Okay, we're back here live in Las Vegas for Amazon Web Services' re:Invent conference. This is theCUBE, our flagship program. We go out to the events, extract the signal from the noise. I'm John Furrier, the founder of SiliconANGLE. Joined by my co-host, Dave Vellante, and we're excited to have this segment here. Steve Schmidt, who's the vice president, chief information security officer for Amazon Web Services. Welcome to theCUBE.

Thanks very much for having me here.

I mean, it must be a very exciting job, because security is the number one conversation anyone has when it comes to the cloud. I mean, I'll say the cloud has proven itself, Amazon has proven it, and with all the announcements and innovation the loop is being closed: you've got messaging services and real-time streaming, you've got Redshift as a data warehouse, you've got, under the hood, full stack, DevOps moving massively as the standard in public cloud. And it's just a cost structure. So overwhelmingly a no-brainer, ridiculously amazing. So with that, it attracts people. But their number one question is security. So I've got to ask you, what is the security conversation today, within Amazon internally, and externally here at the show? What are the top conversations being discussed that you can share with the crowd?

Sure, the biggest conversations that we have internally are all about how we reduce the perimeter around information. Customers are just demanding that we keep shrinking the boundaries around information to give them more and more control over who can see what, from where, when. It used to be that people sort of fell into two buckets. You were a normal user, or maybe you were an administrator, and there wasn't anything in between. That's no longer sufficient. People want to be able to make sure that you can access this data from your smartphone, but somebody else who's not authorized can't.
So on the perimeter, so I know Dave's got a slew of questions, because we were discussing it prepping the interview, perimeter security is obviously one thing, but now you have an API economy. So there could potentially be leakage of data or security holes all around the market. So how do you guys look at that? Specifically, okay, if we're going to expose RESTful APIs to everything, it's a connection-oriented world, what do you guys look at on the roadmap there? How does perimeter security go to the modern era around that? Is it encapsulation? Is it virtualization? Is it containerization? I mean, how do you guys look at that?

Yeah, absolutely. It's all about making sure that when you expose information, you do so in a manner that's consistent with customer expectations. So it's ensuring you've got the right crypto that customers can use to wrap their data up in and keep it safe. It's all about ensuring you have the right access control, allowing people to access data from the places they want to, when they want to, and not when they don't. And it's also giving them the visibility into their network and the use of their data, like with Amazon CloudTrail, a service we just announced here at the show, which allows customers to see every API call that they make into some of our services. And more importantly, it allows them to see behind the scenes on API calls that our services make on their behalf.

So you were previously at the Federal Bureau of Investigation, also known as the FBI. You were in charge of the Chief Technology Section, Section Chief responsible for collection and analysis of all the data. So where are we in this surveillance society? People talk about this. And I'll say, it's important, right? Security is number one. What have you learned from your previous life that you're extending into this modern era? Because Amazon does pride itself, and we do give you guys a lot of props, around being modern.
You guys are cutting edge, changing the paradigm, lowering costs, increasing scale. But a lot of these paradigms are coming back. You see, spot pricing is not a new concept, that's just borrowed from another industry. What have you learned from the FBI that you could bring into Amazon that's going to change the game a bit on how people access content, data on each other, internet of things?

Security is all about people. Quite often, security practitioners focus on, well, this particular piece of data or this particular control, when in reality it's understanding humans. It's all about figuring out how people need to work versus want to work, or how bad guys think and how they want to access information inappropriately. So there's a lot of transference of knowledge about understanding the behavior of humans into this technical world.

Dave, what's your take on this? Because you, I-

Yeah, I wonder if I could jump in here. So I'm struck by, when I listen to the keynotes and I talk to the people around here, I talk to folks from Amazon, it's almost like you guys, this collection of really smart people, got together and just had a blank palette. Said, okay, if we had to do IT right, how would you do it? And I'm struck by things like WorkSpaces. You say, okay, we're going to do VDI the Amazon way. What is security the Amazon way, and how is it different?

Security the Amazon way is all about ensuring that you build security in from the start. A lot of people, especially in an older technology environment, have to bolt security on after the fact, and that's really tough to do well, and more importantly, it's really tough to do well in a way that doesn't cause the user headaches. So one of the things we focus a lot on is designing in, at the very beginning, the appropriate security that our customers are demanding.
It means putting security engineers into service teams rather than having them sit outside in a separate organization, so that every time a decision is made in the design process, it's made with security in mind.

