, John? So Amazon talks about five areas. But by the way, at the event, they got five tracks and 125 sessions. Data protection and privacy, GRC, governance, risk and compliance, identity, network security and threat detection. I was really surprised given the focus on developers. They didn't call out container security. I would have thought that would be sort of a separate area of focus. But to your point about scale, it's true. Amazon has a scale where they'll see events every day or every month that you might not see in a generation if you're just kind of running your own data center. So I do think that's a valid statement. Having said that, Amazon has got a limited capability in terms of security. That's why they have to rely on the ecosystem. Now it's all about APIs connecting in. And APIs are one of the biggest security vulnerabilities. So that's kind of, I'm having trouble squaring that circle. Well, they did, just to come up, bring back to the whole open source and software. 
They did say they didn't make a measure of a store, but at the beginning, Schmidt did say that besides scale being an advantage for Amazon with a quadrillion, 15 zeros, don't bolt on security. So that's a classic old, we've heard that before. But he said specifically, weave in security in the dev cycles and the CI/CD pipeline. That basically means shift left. So Snyk is here, company we've covered, and their whole thing is shift left. That implies Docker containers. That implies Kubernetes. But this is not a cloud native show per se. It's much more crypto. You heard about, encrypt everything, message on the keynote. You heard about reasoning. It's a quantum, right? Skating to the puck. Yeah, so, although the ultimate is Log4j, hear that little mention. I love the quote from Lewis Hamilton that they put up on stage. CJ Moses said, team behind the scenes make it happen. So a big emphasis on teamwork, big emphasis on don't bolt on security. Have it in the beginning. We've heard that before. A lot of threat modeling discussions. And then really this, you know, the news around the Cloud Audit Academy. So clearly skills gap, more threats, more use cases happening than ever before. Yeah, and you know, to your point about, you know, the teamwork, I think the problem that CISOs have is they just don't have the talent that AWS has. So they have a real difficulty applying that talent. And so, but AWS say, well, join us at these shows. We'll kind of show you how to do it, how we do it internally. And again, I think when you look out on this ecosystem, there's still like thousands and thousands of tools that practitioners have to apply. Every time there's a tool, there's a separate set of skills to really understand that tool, even within AWS's portfolio. So this notion of a shared responsibility model, Amazon takes care of, you know, securing, for instance, the physical nature of S3. 
You're responsible for secure, make sure you're the, the S3 bucket doesn't have public access. So that shared responsibility model is still very important. I think practitioners are still struggling with all this complexity and this matrix of tools. So they had the layered defense. So just to review, the opening keynote was Steve Schmidt, the new CSO. He talked about weaving in security in the dev cycles, shift left, which is the, I don't bolt it on, I keep it in the beginning, the lessons learned. He talked a lot about over permissive creates chaos and that you got to really look at who has access to what and why, big learnings there. And he brought up the use cases. The more use cases are coming on than ever before, layered defense strategy was his core theme, Dave. And that was interesting. And he also said specifically, don't rely on single security control, use multiple layers, stronger together, bake it in from the beginning. Basically that was the whole ethos, the posture. He laid that down. He had a great quote on that. He said, sorry to interrupt, single controls in binary states will fail, guaranteed. Yeah, that's a guarantee. That was basically like, that's not a best practice. That's a mandate. And then CJ Moses, who was his deputy in the past, now takes over as CISO, ownership across teams, ransomware mitigation, air gapping, all that kind of in the weeds, kind of security stuff you want to check the boxes on. And I thought he did a good job, right? And he predicted the news. He's the new CISO. Okay. Then you had Lena Smart from MongoDB come on. Yeah. She was interesting. I liked her talk. I see Mongo is one of the ecosystem partners. How do you read into that? Well, it's really interesting, right? You didn't see a Snowflake up there, right? You didn't see Databricks up there. You had Mongo up there. And I'm curious, is she's coming on theCUBE tomorrow? Is her primary role sort of securing Mongo internally? 
Is it securing the Mongo that's running across clouds? She's obviously here talking about AWS. So what I make of it is it's a really critical partner that's driving a lot of business for AWS. But at the same time, it's data. They talked about data security being one of the key areas that you have to worry about. And that's what Mongo does. So I'm really excited to talk to her tomorrow. I did like her mention BigID, a CUBE alumni company. They were part of our season one of our AWS Startups Showcase. Check out awsstartups.com. If you're watching this, we've been doing that. We're in season two. We're featuring the fastest growing, hottest startups in the ecosystem. Not the big players. That's ISVs, more of the startups. They were mentioned. They're a great product. So I like to mention BigID. Security Hub mentioned AWS Config. They're clearly a big customer and they have user-based, a lot of EC2 and storage going on. People are building on Mongo so I can see why they're in there. The question I want to ask you is, is Mongo's new stuff in line with all the upgrades in the silicon? So you got Graviton, which has got great stuff, great performance. Do you see that being a key part of things? Well, specifically Graviton. So I'll tell you this. I'll tell you what I know. When you look at Snowflake, for instance, is optimizing for Graviton for certain workloads. They actually talked about it on their earnings call how it's lowered the cost for customers and actually hurt their revenue. They still had great revenue but it hurt their revenue. My sources indicate to me that Mongo is not getting as much out of Graviton 2 but they're waiting for Graviton 3. Now they don't want to make that widely known because they don't want to diss AWS but it's probably because Mongo's more focused on transactions, Snowflake's more focused on analytics. But so to me, Graviton is the future. It's lower cost. Nobody turns off the database. Nobody turns off the database. 
