From theCUBE Studios in Palo Alto and Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante.
The rapid pace of cloud adoption has changed the way organizations approach cybersecurity. Specifically, the cloud is increasingly becoming the first line of cyber defense. As such, along with communicating to the board and creating a security-aware culture, the Chief Information Security Officer must ensure that the shared responsibility model is being applied properly. Meanwhile, the DevSecOps team has emerged as the critical link between strategy and execution, while audit becomes the free safety, if you will, in the equation, i.e. the last line of defense. Hello, and welcome to this week's Wikibon Cube Insights, powered by ETR. In this Breaking Analysis, we'll share the latest data on hyperscale IaaS and PaaS market performance, along with some fresh ETR survey data. And we'll share some highlights and the puts and takes from the recent AWS re:Inforce event in Boston.
But first, the macro. It's earnings season, and that's what many people want to talk about, including us. As we reported last week, the macro spending picture is very mixed and weird. Think back to a week ago when Snap reported: a player like Snap misses and the NASDAQ drops 300 points. Meanwhile, Intel, the great semiconductor hope for America, misses by a mile, cuts its revenue outlook by 15% for the year, and the NASDAQ was up nearly 250 points just ahead of the close. Go figure. Earnings reports from Meta, Google, Microsoft, ServiceNow and some others underscored cautious outlooks, especially those exposed to the advertising revenue sector. But at the same time, Apple, Microsoft, and Google were, let's say, less bad than expected, and that brought a sigh of relief. And then there's Amazon, which beat on revenue, it beat on cloud revenue, and it gave positive guidance.
The NASDAQ has seen this month its best month since the isolation economy, which Breaking Analysis contributor Chip Simonton attributes to what he calls an oversold rally. But there are many unknowns that remain. How bad will inflation be? Will the Fed really stop tightening after September? The Senate just approved a big spending bill along with corporate tax hikes, which generally don't favor the economy. And on Monday, August 1st, the market will likely realize that we are in the summer quarter and there's some work to be done. Which is why it's not surprising that investors sold the NASDAQ at the close today on Friday. Are people ready to call the bottom? Some maybe, but there's still lots of uncertainty.
However, the cloud continues its march despite some very slight deceleration in growth rates from the two leaders. Here's an update of our big four IaaS quarterly revenue data. The big four hyperscalers will account for $165 billion in revenue this year, slightly lower than what we had last quarter. We expect AWS to surpass 83 billion this year in revenue. Azure will be more than two-thirds the size of AWS, a milestone for Microsoft. Both AWS and Azure came in slightly below our expectations but still very solid growth at 33% and 46% respectively. GCP, Google Cloud Platform, is the big concern. By our estimates, GCP's growth rate decelerated from 47% in Q1 and was 38% this past quarter. The company is struggling to keep up with the two giants. Remember, both GCP and Azure, they play a shell game and hide the ball on their IaaS numbers. So we have to use survey data and other means of estimating. But this is how we see the market shaping up in 2022.
Now, before we leave the overall cloud discussion, here's some ETR data that shows the net score or spending momentum granularity for each of the hyperscalers. These bars show the breakdown for each company with net score on the right and, in parentheses, net score from last quarter.
Lime green is new adoptions, forest green is spending up 6% or more, the gray is flat, pink is spending 6% down or worse and the bright red is replacement or churn. Subtract the reds from the greens and you get net score. One note is this is for each company's overall portfolio. So it's not just cloud. So it's a bit of a mixed bag, but there are a couple of points worth noting. First, anything above 40%, or 40 here as shown in the chart, is considered elevated. AWS, as you can see, is well above that 40% mark, as is Microsoft. And if you isolate Microsoft's Azure, only Azure, it jumps above AWS's momentum. Google is just barely hanging on to that 40 line and Alibaba is well below, with both Google and Alibaba showing much higher replacements, that bright red. But here's the key point. AWS and Azure have virtually no churn, no replacements in that bright red. And all four companies are experiencing single digit numbers in terms of decreased spending within customer accounts. People may be moving some workloads back on-prem selectively, but repatriation is definitely not a trend to bet the house on in our view.