So I would say probably around 25 years ago, I received a similar answer in terms of designing in from the IBM mainframe guys. They said that we design it in, and then you had this sort of wild, wild west of open systems that created real challenges, because the mainframe was a very constrained environment. But are there parallels there that you can draw on?

There are certainly parallels in access control. There are parallels in limiting access to data, enabling access to data. I think the real shift has been that in the mainframe world, things scaled vertically. It was one big box that got bigger, whereas in our world, it's all about distributed systems. It's about making sure that the job is chopped up into little pieces and pushed to a bunch of machines.

Right, so that obviously creates different challenges. Okay, so now you're based outside of Washington DC, which we were talking off camera is advantageous. Talk about that a little bit. Why is it advantageous for you to be there?

There's a huge host of security talent that's available in the Washington DC area. The federal government there obviously is a huge customer and has a lot of security interests, but more importantly, there are some excellent universities in that area that turn out some really sharp security engineers, and it gives us a pool to draw from that's really important to the success of our business.

So Amazon was very happy to let you guys stay there and do your thing. You have a very interesting background. Economics, law, and a little bit of computer science thrown in. So how do you apply those disciplines in your current role?

Yeah, the disciplines are applied in sort of two different major areas. One is, security is not just one thing.
It's both an art and a science, and the art portion is balancing the need to access information to get business done, to allow your employees to work, to allow your customers to function, with the desire to make sure that you protect that which is really important to you sufficiently. There is a science of designing controls that accomplish those means. So things like enabling you to restrict access to a particular field in a database, or enabling you to restrict access to a certain virtual machine from a certain location. And so the background there is you've got the balancing act, that's often law and economics, and you've got the science portion, CS, computer science, applying to build the controls.

We talked about this when we talked a week or so ago, about how security's changing. It used to be keep the bad guys out, put a moat around, and when the bad guys used to get in, they'd make a lot of noise. Hey, we got in, virus, wonderful. Now they get in and they're malicious, they're stealth. We talked about the stat that I had thrown out that I think you confirmed. On average, it's about 400-plus days before a breach is even noticed, realized. So how does that change the way in which, not even Amazon specifically, but just the way the industry needs to think about security?

The industry needs to think much more real time about security. Now, the federal government has had a push on that for continuous monitoring for a while. But in reality, the practical matter is that people couldn't get logs quickly enough off of machines to make that practical. One of the things that we aimed for with launching CloudTrail is to give customers logs about every five minutes. It gives them a much quicker opportunity to identify behavior that's interesting to them and then investigate it, figure out what's going on.

Okay, so that's analytics in part, but it's also being able to know who did what, when, where.

Absolutely.
Which was part of the challenge when we went from mainframe to open systems. We never knew who did what. Can we talk about physical access a little bit? A lot of things that customers will point to, actually not even so much customers, but sometimes competitors will point to: oh, we can't get access to Amazon's, or you can't, as a customer, get access to Amazon's physical location. I wonder if you could talk about that philosophy, why it's your approach and why it's so important.

Sure, our philosophy is need to know, need to access. If you look at Amazon employees, most of our employees have no idea where our data centers are. They may say it's in Virginia, it's in the Washington DC area, et cetera, but they can't give you a street address.

It's gross.

Yeah, that's actually useful. It means that if you don't have access to facilities, you can't accidentally do something inappropriate or cause a problem. Security through obscurity is not sufficient of itself, but it's a starting point. The other thing is we have an enormous customer base. I mean, hundreds and hundreds of thousands of customers. Would you, as one customer, want 100,000 other customers tramping through the data center, maybe tripping over a cable, or accidentally falling into a hole or something like that? No, so what we do instead is we use a trusted third party to do the audits on behalf of all of our customers.

Okay, so the trusted third party is what, an accounting firm?

Exactly, yeah, it's Ernst & Young in our case, and what they do is a commonly understood, well-examined review of our data centers to make sure that we're doing what we say we are. They actually come in and test. For instance, if we say that we keep visitor access logs for 60 days, they'll come in and say, I want to see the visitor access logs for this date and this time out of this data center. We have to produce them and prove it to them. Same thing for CCTV or badge access controls.