It's always cranking up EC2 cycles. The other thing I wanted to bring up, I thought we'd hear more about ransomware. We heard a little bit from Kurt Kufeld and he talked about all these things you could do to mitigate ransomware. He didn't talk about air gaps. That's all you hear is how air gap. David Floyer talks about this all the time. You must have air gaps if you want to cover yourself against ransomware and they didn't even mention that. Now maybe we'll hear that from the ecosystem. That was kind of surprising. Then I saw you made a note in our shared doc about encryption because I think all the talk here is encryption at rest. What about data in motion? Well this is the last guy that came on the keynote. He brought up encryption, Kurt Kufeld, which I love by the way. He's VP of platform data. I like this Mojo, he's got the long hand, he's getting out. He's a swagger. But he hit on some really cool stuff. This idea of the reasoning, right? The automated reasoning, his little pet project. That is like killer AI. That's next generation, next level stuff. Explain that. So machine learning does all kinds of things. It goes through the pattern, supervised, unsupervised, automate stuff, but true reasoning. No one connecting the dots with software. That's like true AI, right? That's really hard. Like in word association, knowing how things are connected, looking at patterns and deducing things. So you predict the analytics we all know comes from great machine learning. But when you start getting into deduction, we say, hey, that EC2 cluster never should be on the same VPC as this one. Why is this package trying to go there? You can see patterns beyond normal observation space. So if you have a large observation space like AWS, you can really put some killer computer science technology on this, and that's where this reasoning is. It's next level stuff. You don't hear about it because nobody does it. I mean, Google does it with metadata. There's metadata reasoning. 
I've been watching this for over two decades now. It's a part of AI that no one's tapped. And if they get it right, this is going to be a killer part of the automation. So he talked about this, basically, it being advanced math that gets you to provable security like you gave an example and another example he gave is, is this S3 bucket open to the public? Is that access restricted or unrestricted? Can anyone access my KMS keys? So, and you can prove the answer to that question using advanced math and automated reasoning. That's a huge leap because you used to be, use math, but you didn't have the data, the observation space and the compute power to be able to do it in near real time or real time. It's like when someone, in the physical world, real life, in real life, you say, hey, that person doesn't belong here. Or you can look at something saying, that doesn't fit. So you go, okay, you observe it and you take measures on it, or you query that person and say, why are you here? Oh, okay, you're here. Doesn't fit right, didn't know the way to right clothes or right look, whatever. You kind of have that data. That's deducing that and getting that information. That's what reasoning is. It's really a killer level. And this encrypt everything has to be data pipelining, has to be data at movement. At rest is one thing, but you got to get data in flight, Dave. This is a huge problem and nicking that work is a key issue. The other thing that Kurt Kufeld talked about was quantum proof algorithms because basically he put up a quote, you're a hockey guy. Wayne Gretzky said the greatest hockey player ever. Do you agree? I do agree. Okay, so you agree. Okay, so we'll give it to Dr. Gretzky, but I always skate to where the puck is going to be, not to where it's been. And basically his point was we're skating to where quantum is going, because quantum brings risks to basically blow away all the existing cryptographic algorithms. 
My understanding is NIST just came up with new algorithms. I wasn't clear if those were supposed to be quantum proof, but I think they are and AWS is testing them and AWS is coming out with some tests to see if quantum can break these new algos. So that's huge. The question is interoperability. How is it going to interact with all the existing algorithms and all the tools that are out there today? So I think we're a long way off from solving that problem. Well that was one of Kurt's big points, he talked about quantum resistant cryptography and they introduced hybrid post-quantum key agreements. That means KMS certification, CERT manager and AWS manager all can manage the keys. This was something that gives more flexibility on that quantum resistance argument. I got to dig into it. I really don't know how it works, what he meant by that in terms of what does that hybrid actually mean? I think what it means is multi-mode key management, but we'll see. So I come back to the macro for a second. We've got consumer spending, under pressure, Walmart just announced, not great earnings, shouldn't be a surprise to anybody. We have Amazon, Meta and Alphabet announcing this week and I think Microsoft. So everybody's on edge. Is this going to ripple through? Now the flip side of that is because the economy is maybe not in such great shape people are saying maybe the Fed is not going to raise after September. So that's why we come back to this half full half empty. How does that relate to cyber security? Well people are prioritizing cyber security but it's not an unlimited budget. So they may have to steal from other places. It's a double whammy, Dave. It's a double whammy on the spend side and also the macroeconomics. So okay, we're going to have a recession that's predicted the issue. So that's bad on the one hand but it's good from the standpoint of not raising interest rates. It's one of the double whammy. 