Okay, let's get to the main subject of this Breaking Analysis. theCUBE was at AWS re:Inforce in Boston this week and we have some observations to share. First, we had keynotes from Stephen Schmidt, who used to be the Chief Information Security Officer at Amazon Web Services. Now he's the CSO, the Chief Security Officer of Amazon. Overall, he dropped the I in his title. CJ Moses is the CSO for AWS, Kurt Kufeld of AWS also spoke, as did Lena Smart, who's the MongoDB CSO. And she keynoted and also came on theCUBE. We'll come back to her in a moment. The key point Schmidt made, one of them anyway, was that Amazon sees more data points in a day than most organizations see in a lifetime. Actually, it adds up to quadrillions over a fairly short period of time. I think he was there within a month. A quadrillion has 15 zeros, by the way.
Now there was drill-down focus on data protection and privacy; governance, risk and compliance, GRC; identity, big, big topic, both within AWS and the ecosystem; network security; and threat detection. Those are the five really highlight areas. re:Inforce is really about bringing a lot of best practice guidance to security practitioners, like how to get the most out of AWS tooling. Schmidt had a very strong statement. He said, "I can assure you with a 100% certainty that single controls and binary states will absolutely, positively fail." Hence the importance, of course, of layered security. We heard a little bit of chat about getting ready for the future and skating to the security puck, where quantum computing threatens to hack all of the existing cryptographic algorithms, and how AWS is trying to get in front of all that, and a new set of algorithms came out. AWS is testing and we'll talk about that maybe in the future, but that's a ways off. And by its prominent presence, the ecosystem was there in force to talk about their role in filling the gaps and picking up where AWS leaves off. We heard a little bit about ransomware defense, but surprisingly, at least in the keynotes, no discussion about air gaps, which we've talked about in previous Breaking Analysis as a key factor. We heard a lot about services to help with threat detection and container security and DevOps, et cetera, but there really wasn't a lot of specific talk about how AWS is simplifying the life of the CISO. Now, maybe it's inherently assumed, as AWS did a good job stressing that security is job number one. Very credible and believable on that front. You have to wonder if the world is getting simpler or more complex with cloud. You know, you might say, well, Dave, come on, of course it's better with cloud. But look, attacks are up, the threat surface is expanding and new exfiltration records are being set every day.
I think the hard truth is the cloud is driving businesses forward and accelerating digital, and those businesses are now exposed more than ever. And that's why security has become such an important topic to boards and throughout the entire organization.
Now, the other epiphany that we had at re:Inforce is that there are new layers and a new trust framework emerging in cyber. Roles are shifting and, as a direct result of the cloud, things are changing within organizations. And this first hit me in a conversation with longtime cyber practitioner and Wikibon colleague from our early Wikibon days and friend, Mike Versace. And I spent two days testing the premise that Michael and I talked about. And here's an attempt to put that conversation into a graphic. The cloud is now the first line of defense. AWS specifically, but hyperscalers generally, provide the services, the talent, the best practices and automation tools to secure infrastructure and their physical data centers. And they're really good at it. The security inside of hyperscale clouds is best of breed, it's world class. And that first line of defense does take some of the responsibility off of CISOs, but they have to understand and apply the shared responsibility model, where the cloud provider leaves it to the customer, of course, to make sure that the infrastructure they're deploying is properly configured. So in addition to creating a cyber-aware culture and communicating up to the board, the CISO has to ensure compliance with and adherence to the model. That includes attracting and retaining the talent necessary to succeed. Now, on the subject of building a security culture, listen to this clip on one of the techniques that Lena Smart, remember she's the CISO of MongoDB, one of the techniques she uses to foster awareness and build security cultures in her organization. Play the clip.
"I'm having the security champion program. So that's just, it's like one of my babies. That and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join, you don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome up to, we actually, people grade themselves when they join us. We give them a little tick box. Like five is I walk on security water. One is I can spell security, but I'd like to learn more. Mixing those groups together has been game changing for us."
Now, the next layer is really where it gets interesting. DevSecOps, we hear about all the time, shifting left. It implies designing security into the code at the dev level. Shift left and shield right is the kind of buzz phrase, but it's getting more and more complicated. So there are layers within the development cycle, i.e. securing the container, so the app code can't be threatened by backdoors or weaknesses in the containers. Then securing the runtime to make sure the code is maintained and compliant. Then the DevOps platform, so that change management doesn't create gaps and exposures and screw things up. And this is just for the application security side of the equation. What about the network and implementing zero trust principles and securing endpoints to machine and human to app communication? So there's a lot of burden being placed on the DevOps team and they have to partner with the SecOps team to succeed. Those guys are not security experts. And finally, there's audit, which is the last line of defense or what I called at the open, the free safety, for you football fans. They have to do more than just tick the box for the board. That doesn't cut it anymore. They really have to know their stuff and make sure that what they sign off on is real.