So it's like a random drug test.
Absolutely. You don't know what's coming.

So what's the lingua franca of that world that you said is sort of commonly accepted? What are the terms that you would use to describe that, that would resonate?

Sure, the terms are certifications and accreditations, and things like, we're a global company. We have customers all over the planet, so we have to have different languages to describe our certifications to them. In Europe, it tends to be ISO 27001. In the US, it tends to be SOC 1, 2, and 3. In certain verticals, they've got their own language. So whether it's FISMA for the federal government or PCI for the payment card industry.

Okay, so Ernst & Young comes in, they do their investigation, their audit, they pass it in, and then what happens?

My auditors can go talk to your auditors. And in fact, the SOC 2 report is specifically designed to be an auditor-to-auditor report. So you don't have to trust us, you don't even have to talk to us. You can talk directly to Ernst & Young about it.

So, could you say that you've not lost business because of this factor, because of the whole we-can't-get-access factor?

Actually, with our more savvy customers, it's the other way around. They really appreciate the fact that we don't allow people in the facilities.

Yeah, okay, so you would argue that you've won business because of that. Now, we talked to Andy Jassy recently. He said, look, we try not to do one-offs at Amazon. It's just, it's not our way. So I presume that's the case with security. Now, I would imagine that you have a lot of demand for one-offs. How do you handle that?

What we do with individual security requests is see how we can work them into our standard operating procedure. You know, we talked about how we've got lots and lots of different certifications that we have to keep.
Rather than having one set of our infrastructure that's the PCI version, or one set that's suitable for healthcare records, or another set that's for financial services, we see what's the highest bar across all of them. And we meet that bar for our whole infrastructure. That way customers can pick and choose what's important to them.

Can you summarize why, in your opinion, or provide any facts and metrics if you care to, why cloud security generally, and specifically AWS security, is better than what you could get on-premise?

I think the most fundamental thing that's different is visibility. You know, if you think about a customer's on-premise data center, it'll often have grown over time. You know, you've got networks that sort of connect to each other over time and buildings that expand. And people may have even left the company who added things to the network, and people are afraid to unplug a rack because they don't know what it does anymore. That's all because a human being is interacting directly with that equipment. In the cloud, you have to talk to us over an API. As a result, everything that's done with your infrastructure can be audited. So you can see with precision who started what virtual machine, from where, what network it's connected to, what the firewall rules are. And this is something that's not only a difference in security that we've pointed out, but our customers are doing so as well. Tom Soderstrom, CTO of NASA JPL, came out and said outright that he believes that they can be more secure in the AWS cloud than they can be on-premise.

So I wonder if we could maybe attack some of the misconceptions out there too. Because again, you hear it a lot from pundits, your competitors will talk about it. I had somebody say to me the other day, well, you know, location, where you store the data, is very important. As you know, Brazil has laws that recently passed. We've talked about Germany in the past.
And somebody said to me, you think Amazon's going to let you determine where you put that data? And your answer was, yeah. In fact, we require you to.

It was more than that. You don't have a choice but to declare what you're going to put there.

So I want you to talk about that a little bit. You have a data center in Brazil.

We have several.

Recent laws, several data centers in Brazil. Recent laws passed that certain data has to stay in Brazil. So talk about how you accommodate that. I want to talk about Europe as well.

Sure. The way we accommodate that is that, as part of the interaction with our APIs, customers have to say, store this data in a particular location. So literally we will not accept something from them unless they tag it with, I want it to go to this particular part of the world, this region of the world. Additionally, we require that customers decide when they want to move that data somewhere else. So if a customer wants to move something from one region to another, they can initiate that transfer, but we won't do it for them. They have to do it themselves.

Okay, what are some of the other misconceptions that people have about Amazon security that you might want to talk about here?

There's a misunderstanding that there are multiple levels of security depending on the size of the company. When in reality, one of the really cool things about operating in the cloud is that every little guy out there gets the same access to security that the biggest customers do. So when you think about the big guys, the NASAs, the Netflixes, et cetera, they drive us really hard on security features and capabilities and audits that we have to undertake. And the kid who's in his college dorm room doing his homework on AWS using our free tier gets that same access to security features.