It's one of the double whammy we're talking about here but as we said on theCUBE two weeks ago at the summit in New York and we did at re:MARS, this is the first recession where the cloud computing hyperscalers are pumping full cylinder, all cylinders. So there's a new economic engine called cloud computing that's in play. So unlike data center purchase in the past that was CapEx when spending was hit they pause was a complete shutdown then a reboot. Cloud computer you can pause spending for a little bit. It might make the cycle longer in sales but it's going to be quickly fast turned on. So turning off spending with cloud is not that hard to do. You can hit pause and like check things out and then turn it back on again. So that's just general cloud economics. With security though I don't see the spending slowing down. Maybe the sales cycles might go longer but there's no spending slowdown in my mind that I see. And if there's any pause it's more of refactoring whether it's the crypto stuff or new things that Amazon has. So that's interesting. So a couple of things there. I do think you're seeing a slight slowdown in the velocity of the spend. When you look at the leaders in spending velocity and ETR data, CrowdStrike, Okta, Zscaler, Palo Alto Networks they're all showing a slight deceleration in spending momentum but still highly elevated. So that's I think now to your other point really interesting what you're saying is cloud spending is discretionary. That's one of the advantages. I can dial it down. But check me if I'm wrong but most of the cloud spending is with reserved instances. So ultimately you're buying those reserved instances and you have to spend over a period of time. So ultimately AWS is going to see that revenue. They just might not see it for this one quarter as people pull back a little bit, right? It might lag a little bit so you might not see for a quarter or two so it's impact but it's not as severe. So the dialing up that's a key indicator. 
I think I'm going to watch that because that's going to be something that we've never seen before. So what's that reserve instance? Now the wild card in all this and the dark horse is new services. So there's other services besides the classic EC2 but security and others, there's new things coming out. So to me, this is absolutely why we've been saying super cloud is a thing because what's going on right now in security and cloud native is there's net new functionality that needs to be in place to handle multiple clouds multiple abstraction layers and to do all these super cloud like capabilities like MongoDB, like these vendors, they need to up their game and we're going to see new cloud native services that haven't existed. Yeah, I'll use some HashiCorp here. I'll use something over here. I've got some VMware, I've got this, but there's gaps there. There'll be gaps that are going to emerge and I think that's going to be a huge wild card. And now I want to bring something up on the super cloud event. So you think about the layers, IaaS, PaaS and SaaS and we see super cloud permeating all those. Somebody asked you, because we have Intuit coming on, somebody asked why Intuit in super cloud, here's why. So we talked about cloud being discretionary, you can dial it down, we saw that with Snowflake, sort of Mongo, similarly you can if you want dial it down although transaction databases are hard to do, but SaaS, the SaaS model is you pay for it every month. Okay, so I've contended that the SaaS model is not customer friendly, it's not cloud like and it's broken for customers. And I think in this decade it's going to get fixed and people are going to say, look, we're going to move SaaS into a consumption model that's more customer friendly. And that's something that we're going to explore in the super cloud event. And one more thing too on the spend, the other wild card is okay, we believe super cloud, which we just explained. 
If you don't come to the August 9th event and watch the debate happen, but as the spending gets paused, the only reason why spending will be paused in security is the replatforming of moving from tools to platforms. So one of the indicators that we're seeing with super cloud is a flight to best of breeds on platforms, meaning hyperscale. So on Amazon web services, there's a best of breed set of services from AWS and the ecosystem. On Azure, they have a few goodies there and customers are making a choice to use Azure for certain things if they have teams or whatever or office and they've run all their dev on AWS. So that's kind of what's happened. So that's multi cloud by our definition is customers to clouds. That's not multi cloud as in things are moving around. Now, if you start getting data planes in there, these customers want platforms. So I'm a cybersecurity CISO, I'm moving to platforms, not just tools. So maybe CrowdStrike might have a dial down, but a little bit, but they're turning into a platform. Splunk's trying to be a platform. Okta is a platform. Zscaler's a platform. It's a platform war right now, Dave. And CyberArk, right? Being identity, they're all platform beach products. We've talked about that a lot in theCUBE. Yeah, well, great stuff, Dave. Let's get going. We've got two days of live coverage here. These are cubes that in Boston for re:Inforce 22. I'm John Furrier, Dave Vellante. We'll be back with our guests coming on theCUBE after this short break.