And then you throw ESG into the mix, which is becoming more important, making sure the supply chain is green and also secure. So you can see, while much of this stuff has been around for a long, long time, the cloud is accelerating innovation and the pace of delivery. And so much is changing as a result.
Now, next I want to share a graphic that we shared last week, but a little different twist. It's an XY graphic with net score or spending velocity in the vertical axis and overlap or presence in the data set on the horizontal, with that magic 40% red line as shown. Okay, I won't dig into the data and draw conclusions; we did that last week, but two points I want to make. First, look at Microsoft in the upper right hand corner. They are big in security and they're attracting a lot of dollars in the space. We've reported on this for a while. They're a five-star security company from a spending standpoint in the ETR data, that little methodology we use. Every time I've run this chart, I've wondered where the heck is AWS? Why aren't they showing up there? If security is so important to AWS, which it is, and its customers, why aren't they spending money with Amazon on security? And I asked this very question to Merritt Baer, who resides in the office of the CISO at AWS. Listen to her answer.
It doesn't mean don't spend on security. There is a lot of goodness that we have to offer in ESS, external security services. But I think one of the unique parts of AWS is that we don't believe that security is something you should buy. It's something that you get from us. It's something that we do for you a lot of the time. I mean, this is the definition of the shared responsibility model right now. Maybe that's good messaging to the market. Merritt didn't say it outright, but essentially Microsoft, they charge for security. At AWS, it comes with the package, but it does answer my question. And of course the fact is that AWS can subsidize all this with egress charges.
Now on the flip side of that, you got Microsoft, they're competing now. We can take CrowdStrike for instance. Microsoft and CrowdStrike, they compete with each other head to head. So it's an interesting dynamic within the ecosystem.
Okay, but I want to turn to a powerful example of how AWS designs in security. And that is the idea of confidential computing. Of course, AWS is not the only one, but we're coming off re:Inforce and I really want to dig into something that David Floyer and I have talked about in previous episodes. And we had an opportunity to sit down with Arvind Raghu and JD Bean, two security experts from AWS, to talk about this subject. And let's share what we learned and why we think it matters. First, what is confidential computing? That's what this slide is designed to convey. AWS would describe it this way: it's the use of special hardware and the associated firmware that protects customer code and data from any unauthorized access while the data is in use, i.e. while it's being processed. That's oftentimes a security gap. And there are two dimensions here. One is protecting the data and the code from operators on the cloud provider, i.e. in this case, AWS, and protecting the data and code from the customers themselves. In other words, from admin-level users or possible malicious actors on the customer side where the code and data is being processed. And there are three capabilities that enable this. First, the AWS Nitro System, which is the foundation for virtualization. The second is Nitro Enclaves, which isolate environments. And then third, the Nitro Trusted Platform Module, TPM, which enables cryptographic assurances of the integrity of the Nitro instances. Now we've talked about Nitro in the past and we think it's a revolutionary innovation. So let's dig into that a bit. This is an AWS slide that was shared about how they protect and isolate data and code. On the left hand side is a classical view of a virtualized architecture.
You have a single host or a single server and those white boxes represent processes on the main board, x86 or could be Intel or AMD or alternative architectures. And you have the hypervisor at the bottom, which translates instructions to the CPU, allowing direct execution from a virtual machine into the CPU. But notice, you also have blocks for networking and storage and security. And the hypervisor emulates or translates I/Os between the physical resources and the virtual machines. And it creates some overhead. Now, companies like VMware have done a great job, and others have, stripping out some of that overhead, but there's still an overhead there. That's why people still like to run on bare metal. Now, and while it's not shown in the graphic, there's an operating system in there somewhere, which is privileged. So it's got access to these resources and it provides the services to the VMs.