So I want to ask you as well, we talked on the phone the other day, I asked you this question and I really appreciated your answer because I thought it was quite honest.
What's the biggest complaint that you get around security?

The biggest concern that most customers have around security is making sure they get the division of responsibility right. We are a shared responsibility model, which means that we do some things on behalf of every customer, the physical security, the network layers, et cetera. And then customers get to decide what they do beyond that, so they get to choose the OS, the applications, the firewall rules, et cetera. Helping them get that right is something that we've got to be really, really focused on.

And then I have one other question, John, I know you want to jump in as well. We were talking about specials before. GovCloud, security same as what you get elsewhere?

GovCloud is identical to all of the other regions that we have, with one exception, that it's operated by U.S. persons. The U.S. government has requirements that we have to meet in order to be certified to handle ITAR workloads. That's the International Traffic in Arms Regulations. Things like spacecraft control and certain kinds of aircraft designs are restricted-access items. So literally it is the same sets of security, the same kind of security as the rest of our regions, just run by U.S. persons.

And U.S. persons means that they don't have to be citizens, but they've got to be-

I think it can be a green card holder.

Green card and have the right to do business.

That's right.

In the United States. Okay, well, so John, we're running the camera here.

I'll get a word in edgewise somewhere, Dave. I want to go to the crowd. So we had a little CrowdChat here, but on Twitter we had some comments I want to get your take on. So earlier Werner tweeted and said, putting the CloudHSM offering into context, quote, securing key store so you only have access to your data and no compromise. Explain what that is out there. Obviously HSM is around the hardware security modules, or whatever it stands for. I think that's what it is.
But what does that mean? I mean, explain that, because that's a really fundamental point of the confidence levels that people need to have.

The most important way to think about cryptography and keeping data safe using crypto is that it's only as safe as the keys. If you think about it, you can put great locks on your house, but if you don't keep those keys safe, maybe you've got a problem. CloudHSM allows customers to generate and use crypto keys in a fashion that only they have access to. Our staff don't even have access to it, and that's really important for some customers with highly regulated workloads or specific concerns about PII.

As I say, don't lose the keys to the house and you can get in. I mean, that's one of the dangers though, if you lose your primary key. I mean, that's-

Unfortunately we can't do backups for the customer in that circumstance. We have to help them do those themselves.

Okay, so let's go back to another tweet. So Holger Mueller from the Constellation group put up a slide. I want to get your take on this, because we've been talking about earlier in theCUBE the importance of Redshift. And with the streaming application you guys launched, you really kind of closed the loop, but now you can bring detection into this. So now you're basically talking about big data. Right, so what does Redshift mean? Folks out there, I'll say one thing is to prevent security issues, but it's also a detect pattern. So talk about how you guys look at Redshift in particular, and how does that play into kind of the big data analytics for security?

We use Redshift internally to look at the behavior of our employees. So for instance, we capture logs about what our employees interact with on our network and how they access machines that might contain customer data. We use Redshift to look at their patterns of behavior and ensure they're consistent with our business expectations. So does this software development engineer behave like the other software development engineers?
It can be pretty powerful. Customers are starting to do things like say, this particular user of mine always logs in from London because that's where they're based. All of a sudden their login comes from Tokyo. What's going on? I'd like to understand more about it.

One of the things that we talk about, first of all, we love to talk about how large scale can be leveraged and how, when you have large scale, a small little feature could be massively huge and differentiated by the leverage of the scale. So talk about where you guys see advances in machine learning, because that's really what you're just talking about. It takes us into a whole other direction of, hey, I look at pattern detection, I have unsupervised machine learning, then it changes the game. What's the vision there? And how do you talk about that?

That's all about feeding enough training data to make it useful. And if you think about machine learning, it's only as good as the data that you put into it. So one of the things that was really cool about adding CloudTrail to the services that are available to customers now is it is yet another piece of information about how their employees interact with their assets on AWS. So you see pretty significant machine learning going forward. There's a really cool set of features that are going to be coming out of a bunch of our partners' stuff, and we use Redshift ourselves to do a lot of machine learning.