Now, on the right hand side, you have the Nitro system. And you can see immediately the differences between the left and right because the networking, the storage and the security, the management, et cetera, they've been separated from the hypervisor and that main board, which has the Intel, AMD, Nitro and Graviton and Trainium, you know, whatever XPUs are in use in the cloud. And you can see that orange Nitro hypervisor, that is a purpose-built lightweight component for this system. And all the other functions are separated in isolated domains. So very strong isolation between the cloud software and the physical hardware running workloads, i.e. those white boxes on the main board. Now, this will run at practically bare metal speeds and there are other benefits as well. Well, one of the biggest is security. As we've previously reported, this came out of AWS's acquisition of Annapurna Labs, which we've estimated was picked up for a measly $350 million, which is a drop in the bucket for AWS to get such a strategic asset. And there are three enablers on this side.
One is the Nitro cards, which are accelerators to offload that wasted work that's done in traditional architectures by typically the x86. We've estimated 25 to 30% of core capacity in cycles is wasted on those offloads. The second is the Nitro security chip, which is embedded and extends the root of trust to the main board hardware. And finally, the Nitro hypervisor, which allocates memory and CPU resources. So the Nitro cards communicate directly with the VMs without the hypervisors getting in the way and they're not in the path. And all that data is encrypted while it's in motion. And of course, encryption at rest has been around for a while. We asked AWS, is this, we've presumed it was an ARM-based architecture. We wanted to confirm that, or is it some other type of maybe hybrid using x86 and ARM? They told us the following, quote, the SoC, system on chips, for these hardware components are purpose-built and custom designed in-house by Amazon and Annapurna Labs. The same group responsible for other silicon innovation such as Graviton, Inferentia, Trainium, and AQUA. Now the Nitro cards are ARM-based and do not use any x86 or x86 64-bit CPUs. Okay, so it confirms what we thought.
So you may say, why should we even care about all this technical mumbo jumbo, Dave? Well, a year ago, David Floyer and I published this piece explaining why Nitro and Graviton are secret weapons of Amazon that have been a decade in the making and why everybody needs some type of Nitro to compete in the future. This is enabled, these Nitro innovations and the custom silicon, by the Annapurna acquisition. And AWS has the volume economics to make custom silicon. Not everybody can do it. And it's leveraging the ARM ecosystem, the standard software and the fabrication volume, the manufacturing volume, to revolutionize enterprise computing.
Nitro with the alternative processor architectures like Graviton and others enables AWS to be on a performance, cost, and power consumption curve that blows away anything we've ever seen from Intel. And Intel's disastrous earnings results that we saw this past week are a symptom of this mega trend that we've been talking about for years. In the same way that Intel and x86 destroyed the market for RISC chips, thanks to PC volumes, ARM is blowing away x86 with volume economics that cannot be matched by Intel. Thanks of course to mobile and edge. Our prediction is that these innovations and the ARM ecosystem are migrating and will migrate further into enterprise computing, which is Intel's stronghold. Now that stronghold is getting eaten away by the likes of AMD, Nvidia, and of course ARM in the form of Graviton and other ARM-based alternatives. Apple, Tesla, Amazon, Google, Microsoft, Alibaba and others are all designing custom silicon, doing so much faster than Intel can go from design to tape out, roughly cutting that time in half. And the premise of this piece is that every company needs a Nitro to enable alternatives to the x86 in order to support emergent workloads that are data rich and AI based and to compete from an economic standpoint. So while at re:Inforce we heard that the impetus for Nitro was security, of course the ARM ecosystem and its ascendancy has enabled, in our view, AWS to create a platform that will set the enterprise computing market this decade and beyond.
Okay, that's it for today. Thanks to Alex Myerson, who was on production and he does the podcast, and Ken Schiffman, our newest member of our Boston studio team, is also on production. Kristen Martin and Cheryl Knight helped spread the word on social media and in the community, and Rob Hof is our editor-in-chief over at SiliconANGLE. Does some great work for us.
Remember, all these episodes are available as podcasts wherever you listen, just search "Breaking Analysis podcast." I publish each week on wikibon.com and siliconangle.com. You can email me directly at david.vellante@siliconangle.com or DM me @dvellante. Comment on my LinkedIn post and please do check out ETR.ai for the best survey data in the enterprise tech business. This is Dave Vellante with theCUBE Insights powered by ETR. Thanks for watching. Be well and we'll see you next time on Breaking Analysis.