I was joking earlier on Twitter, I was saying, hey, the big talk in the hallways is all about security. Someone joked, that's not very secure, given all the eavesdropping going on. So, you know, pun aside, what is, in your opinion, take your Amazon hat off for a second, kind of let's be an industry guy here, what is the hottest thing that you're hearing? That surprised you and didn't surprise you.
Some that you expected, obviously, some of the things around key stores probably there, but what has come up that you expected, and what has surprised you that you haven't expected?

Things that I expected are that customers continue to demand shrinking perimeters, meaning smaller and smaller access boundaries around data. What I didn't expect is that a couple of customers have told us that they really trust our brand inherently and they want us to offer more security features ourselves, which was a surprise.

Amazon yourself, to them, as a service or in the stack?

As a service, as part of the stack. We've always thought of it as part of the stack, but they want more Amazon-branded services as well.

Great. Hey John, remember when we were at, I think it was VMworld, they had Pat Gelsinger on, you know, Pat Gelsinger's obviously, and we were talking about virtualization and the challenges of security in the cloud, and I asked Pat, I said, is security a do-over? This was a couple of years ago, several years ago, and he thought about it and he said, yeah, you know, security is a do-over. So my question to you is, are you the do-over?

Now, I think we're in a situation where we've been very lucky in that we knew that we were going to base this business in a solely virtual world. We didn't sell physical goods to anybody. We don't have a store they can go to. So we had to get security right from the beginning.

Yeah, so what I'm saying is, is this the do-over?

Yeah, in a lot of ways.

Is this the example of the do-over?

Sure, and I understand what you mean. I think in a lot of ways this is. It gives people a new opportunity, a new way of implementing things, and more importantly, greater visibility into what they have, and so they can design better controls.

You saw the pie charts that Andy put up there, and this is, you know, as outside observers, you get really talented people on one side of that pie chart and really talented people on the other side of the pie chart.
What do those diverging pies mean, in your opinion, from a security standpoint?

There is no one way to solve security problems. There's a sort of spectrum of things you can do. What it does mean is that we've got a lot of customers with a lot of different viewpoints that we have to satisfy, which means we're going to have to keep working really hard to make sure we meet their expectations.

Yeah, so it would be easier if everyone just put the data in the cloud, right? But that's not going to happen, right? And someone, one of the guys yesterday, I think it was one of the folks from Eucalyptus, said, look, economies have proven over history that some people like to rent, some people like to buy. So that just makes your job harder. Why?

It makes it harder in some senses; it also makes it easier in others. It's about giving customers choice, and if we do that right, they're going to move to our services. It's giving them the capabilities that they're asking for, giving them the features that they want, and they'll choose us. If we're not doing it well, that's going to be a problem for us.

So my final question, I know we're getting tight on time, I want to ask you this. It's a more provocative question, because I really haven't thought about it other than just now. So it's kind of an off-the-cuff question. Auto scaling, something that we use a lot in our Amazon app. We built a pretty significant app on Amazon, I showed you the crowd spots thing. Auto scaling has been like an amazing thing for us, it really has, and customers love it. How do you apply auto scaling to security?

Auto scaling and security is all about making sure that your sensor systems scale with the load that you're expecting. So as networks expand, do the sensor systems expand with them? When you collect more logs, do your processing engines expand at the same time?

And how do you guys do that? Do you let the customers tune that up, or do you guys provide those parameters to the customer?
In many cases it's our partner software sets who do that. We use our own auto scaling things internally to do security analysis. So we grow clusters bigger using EMR, shrink them down when we're not using them.

Steve Schmidt here is the vice president, chief information security officer at Amazon. Thanks for coming on theCUBE. I want to give you the final word to end the segment. Put the bumper sticker on the car as it leaves Vegas for this re:Invent. From a security perspective and the overall greatness of AWS as you guys are innovating, what does that bumper sticker say on the car?

You can be more secure in the cloud than you can be on-premise.

Okay, security is the number one conversation in the cloud. It's all about the security. Security is the key major hurdle. We're seeing Amazon deliver a step up: secure, more secure than on-premise. Dave and I will discuss that comment a little bit later when you leave, behind your back. No, but great. Thank you for coming on the interview.

Yeah, thank you.

No, really great job. Congratulations on the success. Great show. A lot of innovation. This is theCUBE's exclusive coverage here at AWS re:Invent. We'll be right back after this short break.